tests: DH params with 2048-bit key
1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
4 #
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
7
8 import base64
9 import binascii
10 import time
11 import subprocess
12 import logging
# Module-level logger shared by the tests below; getLogger() without a name
# returns the root logger.
logger = logging.getLogger()
14 import os
15
16 import hwsim_utils
17 import hostapd
18 from utils import HwsimSkip, alloc_fail
19 from wpasupplicant import WpaSupplicant
20 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations
21
def check_hlr_auc_gw_support():
    """Skip the calling test unless the hlr_auc_gw control socket exists.

    Raises:
        HwsimSkip: when /tmp/hlr_auc_gw.sock is not present.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
25
def check_eap_capa(dev, method):
    """Skip the calling test if wpa_supplicant's build lacks an EAP method.

    Args:
        dev: wpa_supplicant control object; its "eap" capability string is queried.
        method: EAP method name to look for (substring match on the capability string).

    Raises:
        HwsimSkip: when *method* does not appear in the capability string.
    """
    supported = dev.get_capability("eap")
    if method in supported:
        return
    raise HwsimSkip("EAP method %s not supported in the build" % method)
30
def check_subject_match_support(dev):
    """Skip the calling test unless wpa_supplicant reports an OpenSSL TLS library.

    Args:
        dev: wpa_supplicant control object; "GET tls_library" is queried.

    Raises:
        HwsimSkip: when the reported TLS library name does not start with "OpenSSL".
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + tls_lib)
35
def check_altsubject_match_support(dev):
    """Skip the calling test unless wpa_supplicant reports an OpenSSL TLS library.

    Args:
        dev: wpa_supplicant control object; "GET tls_library" is queried.

    Raises:
        HwsimSkip: when the reported TLS library name does not start with "OpenSSL".
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls_lib)
40
def check_domain_match_full(dev):
    """Skip the calling test unless wpa_supplicant reports an OpenSSL TLS library.

    Args:
        dev: wpa_supplicant control object; "GET tls_library" is queried.

    Raises:
        HwsimSkip: when the reported TLS library name does not start with "OpenSSL".
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls_lib)
45
def check_cert_probe_support(dev):
    """Skip the calling test unless wpa_supplicant reports an OpenSSL TLS library.

    Args:
        dev: wpa_supplicant control object; "GET tls_library" is queried.

    Raises:
        HwsimSkip: when the reported TLS library name does not start with "OpenSSL".
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls_lib)
50
def read_pem(fname):
    """Return the DER bytes of the first PEM block in *fname*.

    Lines strictly between the first "-----BEGIN" and the first "-----END"
    marker are collected and base64-decoded; the marker lines themselves are
    excluded and anything before the BEGIN marker is ignored. If the file has
    no BEGIN marker the result is empty.

    Args:
        fname: path of the PEM file to read.

    Returns:
        The decoded block body as bytes.
    """
    body = []
    inside = False
    with open(fname, "r") as f:
        for line in f:
            if "-----END" in line:
                break
            if inside:
                body.append(line)
            elif "-----BEGIN" in line:
                inside = True
    # Embedded newlines are not base64 alphabet characters and are ignored by
    # the decoder, so the lines can be joined as-is.
    return base64.b64decode("".join(body))
64
def eap_connect(dev, ap, method, identity,
                sha256=False, expect_failure=False, local_error_report=False,
                **kwargs):
    """Connect *dev* to the "test-wpa2-eap" network with the given EAP method.

    Adds a network on the station with key_mgmt "WPA-EAP WPA-EAP-SHA256",
    ieee80211w=1 and scan_freq 2412, then runs eap_check_auth() to validate
    the EAP exchange. Unless a failure is expected, also waits up to 5 s for
    hostapd to report AP-STA-CONNECTED.

    Args:
        dev: wpa_supplicant control object for the station.
        ap: dict describing the AP; only ap['ifname'] is used.
        method: EAP method name passed as the network's eap= value.
        identity: EAP identity for the network.
        sha256: expect the WPA2-EAP-SHA256 key_mgmt to be selected.
        expect_failure: treat EAP failure and disconnection as the expected outcome.
        local_error_report: with expect_failure, do not require reason=23 in
            the disconnection event.
        **kwargs: further network parameters forwarded to dev.connect().

    Returns:
        The network id returned by dev.connect().

    Raises:
        Exception: when hostapd does not report the station as connected in time
            (eap_check_auth() raises for station-side problems).
    """
    hapd = hostapd.Hostapd(ap['ifname'])
    netid = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                        eap=method, identity=identity,
                        wait_connect=False, scan_freq="2412", ieee80211w="1",
                        **kwargs)
    eap_check_auth(dev, method, True, sha256=sha256,
                   expect_failure=expect_failure,
                   local_error_report=local_error_report)
    if not expect_failure:
        # The station side is done; confirm the AP side saw the association too.
        if hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5) is None:
            raise Exception("No connection event received from hostapd")
    return netid
82
def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
                   expect_failure=False, local_error_report=False):
    """Follow the EAP exchange on *dev* through its control-interface events.

    Waits for EAP start and method selection, then either for EAP failure plus
    disconnection (expect_failure) or for EAP success, association/key
    negotiation and a consistent STATUS output.

    Args:
        dev: wpa_supplicant control object.
        method: EAP method name expected in the EAP-METHOD event and in the
            STATUS selectedMethod field (substring match in both cases).
        initial: True for a first connection (waits for CTRL-EVENT-CONNECTED);
            False for a re-authentication (waits for key negotiation completion).
        rsn: expect the WPA2 (RSN) key_mgmt string rather than the WPA one.
        sha256: expect key_mgmt "WPA2-EAP-SHA256" (takes precedence over rsn).
        expect_failure: the exchange is expected to end in CTRL-EVENT-EAP-FAILURE.
        local_error_report: with expect_failure, skip the reason=23 check on the
            disconnection event.

    Returns:
        The STATUS dict on success; None when expect_failure is set.

    Raises:
        Exception: on any timeout or mismatch described above.
    """
    def wait_for(event, **kw):
        return dev.wait_event([event], **kw)

    if wait_for("CTRL-EVENT-EAP-STARTED", timeout=10) is None:
        raise Exception("Association and EAP start timed out")
    method_ev = wait_for("CTRL-EVENT-EAP-METHOD", timeout=10)
    if method_ev is None:
        raise Exception("EAP method selection timed out")
    if method not in method_ev:
        raise Exception("Unexpected EAP method")

    if expect_failure:
        # No explicit timeout here, unlike the other waits; presumably
        # wait_event's default applies.
        if wait_for("CTRL-EVENT-EAP-FAILURE") is None:
            raise Exception("EAP failure timed out")
        disc_ev = dev.wait_disconnected(timeout=10)
        # IEEE 802.11 reason code 23: IEEE 802.1X authentication failed
        if not local_error_report and "reason=23" not in disc_ev:
            raise Exception("Proper reason code for disconnection not reported")
        return None

    if wait_for("CTRL-EVENT-EAP-SUCCESS", timeout=10) is None:
        raise Exception("EAP success timed out")

    completion = "CTRL-EVENT-CONNECTED" if initial else "WPA: Key negotiation completed"
    if wait_for(completion, timeout=10) is None:
        raise Exception("Association with the AP timed out")

    status = dev.get_status()
    if status["wpa_state"] != "COMPLETED":
        raise Exception("Connection not completed")
    if status["suppPortStatus"] != "Authorized":
        raise Exception("Port not authorized")
    if method not in status["selectedMethod"]:
        raise Exception("Incorrect EAP method status")

    if sha256:
        expected_key_mgmt = "WPA2-EAP-SHA256"
    elif rsn:
        expected_key_mgmt = "WPA2/IEEE 802.1X/EAP"
    else:
        expected_key_mgmt = "WPA/IEEE 802.1X/EAP"
    if status["key_mgmt"] != expected_key_mgmt:
        raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
    return status
129
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger an EAP re-authentication on *dev* and validate its outcome.

    Issues REAUTHENTICATE and then runs eap_check_auth() in non-initial mode,
    i.e. waiting for key negotiation completion instead of a new association.

    Args:
        dev: wpa_supplicant control object.
        method: EAP method name expected in the events and STATUS output.
        rsn, sha256, expect_failure: forwarded to eap_check_auth().

    Returns:
        Whatever eap_check_auth() returns: the STATUS dict, or None when
        expect_failure is set.
    """
    dev.request("REAUTHENTICATE")
    outcome = eap_check_auth(dev, method, False, rsn=rsn, sha256=sha256,
                             expect_failure=expect_failure)
    return outcome
134
def test_ap_wpa2_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM"""
    check_hlr_auc_gw_support()
    # Valid GSM-Milenage key material for the test subscriber (presumably
    # Ki:OPc; the format is owned by hlr_auc_gw)
    good_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000", password=good_key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "SIM")

    # A second subscriber succeeds; the third identity is expected to fail
    # (presumably not provisioned in hlr_auc_gw)
    eap_connect(dev[1], apdev[0], "SIM", "1232010000000001", password=good_key)
    eap_connect(dev[2], apdev[0], "SIM", "1232010000000002", password=good_key,
                expect_failure=True)

    # Negative cases on dev[0]: each one replaces the network configuration
    # and must end in an EAP failure. An empty dict means no password at all.
    negative_cases = [
        ("Negative test with incorrect key",
         {"password": "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"}),
        ("Invalid GSM-Milenage key",
         {"password": "ffdca4eda45b53cf0f12d7c9c3bc6a"}),
        ("Invalid GSM-Milenage key(2)",
         {"password": "ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581"}),
        ("Invalid GSM-Milenage key(3)",
         {"password": "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q"}),
        ("Invalid GSM-Milenage key(4)",
         {"password": "ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581"}),
        ("Missing key configuration", {}),
    ]
    for label, net_args in negative_cases:
        logger.info(label)
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                    expect_failure=True, **net_args)
185
def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-SIM (SQL)"""
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    # The test edits the reauth and pseudonyms tables of hostapd.db directly
    # to force the server down the different authentication paths.
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"

    def run_sql(*statements):
        """Execute the given statements on hostapd.db in one transaction."""
        with con:
            cur = con.cursor()
            for stmt in statements:
                cur.execute(stmt)

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['auth_server_port'] = "1814"
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000", password=key)

    logger.info("SIM fast re-authentication")
    eap_reauth(dev[0], "SIM")

    logger.info("SIM full auth with pseudonym")
    run_sql("DELETE FROM reauth WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")

    logger.info("SIM full auth with permanent identity")
    run_sql("DELETE FROM reauth WHERE permanent='1232010000000000'",
            "DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")

    logger.info("SIM reauth with mismatching MK")
    run_sql("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000", password=key)
    run_sql("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")
    run_sql("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
    logger.info("SIM reauth with mismatching counter")
    eap_reauth(dev[0], "SIM")
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000", password=key)
    run_sql("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
    logger.info("SIM reauth with max reauth count reached")
    eap_reauth(dev[0], "SIM")
243
def test_ap_wpa2_eap_sim_config(dev, apdev):
    """EAP-SIM configuration options"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"

    # Out-of-range sim_min_num_chal values must make EAP-SIM initialization
    # fail on the station (vendor 0 method 18 is EAP-SIM).
    rejected = (("sim_min_num_chal=1", "No EAP error message seen"),
                ("sim_min_num_chal=4", "No EAP error message seen (2)"))
    for phase1, missing_msg in rejected:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                       identity="1232010000000000",
                       password=key,
                       phase1=phase1,
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
        if ev is None:
            raise Exception(missing_msg)
        dev[0].request("REMOVE_NETWORK all")

    # Accepted variants: an in-range challenge count and an anonymous identity
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password=key,
                phase1="sim_min_num_chal=2")
    eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
                password=key,
                anonymous_identity="345678")
274
def test_ap_wpa2_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
    # external_sim appears to be a station-wide setting, so it is restored even
    # when the wrapped body raises; otherwise later tests would inherit it.
    try:
        _test_ap_wpa2_eap_sim_ext(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
281
def _test_ap_wpa2_eap_sim_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_sim_ext (runs with external_sim=1).

    Answers the station's CTRL-REQ-SIM GSM-AUTH requests with a wrong response
    type and then with a series of malformed GSM-AUTH responses, checking that
    every attempt ends in an EAP failure.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    netid = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                           identity="1232010000000000",
                           wait_connect=False, scan_freq="2412")
    if dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15) is None:
        raise Exception("Network connected timed out")

    def wait_gsm_auth_req():
        """Wait for a CTRL-REQ-SIM of type GSM-AUTH and return its request id."""
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        fields = ev.split(':', 2)
        if fields[1] != "GSM-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        return fields[0].split('-')[3]

    def respond(rid, suffix):
        """Send CTRL-RSP-SIM-<rid><suffix> and require the ctrl_iface to accept it."""
        if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + suffix):
            raise Exception("CTRL-RSP-SIM failed")

    def expect_eap_failure():
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15) is None:
            raise Exception("EAP failure not reported")

    def disconnect():
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        time.sleep(0.1)

    rid = wait_gsm_auth_req()
    # IK:CK:RES
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    # A UMTS-AUTH answer to a GSM-AUTH request: the ctrl_iface command succeeds
    # (its return value is not checked) but processing fails.
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
    expect_eap_failure()
    disconnect()

    # Malformed GSM-AUTH responses: accepted by the ctrl_iface, rejected
    # during GSM auth validation
    bad_responses = [ ":GSM-AUTH:q",
                      ":GSM-AUTH:34",
                      ":GSM-AUTH:0011223344556677",
                      ":GSM-AUTH:0011223344556677:q",
                      ":GSM-AUTH:0011223344556677:00112233",
                      ":GSM-AUTH:0011223344556677:00112233:q" ]
    last = len(bad_responses) - 1
    for i, suffix in enumerate(bad_responses):
        dev[0].select_network(netid, freq="2412")
        respond(wait_gsm_auth_req(), suffix)
        expect_eap_failure()
        # The final attempt is left without an explicit disconnect
        if i != last:
            disconnect()
417
def test_ap_wpa2_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA"""
    check_hlr_auc_gw_support()
    imsi = "0232010000000000"
    # Valid Milenage key material for the test subscriber (format owned by
    # hlr_auc_gw; presumably K:OPc:SQN)
    good_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "AKA", imsi, password=good_key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA")

    # Negative cases: (log label, clear the network list first?, password or
    # None for "no password configured"). Each must end in an EAP failure.
    negative_cases = [
        ("Negative test with incorrect key", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("Invalid Milenage key", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a"),
        ("Invalid Milenage key(2)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("Invalid Milenage key(3)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123"),
        ("Invalid Milenage key(4)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q"),
        ("Invalid Milenage key(5)", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123"),
        ("Invalid Milenage key(6)", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123"),
        ("Missing key configuration", True, None),
    ]
    for label, remove_first, pw in negative_cases:
        logger.info(label)
        if remove_first:
            dev[0].request("REMOVE_NETWORK all")
        net_args = {} if pw is None else {"password": pw}
        eap_connect(dev[0], apdev[0], "AKA", imsi,
                    expect_failure=True, **net_args)
471
def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA (SQL)"""
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    # The test edits the reauth and pseudonyms tables of hostapd.db directly
    # to force the server down the different authentication paths.
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"

    def run_sql(*statements):
        """Execute the given statements on hostapd.db in one transaction."""
        with con:
            cur = con.cursor()
            for stmt in statements:
                cur.execute(stmt)

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['auth_server_port'] = "1814"
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000", password=key)

    logger.info("AKA fast re-authentication")
    eap_reauth(dev[0], "AKA")

    logger.info("AKA full auth with pseudonym")
    run_sql("DELETE FROM reauth WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")

    logger.info("AKA full auth with permanent identity")
    run_sql("DELETE FROM reauth WHERE permanent='0232010000000000'",
            "DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")

    logger.info("AKA reauth with mismatching MK")
    run_sql("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000", password=key)
    run_sql("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")
    run_sql("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
    logger.info("AKA reauth with mismatching counter")
    eap_reauth(dev[0], "AKA")
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000", password=key)
    run_sql("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
    logger.info("AKA reauth with max reauth count reached")
    eap_reauth(dev[0], "AKA")
529
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Only the anonymous_identity option is exercised here
    net_args = {
        "password": "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
        "anonymous_identity": "2345678",
    }
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000", **net_args)
537
def test_ap_wpa2_eap_aka_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
    # external_sim appears to be a station-wide setting, so it is restored even
    # when the wrapped body raises; otherwise later tests would inherit it.
    try:
        _test_ap_wpa2_eap_aka_ext(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
544
def _test_ap_wpa2_eap_aka_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_aka_ext (runs with external_sim=1).

    Answers the station's CTRL-REQ-SIM UMTS-AUTH requests with a wrong
    response type, with resynchronization (UMTS-AUTS) responses and with a
    series of malformed UMTS-AUTH responses, checking that every attempt ends
    in an EAP failure.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    netid = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                           identity="0232010000000000",
                           password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                           wait_connect=False, scan_freq="2412")
    if dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15) is None:
        raise Exception("Network connected timed out")

    def wait_umts_auth_req():
        """Wait for a CTRL-REQ-SIM of type UMTS-AUTH and return its request id."""
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        fields = ev.split(':', 2)
        if fields[1] != "UMTS-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        return fields[0].split('-')[3]

    def respond(rid, suffix):
        """Send CTRL-RSP-SIM-<rid><suffix> and require the ctrl_iface to accept it."""
        if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + suffix):
            raise Exception("CTRL-RSP-SIM failed")

    def expect_eap_failure():
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15) is None:
            raise Exception("EAP failure not reported")

    def disconnect():
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        time.sleep(0.1)

    rid = wait_umts_auth_req()
    # IK:CK:RES
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    # A GSM-AUTH answer to a UMTS-AUTH request: the ctrl_iface command succeeds
    # (its return value is not checked) but processing fails.
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    expect_eap_failure()
    disconnect()

    # Resynchronization answers: after the first UMTS-AUTS a further UMTS-AUTH
    # request is expected; the truncated second one ends in EAP failure.
    dev[0].select_network(netid, freq="2412")
    respond(wait_umts_auth_req(), ":UMTS-AUTS:112233445566778899aabbccddee")
    respond(wait_umts_auth_req(), ":UMTS-AUTS:12")
    expect_eap_failure()
    disconnect()

    # Malformed UMTS-AUTH responses: accepted by the ctrl_iface, rejected
    # during UMTS auth validation
    bad_responses = [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
                      ":UMTS-AUTH:34",
                      ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
                      ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
                      ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
                      ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
                      ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
    for suffix in bad_responses:
        dev[0].select_network(netid, freq="2412")
        respond(wait_umts_auth_req(), suffix)
        expect_eap_failure()
        disconnect()
630
def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'"""
    check_hlr_auc_gw_support()
    imsi = "6555444333222111"
    good_key = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "AKA'", imsi, password=good_key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA'")

    logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
    # Both methods enabled on the station; only completion of the connection
    # is verified here, not which method was negotiated.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
                   identity="6555444333222111@both",
                   password=good_key,
                   wait_connect=False, scan_freq="2412")
    dev[1].wait_connected(timeout=15)

    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    wrong_key = "ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    eap_connect(dev[0], apdev[0], "AKA'", imsi,
                password=wrong_key, expect_failure=True)
653
def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    # The test edits the reauth and pseudonyms tables of hostapd.db directly
    # to force the server down the different authentication paths.
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    key = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"

    def run_sql(*statements):
        """Execute the given statements on hostapd.db in one transaction."""
        with con:
            cur = con.cursor()
            for stmt in statements:
                cur.execute(stmt)

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['auth_server_port'] = "1814"
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111", password=key)

    logger.info("AKA' fast re-authentication")
    eap_reauth(dev[0], "AKA'")

    logger.info("AKA' full auth with pseudonym")
    run_sql("DELETE FROM reauth WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'")

    logger.info("AKA' full auth with permanent identity")
    run_sql("DELETE FROM reauth WHERE permanent='6555444333222111'",
            "DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'")

    # AKA' stores K_aut instead of the MK used by SIM/AKA
    logger.info("AKA' reauth with mismatching k_aut")
    run_sql("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111", password=key)
    run_sql("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'")
    run_sql("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
    logger.info("AKA' reauth with mismatching counter")
    eap_reauth(dev[0], "AKA'")
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111", password=key)
    run_sql("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
    logger.info("AKA' reauth with max reauth count reached")
    eap_reauth(dev[0], "AKA'")
711
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    # Bring up the AP and verify its advertised key_mgmt before any station
    # connects, so a misconfigured AP fails the test early.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # PAP inside the TTLS tunnel; the server certificate is validated
    # against auth_serv/ca.pem.
    tunnel = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **tunnel)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    # Both the requested and the selected AKM suite must be 802.1X (00-0f-ac-1).
    expected_mib = [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
                    ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1")]
    check_mib(dev[0], expected_mib)
726
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    # Both matchers are only supported with OpenSSL in this test setup.
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The server certificate has to match the full subject DN and the listed
    # subjectAltName entries for the connection to be accepted.
    matchers = dict(subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                    altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP", **matchers)
    eap_reauth(dev[0], "TTLS")
739
def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=PAP", expect_failure=True)
    # A wrong password for "pap user", then identity "user" with its normal
    # password; both attempts are expected to be rejected.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", password="wrong",
                **common)
    eap_connect(dev[1], apdev[0], "TTLS", "user", password="password",
                **common)
752
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # This variant deliberately uses the DER-encoded CA certificate.
    tunnel = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", **tunnel)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
762
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and altsubject_match"""
    check_altsubject_match_support(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The SAN entries are listed in a different order than in the PAP
    # variant of this test; presumably order is not significant.
    alt_names = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match=alt_names)
    eap_reauth(dev[0], "TTLS")
773
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # (station, identity, password) combinations that must all be rejected.
    attempts = [(dev[0], "chap user", "wrong"),
                (dev[1], "user", "password")]
    for sta, identity, password in attempts:
        eap_connect(sta, apdev[0], "TTLS", identity,
                    anonymous_identity="ttls", password=password,
                    ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
                    expect_failure=True)
786
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    base = dict(anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
    # First connection additionally pins the server certificate's domain.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                domain_suffix_match="server.w1.fi", **base)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    dev[0].request("REMOVE_NETWORK all")
    # Second connection forces small EAP fragments to exercise reassembly.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                fragment_size="200", **base)
802
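def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
    # The docstring previously said CHAP; this test runs with auth=MSCHAP.
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Wrong password, wrong user for this method, and an unknown user: each
    # attempt must be rejected by the server.
    attempts = [(dev[0], "mschap user", "wrong"),
                (dev[1], "user", "password"),
                (dev[2], "no such user", "password")]
    for sta, identity, password in attempts:
        eap_connect(sta, apdev[0], "TTLS", identity,
                    anonymous_identity="ttls", password=password,
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                    expect_failure=True)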
819
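def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # add_ap() already returns the Hostapd handle (as used elsewhere in this
    # file); no need to construct a second one for the same interface.
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # The identity contains a literal backslash (DOMAIN\mschapv2 user). It is
    # written as "\\m" so the literal does not depend on "\m" being left
    # alone as an unknown escape sequence.
    identity = "DOMAIN\\mschapv2 user"
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)

    addr = dev[0].p2p_interface_addr()
    sta1 = hapd.get_sta(addr)
    eapol1 = hapd.get_sta(addr, info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(addr)
    eapol2 = hapd.get_sta(addr, info="eapol")

    def counter(entry, key):
        # Hostapd reports the MIB counters as decimal strings.
        return int(entry[key])

    # The reauthentication must be visible in the authenticator's counters:
    # more EAPOL frames received, an EAP-Start seen while authenticated, and
    # another backend (RADIUS/EAP server) success.
    if counter(sta2, 'dot1xAuthEapolFramesRx') <= counter(sta1, 'dot1xAuthEapolFramesRx'):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if counter(eapol2, 'authAuthEapStartsWhileAuthenticated') < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if counter(eapol2, 'backendAuthSuccesses') <= counter(eapol1, 'backendAuthSuccesses'):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # Same user, but the credential is supplied as an NT hash (presumably of
    # "password") instead of the plaintext.
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")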
848
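def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and domain_suffix_match"""
    # "w1.fi" is only a suffix of the server name; TLS libraries that require
    # a full match are skipped by this check.
    check_domain_match_full(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Backslash in the identity is escaped explicitly ("\\m", not "\m").
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")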
861
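def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # domain_match uses a mixed-case name ("Server.w1.fi"), presumably to
    # confirm the comparison is case-insensitive. The identity's backslash
    # is escaped explicitly ("\\m", not "\m").
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")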
873
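def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Backslash in the first identity is escaped explicitly ("\\m", not "\m").
    attempts = [(dev[0], "DOMAIN\\mschapv2 user", "password1"),
                (dev[1], "user", "password")]
    for sta, identity, password in attempts:
        eap_connect(sta, apdev[0], "TTLS", identity,
                    anonymous_identity="ttls", password=password,
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    expect_failure=True)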
886
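def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # (The original also built an unused Hostapd handle here; dropped.)
    # The same non-ASCII password is supplied as a UTF-8 string for one user
    # and as a hash (presumably its NT hash) for the other.
    eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
                anonymous_identity="ttls", password="secret-åäö-€-password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
                anonymous_identity="ttls",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")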
899
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Inner EAP (autheap=GTC) rather than a plain inner auth protocol.
    tunnel = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    eap_connect(dev[0], apdev[0], "TTLS", "user", **tunnel)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
909
def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # A wrong GTC password must end in EAP failure.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                expect_failure=True)
918
def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" has no password on the server side, so supplying one
    # must still be rejected.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                expect_failure=True)
927
def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
    # Uses the integrated EAP server so allocation failures can be injected
    # into hostapd's EAP-GTC method implementation.
    hapd = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    with alloc_fail(hapd, 1, "eap_gtc_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                    expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                       wait_connect=False, scan_freq="2412")
        # The connection attempt would eventually time out on its own; poll
        # (up to ~2 s) until the injected failure has been consumed instead.
        for _ in range(20):
            time.sleep(0.1)
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                break
951
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    tunnel = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], apdev[0], "TTLS", "user", **tunnel)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
961
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
970
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same user-without-password case as the GTC variant, via EAP-MD5.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
979
def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
    # Integrated EAP server so allocation failures can be injected into
    # hostapd's EAP-MD5 method.
    hapd = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    with alloc_fail(hapd, 1, "eap_md5_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                    expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(hapd, 1, "eap_md5_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                       wait_connect=False, scan_freq="2412")
        # Rather than waiting for the full connection timeout, poll (up to
        # ~2 s) until the injected allocation failure has been consumed.
        for _ in range(20):
            time.sleep(0.1)
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                break
1003
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    base = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                phase2="autheap=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password", **base)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # Same configuration with an off-by-one-character password must fail.
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password1",
                expect_failure=True, **base)
1020
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # User without a server-side password; the attempt must be rejected.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                expect_failure=True)
1029
def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
    # Integrated EAP server so allocation failures can be injected into
    # hostapd's EAP-MSCHAPv2 method at several points of the exchange.
    hapd = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())

    def connect_until_alloc_fail(password):
        # Start a connection attempt and poll (up to ~2 s) until the injected
        # allocation failure has been consumed, instead of waiting for the
        # attempt to time out; then drop the network again.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password=password,
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        for _ in range(20):
            time.sleep(0.1)
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                break
        dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(hapd, 1, "eap_mschapv2_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                    expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(hapd, 1, "eap_mschapv2_build_challenge"):
        connect_until_alloc_fail("password")

    with alloc_fail(hapd, 1, "eap_mschapv2_build_success_req"):
        connect_until_alloc_fail("password")

    # The failure-request path is only reached with a wrong password.
    with alloc_fail(hapd, 1, "eap_mschapv2_build_failure_req"):
        connect_until_alloc_fail("wrong")
1082
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-AKA as the inner method; the password carries the Ki:OPc:SQN
    # triplet the test authentication server expects for this IMSI.
    imsi = "0232010000000000"
    eap_connect(dev[0], apdev[0], "TTLS", imsi,
                anonymous_identity=imsi + "@ttls",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
1091
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same AKA credentials as the TTLS variant, tunnelled through PEAP.
    imsi = "0232010000000000"
    eap_connect(dev[0], apdev[0], "PEAP", imsi,
                anonymous_identity=imsi + "@peap",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
1100
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    imsi = "0232010000000000"
    # Authenticated PAC provisioning (fast_provisioning=2) with the PAC kept
    # in a configuration blob rather than a file.
    fast = dict(phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka")
    eap_connect(dev[0], apdev[0], "FAST", imsi,
                anonymous_identity=imsi + "@fast",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA", **fast)
1112
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    base = dict(anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2")

    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password", **base)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")
    dev[0].request("REMOVE_NETWORK all")
    # Small EAP fragments to exercise reassembly of the PEAP exchange.
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                fragment_size="200", **base)

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # Credential given as a hash (presumably the NT hash of "password").
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **base)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password1",
                expect_failure=True, **base)
1141
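def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Identity with a domain prefix (DOMAIN\user3). The backslash is escaped
    # explicitly: "\u" followed by "ser3" is an invalid unicode escape in a
    # Python 3 string literal, so "\\u" is the only portable spelling.
    eap_connect(dev[0], apdev[0], "PEAP", "DOMAIN\\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")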
1151
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
1160
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)

    def connect(sta, crypto_binding):
        # PEAPv0 with the given crypto_binding policy (2 = required,
        # 1 = optional, 0 = disabled, per the phase1 values used here).
        eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=%d" % crypto_binding,
                    phase2="auth=MSCHAPV2")

    # Required binding first, with connectivity and reauth checks.
    connect(dev[0], 2)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    # Then optional and disabled binding on the other two stations.
    connect(dev[1], 1)
    connect(dev[2], 0)
1180
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    hapd = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    # Failing the server's key derivation for the inner method must make the
    # required crypto binding fail; the error is reported locally.
    with alloc_fail(hapd, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
1191
def test_ap_wpa2_eap_peap_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner = dict(ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    # PEAPv0 with peaplabel=1 is expected to fail against this server.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                phase1="peapver=0 peaplabel=1",
                expect_failure=True, **inner)
    dev[0].request("REMOVE_NETWORK all")

    # Both peap_outer_success policies should still connect.
    for sta, outer_success in ((dev[1], 1), (dev[2], 2)):
        eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                    phase1="peap_outer_success=%d" % outer_success, **inner)

    # PEAPv1 with peaplabel=1: EAP itself must succeed, but the resulting
    # keys do not match the AP's, so no CONNECTED event may follow.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user",
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peapver=1 peaplabel=1",
                   wait_connect=False, scan_freq="2412")
    if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15) is None:
        raise Exception("No EAP success seen")
    if dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1) is not None:
        raise Exception("Unexpected connection")
1222
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-TLS as the inner method: the client certificate and key are given
    # via the phase-2 (*2) parameters, the outer tunnel only trusts the CA.
    inner_tls = dict(ca_cert2="auth_serv/ca.pem",
                     client_cert2="auth_serv/user.pem",
                     private_key2="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS", **inner_tls)
    eap_reauth(dev[0], "PEAP")
1233
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Certificate-based client authentication with file-based credentials.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **creds)
    eap_reauth(dev[0], "TLS")
1242
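def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Each credential is pushed into a named wpa_supplicant blob (hex-encoded
    # over the control interface) and then referenced by a blob:// URI, so
    # the network configuration itself carries no file paths.
    blobs = [("cacert", "auth_serv/ca.pem"),
             ("usercert", "auth_serv/user.pem"),
             ("userkey", "auth_serv/user.rsa-key")]
    for name, path in blobs:
        data = read_pem(path)
        if "OK" not in dev[0].request("SET blob " + name + " " + data.encode("hex")):
            # The original reported a failed userkey blob as "cacert"; the
            # message now names the blob that actually failed.
            raise Exception("Could not set " + name + " blob")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")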
1259
def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # First pass: client cert and key come from a PKCS#12 bundle whose
    # passphrase is stored in the network block.
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever")
    dev[0].request("REMOVE_NETWORK all")
    # Second pass: no passphrase configured, so wpa_supplicant has to ask
    # for it over the control interface (CTRL-REQ-PASSPHRASE-<id>:...) and
    # the test answers with the matching CTRL-RSP-PASSPHRASE-<id>.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   wait_connect=False, scan_freq="2412")
    req = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
    if req is None:
        raise Exception("Request for private key passphrase timed out")
    # The request id is the last '-'-separated field before the ':'.
    field_id = req.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-PASSPHRASE-%s:whatever" % field_id)
    dev[0].wait_connected(timeout=10)
1279
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    # The CA cert (PEM text) and the PKCS#12 bundle (raw bytes) are both
    # loaded as configuration blobs; the bundle still needs its passphrase.
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    ca_hex = read_pem("auth_serv/ca.pem").encode("hex")
    if "OK" not in dev[0].request("SET blob cacert " + ca_hex):
        raise Exception("Could not set cacert blob")
    with open("auth_serv/user.pkcs12", "rb") as f:
        p12_hex = f.read().encode("hex")
    if "OK" not in dev[0].request("SET blob pkcs12 " + p12_hex):
        raise Exception("Could not set pkcs12 blob")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
1293
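def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root"""
    # The server certificate does not chain to auth_serv/ca-incorrect.pem.
    # Both a blob-backed (dev[0]) and a file-backed (dev[1]) copy of the
    # wrong CA must make the station refuse the tunnel: a TLS certificate
    # error, then an EAP failure, a disconnect, and finally the network
    # block being temporarily disabled so the station does not keep
    # retrying against a server it cannot validate.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    cert = read_pem("auth_serv/ca-incorrect.pem")
    if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
        raise Exception("Could not set cacert blob")
    # Backslash escaped explicitly: "\m" is not a valid Python escape.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="blob://cacert",
                   wait_connect=False, scan_freq="2412")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca-incorrect.pem",
                   wait_connect=False, scan_freq="2412")

    # Loop variable is `sta`, not `dev`, so the parameter is not shadowed.
    for sta in (dev[0], dev[1]):
        ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")

        ev = sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        if ev is None:
            raise Exception("EAP method selection timed out")
        if "TTLS" not in ev:
            raise Exception("Unexpected EAP method")

        # Every possible outcome is listed so an unexpected success or
        # connect fails the test immediately instead of timing out.
        ev = sta.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                             "CTRL-EVENT-EAP-SUCCESS",
                             "CTRL-EVENT-EAP-FAILURE",
                             "CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result timed out")
        if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
            raise Exception("TLS certificate error not reported")

        ev = sta.wait_event(["CTRL-EVENT-EAP-SUCCESS",
                             "CTRL-EVENT-EAP-FAILURE",
                             "CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result(2) timed out")
        if "CTRL-EVENT-EAP-FAILURE" not in ev:
            raise Exception("EAP failure not reported")

        ev = sta.wait_event(["CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result(3) timed out")
        if "CTRL-EVENT-DISCONNECTED" not in ev:
            raise Exception("Disconnection not reported")

        ev = sta.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
        if ev is None:
            raise Exception("Network block disabling not reported")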
1352
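def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    # The first network block trusts the real CA and connects. A second
    # block, identical except that it points at ca-incorrect.pem, is then
    # selected. The station must run EAP-TTLS again (EAP method 21) and be
    # disconnected with reason 23 (IEEE 802.1X authentication failed): the
    # earlier successful authentication must not let the new block skip
    # server validation under its own trust settings (presumably this
    # guards TLS session reuse across network blocks -- confirm against the
    # supplicant change this test was added for).
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    ttls_pap = dict(key_mgmt="WPA-EAP", eap="TTLS",
                    identity="pap user", anonymous_identity="ttls",
                    password="password", phase2="auth=PAP",
                    scan_freq="2412")
    dev[0].connect("test-wpa2-eap", ca_cert="auth_serv/ca.pem",
                   wait_connect=True, **ttls_pap)
    # Added but not selected yet; `net_id` avoids shadowing builtin id().
    net_id = dev[0].connect("test-wpa2-eap",
                            ca_cert="auth_serv/ca-incorrect.pem",
                            only_add_network=True, **ttls_pap)

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(net_id, freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")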
1380
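def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    # Variant of test_ap_wpa2_eap_tls_diff_ca_trust where the first block
    # configures no ca_cert at all, i.e. the server certificate is not
    # validated on the first (successful) connection. Switching to a block
    # that trusts only ca-incorrect.pem must still restart EAP-TTLS (EAP
    # method 21) and end in a disconnect with reason 23 (IEEE 802.1X
    # authentication failed) -- the unvalidated first session must not be
    # reused to satisfy the stricter block.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    ttls_pap = dict(key_mgmt="WPA-EAP", eap="TTLS",
                    identity="pap user", anonymous_identity="ttls",
                    password="password", phase2="auth=PAP",
                    scan_freq="2412")
    dev[0].connect("test-wpa2-eap", wait_connect=True, **ttls_pap)
    # Added but not selected yet; `net_id` avoids shadowing builtin id().
    net_id = dev[0].connect("test-wpa2-eap",
                            ca_cert="auth_serv/ca-incorrect.pem",
                            only_add_network=True, **ttls_pap)

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(net_id, freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")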
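def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    # Variant of test_ap_wpa2_eap_tls_diff_ca_trust that edits the SAME
    # network block in place: after a successful connection with the real
    # CA, ca_cert is rewritten to ca-incorrect.pem and the block is
    # re-selected. EAP-TTLS (EAP method 21) must run again and fail with
    # disconnect reason 23 (IEEE 802.1X authentication failed); changing
    # the trust anchor must invalidate whatever the block cached before.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # `net_id` avoids shadowing builtin id().
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            ca_cert="auth_serv/ca.pem",
                            wait_connect=True, scan_freq="2412")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].set_network_quoted(net_id, "ca_cert", "auth_serv/ca-incorrect.pem")
    dev[0].select_network(net_id, freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")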
def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch"""
    # The server chain validates against auth_serv/ca.pem, but its name
    # does not end in incorrect.example.com, so domain_suffix_match must
    # still reject it: a trusted chain alone is not enough to accept a
    # server when a name constraint is configured.
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_suffix_match="incorrect.example.com",
                   wait_connect=False, scan_freq="2412")

    # Expected event sequence as (events to wait for, timeout message,
    # [(substring the event must contain, message if it is missing), ...]).
    # Each wait lists every outcome that could arrive instead, so an
    # unexpected success/connect fails fast rather than timing out.
    steps = [
        (["CTRL-EVENT-EAP-STARTED"],
         "Association and EAP start timed out",
         []),
        (["CTRL-EVENT-EAP-METHOD"],
         "EAP method selection timed out",
         [("TTLS", "Unexpected EAP method")]),
        (["CTRL-EVENT-EAP-TLS-CERT-ERROR",
          "CTRL-EVENT-EAP-SUCCESS",
          "CTRL-EVENT-EAP-FAILURE",
          "CTRL-EVENT-CONNECTED",
          "CTRL-EVENT-DISCONNECTED"],
         "EAP result timed out",
         [("CTRL-EVENT-EAP-TLS-CERT-ERROR", "TLS certificate error not reported"),
          ("Domain suffix mismatch", "Domain suffix mismatch not reported")]),
        (["CTRL-EVENT-EAP-SUCCESS",
          "CTRL-EVENT-EAP-FAILURE",
          "CTRL-EVENT-CONNECTED",
          "CTRL-EVENT-DISCONNECTED"],
         "EAP result(2) timed out",
         [("CTRL-EVENT-EAP-FAILURE", "EAP failure not reported")]),
        (["CTRL-EVENT-CONNECTED",
          "CTRL-EVENT-DISCONNECTED"],
         "EAP result(3) timed out",
         [("CTRL-EVENT-DISCONNECTED", "Disconnection not reported")]),
        (["CTRL-EVENT-SSID-TEMP-DISABLED"],
         "Network block disabling not reported",
         []),
    ]
    for events, timeout_msg, required in steps:
        ev = dev[0].wait_event(events, timeout=10)
        if ev is None:
            raise Exception(timeout_msg)
        for needle, missing_msg in required:
            if needle not in ev:
                raise Exception(missing_msg)
1483
def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch"""
    # The server chain validates against auth_serv/ca.pem, but its name is
    # not exactly w1.fi, so the full-name domain_match constraint must
    # reject it even though the chain itself is trusted.
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_match="w1.fi",
                   wait_connect=False, scan_freq="2412")

    # Expected event sequence as (events to wait for, timeout message,
    # [(substring the event must contain, message if it is missing), ...]).
    # Each wait lists every outcome that could arrive instead, so an
    # unexpected success/connect fails fast rather than timing out.
    steps = [
        (["CTRL-EVENT-EAP-STARTED"],
         "Association and EAP start timed out",
         []),
        (["CTRL-EVENT-EAP-METHOD"],
         "EAP method selection timed out",
         [("TTLS", "Unexpected EAP method")]),
        (["CTRL-EVENT-EAP-TLS-CERT-ERROR",
          "CTRL-EVENT-EAP-SUCCESS",
          "CTRL-EVENT-EAP-FAILURE",
          "CTRL-EVENT-CONNECTED",
          "CTRL-EVENT-DISCONNECTED"],
         "EAP result timed out",
         [("CTRL-EVENT-EAP-TLS-CERT-ERROR", "TLS certificate error not reported"),
          ("Domain mismatch", "Domain mismatch not reported")]),
        (["CTRL-EVENT-EAP-SUCCESS",
          "CTRL-EVENT-EAP-FAILURE",
          "CTRL-EVENT-CONNECTED",
          "CTRL-EVENT-DISCONNECTED"],
         "EAP result(2) timed out",
         [("CTRL-EVENT-EAP-FAILURE", "EAP failure not reported")]),
        (["CTRL-EVENT-CONNECTED",
          "CTRL-EVENT-DISCONNECTED"],
         "EAP result(3) timed out",
         [("CTRL-EVENT-DISCONNECTED", "Disconnection not reported")]),
        (["CTRL-EVENT-SSID-TEMP-DISABLED"],
         "Network block disabling not reported",
         []),
    ]
    for events, timeout_msg, required in steps:
        ev = dev[0].wait_event(events, timeout=10)
        if ev is None:
            raise Exception(timeout_msg)
        for needle, missing_msg in required:
            if needle not in ev:
                raise Exception(missing_msg)
1536
def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch"""
    # The chain validates against auth_serv/ca.pem, but subject_match names
    # a different CN, so the server must be rejected.
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem",
                subject_match="/C=FI/O=w1.fi/CN=example.com",
                wait_connect=False, scan_freq="2412")

    if sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10) is None:
        raise Exception("Association and EAP start timed out")

    ev = sta.wait_event(["CTRL-EVENT-EAP-METHOD",
                         "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        # A TLS backend that cannot enforce subject_match must refuse to
        # start the method rather than silently ignore the constraint; that
        # refusal is the accepted outcome for every library except OpenSSL.
        if sta.request("GET tls_library").startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # Remaining sequence: cert error carrying the subject mismatch, EAP
    # failure, disconnect, then the network block being temp-disabled.
    steps = [
        (["CTRL-EVENT-EAP-TLS-CERT-ERROR",
          "CTRL-EVENT-EAP-SUCCESS",
          "CTRL-EVENT-EAP-FAILURE",
          "CTRL-EVENT-CONNECTED",
          "CTRL-EVENT-DISCONNECTED"],
         "EAP result timed out",
         [("CTRL-EVENT-EAP-TLS-CERT-ERROR", "TLS certificate error not reported"),
          ("Subject mismatch", "Subject mismatch not reported")]),
        (["CTRL-EVENT-EAP-SUCCESS",
          "CTRL-EVENT-EAP-FAILURE",
          "CTRL-EVENT-CONNECTED",
          "CTRL-EVENT-DISCONNECTED"],
         "EAP result(2) timed out",
         [("CTRL-EVENT-EAP-FAILURE", "EAP failure not reported")]),
        (["CTRL-EVENT-CONNECTED",
          "CTRL-EVENT-DISCONNECTED"],
         "EAP result(3) timed out",
         [("CTRL-EVENT-DISCONNECTED", "Disconnection not reported")]),
        (["CTRL-EVENT-SSID-TEMP-DISABLED"],
         "Network block disabling not reported",
         []),
    ]
    for events, timeout_msg, required in steps:
        ev = sta.wait_event(events, timeout=10)
        if ev is None:
            raise Exception(timeout_msg)
        for needle, missing_msg in required:
            if needle not in ev:
                raise Exception(missing_msg)
1596
def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
    """WPA2-Enterprise negative test - altsubject mismatch"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Patterns that must NOT match the server certificate's subjectAltName:
    # a bare name with no type prefix, a wrong DNS name, the parent domain
    # on its own, and a string that is only a trailing part of the real
    # host label (presumably "server.w1.fi" -- confirm against the cert).
    for pattern in ("incorrect.example.com",
                    "DNS:incorrect.example.com",
                    "DNS:w1.fi",
                    "DNS:erver.w1.fi"):
        _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, pattern)
1608
def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    # One altsubject_match pattern that must fail to match the server
    # certificate: expect a cert error, EAP failure, disconnect and the
    # network block being temp-disabled, then clean up the block.
    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem",
                altsubject_match=match,
                wait_connect=False, scan_freq="2412")

    if sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10) is None:
        raise Exception("Association and EAP start timed out")

    ev = sta.wait_event(["CTRL-EVENT-EAP-METHOD",
                         "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        # A TLS backend that cannot enforce altsubject_match must refuse to
        # start the method rather than ignore the constraint; accepted for
        # every library except OpenSSL. Note the network block is left in
        # place on this path.
        if sta.request("GET tls_library").startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    steps = [
        (["CTRL-EVENT-EAP-TLS-CERT-ERROR",
          "CTRL-EVENT-EAP-SUCCESS",
          "CTRL-EVENT-EAP-FAILURE",
          "CTRL-EVENT-CONNECTED",
          "CTRL-EVENT-DISCONNECTED"],
         "EAP result timed out",
         [("CTRL-EVENT-EAP-TLS-CERT-ERROR", "TLS certificate error not reported"),
          ("AltSubject mismatch", "altsubject mismatch not reported")]),
        (["CTRL-EVENT-EAP-SUCCESS",
          "CTRL-EVENT-EAP-FAILURE",
          "CTRL-EVENT-CONNECTED",
          "CTRL-EVENT-DISCONNECTED"],
         "EAP result(2) timed out",
         [("CTRL-EVENT-EAP-FAILURE", "EAP failure not reported")]),
        (["CTRL-EVENT-CONNECTED",
          "CTRL-EVENT-DISCONNECTED"],
         "EAP result(3) timed out",
         [("CTRL-EVENT-DISCONNECTED", "Disconnection not reported")]),
        (["CTRL-EVENT-SSID-TEMP-DISABLED"],
         "Network block disabling not reported",
         []),
    ]
    for events, timeout_msg, required in steps:
        ev = sta.wait_event(events, timeout=10)
        if ev is None:
            raise Exception(timeout_msg)
        for needle, missing_msg in required:
            if needle not in ev:
                raise Exception(missing_msg)

    sta.request("REMOVE_NETWORK all")
1667
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS"""
    # Only a CA certificate is configured: the server is validated, but no
    # client certificate or key is supplied for this method.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    method = "UNAUTH-TLS"
    eap_connect(dev[0], apdev[0], method, "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(dev[0], method)
1675
def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
    check_cert_probe_support(dev[0])
    srv_cert_hash = "1477c9cd88391609444b83eca45c4f9f324e3051c5c31fc233ac6aede30ce7cd"
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]

    # Phase 1: ca_cert="probe://" does not complete the handshake; it only
    # reports the server certificate (with its SHA-256 hash) and then fails
    # the TLS step, which is how a pin is obtained without trusting anything.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="probe", ca_cert="probe://",
                wait_connect=False, scan_freq="2412")
    if sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10) is None:
        raise Exception("Association and EAP start timed out")
    peer_cert = sta.wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
    if peer_cert is None:
        raise Exception("No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in peer_cert:
        raise Exception("Expected server certificate hash not reported")
    cert_err = sta.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if cert_err is None:
        raise Exception("EAP result timed out")
    if "Server certificate chain probe" not in cert_err:
        raise Exception("Server certificate probe not reported")
    sta.wait_disconnected(timeout=10)
    sta.request("REMOVE_NETWORK all")

    # Phase 2: a pin that does not match the server certificate must be
    # reported as a certificate mismatch, not fall back to any CA check.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                wait_connect=False, scan_freq="2412")
    if sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10) is None:
        raise Exception("Association and EAP start timed out")
    cert_err = sta.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if cert_err is None:
        raise Exception("EAP result timed out")
    if "Server certificate mismatch" not in cert_err:
        raise Exception("Server certificate mismatch not reported")
    sta.wait_disconnected(timeout=10)
    sta.request("REMOVE_NETWORK all")

    # Phase 3: the pin obtained in phase 1 is sufficient on its own; no CA
    # certificate is configured for this connection.
    eap_connect(sta, apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")
1721
def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
    # Each malformed pin must make EAP-TTLS fail to initialize rather than
    # start a handshake with a pin that cannot be checked:
    #   dev[0]: md5 is not an accepted hash algorithm for server pinning
    #   dev[1]: sha256 digest truncated (62 hex chars instead of 64)
    #   dev[2]: sha256 digest containing a non-hex character ('Q')
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    bad_pins = [
        "hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
    ]
    for sta, pin in zip(dev, bad_pins):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                    password="password", phase2="auth=MSCHAPV2",
                    ca_cert=pin,
                    wait_connect=False, scan_freq="2412")
    for sta in dev[:3]:
        if sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10) is None:
            raise Exception("Association and EAP start timed out")
        if sta.wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5) is None:
            raise Exception("Did not report EAP method initialization failure")
1748
def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd"""
    check_eap_capa(dev[0], "PWD")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Overlong identity used to exercise EAP-pwd fragmentation on the peer.
    long_identity = "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com"
    secret = "secret password"

    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password=secret)
    eap_reauth(dev[0], "PWD")
    dev[0].request("REMOVE_NETWORK all")

    # Peer-side fragmentation with a moderate fragment size.
    eap_connect(dev[1], apdev[0], "PWD", long_identity, password=secret,
                fragment_size="90")

    logger.info("Negative test with incorrect password")
    # "secret-password" differs from the real password by one character;
    # expect_failure/local_error_report are interpreted by eap_connect.
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
                expect_failure=True, local_error_report=True)

    # Very small fragments on dev[0], whose earlier network was removed.
    eap_connect(dev[0], apdev[0], "PWD", long_identity, password=secret,
                fragment_size="31")
1771
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash"""
    check_eap_capa(dev[0], "PWD")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    nt_hash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    # "pwd-hash" presumably has its credential stored server-side as an NT
    # hash (see auth_serv/eap_user.conf): both the clear-text password and
    # the hash must work for it, while the same hash must be refused for
    # "pwd user", whose credential is the clear-text password.
    eap_connect(dev[0], apdev[0], "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], apdev[0], "PWD", "pwd-hash", password_hex=nt_hash)
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password_hex=nt_hash,
                expect_failure=True, local_error_report=True)
1783
def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups"""
    check_eap_capa(dev[0], "PWD")
    base_params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
                    "rsn_pairwise": "CCMP", "ieee8021x": "1",
                    "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    # IANA EC group ids (19/20/21 = NIST P-256/P-384/P-521, 25/26 = the
    # 192-/224-bit groups); the AP is re-created for each one and the
    # station's network block is dropped so every run negotiates afresh.
    for group in (19, 20, 21, 25, 26):
        params = dict(base_params, pwd_group=str(group))
        hostapd.add_ap(apdev[0]['ifname'], params)
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
1795
def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group"""
    check_eap_capa(dev[0], "PWD")
    # pwd_group=0 is not a valid group; the server must fail the exchange
    # instead of negotiating something else.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "0" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                   identity="pwd user", password="secret password",
                   scan_freq="2412", wait_connect=False)
    # Default wait_event timeout.
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
1810
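def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
    check_eap_capa(dev[0], "PWD")
    # fragment_size=40 on the AP forces the server (authenticator) side to
    # fragment its EAP-pwd messages; the peer must reassemble them.
    # (A dead hostapd.wpa2_eap_params() assignment that was immediately
    # overwritten by this literal has been removed.)
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "19", "fragment_size": "40" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")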
1821
def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    psk = "abcdefghijklmnop0123456789abcdef"
    net_id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user", password=psk)
    eap_reauth(dev[0], "GPSK")

    def set_phase1_and_expect(phase1, events, timeout_msg):
        # Rewriting phase1 on the live network block triggers a new
        # authentication; wait for the expected outcome event.
        dev[0].set_network_quoted(net_id, "phase1", phase1)
        if dev[0].wait_event(events, timeout=10) is None:
            raise Exception(timeout_msg)

    logger.info("Test forced algorithm selection")
    # Ciphersuites 1 and 2 must both be accepted by the server.
    for cipher in ("cipher=1", "cipher=2"):
        set_phase1_and_expect(cipher, ["CTRL-EVENT-EAP-SUCCESS"],
                              "EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    # An unknown ciphersuite must fail rather than be negotiated down.
    set_phase1_and_expect("cipher=9", ["CTRL-EVENT-EAP-FAILURE"],
                          "EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)
1849
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # 32-byte pre-shared key as hex; the negative case differs only in the
    # first byte, so a single-byte change must already be rejected.
    good_key = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    bad_key = "ff" + good_key[2:]
    eap_connect(dev[0], apdev[0], "SAKE", "sake user", password_hex=good_key)
    eap_reauth(dev[0], "SAKE")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SAKE", "sake user", password_hex=bad_key,
                expect_failure=True)
1863
def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    netid = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
    eap_reauth(dev[0], "EKE")

    # Force specific DH group / encryption / PRF / MAC combinations through
    # phase1; each one is expected to negotiate successfully.
    logger.info("Test forced algorithm selection")
    forced = ("dhgroup=5 encr=1 prf=2 mac=2",
              "dhgroup=4 encr=1 prf=2 mac=2",
              "dhgroup=3 encr=1 prf=2 mac=2",
              "dhgroup=3 encr=1 prf=1 mac=1")
    for phase1 in forced:
        dev[0].set_network_quoted(netid, "phase1", phase1)
        if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    # Unsupported identifiers for every proposal field must be rejected.
    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(netid, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
                expect_failure=True)
1892
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")

    # Repeat with a tiny fragment_size so the supplicant side has to
    # fragment its EAP-IKEv2 messages.
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password", fragment_size="50")

    # "ike-password" vs "ike password": a single-character difference.
    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike-password", expect_failure=True)
1908
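def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation

    The AP runs the integrated EAP server with a small fragment_size so the
    server side, not the supplicant, has to fragment EAP-IKEv2 messages.
    """
    # Explicit AP configuration (the generic wpa2_eap_params() result is
    # not used here because the fragment_size entry is required).
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")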
1920
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    identity = "pax.user@example.com"
    eap_connect(dev[0], apdev[0], "PAX", identity,
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(dev[0], "PAX")

    # First octet of the 16-octet key changed: must be rejected.
    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PAX", identity,
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)
1934
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Use the SHA-256 based AKM and require PMF (ieee80211w=2).
    ap_params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    ap_params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    identity = "psk.user@example.com"
    eap_connect(dev[0], apdev[0], "PSK", identity,
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(dev[0], "PSK", sha256=True)
    # 00-0f-ac-5 is the 802.1X-SHA256 AKM suite selector; both the
    # requested and the selected suite must report it.
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
                        ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5") ])

    bss = dev[0].get_bss(apdev[0]['bssid'])
    flags = bss.get('flags')
    if flags is None:
        raise Exception("Could not get BSS flags from BSS table")
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PSK", identity,
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
1958
def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    ap_params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem", wait_connect=False,
                   scan_freq="2412")
    # WPA (not RSN) AP, hence rsn=False for the auth/reauth checks.
    eap_check_auth(dev[0], "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP", rsn=False)
    # 00-50-f2-1 is the WPA (vendor OUI) 802.1X AKM selector.
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
                        ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])

    status = dev[0].get_status(extra="VERBOSE")
    port_control = status.get('portControl')
    if port_control is None:
        raise Exception("portControl missing from STATUS-VERBOSE")
    if port_control != 'Auto':
        raise Exception("Unexpected portControl value: " + port_control)
    session_id = status.get('eap_session_id')
    if session_id is None:
        raise Exception("eap_session_id missing from STATUS-VERBOSE")
    # The EAP Session-Id starts with the method type; 0x19 (25) is PEAP.
    if not session_id.startswith("19"):
        raise Exception("Unexpected eap_session_id value: " + session_id)
1981
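def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry

    Each case connects without a stored identity and/or password and then
    answers the supplicant's CTRL-REQ-IDENTITY / CTRL-REQ-PASSWORD (or
    CTRL-REQ-OTP) requests over the control interface.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # (description, eap, anonymous_identity, identity, phase2,
    #  identity to supply on request or None, password/OTP to supply)
    # The MSCHAPv2 identities contain a literal backslash ("DOMAIN\mschapv2
    # user"); it is written as "\\" so the literal has no invalid escape.
    tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
               "TTLS", "ttls", "DOMAIN\\mschapv2 user", "auth=MSCHAPV2",
               None, "password"),
              ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
               "TTLS", "ttls", None, "auth=MSCHAPV2",
               "DOMAIN\\mschapv2 user", "password"),
              ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
               "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
              ("Connection with dynamic TTLS/EAP-MD5 password entry",
               "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
              ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
               "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
              ("Connection with dynamic PEAP/EAP-GTC password entry",
               "PEAP", None, "user", "auth=GTC", None, "password") ]
    for desc, eap, anon, identity, phase2, req_id, req_pw in tests:
        logger.info(desc)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")
        if req_id:
            ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
            if ev is None:
                raise Exception("Request for identity timed out")
            # Event has the form "CTRL-REQ-IDENTITY-<n>:..."; <n> is the
            # request number that the CTRL-RSP must echo back.
            req_num = ev.split(':')[0].split('-')[-1]
            dev[0].request("CTRL-RSP-IDENTITY-" + req_num + ":" + req_id)
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD", "CTRL-REQ-OTP"])
        if ev is None:
            raise Exception("Request for password timed out")
        req_num = ev.split(':')[0].split('-')[-1]
        # GTC may ask for an OTP instead of a password; answer in kind.
        req_type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
        dev[0].request("CTRL-RSP-" + req_type + "-" + req_num + ":" + req_pw)
        dev[0].wait_connected(timeout=10)
        dev[0].request("REMOVE_NETWORK all")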
2022
def test_ap_wpa2_eap_vendor_test(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    method = "VENDOR-TEST"
    eap_connect(dev[0], apdev[0], method, "vendor-test")
    eap_reauth(dev[0], method)
    # Second station exercises the method's "pending" (delayed) path.
    eap_connect(dev[1], apdev[0], method, "vendor-test", password="pending")
2031
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # fast_provisioning=1 = unauthenticated (anonymous) PAC provisioning;
    # the PAC is kept in a named blob instead of a file.
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(dev[0], hapd)
    # Reauthentication must resume via the provisioned PAC (session ticket).
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2045
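def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file

    dev[0] provisions a text-format PAC file and dev[1] a binary-format
    one; both then reconnect using only the stored PAC. The files contain
    the provisioned PAC-Key, so they are deleted again on exit.
    """
    check_eap_capa(dev[0], "FAST")
    pac_file = os.path.join(params['logdir'], "fast.pac")
    pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    try:
        # Unauthenticated provisioning writes the PAC to pac_file.
        eap_connect(dev[0], apdev[0], "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_provisioning=1", pac_file=pac_file)
        with open(pac_file, "r") as f:
            data = f.read()
        if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
            raise Exception("PAC file header missing")
        if "PAC-Key=" not in data:
            raise Exception("PAC-Key missing from PAC file")
        # No fast_provisioning this time: the PAC saved above must be used.
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    pac_file=pac_file)

        # Same flow with the binary PAC format on the second station.
        eap_connect(dev[1], apdev[0], "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_provisioning=1 fast_pac_format=binary",
                    pac_file=pac_file2)
        dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[1], apdev[0], "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_pac_format=binary",
                    pac_file=pac_file2)
    finally:
        # Best-effort cleanup of the key material: a file may not exist if
        # the test failed before provisioning. Only OS errors are ignored
        # (a bare except would also swallow KeyboardInterrupt).
        for fname in (pac_file, pac_file2):
            try:
                os.remove(fname)
            except OSError:
                pass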
2091
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Unauthenticated provisioning with the PAC list capped at one entry,
    # stored in binary format in a blob.
    phase1 = "fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary"
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1=phase1, pac_file="blob://fast_pac_bin")
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2105
def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    common = dict(key_mgmt="WPA-EAP", eap="FAST",
                  identity="user", anonymous_identity="FAST",
                  password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                  wait_connect=False, scan_freq="2412")

    # No provisioning enabled and the referenced PAC blob holds nothing
    # usable: EAP must fail rather than connect.
    dev[0].connect("test-wpa2-eap", pac_file="blob://fast_pac_not_in_use",
                   **common)
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
    dev[0].request("REMOVE_NETWORK all")

    # Same without any pac_file at all.
    dev[0].connect("test-wpa2-eap", **common)
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
2131
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # fast_provisioning=2 = authenticated provisioning (server certificate
    # validated against ca_cert), inner method GTC.
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
    hwsim_utils.test_connectivity(dev[0], hapd)
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2145
def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    netid = eap_connect(dev[0], apdev[0], "FAST", "user",
                        anonymous_identity="FAST", password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                        phase1="fast_provisioning=2",
                        pac_file="blob://fast_pac_auth")
    # Switching the identity on the live network forces a disconnect and a
    # new EAP-FAST run, which is expected to fail for "user2".
    dev[0].set_network_quoted(netid, "identity", "user2")
    dev[0].wait_disconnected()
    if dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15) is None:
        raise Exception("EAP-FAST not started")
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5) is None:
        raise Exception("EAP failure not reported")
    dev[0].wait_disconnected()
2165
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # ocsp=2 requires a valid stapled OCSP response for the server cert.
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever",
                ocsp=2)
2173
def int_eap_server_params():
    """Return hostapd parameters for a WPA2-EAP AP using the integrated EAP server.

    The returned dict is freshly built on every call, so callers may
    override or delete entries (server_cert, private_key, dh_file, ...)
    before passing it to hostapd.add_ap().
    """
    params = dict(ssid="test-wpa2-eap", wpa="2", wpa_key_mgmt="WPA-EAP")
    params["rsn_pairwise"] = "CCMP"
    params["ieee8021x"] = "1"
    # Integrated EAP server with its user database and TLS credentials.
    params["eap_server"] = "1"
    params["eap_user_file"] = "auth_serv/eap_user.conf"
    params["ca_cert"] = "auth_serv/ca.pem"
    params["server_cert"] = "auth_serv/server.pem"
    params["private_key"] = "auth_serv/server.key"
    return params
2182     
def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # ocsp=2: a stapled response is mandatory and must verify.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # Scan at most 11 EAP status events for the OCSP rejection.
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
2207
def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # The revoked status may be reported either as a bad status response
    # or explicitly as a revoked certificate, depending on the TLS library.
    accepted = ('bad certificate status response', 'certificate revoked')
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if any(msg in ev for msg in accepted):
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
2237
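def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown

    With ocsp=2 (mandatory) a stapled response with status "unknown" must
    be treated as a bad status response and end in EAP failure.
    """
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # Scan at most 11 EAP status events for the OCSP rejection.
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")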
2265
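def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown

    With ocsp=1 (optional) an "unknown" stapled status does not block the
    connection, so connect() is expected to complete.
    """
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")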
2278
def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
    ap_params = int_eap_server_params()
    # Server certificate without a dNSName SAN, so matching falls back to CN.
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Full CN given as the suffix; works with every TLS backend.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="server3.w1.fi",
                   scan_freq="2412")
2291
def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain match (CN)"""
    ap_params = int_eap_server_params()
    # Server certificate without a dNSName SAN, so matching falls back to CN.
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # domain_match requires the full name, not just a suffix.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="server3.w1.fi",
                   scan_freq="2412")
2304
def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
    # A partial suffix ("w1.fi" against CN server3.w1.fi) is only supported
    # by some TLS libraries; skip otherwise.
    check_domain_match_full(dev[0])
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="w1.fi",
                   scan_freq="2412")
2318
def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # dev[0]: unrelated domain. dev[1]: "erver3.w1.fi" is a substring of
    # the CN but not label-aligned, so it must not count as a suffix match.
    suffixes = ("example.com", "erver3.w1.fi")
    for sta, suffix in zip(dev, suffixes):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                    identity="tls user", ca_cert="auth_serv/ca.pem",
                    private_key="auth_serv/user.pkcs12",
                    private_key_passwd="whatever",
                    domain_suffix_match=suffix,
                    wait_connect=False,
                    scan_freq="2412")
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
    if dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report (2)")
2345
def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # dev[0]: unrelated domain. dev[1]: "w1.fi" is only a suffix of the CN,
    # which domain_match (full-name comparison) must reject.
    domains = ("example.com", "w1.fi")
    for sta, domain in zip(dev, domains):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                    identity="tls user", ca_cert="auth_serv/ca.pem",
                    private_key="auth_serv/user.pkcs12",
                    private_key_passwd="whatever",
                    domain_match=domain,
                    wait_connect=False,
                    scan_freq="2412")
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
    if dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report (2)")
2372
def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and expired certificate"""
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-expired.pem"
    ap_params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   wait_connect=False,
                   scan_freq="2412")
    # The supplicant must report the specific certificate error before the
    # generic EAP failure.
    cert_err = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
    if cert_err is None:
        raise Exception("Timeout on EAP certificate error report")
    expired = "reason=4" in cert_err and "certificate has expired" in cert_err
    if not expired:
        raise Exception("Unexpected failure reason: " + cert_err)
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
2392
def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-expired.pem"
    ap_params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # tls_disable_time_checks=1 explicitly opts out of validity-period
    # checking, so the expired server certificate is accepted.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   phase1="tls_disable_time_checks=1",
                   scan_freq="2412")
2404
def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
    ap_params = int_eap_server_params()
    # Certificate carries only the client-authentication EKU, so it must
    # not be accepted as a server certificate.
    ap_params["server_cert"] = "auth_serv/server-eku-client.pem"
    ap_params["private_key"] = "auth_serv/server-eku-client.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   wait_connect=False,
                   scan_freq="2412")
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
2419
def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
    ap_params = int_eap_server_params()
    # Both EKUs present: the server-authentication purpose makes it valid.
    ap_params["server_cert"] = "auth_serv/server-eku-client-server.pem"
    ap_params["private_key"] = "auth_serv/server-eku-client-server.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412")
2430
def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
    ap_params = int_eap_server_params()
    # Certificate and key come from one PKCS#12 container, so the separate
    # server_cert entry is dropped.
    ap_params.pop("server_cert")
    ap_params["private_key"] = "auth_serv/server.pkcs12"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412")
2441
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Client-side DH parameters supplied from a file; CA given in DER form.
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                dh_file="auth_serv/dh.conf")
2450
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Load the DH parameters into a named blob over the control interface
    # (hex-encoded) and reference it with the blob:// scheme.
    dh_params = read_pem("auth_serv/dh2.conf")
    reply = dev[0].request("SET blob dhparams " + dh_params.encode("hex"))
    if "OK" not in reply:
        raise Exception("Could not set dhparams blob")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                dh_file="blob://dhparams")
2462
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams

    Here the AP side (integrated EAP server) is given a non-default DH
    parameter file; the station uses its normal configuration.
    """
    ap_cfg = int_eap_server_params()
    ap_cfg["dh_file"] = "auth_serv/dh2.conf"
    hostapd.add_ap(apdev[0]['ifname'], ap_cfg)

    sta_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", **sta_cfg)
2471
def test_ap_wpa2_eap_reauth(dev, apdev):
    """WPA2-Enterprise and Authenticator forcing reauthentication

    The AP is configured with a very short EAP reauthentication period so
    that it triggers a new EAP exchange shortly after the initial
    connection. The test waits for that exchange to start and succeed and
    then requires the supplicant to return to the COMPLETED state.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['eap_reauth_period'] = '2'
    hostapd.add_ap(apdev[0]['ifname'], params)

    sta = dev[0]
    eap_connect(sta, apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")

    logger.info("Wait for reauthentication")
    for expected in ("CTRL-EVENT-EAP-STARTED", "CTRL-EVENT-EAP-SUCCESS"):
        if sta.wait_event([expected], timeout=10) is None:
            raise Exception("Timeout on reauthentication")

    # EAP success alone is not enough; poll (up to ~2 s) until the
    # supplicant reports the connection as fully re-established.
    state = None
    for _ in range(20):
        state = sta.get_status_field("wpa_state")
        if state == "COMPLETED":
            break
        time.sleep(0.1)
    if state != "COMPLETED":
        raise Exception("Reauthentication did not complete")
2493
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity

    hostapd's eap_message is sent in the EAP-Request/Identity; the '\\0'
    separates the displayable text from the network-info options that
    follow it. The connection simply has to succeed with that in place.
    """
    ssid = "test-wpa2-eap"
    ap_cfg = hostapd.wpa2_eap_params(ssid=ssid)
    ap_cfg['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hostapd.add_ap(apdev[0]['ifname'], ap_cfg)

    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
2501
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication

    Runs EAP-SIM, EAP-AKA and EAP-AKA' in turn against the integrated
    server backed by hlr_auc_gw. For each method dev[0] asks for the
    protected result indication (phase1 result_ind=1) and also performs a
    fast reauthentication, while dev[1] authenticates without requesting
    the indication.
    """
    check_hlr_auc_gw_support()
    params = int_eap_server_params()
    params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    # Server side: enable the protected success/failure indication.
    params['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], params)

    # (method, identity, credential) for each SIM-family method. The
    # credentials are colon-separated test-only values that presumably
    # have to match the entries hlr_auc_gw was started with.
    cases = [
        ("SIM", "1232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("AKA", "0232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]

    for idx, (method, identity, secret) in enumerate(cases):
        if idx:
            # Clear the previous method's profiles before the next one.
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], method, identity, password=secret,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], apdev[0], method, identity, password=secret)
2536
def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
    """WPA2-Enterprise connection resulting in too many EAP roundtrips

    A tiny EAP fragment_size forces the TLS exchange to be split into a
    very large number of request/response pairs. The supplicant is
    expected to give up once its roundtrip limit is hit (logged as
    "EAP: more than ...") instead of continuing indefinitely, which is
    what bounds the work a hostile or broken authenticator can force on
    a client.
    """
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))

    sta = dev[0]
    sta.connect(ssid, key_mgmt="WPA-EAP WPA-EAP-SHA256",
                eap="TTLS", identity="mschap user",
                wait_connect=False, scan_freq="2412", ieee80211w="1",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                fragment_size="10")

    if sta.wait_event(["EAP: more than"], timeout=20) is None:
        raise Exception("EAP roundtrip limit not reached")
2550
def test_ap_wpa2_eap_expanded_nak(dev, apdev):
    """WPA2-Enterprise connection with EAP resulting in expanded NAK

    The station is configured for EAP-PSK only with the 'vendor-test'
    identity, for which the server presumably proposes a method the
    station does not support. The station has to refuse the proposed
    method (reported via CTRL-EVENT-EAP-STATUS) and the exchange must
    then end in an explicit EAP failure rather than hang.
    """
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))

    sta = dev[0]
    # The ff... key is never expected to authenticate successfully.
    sta.connect(ssid, key_mgmt="WPA-EAP WPA-EAP-SHA256",
                eap="PSK", identity="vendor-test",
                password_hex="ff23456789abcdef0123456789abcdef",
                wait_connect=False)

    # Tolerate a few unrelated status events before the refusal shows up.
    for _ in range(5):
        ev = sta.wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        if "refuse proposed method" in ev:
            break
    else:
        raise Exception("Unexpected EAP status: " + ev)

    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("EAP failure timed out")
2574
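def test_ap_wpa2_eap_sql(dev, apdev, params):
    """WPA2-Enterprise connection using SQLite for user DB

    Builds a small SQLite user database in params['logdir'] (one user per
    TTLS inner method plus a wildcard row that allows the TTLS/TLS outer
    methods), points the integrated EAP server at it with
    eap_user_file=sqlite:<path>, and verifies that every user can
    authenticate with its matching phase 2 method. The database file is
    removed again on exit, whether or not the test passed.

    Raises HwsimSkip when the sqlite3 module is not available.
    """
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")

    dbfile = os.path.join(params['logdir'], "eap-user.db")
    # Start from a clean file. Only a missing file is fine to ignore; the
    # original bare 'except:' also hid permission errors (and would have
    # swallowed KeyboardInterrupt), so this is narrowed to OSError.
    try:
        os.remove(dbfile)
    except OSError:
        pass

    con = sqlite3.connect(dbfile)
    try:
        # 'with con' commits the transaction on success. All statements
        # are fixed literals / bound parameters; nothing externally
        # supplied is interpolated into SQL.
        with con:
            cur = con.cursor()
            cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
            cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
            # phase2=1 marks these as inner (tunneled) users.
            cur.executemany("INSERT INTO users(identity,methods,password,phase2) VALUES (?,?,?,1)",
                            [('user-pap', 'TTLS-PAP', 'password'),
                             ('user-chap', 'TTLS-CHAP', 'password'),
                             ('user-mschap', 'TTLS-MSCHAP', 'password'),
                             ('user-mschapv2', 'TTLS-MSCHAPV2', 'password')])
            # Empty-identity wildcard: any outer identity may use TTLS/TLS.
            cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
            # authlog is created for the server's use; the test itself
            # does not read it.
            cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
    finally:
        # 'with con' does not close the connection; release the handle
        # before hostapd opens the same file.
        con.close()

    try:
        ap_params = int_eap_server_params()
        ap_params["eap_user_file"] = "sqlite:" + dbfile
        hostapd.add_ap(apdev[0]['ifname'], ap_params)

        eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
        dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
        eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    finally:
        os.remove(dbfile)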
2618
def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Two stations use identities containing a lone 0x80 byte (not valid
    UTF-8), once on its own and once after an ASCII character, against
    the integrated EAP server. No CA certificate is configured and
    wait_connect is off: the check is only that both exchanges get as far
    as EAP method selection without either side choking on the identity.
    """
    hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())

    identities = ("\x80", "a\x80")
    for sta, ident in zip(dev, identities):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity=ident, password="password", wait_connect=False)

    for sta in dev[:2]:
        if sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10) is None:
            raise Exception("Association and EAP start timed out")
        if sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10) is None:
            raise Exception("EAP method selection timed out")
2634
def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Same as test_ap_wpa2_eap_non_ascii_identity but with the default
    wpa2_eap_params() AP (external RADIUS-style setup) instead of the
    integrated EAP server, so the non-UTF-8 identity travels the other
    server path as well.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    identities = ("\x80", "a\x80")
    for sta, ident in zip(dev, identities):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity=ident, password="password", wait_connect=False)

    for sta in dev[:2]:
        if sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10) is None:
            raise Exception("Association and EAP start timed out")
        if sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10) is None:
            raise Exception("EAP method selection timed out")
2650
def test_openssl_cipher_suite_config_wpas(dev, apdev):
    """OpenSSL cipher suite configuration on wpa_supplicant

    Restricting the station to AES128 suites must still allow the TLS
    tunnel to be set up. Restricting it to EXPORT (export-grade) suites
    must make the connection fail - the server is presumably not willing
    to negotiate those, and a success here would mean deliberately weak
    cipher configuration is silently accepted.
    """
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls)

    ssid = "test-wpa2-eap"
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid=ssid))

    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", **common)
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="EXPORT", expect_failure=True, **common)
2667
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd

    The integrated EAP server is limited to AES256 suites. A station with
    default ciphers and one with "HIGH:!ADH" (high-strength suites,
    anonymous DH excluded) both overlap with that and must connect; a
    station limited to AES128 has no suite in common and must fail.
    Both ends must be using OpenSSL for the cipher strings to apply.
    """
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + tls)

    ap_cfg = int_eap_server_params()
    ap_cfg['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    tls = hapd.request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls)

    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **common)
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", expect_failure=True, **common)
    eap_connect(dev[2], apdev[0], "TTLS", "pap user",
                openssl_ciphers="HIGH:!ADH", **common)
2691
def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
    """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP

    Snapshots the wpa_supplicant process memory at four points of a
    connection's life - associated, disconnected, PMKSA cache and EAP
    fast-reauth state flushed, network profile removed - and checks which
    secrets are still present at each stage. The expected values (MSK,
    EMSK, PMK, PTK, GTK) are recovered from the hexdump lines of the
    debug log under params['logdir'], so key hexdumps must be enabled in
    that log for the test to work.
    """
    p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], p)
    # Long, distinctive password: the same bytes are searched for in the
    # memory snapshots, so it should not collide with unrelated data.
    password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
    pid = find_wpas_process(dev[0])
    id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
                     anonymous_identity="ttls", password=password,
                     ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Let the supplicant settle before taking the first snapshot.
    time.sleep(1)
    buf = read_process_memory(pid, password)

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # Flush the debug log and pull the keying material out of it. On the
    # hexdump lines the hex bytes are the fourth ':'-separated field.
    dev[0].relog()
    msk = None
    emsk = None
    pmk = None
    ptk = None
    gtk = None
    with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
        for l in f.readlines():
            if "EAP-TTLS: Derived key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                msk = binascii.unhexlify(val)
            if "EAP-TTLS: Derived EMSK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                emsk = binascii.unhexlify(val)
            if "WPA: PMK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                pmk = binascii.unhexlify(val)
            if "WPA: PTK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                ptk = binascii.unhexlify(val)
            if "WPA: Group Key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                gtk = binascii.unhexlify(val)
    if not msk or not emsk or not pmk or not ptk or not gtk:
        raise Exception("Could not find keys from debug log")
    # Only the 16-byte (CCMP) group key is expected here.
    if len(gtk) != 16:
        raise Exception("Unexpected GTK length")

    # PTK layout assumed by the checks below: KCK | KEK | TK, 16 bytes each.
    kck = ptk[0:16]
    kek = ptk[16:32]
    tk = ptk[32:48]

    # Path prefix handed to verify_not_present(); presumably used to dump
    # the offending memory region when a key is unexpectedly found.
    fname = os.path.join(params['logdir'],
                         'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')

    logger.info("Checking keys in memory while associated")
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    # While associated the supplicant legitimately holds the password, PMK,
    # KCK and KEK. Not finding the password/PMK is treated as a problem
    # with the memory read (skip) rather than a test failure.
    if password not in buf:
        raise HwsimSkip("Password not found while associated")
    if pmk not in buf:
        raise HwsimSkip("PMK not found while associated")
    if kck not in buf:
        raise Exception("KCK not found while associated")
    if kek not in buf:
        raise Exception("KEK not found while associated")
    # TK and GTK must NOT remain in user space once in use - presumably
    # because they have been handed to the driver and cleared locally.
    if tk in buf:
        raise Exception("TK found from memory")
    if gtk in buf:
        raise Exception("GTK found from memory")

    logger.info("Checking keys in memory after disassociation")
    buf = read_process_memory(pid, password)

    # Note: Password is still present in network configuration
    # Note: PMK is in PMKSA cache and EAP fast re-auth data
    # Only the per-association handshake keys have to be gone at this stage.

    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")

    # Flushing the PMKSA cache and changing the identity (which drops the
    # EAP fast-reauth state) must also clear the PMK from memory.
    dev[0].request("PMKSA_FLUSH")
    dev[0].set_network_quoted(id, "identity", "foo")
    logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
    buf = read_process_memory(pid, password)
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, pmk, fname, "PMK")

    dev[0].request("REMOVE_NETWORK all")

    # With the profile removed nothing derived from the credentials may
    # survive: password, PMK, MSK/EMSK and every handshake key.
    logger.info("Checking keys in memory after network profile removal")
    buf = read_process_memory(pid, password)

    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, password, fname, "password")
    verify_not_present(buf, pmk, fname, "PMK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")
    verify_not_present(buf, msk, fname, "MSK")
    verify_not_present(buf, emsk, fname, "EMSK")
2802
def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
    """WPA2-Enterprise connection and unexpected WEP EAPOL-Key

    After a normal EAP-TTLS/PAP connection a WEP-style EAPOL-Key frame is
    injected on the station (as if it came from the AP) via EAPOL_RX.
    wpa_supplicant is expected to drop it silently; the only thing
    asserted is that the control-interface injection itself was accepted.
    """
    ssid = "test-wpa2-eap"
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid=ssid))
    bssid = apdev[0]['bssid']

    sta = dev[0]
    eap_connect(sta, apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")

    # Send unexpected WEP EAPOL-Key; this gets dropped
    frame = ("0203002c01000000000000000000000000000000000000000000000000"
             "00000000000000000000000000000000000000")
    if "OK" not in sta.request("EAPOL_RX " + bssid + " " + frame):
        raise Exception("EAPOL_RX to wpa_supplicant failed")
2816
def test_ap_wpa2_eap_in_bridge(dev, apdev):
    """WPA2-EAP and wpas interface in a bridge

    Thin wrapper around _test_ap_wpa2_eap_in_bridge() that always tears
    the bridge and 4-address mode down again, even when the test body
    raises. Each cleanup command runs as an argument list (no shell) and
    failures are ignored, since the earlier setup steps may not all have
    happened.
    """
    br_ifname = 'sta-br0'
    ifname = 'wlan5'
    cleanup = (
        ['ip', 'link', 'set', 'dev', br_ifname, 'down'],
        ['brctl', 'delif', br_ifname, ifname],
        ['brctl', 'delbr', br_ifname],
        ['iw', ifname, 'set', '4addr', 'off'],
    )
    try:
        _test_ap_wpa2_eap_in_bridge(dev, apdev)
    finally:
        for cmd in cleanup:
            subprocess.call(cmd)
2828
def _test_ap_wpa2_eap_in_bridge(dev, apdev):
    """Body of test_ap_wpa2_eap_in_bridge (cleanup is done by the caller).

    Puts the wlan5 station interface into 4-address mode, adds it to a
    freshly created bridge and attaches wpa_supplicant to it with
    br_ifname set, then authenticates with EAP-PAX, reauthenticates twice
    and finally disconnects/reconnects to make sure EAPOL still works
    through the bridged interface. Only the final 'brctl addif' is
    checked for success.
    """
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    br_ifname = 'sta-br0'
    ifname = 'wlan5'
    wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')

    for cmd in (['brctl', 'addbr', br_ifname],
                ['brctl', 'setfd', br_ifname, '0'],
                ['ip', 'link', 'set', 'dev', br_ifname, 'up'],
                ['iw', ifname, 'set', '4addr', 'on']):
        subprocess.call(cmd)
    subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
    wpas.interface_add(ifname, br_ifname=br_ifname)

    net_id = eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
                         password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(wpas, "PAX")
    # Try again as a regression test for packet socket workaround
    eap_reauth(wpas, "PAX")

    wpas.request("DISCONNECT")
    wpas.wait_disconnected()
    wpas.request("RECONNECT")
    wpas.wait_connected()
2852
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled

    Connects with tls_disable_session_ticket=0 in phase1 (i.e. TLS session
    tickets allowed) and then reauthenticates, so that the resumption
    path is exercised as well. The AP's GET_CONFIG is sanity-checked to
    report WPA-EAP as the first key_mgmt before connecting.
    """
    ssid = "test-wpa2-eap"
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid=ssid))

    key_mgmt = hapd.get_config()['key_mgmt']
    first = key_mgmt.split(' ')[0]
    if first != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)

    sta = dev[0]
    eap_connect(sta, apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
    eap_reauth(sta, "TTLS")
2865
def test_ap_wpa2_eap_no_workaround(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0

    Connects with the EAP interoperability workarounds disabled on the
    station (eap_workaround='0') and reauthenticates once. The AP's
    GET_CONFIG is sanity-checked to report WPA-EAP as the first key_mgmt
    before connecting.
    """
    ssid = "test-wpa2-eap"
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid=ssid))

    key_mgmt = hapd.get_config()['key_mgmt']
    first = key_mgmt.split(' ')[0]
    if first != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)

    sta = dev[0]
    eap_connect(sta, apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                phase2="auth=PAP")
    eap_reauth(sta, "TTLS")