1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
13 logger = logging.getLogger()
20 from utils import HwsimSkip, alloc_fail, fail_test, skip_with_fips, wait_fail_trigger
21 from wpasupplicant import WpaSupplicant
22 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations, set_test_assoc_ie
26 openssl_imported = True
28 openssl_imported = False
def check_hlr_auc_gw_support():
    """Skip the current test when the hlr_auc_gw helper is not running.

    The EAP-SIM/AKA tests need the HLR/AuC gateway helper process; its
    availability is detected purely by the presence of its control socket.

    Raises:
        HwsimSkip: if the socket path does not exist.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    # Existence only: the harness assumes a trusted local test host, so
    # nothing about the socket's owner or permissions is verified here.
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
34 def check_eap_capa(dev, method):
35 res = dev.get_capability("eap")
37 raise HwsimSkip("EAP method %s not supported in the build" % method)
def check_subject_match_support(dev):
    """Skip the current test unless *dev* was built against OpenSSL.

    The ``subject_match`` network parameter is only honoured by the
    OpenSSL backend, so tests relying on it cannot run elsewhere.

    Args:
        dev: wpa_supplicant control object (must provide ``request``).

    Raises:
        HwsimSkip: if ``GET tls_library`` does not report OpenSSL.
    """
    lib = dev.request("GET tls_library")
    if lib.startswith("OpenSSL"):
        return
    msg = "subject_match not supported with this TLS library: " + lib
    raise HwsimSkip(msg)
def check_altsubject_match_support(dev):
    """Skip the current test unless *dev* was built against OpenSSL.

    ``altsubject_match`` (matching on subjectAltName entries of the server
    certificate) is only available with the OpenSSL backend.

    Args:
        dev: wpa_supplicant control object (must provide ``request``).

    Raises:
        HwsimSkip: if ``GET tls_library`` does not report OpenSSL.
    """
    lib = dev.request("GET tls_library")
    if lib.startswith("OpenSSL"):
        return
    msg = "altsubject_match not supported with this TLS library: " + lib
    raise HwsimSkip(msg)
def check_domain_match(dev):
    """Skip the current test when *dev* uses the internal TLS implementation.

    ``domain_match`` is not implemented by the internal TLS library; every
    other backend is accepted.

    Args:
        dev: wpa_supplicant control object (must provide ``request``).

    Raises:
        HwsimSkip: if ``GET tls_library`` reports the internal library.
    """
    lib = dev.request("GET tls_library")
    is_internal = lib.startswith("internal")
    if is_internal:
        raise HwsimSkip("domain_match not supported with this TLS library: " + lib)
def check_domain_suffix_match(dev):
    """Skip the current test when *dev* uses the internal TLS implementation.

    ``domain_suffix_match`` is not implemented by the internal TLS library;
    every other backend is accepted.

    Args:
        dev: wpa_supplicant control object (must provide ``request``).

    Raises:
        HwsimSkip: if ``GET tls_library`` reports the internal library.
    """
    lib = dev.request("GET tls_library")
    is_internal = lib.startswith("internal")
    if is_internal:
        raise HwsimSkip("domain_suffix_match not supported with this TLS library: " + lib)
def check_domain_match_full(dev):
    """Skip the current test unless *dev* was built against OpenSSL.

    Only the OpenSSL backend applies ``domain_suffix_match`` as a true
    suffix match; other libraries require the full name to match, so tests
    that exercise suffix semantics are skipped for them.

    Args:
        dev: wpa_supplicant control object (must provide ``request``).

    Raises:
        HwsimSkip: if ``GET tls_library`` does not report OpenSSL.
    """
    lib = dev.request("GET tls_library")
    if lib.startswith("OpenSSL"):
        return
    msg = "domain_suffix_match requires full match with this TLS library: " + lib
    raise HwsimSkip(msg)
def check_cert_probe_support(dev):
    """Skip the current test unless the TLS backend supports certificate probing.

    Probing (fetching the server certificate without completing the
    handshake) is available with the OpenSSL and internal TLS backends only.

    Args:
        dev: wpa_supplicant control object (must provide ``request``).

    Raises:
        HwsimSkip: if ``GET tls_library`` reports any other library.
    """
    lib = dev.request("GET tls_library")
    # startswith() accepts a tuple, so one call covers both supported backends.
    if lib.startswith(("OpenSSL", "internal")):
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + lib)
def check_ext_cert_check_support(dev):
    """Skip the current test unless *dev* was built against OpenSSL.

    The ``ext_cert_check`` option (delegating server certificate validation
    to an external program via the control interface) needs the OpenSSL
    backend.

    Args:
        dev: wpa_supplicant control object (must provide ``request``).

    Raises:
        HwsimSkip: if ``GET tls_library`` does not report OpenSSL.
    """
    lib = dev.request("GET tls_library")
    if lib.startswith("OpenSSL"):
        return
    msg = "ext_cert_check not supported with this TLS library: " + lib
    raise HwsimSkip(msg)
def check_ocsp_support(dev):
    """Placeholder gate for OCSP tests; currently never skips.

    The TLS library name is still queried (so the control-interface round
    trip is exercised), but the library-specific skip conditions that used
    to live here are disabled, i.e. OCSP tests run with every backend.

    Args:
        dev: wpa_supplicant control object (must provide ``request``).
    """
    _lib = dev.request("GET tls_library")
    # NOTE: no backend is excluded at the moment; re-add a HwsimSkip here if
    # a TLS library without OCSP stapling support is brought back into CI.
def check_pkcs12_support(dev):
    """Placeholder gate for PKCS#12 tests; currently never skips.

    The TLS library name is still queried, but the skip condition for the
    internal TLS library is disabled, so PKCS#12 tests run with every
    backend.

    Args:
        dev: wpa_supplicant control object (must provide ``request``).
    """
    _lib = dev.request("GET tls_library")
    # NOTE: no backend is excluded at the moment; re-add a HwsimSkip here if
    # a TLS library without PKCS#12 support needs to be gated again.
def check_dh_dsa_support(dev):
    """Skip the current test when *dev* uses the internal TLS implementation.

    DH parameter files with DSA keys are not supported by the internal TLS
    library; every other backend is accepted.

    Args:
        dev: wpa_supplicant control object (must provide ``request``).

    Raises:
        HwsimSkip: if ``GET tls_library`` reports the internal library.
    """
    lib = dev.request("GET tls_library")
    is_internal = lib.startswith("internal")
    if is_internal:
        raise HwsimSkip("DH DSA not supported with this TLS library: " + lib)
92 with open(fname, "r") as f:
101 if "-----BEGIN" in l:
103 return base64.b64decode(cert)
105 def eap_connect(dev, ap, method, identity,
106 sha256=False, expect_failure=False, local_error_report=False,
107 maybe_local_error=False, **kwargs):
108 hapd = hostapd.Hostapd(ap['ifname'])
109 id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
110 eap=method, identity=identity,
111 wait_connect=False, scan_freq="2412", ieee80211w="1",
113 eap_check_auth(dev, method, True, sha256=sha256,
114 expect_failure=expect_failure,
115 local_error_report=local_error_report,
116 maybe_local_error=maybe_local_error)
119 ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
121 raise Exception("No connection event received from hostapd")
124 def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
125 expect_failure=False, local_error_report=False,
126 maybe_local_error=False):
127 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
129 raise Exception("Association and EAP start timed out")
130 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD",
131 "CTRL-EVENT-EAP-FAILURE"], timeout=10)
133 raise Exception("EAP method selection timed out")
134 if "CTRL-EVENT-EAP-FAILURE" in ev:
135 if maybe_local_error:
137 raise Exception("Could not select EAP method")
139 raise Exception("Unexpected EAP method")
141 ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
143 raise Exception("EAP failure timed out")
144 ev = dev.wait_disconnected(timeout=10)
145 if maybe_local_error and "locally_generated=1" in ev:
147 if not local_error_report:
148 if "reason=23" not in ev:
149 raise Exception("Proper reason code for disconnection not reported")
151 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
153 raise Exception("EAP success timed out")
156 ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
158 ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
160 raise Exception("Association with the AP timed out")
161 status = dev.get_status()
162 if status["wpa_state"] != "COMPLETED":
163 raise Exception("Connection not completed")
165 if status["suppPortStatus"] != "Authorized":
166 raise Exception("Port not authorized")
167 if method not in status["selectedMethod"]:
168 raise Exception("Incorrect EAP method status")
170 e = "WPA2-EAP-SHA256"
172 e = "WPA2/IEEE 802.1X/EAP"
174 e = "WPA/IEEE 802.1X/EAP"
175 if status["key_mgmt"] != e:
176 raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger an EAP re-authentication on *dev* and validate its outcome.

    Issues ``REAUTHENTICATE`` over the control interface and then hands the
    result checking to ``eap_check_auth`` with ``initial=False``.

    Args:
        dev: wpa_supplicant control object.
        method: expected EAP method name (e.g. ``"SIM"``, ``"TTLS"``).
        rsn: forwarded to ``eap_check_auth``.
        sha256: forwarded to ``eap_check_auth``.
        expect_failure: forwarded to ``eap_check_auth``; set when the
            re-authentication is expected to be rejected.

    Returns:
        Whatever ``eap_check_auth`` returns.
    """
    dev.request("REAUTHENTICATE")
    opts = dict(rsn=rsn, sha256=sha256, expect_failure=expect_failure)
    # Third positional argument is ``initial``: this is not the first
    # authentication of the association.
    return eap_check_auth(dev, method, False, **opts)
184 def test_ap_wpa2_eap_sim(dev, apdev):
185 """WPA2-Enterprise connection using EAP-SIM"""
186 check_hlr_auc_gw_support()
187 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
188 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
189 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
190 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
191 hwsim_utils.test_connectivity(dev[0], hapd)
192 eap_reauth(dev[0], "SIM")
194 eap_connect(dev[1], apdev[0], "SIM", "1232010000000001",
195 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
196 eap_connect(dev[2], apdev[0], "SIM", "1232010000000002",
197 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
200 logger.info("Negative test with incorrect key")
201 dev[0].request("REMOVE_NETWORK all")
202 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
203 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
206 logger.info("Invalid GSM-Milenage key")
207 dev[0].request("REMOVE_NETWORK all")
208 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
209 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
212 logger.info("Invalid GSM-Milenage key(2)")
213 dev[0].request("REMOVE_NETWORK all")
214 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
215 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
218 logger.info("Invalid GSM-Milenage key(3)")
219 dev[0].request("REMOVE_NETWORK all")
220 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
221 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
224 logger.info("Invalid GSM-Milenage key(4)")
225 dev[0].request("REMOVE_NETWORK all")
226 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
227 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
230 logger.info("Missing key configuration")
231 dev[0].request("REMOVE_NETWORK all")
232 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
235 def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
236 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
237 check_hlr_auc_gw_support()
241 raise HwsimSkip("No sqlite3 module available")
242 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
243 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
244 params['auth_server_port'] = "1814"
245 hostapd.add_ap(apdev[0]['ifname'], params)
246 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
247 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
249 logger.info("SIM fast re-authentication")
250 eap_reauth(dev[0], "SIM")
252 logger.info("SIM full auth with pseudonym")
255 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
256 eap_reauth(dev[0], "SIM")
258 logger.info("SIM full auth with permanent identity")
261 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
262 cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
263 eap_reauth(dev[0], "SIM")
265 logger.info("SIM reauth with mismatching MK")
268 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
269 eap_reauth(dev[0], "SIM", expect_failure=True)
270 dev[0].request("REMOVE_NETWORK all")
272 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
273 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
276 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
277 eap_reauth(dev[0], "SIM")
280 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
281 logger.info("SIM reauth with mismatching counter")
282 eap_reauth(dev[0], "SIM")
283 dev[0].request("REMOVE_NETWORK all")
285 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
286 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
289 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
290 logger.info("SIM reauth with max reauth count reached")
291 eap_reauth(dev[0], "SIM")
293 def test_ap_wpa2_eap_sim_config(dev, apdev):
294 """EAP-SIM configuration options"""
295 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
296 hostapd.add_ap(apdev[0]['ifname'], params)
297 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
298 identity="1232010000000000",
299 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
300 phase1="sim_min_num_chal=1",
301 wait_connect=False, scan_freq="2412")
302 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
304 raise Exception("No EAP error message seen")
305 dev[0].request("REMOVE_NETWORK all")
307 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
308 identity="1232010000000000",
309 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
310 phase1="sim_min_num_chal=4",
311 wait_connect=False, scan_freq="2412")
312 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
314 raise Exception("No EAP error message seen (2)")
315 dev[0].request("REMOVE_NETWORK all")
317 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
318 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
319 phase1="sim_min_num_chal=2")
320 eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
321 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
322 anonymous_identity="345678")
324 def test_ap_wpa2_eap_sim_ext(dev, apdev):
325 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
327 _test_ap_wpa2_eap_sim_ext(dev, apdev)
329 dev[0].request("SET external_sim 0")
331 def _test_ap_wpa2_eap_sim_ext(dev, apdev):
332 check_hlr_auc_gw_support()
333 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
334 hostapd.add_ap(apdev[0]['ifname'], params)
335 dev[0].request("SET external_sim 1")
336 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
337 identity="1232010000000000",
338 wait_connect=False, scan_freq="2412")
339 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
341 raise Exception("Network connected timed out")
343 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
345 raise Exception("Wait for external SIM processing request timed out")
347 if p[1] != "GSM-AUTH":
348 raise Exception("Unexpected CTRL-REQ-SIM type")
349 rid = p[0].split('-')[3]
352 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
353 # This will fail during processing, but the ctrl_iface command succeeds
354 dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
355 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
357 raise Exception("EAP failure not reported")
358 dev[0].request("DISCONNECT")
359 dev[0].wait_disconnected()
362 dev[0].select_network(id, freq="2412")
363 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
365 raise Exception("Wait for external SIM processing request timed out")
367 if p[1] != "GSM-AUTH":
368 raise Exception("Unexpected CTRL-REQ-SIM type")
369 rid = p[0].split('-')[3]
370 # This will fail during GSM auth validation
371 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:q"):
372 raise Exception("CTRL-RSP-SIM failed")
373 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
375 raise Exception("EAP failure not reported")
376 dev[0].request("DISCONNECT")
377 dev[0].wait_disconnected()
380 dev[0].select_network(id, freq="2412")
381 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
383 raise Exception("Wait for external SIM processing request timed out")
385 if p[1] != "GSM-AUTH":
386 raise Exception("Unexpected CTRL-REQ-SIM type")
387 rid = p[0].split('-')[3]
388 # This will fail during GSM auth validation
389 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:34"):
390 raise Exception("CTRL-RSP-SIM failed")
391 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
393 raise Exception("EAP failure not reported")
394 dev[0].request("DISCONNECT")
395 dev[0].wait_disconnected()
398 dev[0].select_network(id, freq="2412")
399 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
401 raise Exception("Wait for external SIM processing request timed out")
403 if p[1] != "GSM-AUTH":
404 raise Exception("Unexpected CTRL-REQ-SIM type")
405 rid = p[0].split('-')[3]
406 # This will fail during GSM auth validation
407 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677"):
408 raise Exception("CTRL-RSP-SIM failed")
409 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
411 raise Exception("EAP failure not reported")
412 dev[0].request("DISCONNECT")
413 dev[0].wait_disconnected()
416 dev[0].select_network(id, freq="2412")
417 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
419 raise Exception("Wait for external SIM processing request timed out")
421 if p[1] != "GSM-AUTH":
422 raise Exception("Unexpected CTRL-REQ-SIM type")
423 rid = p[0].split('-')[3]
424 # This will fail during GSM auth validation
425 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:q"):
426 raise Exception("CTRL-RSP-SIM failed")
427 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
429 raise Exception("EAP failure not reported")
430 dev[0].request("DISCONNECT")
431 dev[0].wait_disconnected()
434 dev[0].select_network(id, freq="2412")
435 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
437 raise Exception("Wait for external SIM processing request timed out")
439 if p[1] != "GSM-AUTH":
440 raise Exception("Unexpected CTRL-REQ-SIM type")
441 rid = p[0].split('-')[3]
442 # This will fail during GSM auth validation
443 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233"):
444 raise Exception("CTRL-RSP-SIM failed")
445 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
447 raise Exception("EAP failure not reported")
448 dev[0].request("DISCONNECT")
449 dev[0].wait_disconnected()
452 dev[0].select_network(id, freq="2412")
453 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
455 raise Exception("Wait for external SIM processing request timed out")
457 if p[1] != "GSM-AUTH":
458 raise Exception("Unexpected CTRL-REQ-SIM type")
459 rid = p[0].split('-')[3]
460 # This will fail during GSM auth validation
461 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233:q"):
462 raise Exception("CTRL-RSP-SIM failed")
463 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
465 raise Exception("EAP failure not reported")
467 def test_ap_wpa2_eap_sim_oom(dev, apdev):
468 """EAP-SIM and OOM"""
469 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
470 hostapd.add_ap(apdev[0]['ifname'], params)
471 tests = [ (1, "milenage_f2345"),
472 (2, "milenage_f2345"),
473 (3, "milenage_f2345"),
474 (4, "milenage_f2345"),
475 (5, "milenage_f2345"),
476 (6, "milenage_f2345"),
477 (7, "milenage_f2345"),
478 (8, "milenage_f2345"),
479 (9, "milenage_f2345"),
480 (10, "milenage_f2345"),
481 (11, "milenage_f2345"),
482 (12, "milenage_f2345") ]
483 for count, func in tests:
484 with alloc_fail(dev[0], count, func):
485 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
486 identity="1232010000000000",
487 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
488 wait_connect=False, scan_freq="2412")
489 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
491 raise Exception("EAP method not selected")
492 dev[0].wait_disconnected()
493 dev[0].request("REMOVE_NETWORK all")
495 def test_ap_wpa2_eap_aka(dev, apdev):
496 """WPA2-Enterprise connection using EAP-AKA"""
497 check_hlr_auc_gw_support()
498 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
499 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
500 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
501 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
502 hwsim_utils.test_connectivity(dev[0], hapd)
503 eap_reauth(dev[0], "AKA")
505 logger.info("Negative test with incorrect key")
506 dev[0].request("REMOVE_NETWORK all")
507 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
508 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
511 logger.info("Invalid Milenage key")
512 dev[0].request("REMOVE_NETWORK all")
513 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
514 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
517 logger.info("Invalid Milenage key(2)")
518 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
519 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
522 logger.info("Invalid Milenage key(3)")
523 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
524 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
527 logger.info("Invalid Milenage key(4)")
528 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
529 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
532 logger.info("Invalid Milenage key(5)")
533 dev[0].request("REMOVE_NETWORK all")
534 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
535 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
538 logger.info("Invalid Milenage key(6)")
539 dev[0].request("REMOVE_NETWORK all")
540 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
541 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
544 logger.info("Missing key configuration")
545 dev[0].request("REMOVE_NETWORK all")
546 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
549 def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
550 """WPA2-Enterprise connection using EAP-AKA (SQL)"""
551 check_hlr_auc_gw_support()
555 raise HwsimSkip("No sqlite3 module available")
556 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
557 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
558 params['auth_server_port'] = "1814"
559 hostapd.add_ap(apdev[0]['ifname'], params)
560 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
561 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
563 logger.info("AKA fast re-authentication")
564 eap_reauth(dev[0], "AKA")
566 logger.info("AKA full auth with pseudonym")
569 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
570 eap_reauth(dev[0], "AKA")
572 logger.info("AKA full auth with permanent identity")
575 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
576 cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
577 eap_reauth(dev[0], "AKA")
579 logger.info("AKA reauth with mismatching MK")
582 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
583 eap_reauth(dev[0], "AKA", expect_failure=True)
584 dev[0].request("REMOVE_NETWORK all")
586 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
587 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
590 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
591 eap_reauth(dev[0], "AKA")
594 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
595 logger.info("AKA reauth with mismatching counter")
596 eap_reauth(dev[0], "AKA")
597 dev[0].request("REMOVE_NETWORK all")
599 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
600 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
603 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
604 logger.info("AKA reauth with max reauth count reached")
605 eap_reauth(dev[0], "AKA")
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Milenage test vector (Ki:OPc:SQN) for the test IMSI; anonymous_identity
    # is the outer identity sent in the EAP-Response/Identity.
    aka_password = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password=aka_password,
                anonymous_identity="2345678")
615 def test_ap_wpa2_eap_aka_ext(dev, apdev):
616 """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
618 _test_ap_wpa2_eap_aka_ext(dev, apdev)
620 dev[0].request("SET external_sim 0")
622 def _test_ap_wpa2_eap_aka_ext(dev, apdev):
623 check_hlr_auc_gw_support()
624 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
625 hostapd.add_ap(apdev[0]['ifname'], params)
626 dev[0].request("SET external_sim 1")
627 id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
628 identity="0232010000000000",
629 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
630 wait_connect=False, scan_freq="2412")
631 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
633 raise Exception("Network connected timed out")
635 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
637 raise Exception("Wait for external SIM processing request timed out")
639 if p[1] != "UMTS-AUTH":
640 raise Exception("Unexpected CTRL-REQ-SIM type")
641 rid = p[0].split('-')[3]
644 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
645 # This will fail during processing, but the ctrl_iface command succeeds
646 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
647 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
649 raise Exception("EAP failure not reported")
650 dev[0].request("DISCONNECT")
651 dev[0].wait_disconnected()
653 dev[0].dump_monitor()
655 dev[0].select_network(id, freq="2412")
656 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
658 raise Exception("Wait for external SIM processing request timed out")
660 if p[1] != "UMTS-AUTH":
661 raise Exception("Unexpected CTRL-REQ-SIM type")
662 rid = p[0].split('-')[3]
663 # This will fail during UMTS auth validation
664 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
665 raise Exception("CTRL-RSP-SIM failed")
666 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
668 raise Exception("Wait for external SIM processing request timed out")
670 if p[1] != "UMTS-AUTH":
671 raise Exception("Unexpected CTRL-REQ-SIM type")
672 rid = p[0].split('-')[3]
673 # This will fail during UMTS auth validation
674 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
675 raise Exception("CTRL-RSP-SIM failed")
676 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
678 raise Exception("EAP failure not reported")
679 dev[0].request("DISCONNECT")
680 dev[0].wait_disconnected()
682 dev[0].dump_monitor()
684 tests = [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
686 ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
687 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
688 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
689 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
690 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
692 dev[0].select_network(id, freq="2412")
693 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
695 raise Exception("Wait for external SIM processing request timed out")
697 if p[1] != "UMTS-AUTH":
698 raise Exception("Unexpected CTRL-REQ-SIM type")
699 rid = p[0].split('-')[3]
700 # This will fail during UMTS auth validation
701 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
702 raise Exception("CTRL-RSP-SIM failed")
703 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
705 raise Exception("EAP failure not reported")
706 dev[0].request("DISCONNECT")
707 dev[0].wait_disconnected()
709 dev[0].dump_monitor()
711 def test_ap_wpa2_eap_aka_prime(dev, apdev):
712 """WPA2-Enterprise connection using EAP-AKA'"""
713 check_hlr_auc_gw_support()
714 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
715 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
716 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
717 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
718 hwsim_utils.test_connectivity(dev[0], hapd)
719 eap_reauth(dev[0], "AKA'")
721 logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
722 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
723 identity="6555444333222111@both",
724 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
725 wait_connect=False, scan_freq="2412")
726 dev[1].wait_connected(timeout=15)
728 logger.info("Negative test with incorrect key")
729 dev[0].request("REMOVE_NETWORK all")
730 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
731 password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
734 def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
735 """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
736 check_hlr_auc_gw_support()
740 raise HwsimSkip("No sqlite3 module available")
741 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
742 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
743 params['auth_server_port'] = "1814"
744 hostapd.add_ap(apdev[0]['ifname'], params)
745 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
746 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
748 logger.info("AKA' fast re-authentication")
749 eap_reauth(dev[0], "AKA'")
751 logger.info("AKA' full auth with pseudonym")
754 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
755 eap_reauth(dev[0], "AKA'")
757 logger.info("AKA' full auth with permanent identity")
760 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
761 cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
762 eap_reauth(dev[0], "AKA'")
764 logger.info("AKA' reauth with mismatching k_aut")
767 cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
768 eap_reauth(dev[0], "AKA'", expect_failure=True)
769 dev[0].request("REMOVE_NETWORK all")
771 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
772 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
775 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
776 eap_reauth(dev[0], "AKA'")
779 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
780 logger.info("AKA' reauth with mismatching counter")
781 eap_reauth(dev[0], "AKA'")
782 dev[0].request("REMOVE_NETWORK all")
784 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
785 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
788 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
789 logger.info("AKA' reauth with max reauth count reached")
790 eap_reauth(dev[0], "AKA'")
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Sanity-check the AP configuration: WPA-EAP must be the first AKM listed.
    key_mgmt = ap.get_config()['key_mgmt']
    first_akm = key_mgmt.partition(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # The inner PAP exchange is protected only by the TLS tunnel, so the
    # server is validated against auth_serv/ca.pem.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
    # Both the requested and the selected AKM suite must be 00-0f-ac-1
    # (IEEE 802.1X).
    expected_akm = "00-0f-ac-1"
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", expected_akm),
                       ("dot11RSNAAuthenticationSuiteSelected", expected_akm)])
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    # Both matching options are OpenSSL-only; skip otherwise.
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Pin the server certificate identity on top of CA validation: exact
    # subject DN plus a semicolon-separated list of expected SAN entries.
    expected_subject = "/C=FI/O=w1.fi/CN=server.w1.fi"
    expected_altsubject = "EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/"
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                subject_match=expected_subject,
                altsubject_match=expected_altsubject)
    eap_reauth(dev[0], "TTLS")
820 def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
821 """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
822 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
823 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
824 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
825 anonymous_identity="ttls", password="wrong",
826 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
828 eap_connect(dev[1], apdev[0], "TTLS", "user",
829 anonymous_identity="ttls", password="password",
830 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    # CHAP is not available in FIPS mode.
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # DER-encoded CA certificate variant (ca.der rather than ca.pem).
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    # CHAP is not available in FIPS mode; altsubject_match is OpenSSL-only.
    skip_with_fips(dev[0])
    check_altsubject_match_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Same SAN entries as the PAP variant, listed in a different order, to
    # check that the match is order-independent.
    expected_altsubject = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match=expected_altsubject)
    eap_reauth(dev[0], "TTLS")
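def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password

    Both a wrong password for a valid CHAP user and a presumably
    non-CHAP identity with the right password must be rejected.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the closing expect_failure=True argument was missing
    # from the visible listing for both calls; restored to match the other
    # negative tests in this file.
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
                expect_failure=True)
    eap_connect(dev[1], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
                expect_failure=True)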
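def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP

    First connection pins the server certificate with domain_suffix_match;
    the second reconnects with a small EAP fragment size.
    """
    skip_with_fips(dev[0])
    check_domain_suffix_match(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    dev[0].request("REMOVE_NETWORK all")
    # NOTE(review): the final argument of this call was missing from the
    # visible listing; fragment_size="200" follows the pattern of the
    # PEAP/MSCHAPv2 reconnect test in this file - confirm against upstream.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                fragment_size="200")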
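def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password

    Three rejections are expected: wrong password, right password with a
    presumably non-MSCHAP identity, and an unknown user.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the closing expect_failure=True argument was missing
    # from the visible listing for all three calls; restored.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                expect_failure=True)
    eap_connect(dev[1], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                expect_failure=True)
    eap_connect(dev[2], apdev[0], "TTLS", "no such user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                expect_failure=True)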
def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2

    Connects, verifies the hostapd STA/EAPOL counters move on
    reauthentication, then reconnects with the password supplied as a
    pre-computed hash (password_hex="hash:...") instead of cleartext.
    """
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    ap = hostapd.Hostapd(apdev[0]['ifname'])
    # Backslash is escaped explicitly; the runtime string is identical to
    # the original "DOMAIN\mschapv2 user".
    identity = "DOMAIN\\mschapv2 user"
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], ap)

    addr = dev[0].p2p_interface_addr()
    before_sta = ap.get_sta(addr)
    before_eapol = ap.get_sta(addr, info="eapol")
    eap_reauth(dev[0], "TTLS")
    after_sta = ap.get_sta(addr)
    after_eapol = ap.get_sta(addr, info="eapol")

    # Each counter must have moved as a result of the reauthentication.
    rx_key = 'dot1xAuthEapolFramesRx'
    if int(after_sta[rx_key]) <= int(before_sta[rx_key]):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(after_eapol['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    succ_key = 'backendAuthSuccesses'
    if int(after_eapol[succ_key]) <= int(before_eapol[succ_key]):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
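def test_ap_wpa2_eap_ttls_invalid_phase2(dev, apdev):
    """EAP-TTLS with invalid phase2 parameter values

    Each malformed phase2 string must make the supplicant refuse to
    initialize EAP-TTLS rather than silently pick a method and connect.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    tests = [ "auth=MSCHAPv2", "auth=MSCHAPV2 autheap=MD5",
              "autheap=MD5 auth=MSCHAPV2", "auth=PAP auth=CHAP" ]
    # NOTE(review): the loop header was missing from the visible listing;
    # the body references t and tests, so it has been restored.
    for t in tests:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity="DOMAIN\\mschapv2 user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2=t,
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=10)
        if ev is None or "method=21" not in ev:
            raise Exception("EAP-TTLS not started")
        # A connection here would mean the bad phase2 value was accepted.
        ev = dev[0].wait_event(["EAP: Failed to initialize EAP method",
                                "CTRL-EVENT-CONNECTED"], timeout=5)
        if ev is None or "CTRL-EVENT-CONNECTED" in ev:
            raise Exception("No EAP-TTLS failure reported for phase2=" + t)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()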
def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 with suffix match

    domain_suffix_match is given as the parent domain "w1.fi", so the
    server certificate name only has to end with that suffix.
    """
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    ap = hostapd.Hostapd(apdev[0]['ifname'])
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)

    domain_match uses a mixed-case name ("Server.w1.fi"), so this also
    exercises case-insensitive comparison of the server certificate name.
    """
    check_domain_match(dev[0])
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    ap = hostapd.Hostapd(apdev[0]['ifname'])
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                 domain_match="Server.w1.fi")
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user", **inner)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
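def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): expect_failure=True was missing from the visible listing
    # for the first call; without it a wrong password would pass the test.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
    eap_connect(dev[1], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)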
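def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password

    dev[0] supplies a non-ASCII password, dev[1] the equivalent hash;
    dev[2] then tries malformed password_hex values (a lone high byte, a
    non-UTF-8 sequence and an over-long value) that must all be rejected.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
                anonymous_identity="ttls", password="secret-åäö-€-password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
                anonymous_identity="ttls",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    for p in [ "80", "41c041e04141e041", 257*"41" ]:
        dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="TTLS", identity="utf8-user-hash",
                       anonymous_identity="ttls", password_hex=p,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=1)
        # NOTE(review): the None check guarding this raise was missing
        # from the visible listing; restored.
        if ev is None:
            raise Exception("No failure reported")
        dev[2].request("REMOVE_NETWORK all")
        dev[2].wait_disconnected()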
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC

    EAP-GTC carries the password in cleartext, so it is only acceptable
    inside the TLS tunnel with the CA pinned via ca_cert.
    """
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner = dict(anonymous_identity="ttls", password="wrong",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    # A wrong password must end in EAP failure, never a connection.
    eap_connect(dev[0], apdev[0], "TTLS", "user", expect_failure=True,
                **inner)
def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password

    The server-side user "user-no-passwd" has no password configured, so
    whatever the client sends must be rejected.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                expect_failure=True)
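def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM

    Injects allocation failures into the hostapd EAP-GTC server methods
    and checks the authentication fails cleanly instead of crashing.
    """
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(hapd, 1, "eap_gtc_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure. The polling loop around GET_ALLOC_FAIL was
        # only partially visible in the listing; the imported
        # wait_fail_trigger helper polls the same counter and additionally
        # raises if the injected failure is never reached, so a test that
        # silently stopped exercising the OOM path would now fail.
        wait_fail_trigger(hapd, "GET_ALLOC_FAIL")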
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5

    EAP-MD5 offers no server authentication or key derivation on its own,
    so it is only used as the tunnelled inner method here.
    """
    check_eap_capa(dev[0], "MD5")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], apdev[0], "TTLS", "user", **inner)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    check_eap_capa(dev[0], "MD5")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    check_eap_capa(dev[0], "MD5")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Server-side user without a password: must not authenticate.
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                expect_failure=True, **inner)
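def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM

    Injects allocation failures into the hostapd EAP-MD5 server methods
    and checks the authentication fails cleanly instead of crashing.
    """
    check_eap_capa(dev[0], "MD5")
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(hapd, 1, "eap_md5_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(hapd, 1, "eap_md5_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure. The GET_ALLOC_FAIL polling loop was only
        # partially visible in the listing; wait_fail_trigger (already
        # imported) polls the same counter and raises if the injected
        # failure is never hit, so the OOM path is actually verified.
        wait_fail_trigger(hapd, "GET_ALLOC_FAIL")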
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2

    Positive connection plus reauthentication, followed by a negative
    check that a wrong password is rejected.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password",
                **common)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password1",
                expect_failure=True, **common)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Server user without a configured password must be rejected.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                expect_failure=True)
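def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM

    Injects one allocation failure into each hostapd EAP-MSCHAPv2 server
    step (init, challenge, success request, failure request) and checks
    the server handles it without crashing.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(hapd, 1, "eap_mschapv2_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    def _start(password):
        # Start an attempt without waiting for the (never arriving) result.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password=password,
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")

    # Each attempt would eventually time out, but we can stop after having
    # reached the allocation failure. The GET_ALLOC_FAIL polling loops were
    # only partially visible in the listing; wait_fail_trigger (already
    # imported) polls the same counter and raises if the injected failure
    # is never hit, so each OOM path is actually verified.
    with alloc_fail(hapd, 1, "eap_mschapv2_build_challenge"):
        _start("password")
        wait_fail_trigger(hapd, "GET_ALLOC_FAIL")
    dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(hapd, 1, "eap_mschapv2_build_success_req"):
        _start("password")
        wait_fail_trigger(hapd, "GET_ALLOC_FAIL")
    dev[0].request("REMOVE_NETWORK all")

    # The failure-request path is only reached with a wrong password.
    with alloc_fail(hapd, 1, "eap_mschapv2_build_failure_req"):
        _start("wrong")
        wait_fail_trigger(hapd, "GET_ALLOC_FAIL")
    dev[0].request("REMOVE_NETWORK all")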
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA

    The password field carries the test-USIM triple Ki:OPc:SQN in hex.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    imsi = "0232010000000000"
    aka_secret = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                  "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    eap_connect(dev[0], apdev[0], "TTLS", imsi,
                anonymous_identity=imsi + "@ttls",
                password=aka_secret,
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA

    Same USIM test credentials as the TTLS variant, tunnelled in PEAP.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    imsi = "0232010000000000"
    aka_secret = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                  "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    eap_connect(dev[0], apdev[0], "PEAP", imsi,
                anonymous_identity=imsi + "@peap",
                password=aka_secret,
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA

    Uses authenticated PAC provisioning (fast_provisioning=2) with the PAC
    kept in a config blob, and ca_cert set so the server is verified
    during provisioning.
    """
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    imsi = "0232010000000000"
    aka_secret = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                  "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    eap_connect(dev[0], apdev[0], "FAST", imsi,
                anonymous_identity=imsi + "@fast",
                password=aka_secret,
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2

    Covers: plain connection + reauth, reconnect with a small fragment
    size, password given as a pre-computed hash, and a wrong password.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="peap",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                **common)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")

    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                fragment_size="200", **common)

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                **common)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password1",
                expect_failure=True, **common)
def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain

    The identity carries a DOMAIN\\ prefix; the backslash is escaped here
    but the runtime string is the same as the original literal.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "PEAP", "DOMAIN\\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner = dict(anonymous_identity="peap", password="wrong",
                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "PEAP", "user", expect_failure=True,
                **inner)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding

    Three stations connect with crypto_binding=2, 1 and 0 respectively
    (presumably required / optional / disabled - see the wpa_supplicant
    phase1 documentation); all must succeed against this server.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect(sta, binding):
        eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=%d" % binding,
                    phase2="auth=MSCHAPV2")

    connect(dev[0], 2)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")

    connect(dev[1], 1)
    connect(dev[2], 0)
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM

    With crypto binding required, a failed key export on the server
    (alloc failure in eap_mschapv2_getKey) must abort the authentication.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    with alloc_fail(hapd, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
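def test_ap_wpa2_eap_peap_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters

    Exercises peaplabel and peap_outer_success phase1 options. Where the
    supplicant reports EAP success but the key derivation cannot match
    the server, the test checks that no connection results.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="peapver=0 peaplabel=1",
                expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    # NOTE(review): the identity="user" argument and the `if ev is None:`
    # guards were missing from the visible listing; restored so the
    # raises below are conditional rather than unconditional.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user",
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peap_outer_success=0",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
    if ev is None:
        raise Exception("No EAP success seen")
    # This won't succeed to connect with peap_outer_success=0, so stop here.
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=1",
                phase2="auth=MSCHAPV2")
    eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=2",
                phase2="auth=MSCHAPV2")
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user",
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peapver=1 peaplabel=1",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
    if ev is None:
        raise Exception("No EAP success seen")
    # EAP success with a mismatching key label must NOT yield a connection;
    # a CONNECTED event here would mean the 4-way handshake passed with
    # keys the server should not have agreed on.
    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
    if ev is not None:
        raise Exception("Unexpected connection")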
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS

    EAP-TLS as the inner method: the phase2 client certificate and key
    are given via the *2 variants of the cert parameters.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner_tls = dict(ca_cert2="auth_serv/ca.pem",
                     client_cert2="auth_serv/user.pem",
                     private_key2="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
                **inner_tls)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS

    Mutual certificate authentication with a PEM client cert and an
    unencrypted PEM private key.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **creds)
    eap_reauth(dev[0], "TLS")
def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key

    The client key is a PKCS #8 file encrypted with PKCS #5 v2 (3DES),
    unlocked with private_key_passwd.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key.pkcs8",
                 private_key_passwd="whatever")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **creds)
def test_eap_tls_pkcs8_pkcs5_v15(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key

    Legacy PKCS #5 v1.5 key encryption; kept for compatibility coverage,
    not as a recommended format.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key.pkcs8.pkcs5v15",
                 private_key_passwd="whatever")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **creds)
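def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs

    CA cert, client cert and private key are pushed into wpa_supplicant as
    hex-encoded config blobs and referenced via blob:// URIs instead of
    file paths.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    def set_blob(name, path):
        # Fix: the original reported "cacert" in the error for the userkey
        # blob, which would misdirect debugging; the name is now reported.
        data = read_pem(path)
        if "OK" not in dev[0].request("SET blob %s %s" %
                                      (name, data.encode("hex"))):
            raise Exception("Could not set %s blob" % name)

    set_blob("cacert", "auth_serv/ca.pem")
    set_blob("usercert", "auth_serv/user.pem")
    set_blob("userkey", "auth_serv/user.rsa-key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")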
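def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12

    Connects with a PKCS#12 bundle, then again without a configured
    passphrase to exercise the CTRL-REQ-PASSPHRASE prompt, then with two
    bundles carrying an extra certificate to check chain handling.
    """
    check_pkcs12_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
    # NOTE(review): the `if ev is None:` guard was missing from the visible
    # listing; without it the raise below would be unconditional.
    if ev is None:
        raise Exception("Request for private key passphrase timed out")
    id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
    dev[0].wait_connected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # Run this twice to verify certificate chain handling with OpenSSL. Use two
    # different files to cover both cases of the extra certificate being the
    # one that signed the client certificate and it being unrelated to the
    # client certificate.
    for pkcs12 in "auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12":
        # NOTE(review): the private_key=pkcs12 argument was missing from the
        # visible listing; the loop variable is otherwise unused.
        eap_connect(dev[0], apdev[0], "TLS", "tls user",
                    ca_cert="auth_serv/ca.pem",
                    private_key=pkcs12,
                    private_key_passwd="whatever")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()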
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob

    The PKCS#12 bundle is read as raw bytes (not PEM) and handed to
    wpa_supplicant as a hex-encoded blob.
    """
    check_pkcs12_support(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    ca_hex = read_pem("auth_serv/ca.pem").encode("hex")
    if "OK" not in dev[0].request("SET blob cacert " + ca_hex):
        raise Exception("Could not set cacert blob")
    with open("auth_serv/user.pkcs12", "rb") as f:
        p12_hex = f.read().encode("hex")
        if "OK" not in dev[0].request("SET blob pkcs12 " + p12_hex):
            raise Exception("Could not set pkcs12 blob")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
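def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root

    The server certificate does not chain to the configured CA (given as
    a blob on dev[0] and as a file on dev[1]). Each station must report a
    TLS certificate error, then EAP failure, then disconnect, and finally
    temporarily disable the network block.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    cert = read_pem("auth_serv/ca-incorrect.pem")
    if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
        raise Exception("Could not set cacert blob")
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="blob://cacert",
                   wait_connect=False, scan_freq="2412")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca-incorrect.pem",
                   wait_connect=False, scan_freq="2412")

    # Loop variable renamed from `dev` to avoid shadowing the parameter.
    # NOTE(review): the `if ev is None:` guards were missing from the
    # visible listing; restored so each timeout raise is conditional.
    for sta in (dev[0], dev[1]):
        ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")

        ev = sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        if ev is None:
            raise Exception("EAP method selection timed out")
        if "TTLS" not in ev:
            raise Exception("Unexpected EAP method")

        # Order matters: an EAP success or connection before the cert error
        # would mean the untrusted server certificate was accepted.
        ev = sta.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                             "CTRL-EVENT-EAP-SUCCESS",
                             "CTRL-EVENT-EAP-FAILURE",
                             "CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result timed out")
        if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
            raise Exception("TLS certificate error not reported")

        ev = sta.wait_event(["CTRL-EVENT-EAP-SUCCESS",
                             "CTRL-EVENT-EAP-FAILURE",
                             "CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result(2) timed out")
        if "CTRL-EVENT-EAP-FAILURE" not in ev:
            raise Exception("EAP failure not reported")

        ev = sta.wait_event(["CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result(3) timed out")
        if "CTRL-EVENT-DISCONNECTED" not in ev:
            raise Exception("Disconnection not reported")

        ev = sta.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
        if ev is None:
            raise Exception("Network block disabling not reported")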
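def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust

    After a successful connection with the correct CA, a second network
    block for the same SSID but with the wrong CA is selected. The TLS
    session must not be silently resumed: EAP-TTLS has to restart and the
    attempt must end in a disconnection with reason 23 (802.1X auth failed).
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password", phase2="auth=PAP",
                   ca_cert="auth_serv/ca.pem",
                   wait_connect=True, scan_freq="2412")
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                        identity="pap user", anonymous_identity="ttls",
                        password="password", phase2="auth=PAP",
                        ca_cert="auth_serv/ca-incorrect.pem",
                        only_add_network=True, scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(id, freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    # NOTE(review): the `if ev is None:` guard was missing from the visible
    # listing; restored so the raise is conditional.
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")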
1571 def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
1572 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
# NOTE(review): gaps in the gutter numbers show dropped lines; the bare
# `raise` below is presumably guarded by a missing `if ev is None:`.
# First block configures no ca_cert at all, so nothing constrains the server
# certificate here and the connection is expected to succeed.
1573 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1574 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1575 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1576 identity="pap user", anonymous_identity="ttls",
1577 password="password", phase2="auth=PAP",
1578 wait_connect=True, scan_freq="2412")
# Second block adds a CA that did not issue the server certificate; the point
# of the test is that tightening the trust anchor after a successful
# connection is enforced on the next attempt.
1579 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1580 identity="pap user", anonymous_identity="ttls",
1581 password="password", phase2="auth=PAP",
1582 ca_cert="auth_serv/ca-incorrect.pem",
1583 only_add_network=True, scan_freq="2412")
1585 dev[0].request("DISCONNECT")
1586 dev[0].wait_disconnected()
1587 dev[0].dump_monitor()
1588 dev[0].select_network(id, freq="2412")
# A fresh EAP-TTLS (method=21) run must be proposed for the new block.
1590 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1592 raise Exception("EAP-TTLS not re-started")
# Expected outcome: disconnection with reason 23 (IEEE 802.1X auth failed).
1594 ev = dev[0].wait_disconnected(timeout=15)
1595 if "reason=23" not in ev:
1596 raise Exception("Proper reason code for disconnection not reported")
1598 def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
1599 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
# NOTE(review): gaps in the gutter numbers show dropped lines; the bare
# `raise` below is presumably guarded by a missing `if ev is None:`.
# Variant of the diff_ca_trust tests that keeps a single network block and
# swaps its ca_cert in place after a successful connection.
1600 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1601 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1602 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1603 identity="pap user", anonymous_identity="ttls",
1604 password="password", phase2="auth=PAP",
1605 ca_cert="auth_serv/ca.pem",
1606 wait_connect=True, scan_freq="2412")
1607 dev[0].request("DISCONNECT")
1608 dev[0].wait_disconnected()
1609 dev[0].dump_monitor()
# Re-point the same block at a CA that did not issue the server certificate;
# the changed trust anchor must take effect on the next selection.
1610 dev[0].set_network_quoted(id, "ca_cert", "auth_serv/ca-incorrect.pem")
1611 dev[0].select_network(id, freq="2412")
1613 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1615 raise Exception("EAP-TTLS not re-started")
# Expected outcome: disconnection with reason 23 (IEEE 802.1X auth failed).
1617 ev = dev[0].wait_disconnected(timeout=15)
1618 if "reason=23" not in ev:
1619 raise Exception("Proper reason code for disconnection not reported")
1621 def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
1622 """WPA2-Enterprise negative test - domain suffix mismatch"""
# NOTE(review): gaps in the gutter numbers show dropped lines; each bare
# `raise` below is presumably preceded by a missing `if ev is None:` guard.
# Skips unless the TLS library in use implements domain_suffix_match.
1623 check_domain_suffix_match(dev[0])
1624 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1625 hostapd.add_ap(apdev[0]['ifname'], params)
# Trusted CA, but a domain_suffix_match the server certificate's name must
# not satisfy. "\m" is not a Python escape, so the identity keeps its literal
# backslash.
1626 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1627 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1628 password="password", phase2="auth=MSCHAPV2",
1629 ca_cert="auth_serv/ca.pem",
1630 domain_suffix_match="incorrect.example.com",
1631 wait_connect=False, scan_freq="2412")
1633 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1635 raise Exception("Association and EAP start timed out")
1637 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1639 raise Exception("EAP method selection timed out")
1640 if "TTLS" not in ev:
1641 raise Exception("Unexpected EAP method")
# Expected sequence: a TLS certificate error naming the suffix mismatch, then
# EAP failure (CONNECTED or SUCCESS here would mean the check was bypassed),
# then disconnection, then the network block being temporarily disabled.
1643 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1644 "CTRL-EVENT-EAP-SUCCESS",
1645 "CTRL-EVENT-EAP-FAILURE",
1646 "CTRL-EVENT-CONNECTED",
1647 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1649 raise Exception("EAP result timed out")
1650 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1651 raise Exception("TLS certificate error not reported")
1652 if "Domain suffix mismatch" not in ev:
1653 raise Exception("Domain suffix mismatch not reported")
1655 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1656 "CTRL-EVENT-EAP-FAILURE",
1657 "CTRL-EVENT-CONNECTED",
1658 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1660 raise Exception("EAP result(2) timed out")
1661 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1662 raise Exception("EAP failure not reported")
1664 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1665 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1667 raise Exception("EAP result(3) timed out")
1668 if "CTRL-EVENT-DISCONNECTED" not in ev:
1669 raise Exception("Disconnection not reported")
1671 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1673 raise Exception("Network block disabling not reported")
1675 def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
1676 """WPA2-Enterprise negative test - domain mismatch"""
# NOTE(review): gaps in the gutter numbers show dropped lines; each bare
# `raise` below is presumably preceded by a missing `if ev is None:` guard.
# Skips unless the TLS library in use implements domain_match.
1677 check_domain_match(dev[0])
1678 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1679 hostapd.add_ap(apdev[0]['ifname'], params)
# domain_match requires a full-name match, so "w1.fi" must be rejected even
# though it could satisfy a suffix-style check.
1680 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1681 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1682 password="password", phase2="auth=MSCHAPV2",
1683 ca_cert="auth_serv/ca.pem",
1684 domain_match="w1.fi",
1685 wait_connect=False, scan_freq="2412")
1687 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1689 raise Exception("Association and EAP start timed out")
1691 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1693 raise Exception("EAP method selection timed out")
1694 if "TTLS" not in ev:
1695 raise Exception("Unexpected EAP method")
# Expected sequence: certificate error naming the domain mismatch, EAP
# failure, disconnection, network block temporarily disabled.
1697 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1698 "CTRL-EVENT-EAP-SUCCESS",
1699 "CTRL-EVENT-EAP-FAILURE",
1700 "CTRL-EVENT-CONNECTED",
1701 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1703 raise Exception("EAP result timed out")
1704 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1705 raise Exception("TLS certificate error not reported")
1706 if "Domain mismatch" not in ev:
1707 raise Exception("Domain mismatch not reported")
1709 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1710 "CTRL-EVENT-EAP-FAILURE",
1711 "CTRL-EVENT-CONNECTED",
1712 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1714 raise Exception("EAP result(2) timed out")
1715 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1716 raise Exception("EAP failure not reported")
1718 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1719 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1721 raise Exception("EAP result(3) timed out")
1722 if "CTRL-EVENT-DISCONNECTED" not in ev:
1723 raise Exception("Disconnection not reported")
1725 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1727 raise Exception("Network block disabling not reported")
1729 def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
1730 """WPA2-Enterprise negative test - subject mismatch"""
# NOTE(review): gaps in the gutter numbers show dropped lines; each bare
# `raise` below is presumably preceded by a missing `if ev is None:` guard.
# No check_subject_match_support() skip here: lack of support is handled
# inline below instead.
1731 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1732 hostapd.add_ap(apdev[0]['ifname'], params)
# Trusted CA, but a full subject DN the server certificate must not match.
1733 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1734 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1735 password="password", phase2="auth=MSCHAPV2",
1736 ca_cert="auth_serv/ca.pem",
1737 subject_match="/C=FI/O=w1.fi/CN=example.com",
1738 wait_connect=False, scan_freq="2412")
1740 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1742 raise Exception("Association and EAP start timed out")
1744 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
1745 "EAP: Failed to initialize EAP method"], timeout=10)
1747 raise Exception("EAP method selection timed out")
# With OpenSSL, failing to initialize the method is a test failure. With a
# TLS library that rejects subject_match at init time the connection is
# refused, which is the safe outcome, so the test counts as passed (line 1753,
# absent from this listing, presumably returns here).
1748 if "EAP: Failed to initialize EAP method" in ev:
1749 tls = dev[0].request("GET tls_library")
1750 if tls.startswith("OpenSSL"):
1751 raise Exception("Failed to select EAP method")
1752 logger.info("subject_match not supported - connection failed, so test succeeded")
1754 if "TTLS" not in ev:
1755 raise Exception("Unexpected EAP method")
# Expected sequence: certificate error naming the subject mismatch, EAP
# failure, disconnection, network block temporarily disabled.
1757 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1758 "CTRL-EVENT-EAP-SUCCESS",
1759 "CTRL-EVENT-EAP-FAILURE",
1760 "CTRL-EVENT-CONNECTED",
1761 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1763 raise Exception("EAP result timed out")
1764 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1765 raise Exception("TLS certificate error not reported")
1766 if "Subject mismatch" not in ev:
1767 raise Exception("Subject mismatch not reported")
1769 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1770 "CTRL-EVENT-EAP-FAILURE",
1771 "CTRL-EVENT-CONNECTED",
1772 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1774 raise Exception("EAP result(2) timed out")
1775 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1776 raise Exception("EAP failure not reported")
1778 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1779 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1781 raise Exception("EAP result(3) timed out")
1782 if "CTRL-EVENT-DISCONNECTED" not in ev:
1783 raise Exception("Disconnection not reported")
1785 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1787 raise Exception("Network block disabling not reported")
1789 def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
1790 """WPA2-Enterprise negative test - altsubject mismatch"""
1791 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1792 hostapd.add_ap(apdev[0]['ifname'], params)
# Each entry is an altsubject_match value the server certificate must not
# satisfy, with and without the "DNS:" type prefix. Lines 1796-1798 are absent
# from this listing; presumably further entries and the `for match in tests:`
# header of the loop whose body is line 1799.
1794 tests = [ "incorrect.example.com",
1795 "DNS:incorrect.example.com",
1799 _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
# Run one altsubject_match negative case against the already started AP.
# `match` is the altsubject_match value; the connection must be refused with
# an "AltSubject mismatch" certificate error. Cleans up the network block at
# the end so the caller can loop over several values.
# NOTE(review): gaps in the gutter numbers show dropped lines; each bare
# `raise` below is presumably preceded by a missing `if ev is None:` guard.
1801 def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
1802 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1803 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1804 password="password", phase2="auth=MSCHAPV2",
1805 ca_cert="auth_serv/ca.pem",
1806 altsubject_match=match,
1807 wait_connect=False, scan_freq="2412")
1809 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1811 raise Exception("Association and EAP start timed out")
1813 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
1814 "EAP: Failed to initialize EAP method"], timeout=10)
1816 raise Exception("EAP method selection timed out")
# Same unsupported-library handling as the subject_match test: refusing the
# connection at init is acceptable unless the library is OpenSSL (line 1822,
# absent here, presumably returns).
1817 if "EAP: Failed to initialize EAP method" in ev:
1818 tls = dev[0].request("GET tls_library")
1819 if tls.startswith("OpenSSL"):
1820 raise Exception("Failed to select EAP method")
1821 logger.info("altsubject_match not supported - connection failed, so test succeeded")
1823 if "TTLS" not in ev:
1824 raise Exception("Unexpected EAP method")
# Expected sequence: certificate error naming the altsubject mismatch, EAP
# failure, disconnection, network block temporarily disabled.
1826 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1827 "CTRL-EVENT-EAP-SUCCESS",
1828 "CTRL-EVENT-EAP-FAILURE",
1829 "CTRL-EVENT-CONNECTED",
1830 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1832 raise Exception("EAP result timed out")
1833 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1834 raise Exception("TLS certificate error not reported")
1835 if "AltSubject mismatch" not in ev:
1836 raise Exception("altsubject mismatch not reported")
1838 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1839 "CTRL-EVENT-EAP-FAILURE",
1840 "CTRL-EVENT-CONNECTED",
1841 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1843 raise Exception("EAP result(2) timed out")
1844 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1845 raise Exception("EAP failure not reported")
1847 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1848 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1850 raise Exception("EAP result(3) timed out")
1851 if "CTRL-EVENT-DISCONNECTED" not in ev:
1852 raise Exception("Disconnection not reported")
1854 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1856 raise Exception("Network block disabling not reported")
# Remove the (now temporarily disabled) block before the next case.
1858 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS"""
    # No client certificate or key is configured for this method; the only
    # trust input on the station side is the CA that issued the server cert.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    eap_connect(sta, apdev[0], "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    # Re-authentication with the same configuration must also succeed.
    eap_reauth(sta, "UNAUTH-TLS")
1868 def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
1869 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
# NOTE(review): gaps in the gutter numbers show dropped lines; each bare
# `raise` below is presumably preceded by a missing `if ev is None:` guard.
# Needs a TLS library that supports ca_cert="probe://"; skipped in FIPS mode.
1870 check_cert_probe_support(dev[0])
1871 skip_with_fips(dev[0])
# SHA-256 fingerprint of the test server's certificate, as reported by the
# probe below and later used as the pin.
1872 srv_cert_hash = "e75bd454c7b02d312e5006d75067c28ffa5baea422effeb2bbd572179cd000ca"
1873 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1874 hostapd.add_ap(apdev[0]['ifname'], params)
# Phase 1: probe mode. The supplicant reports the server certificate (with
# its hash) and then aborts the handshake with a certificate error instead
# of connecting, so no credential is used against an unverified server.
1875 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1876 identity="probe", ca_cert="probe://",
1877 wait_connect=False, scan_freq="2412")
1878 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1880 raise Exception("Association and EAP start timed out")
1881 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
1883 raise Exception("No peer server certificate event seen")
1884 if "hash=" + srv_cert_hash not in ev:
1885 raise Exception("Expected server certificate hash not reported")
1886 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
1888 raise Exception("EAP result timed out")
1889 if "Server certificate chain probe" not in ev:
1890 raise Exception("Server certificate probe not reported")
1891 dev[0].wait_disconnected(timeout=10)
1892 dev[0].request("REMOVE_NETWORK all")
# Phase 2: pin to a different SHA-256 value. The mismatch must surface as a
# certificate error and a disconnection.
1894 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1895 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1896 password="password", phase2="auth=MSCHAPV2",
1897 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
1898 wait_connect=False, scan_freq="2412")
1899 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1901 raise Exception("Association and EAP start timed out")
1902 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
1904 raise Exception("EAP result timed out")
1905 if "Server certificate mismatch" not in ev:
1906 raise Exception("Server certificate mismatch not reported")
1907 dev[0].wait_disconnected(timeout=10)
1908 dev[0].request("REMOVE_NETWORK all")
# Phase 3: pin to the hash learned in phase 1; the connection must succeed
# without any CA file.
1910 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
1911 anonymous_identity="ttls", password="password",
1912 ca_cert="hash://server/sha256/" + srv_cert_hash,
1913 phase2="auth=MSCHAPV2")
1915 def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
1916 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
# NOTE(review): gaps in the gutter numbers show dropped lines; each bare
# `raise` below is presumably preceded by a missing `if ev is None:` guard.
# Three malformed hash:// pins are configured on three stations. Each must be
# rejected when the EAP method is initialized, i.e. before any TLS handshake,
# rather than being silently treated as "no pin".
1917 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1918 hostapd.add_ap(apdev[0]['ifname'], params)
# dev[0]: unsupported hash algorithm (md5) in the URI.
1919 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1920 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1921 password="password", phase2="auth=MSCHAPV2",
1922 ca_cert="hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
1923 wait_connect=False, scan_freq="2412")
# dev[1]: sha256 value that is two hex digits (one byte) short.
1924 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1925 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1926 password="password", phase2="auth=MSCHAPV2",
1927 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
1928 wait_connect=False, scan_freq="2412")
# dev[2]: sha256 value of the right length but containing a non-hex 'Q'.
1929 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1930 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1931 password="password", phase2="auth=MSCHAPV2",
1932 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
1933 wait_connect=False, scan_freq="2412")
# All three must get as far as EAP start and then report that TTLS (method
# 21) could not be initialized.
1934 for i in range(0, 3):
1935 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1937 raise Exception("Association and EAP start timed out")
1938 ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
1940 raise Exception("Did not report EAP method initialization failure")
1942 def test_ap_wpa2_eap_pwd(dev, apdev):
1943 """WPA2-Enterprise connection using EAP-pwd"""
# NOTE(review): gaps in the gutter numbers (1954-1955, 1963-1964) show that
# the trailing arguments of two eap_connect() calls are absent from this
# listing.
1944 check_eap_capa(dev[0], "PWD")
1945 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1946 hostapd.add_ap(apdev[0]['ifname'], params)
1947 eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
1948 eap_reauth(dev[0], "PWD")
1949 dev[0].request("REMOVE_NETWORK all")
# Very long NAI (a 100+ character realm) to exercise identity handling.
1951 eap_connect(dev[1], apdev[0], "PWD",
1952 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1953 password="secret password",
# Wrong password ("secret-password" vs "secret password") must fail;
# local_error_report=True presumably accepts a locally reported error.
1956 logger.info("Negative test with incorrect password")
1957 eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
1958 expect_failure=True, local_error_report=True)
1960 eap_connect(dev[0], apdev[0], "PWD",
1961 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1962 password="secret password",
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash"""
    check_eap_capa(dev[0], "PWD")
    # Skipped in FIPS mode (NTHash is MD4-based).
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    nt_hash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    # The "pwd-hash" user must authenticate both with the plaintext password
    # and with the hashed form of the same credential.
    eap_connect(dev[0], apdev[0], "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], apdev[0], "PWD", "pwd-hash", password_hex=nt_hash)
    # The same hash must not authenticate a different user.
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password_hex=nt_hash,
                expect_failure=True, local_error_report=True)
1978 def test_ap_wpa2_eap_pwd_groups(dev, apdev):
1979 """WPA2-Enterprise connection using various EAP-pwd groups"""
# NOTE(review): several lines are absent from this listing (1989, 1993,
# 1999, 2003, 2006-2008); presumably the `for i in groups:` header, the
# try/except around the connection attempt, and the loop tail.
1980 check_eap_capa(dev[0], "PWD")
1981 tls = dev[0].request("GET tls_library")
# Hand-built AP config (rather than wpa2_eap_params) so pwd_group can be set
# per iteration.
1982 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
1983 "rsn_pairwise": "CCMP", "ieee8021x": "1",
1984 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
# EAP-pwd group numbers come from the IKEv2 DH group registry; 27-30 are the
# Brainpool curves, which only get added when both the build and runtime
# OpenSSL versions are 1.0.2.
1985 groups = [ 19, 20, 21, 25, 26 ]
1986 if tls.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
1987 logger.info("Add Brainpool EC groups since OpenSSL is new enough")
1988 groups += [ 27, 28, 29, 30 ]
1990 logger.info("Group %d" % i)
1991 params['pwd_group'] = str(i)
1992 hostapd.add_ap(apdev[0]['ifname'], params)
1994 eap_connect(dev[0], apdev[0], "PWD", "pwd user",
1995 password="secret password")
1996 dev[0].request("REMOVE_NETWORK all")
1997 dev[0].wait_disconnected()
1998 dev[0].dump_monitor()
# Known limitation: group 25 is tolerated to fail under BoringSSL; the
# station is cleaned up and the test moves on instead of raising.
2000 if "BoringSSL" in tls and i in [ 25 ]:
2001 logger.info("Ignore connection failure with group %d with BoringSSL" % i)
2002 dev[0].request("DISCONNECT")
2004 dev[0].request("REMOVE_NETWORK all")
2005 dev[0].dump_monitor()
2009 def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
2010 """WPA2-Enterprise connection using invalid EAP-pwd group"""
# NOTE(review): line 2021 is absent from this listing; presumably the
# `if ev is None:` guard for the raise below.
2011 check_eap_capa(dev[0], "PWD")
2012 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2013 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2014 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
# Group 0 is not a valid EAP-pwd group; the server side must refuse it and
# the station must see an EAP failure rather than a connection.
2015 params['pwd_group'] = "0"
2016 hostapd.add_ap(apdev[0]['ifname'], params)
2017 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
2018 identity="pwd user", password="secret password",
2019 scan_freq="2412", wait_connect=False)
# No explicit timeout here, so wait_event's default applies.
2020 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2022 raise Exception("Timeout on EAP failure report")
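def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
    check_eap_capa(dev[0], "PWD")
    # The AP config is built by hand so fragment_size can be set: a 40-byte
    # fragment size forces the server to split EAP-pwd messages. (The
    # original also called hostapd.wpa2_eap_params() here and immediately
    # discarded the result; that dead assignment is dropped.)
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "19", "fragment_size": "40" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    # The station must reassemble the fragments and complete authentication.
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")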
2035 def test_ap_wpa2_eap_gpsk(dev, apdev):
2036 """WPA2-Enterprise connection using EAP-GPSK"""
# NOTE(review): lines 2047 and 2054 are absent from this listing; presumably
# the `if ev is None:` guards for the two raises below.
2037 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2038 hostapd.add_ap(apdev[0]['ifname'], params)
# 32-character hex-looking string passed as the GPSK password.
2039 id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
2040 password="abcdefghijklmnop0123456789abcdef")
2041 eap_reauth(dev[0], "GPSK")
# Forcing either supported cipher suite via phase1 must still authenticate;
# changing phase1 on the live block triggers a new EAP run.
2043 logger.info("Test forced algorithm selection")
2044 for phase1 in [ "cipher=1", "cipher=2" ]:
2045 dev[0].set_network_quoted(id, "phase1", phase1)
2046 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
2048 raise Exception("EAP success timed out")
2049 dev[0].wait_connected(timeout=10)
# Forcing an unknown cipher must make negotiation fail, not fall back.
2051 logger.info("Test failed algorithm negotiation")
2052 dev[0].set_network_quoted(id, "phase1", "cipher=9")
2053 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2055 raise Exception("EAP failure timed out")
# Password differing only in the first two characters must be rejected.
2057 logger.info("Negative test with incorrect password")
2058 dev[0].request("REMOVE_NETWORK all")
2059 eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
2060 password="ffcdefghijklmnop0123456789abcdef",
2061 expect_failure=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    sake_identity = "sake user"
    # 32-byte pre-shared key given as hex.
    eap_connect(sta, apdev[0], "SAKE", sake_identity,
                password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
    eap_reauth(sta, "SAKE")

    # A key differing only in its first byte must be rejected.
    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "SAKE", sake_identity,
                password_hex="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
                expect_failure=True)
2077 def test_ap_wpa2_eap_eke(dev, apdev):
2078 """WPA2-Enterprise connection using EAP-EKE"""
# NOTE(review): lines 2091 and 2098 are absent from this listing; presumably
# the `if ev is None:` guards for the two raises below.
2079 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2080 hostapd.add_ap(apdev[0]['ifname'], params)
2081 id = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
2082 eap_reauth(dev[0], "EKE")
# Each phase1 string pins a DH group / encryption / PRF / MAC combination;
# every listed combination must still authenticate when forced.
2084 logger.info("Test forced algorithm selection")
2085 for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
2086 "dhgroup=4 encr=1 prf=2 mac=2",
2087 "dhgroup=3 encr=1 prf=2 mac=2",
2088 "dhgroup=3 encr=1 prf=1 mac=1" ]:
2089 dev[0].set_network_quoted(id, "phase1", phase1)
2090 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
2092 raise Exception("EAP success timed out")
2093 dev[0].wait_connected(timeout=10)
# Unknown values for every parameter must end in EAP failure, not fallback.
2095 logger.info("Test failed algorithm negotiation")
2096 dev[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
2097 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2099 raise Exception("EAP failure timed out")
2101 logger.info("Negative test with incorrect password")
2102 dev[0].request("REMOVE_NETWORK all")
2103 eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
2104 expect_failure=True)
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI"""
    # Integrated EAP server with its server_id set to an NAI-form value
    # instead of the default.
    ap_params = int_eap_server_params()
    ap_params['server_id'] = 'example.server@w1.fi'
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Authentication must succeed with the NAI-form server identity.
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
2113 def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
2114 """WPA2-Enterprise connection using EAP-EKE with server OOM"""
# NOTE(review): several lines are absent from this listing (2118, 2135,
# 2149-2150, 2152, 2154, 2156, 2164-2165, 2167, 2171, 2174-2176); presumably
# the `try:` of the try/except at 2169, the waits before GET_ALLOC_FAIL is
# polled, the `break` after it reports '0', and the threshold compared with
# `count` before "Too few allocation failures" is raised.
2115 params = int_eap_server_params()
2116 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2117 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
# Part 1: inject the N-th allocation failure in each server-side EKE build /
# process function; every injected failure must make the authentication fail
# cleanly (expect_failure=True) instead of crashing the AP.
2119 for count,func in [ (1, "eap_eke_build_commit"),
2120 (2, "eap_eke_build_commit"),
2121 (3, "eap_eke_build_commit"),
2122 (1, "eap_eke_build_confirm"),
2123 (2, "eap_eke_build_confirm"),
2124 (1, "eap_eke_process_commit"),
2125 (2, "eap_eke_process_commit"),
2126 (1, "eap_eke_process_confirm"),
2127 (1, "eap_eke_process_identity"),
2128 (2, "eap_eke_process_identity"),
2129 (3, "eap_eke_process_identity"),
2130 (4, "eap_eke_process_identity") ]:
2131 with alloc_fail(hapd, count, func):
2132 eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello",
2133 expect_failure=True)
2134 dev[0].request("REMOVE_NETWORK all")
# Part 2: failures in setup/teardown helpers. The "wrong" password is paired
# with eap_eke_build_failure so that the failure path is actually taken. The
# connection is not waited for; the loop only needs the injected failure to
# be hit, which GET_ALLOC_FAIL reports.
2136 for count,func,pw in [ (1, "eap_eke_init", "hello"),
2137 (1, "eap_eke_get_session_id", "hello"),
2138 (1, "eap_eke_getKey", "hello"),
2139 (1, "eap_eke_build_msg", "hello"),
2140 (1, "eap_eke_build_failure", "wrong"),
2141 (1, "eap_eke_build_identity", "hello"),
2142 (2, "eap_eke_build_identity", "hello") ]:
2143 with alloc_fail(hapd, count, func):
2144 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
2145 eap="EKE", identity="eke user", password=pw,
2146 wait_connect=False, scan_freq="2412")
2147 # This would eventually time out, but we can stop after having
2148 # reached the allocation failure.
2151 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2153 dev[0].request("REMOVE_NETWORK all")
# Part 3: sweep the allocation index in the generic server state machine
# step until alloc_fail reports that no failure could be triggered any more;
# that exception ends the sweep, and too small a count means the sweep did
# not get far enough. `pw` still holds the last value from the loop above.
2155 for count in range(1, 1000):
2157 with alloc_fail(hapd, count, "eap_server_sm_step"):
2158 dev[0].connect("test-wpa2-eap",
2159 key_mgmt="WPA-EAP WPA-EAP-SHA256",
2160 eap="EKE", identity="eke user", password=pw,
2161 wait_connect=False, scan_freq="2412")
2162 # This would eventually time out, but we can stop after having
2163 # reached the allocation failure.
2166 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2168 dev[0].request("REMOVE_NETWORK all")
# Python 2 except syntax.
2169 except Exception, e:
2170 if str(e) == "Allocation failure did not trigger":
2172 raise Exception("Too few allocation failures")
2173 logger.info("%d allocation failures tested" % (count - 1))
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2"""
    check_eap_capa(dev[0], "IKEV2")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    ikev2_identity = "ikev2 user"
    good_password = "ike password"
    eap_connect(sta, apdev[0], "IKEV2", ikev2_identity, password=good_password)
    eap_reauth(sta, "IKEV2")
    # Same credentials again, this time with station-side fragmentation.
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "IKEV2", ikev2_identity,
                password=good_password, fragment_size="50")

    # "ike-password" differs from the real password by one character.
    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "IKEV2", ikev2_identity,
                password="ike-password", expect_failure=True)
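def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation"""
    check_eap_capa(dev[0], "IKEV2")
    # The AP config is built by hand so fragment_size can be set: a 50-byte
    # fragment size forces the server to split EAP-IKEv2 messages. (The
    # original also called hostapd.wpa2_eap_params() here and immediately
    # discarded the result; that dead assignment is dropped.)
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    # The station must reassemble the fragments; re-authentication must also
    # work over the fragmented exchange.
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")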
2207 def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
2208 """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
# NOTE(review): lines 2214, 2222, 2224, 2226-2227, 2229, 2237, 2239,
# 2241-2242 are absent from this listing; presumably one more test entry,
# the `if ev is None:` guards, and the wait-for-trigger / cleanup lines
# after GET_ALLOC_FAIL / GET_FAIL are polled.
2209 check_eap_capa(dev[0], "IKEV2")
2210 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2211 hostapd.add_ap(apdev[0]['ifname'], params)
# Station-side allocation failures in the DH code used by EAP-IKEv2. The
# test only requires that the method gets selected and that the injected
# failure is reached; a "0:" prefix in GET_ALLOC_FAIL presumably means it
# has not fired yet.
2213 tests = [ (1, "dh_init"),
2215 (1, "dh_derive_shared") ]
2216 for count, func in tests:
2217 with alloc_fail(dev[0], count, func):
2218 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2219 identity="ikev2 user", password="ike password",
2220 wait_connect=False, scan_freq="2412")
2221 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2223 raise Exception("EAP method not selected")
2225 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2228 dev[0].request("REMOVE_NETWORK all")
# Same pattern with fail_test: force the random-number source used during
# dh_init to fail, i.e. the DH exchange must not proceed without entropy.
2230 tests = [ (1, "os_get_random;dh_init") ]
2231 for count, func in tests:
2232 with fail_test(dev[0], count, func):
2233 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2234 identity="ikev2 user", password="ike password",
2235 wait_connect=False, scan_freq="2412")
2236 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2238 raise Exception("EAP method not selected")
2240 if "0:" in dev[0].request("GET_FAIL"):
2243 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    pax_identity = "pax.user@example.com"
    # 16-byte pre-shared key given as hex.
    eap_connect(sta, apdev[0], "PAX", pax_identity,
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(sta, "PAX")

    # A key differing only in its first byte must be rejected.
    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "PAX", pax_identity,
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # SHA-256 AKM with management frame protection required (ieee80211w=2).
    ap_params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    ap_params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    sta = dev[0]
    psk_identity = "psk.user@example.com"
    good_key = "0123456789abcdef0123456789abcdef"
    eap_connect(sta, apdev[0], "PSK", psk_identity,
                password_hex=good_key, sha256=True)
    eap_reauth(sta, "PSK", sha256=True)

    # Both the requested and the selected AKM must be the SHA-256 suite.
    sha256_suite = "00-0f-ac-5"
    check_mib(sta, [("dot11RSNAAuthenticationSuiteRequested", sha256_suite),
                    ("dot11RSNAAuthenticationSuiteSelected", sha256_suite)])

    # The scan result must advertise the same AKM.
    bss = sta.get_bss(apdev[0]['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    if "[WPA2-EAP-SHA256-CCMP]" not in bss['flags']:
        raise Exception("Unexpected BSS flags: " + bss['flags'])

    # A key differing only in its first byte must be rejected.
    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "PSK", psk_identity,
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
2283 def test_ap_wpa2_eap_psk_oom(dev, apdev):
2284 """WPA2-Enterprise connection using EAP-PSK and OOM"""
# NOTE(review): lines 2306, 2308, 2310-2311, 2313 and 2320 are absent from
# this listing; presumably the `if ev is None:` guards and the
# wait-for-trigger / cleanup lines after GET_ALLOC_FAIL is polled.
2285 skip_with_fips(dev[0])
2286 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2287 hostapd.add_ap(apdev[0]['ifname'], params)
# Station-side allocation failures inside the AES-EAX encrypt/decrypt paths
# used by EAP-PSK (CTR and OMAC1 sub-steps plus the EAX wrappers themselves).
# Each case only needs the method to be selected and the injected failure to
# be reached.
2288 tests = [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
2289 (1, "omac1_aes_128;aes_128_eax_encrypt"),
2290 (2, "omac1_aes_128;aes_128_eax_encrypt"),
2291 (3, "omac1_aes_128;aes_128_eax_encrypt"),
2292 (1, "=aes_128_eax_encrypt"),
2293 (1, "omac1_aes_vector"),
2294 (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt"),
2295 (1, "omac1_aes_128;aes_128_eax_decrypt"),
2296 (2, "omac1_aes_128;aes_128_eax_decrypt"),
2297 (3, "omac1_aes_128;aes_128_eax_decrypt"),
2298 (1, "=aes_128_eax_decrypt") ]
2299 for count, func in tests:
2300 with alloc_fail(dev[0], count, func):
2301 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2302 identity="psk.user@example.com",
2303 password_hex="0123456789abcdef0123456789abcdef",
2304 wait_connect=False, scan_freq="2412")
2305 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2307 raise Exception("EAP method not selected")
2309 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2312 dev[0].request("REMOVE_NETWORK all")
# A failure in the core AES block operation must surface as an explicit EAP
# failure event rather than a hang or a connection.
2314 with alloc_fail(dev[0], 1, "aes_128_encrypt_block"):
2315 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2316 identity="psk.user@example.com",
2317 password_hex="0123456789abcdef0123456789abcdef",
2318 wait_connect=False, scan_freq="2412")
2319 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2321 raise Exception("EAP method failure not reported")
2322 dev[0].request("REMOVE_NETWORK all")
2324 def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
2325 """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
# NOTE(review): line 2332, the tail of the connect() call (its remaining
# keyword arguments and closing parenthesis), is absent from this listing.
# WPA (TKIP-era, non-RSN) variant: uses wpa_eap_params() and rsn=False in
# the helper calls, and the WPA OUI AKM suite (00-50-f2-1) in the MIB checks.
2326 check_eap_capa(dev[0], "MSCHAPV2")
2327 params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
2328 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2329 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
2330 identity="user", password="password", phase2="auth=MSCHAPV2",
2331 ca_cert="auth_serv/ca.pem", wait_connect=False,
2333 eap_check_auth(dev[0], "PEAP", True, rsn=False)
2334 hwsim_utils.test_connectivity(dev[0], hapd)
2335 eap_reauth(dev[0], "PEAP", rsn=False)
2336 check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
2337 ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
# STATUS-VERBOSE must expose the 802.1X port control mode and an EAP
# Session-Id. The Session-Id is expected to start with 0x19 (25, the PEAP
# EAP type code) — confirm against the EAP Session-Id derivation.
2338 status = dev[0].get_status(extra="VERBOSE")
2339 if 'portControl' not in status:
2340 raise Exception("portControl missing from STATUS-VERBOSE")
2341 if status['portControl'] != 'Auto':
2342 raise Exception("Unexpected portControl value: " + status['portControl'])
2343 if 'eap_session_id' not in status:
2344 raise Exception("eap_session_id missing from STATUS-VERBOSE")
2345 if not status['eap_session_id'].startswith("19"):
2346 raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])

    # Each entry: description, EAP method, anonymous identity, configured
    # identity (None -> requested over the control interface), phase2,
    # identity to supply on CTRL-REQ-IDENTITY, credential to supply on
    # CTRL-REQ-PASSWORD / CTRL-REQ-OTP.
    tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
               "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
               # NOTE(review): the trailing elements of this tuple are
               # missing from this listing.
              ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
               "TTLS", "ttls", None, "auth=MSCHAPV2",
               "DOMAIN\mschapv2 user", "password"),
              ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
               "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
              ("Connection with dynamic TTLS/EAP-MD5 password entry",
               "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
              ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
               "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
              ("Connection with dynamic PEAP/EAP-GTC password entry",
               "PEAP", None, "user", "auth=GTC", None, "password") ]
    for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")
        # NOTE(review): a line is missing from this listing here. Several
        # entries have req_id=None, so the identity exchange below is
        # presumably conditional on req_id -- confirm against the file.
        ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
        # NOTE(review): the condition guarding this raise is missing from
        # this listing.
            raise Exception("Request for identity timed out")
        # The request id is the last '-'-separated field before the ':' in
        # "CTRL-REQ-IDENTITY-<id>:<text>"; the reply must echo it.
        id = ev.split(':')[0].split('-')[-1]
        dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
        # NOTE(review): the condition guarding this raise is missing from
        # this listing.
            raise Exception("Request for password timed out")
        id = ev.split(':')[0].split('-')[-1]
        # Either request type may arrive; the reply must use the same type.
        type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
        dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
        dev[0].wait_connected(timeout=10)
        dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ext_enable_network_while_connected(dev, apdev):
    """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])

    # A second, open network is added but not selected; enabling it later
    # must not disturb the already established EAP connection.
    id_other = dev[0].connect("other", key_mgmt="NONE", scan_freq="2412",
                              only_add_network=True)

    req_id = "DOMAIN\mschapv2 user"
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   anonymous_identity="ttls", identity=None,
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
    # NOTE(review): the condition guarding this raise is missing from this
    # listing.
        raise Exception("Request for identity timed out")
    id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
    dev[0].wait_connected(timeout=10)

    if "OK" not in dev[0].request("ENABLE_NETWORK " + str(id_other)):
        raise Exception("Failed to enable network")
    ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=1)
    # NOTE(review): the condition guarding this raise is missing from this
    # listing; given the message it presumably fires when the event WAS
    # seen within the 1 s window -- confirm.
        raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_vendor_test(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
    eap_reauth(dev[0], "VENDOR-TEST")
    eap_connect(dev[1], apdev[0], "VENDOR-TEST", "vendor-test",
                # NOTE(review): the remaining argument line(s) of this call
                # are missing from this listing.
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
    # fast_provisioning=1 provisions the PAC without authenticating the
    # server; the follow-up reauthentication must then resume the TLS
    # session from that PAC rather than run a full handshake.
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta_cfg = dict(anonymous_identity="FAST", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    eap_connect(dev[0], apdev[0], "FAST", "user", **sta_cfg)
    hwsim_utils.test_connectivity(dev[0], ap)
    reauth = eap_reauth(dev[0], "FAST")
    reused = reauth['tls_session_reused']
    if reused != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
    # PAC files hold the PAC-Key credential in the clear; they are written
    # under the test log directory and removed at the end of the test.
    check_eap_capa(dev[0], "FAST")
    pac_file = os.path.join(params['logdir'], "fast.pac")
    pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): lines are missing from this listing here (likely the
    # start of the block whose cleanup is the os.remove() at the end).
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file=pac_file)
    with open(pac_file, "r") as f:
        # NOTE(review): the line reading the file into `data` is missing
        # from this listing.
    # Text-format PAC file: header line plus at least one PAC-Key entry.
    if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
        raise Exception("PAC file header missing")
    if "PAC-Key=" not in data:
        raise Exception("PAC-Key missing from PAC file")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                # NOTE(review): the remaining argument line(s) of this call
                # are missing from this listing.
    # Second station: provision a binary-format PAC file, then reconnect
    # using only that file (no provisioning allowed).
    eap_connect(dev[1], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1 fast_pac_format=binary",
                # NOTE(review): the remaining argument line(s) of this call
                # are missing from this listing.
    dev[1].request("REMOVE_NETWORK all")
    eap_connect(dev[1], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_pac_format=binary",
                # NOTE(review): several lines are missing from this listing
                # between here and the cleanup below (remaining arguments,
                # binary PAC checks, and the enclosing cleanup clause).
    os.remove(pac_file2)
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Provision into a binary-format PAC blob that is capped at one entry;
    # the reauthentication must still find and reuse that single PAC.
    phase1_opts = "fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary"
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1=phase1_opts,
                pac_file="blob://fast_pac_bin")
    if eap_reauth(dev[0], "FAST")['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Case 1: a pac_file blob that was never provisioned and no
    # fast_provisioning option -> the method must fail rather than connect.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   pac_file="blob://fast_pac_not_in_use",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the condition guarding this raise is missing from this
    # listing.
        raise Exception("Timeout on EAP failure report")
    dev[0].request("REMOVE_NETWORK all")

    # Case 2: no pac_file at all -> same expected failure.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the condition guarding this raise is missing from this
    # listing.
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # fast_provisioning=2: authenticated provisioning, so the server
    # certificate is checked against ca_cert before a PAC is accepted.
    sta_cfg = dict(anonymous_identity="FAST", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                   phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
    eap_connect(dev[0], apdev[0], "FAST", "user", **sta_cfg)
    hwsim_utils.test_connectivity(dev[0], ap)
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    id = eap_connect(dev[0], apdev[0], "FAST", "user",
                     anonymous_identity="FAST", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                     phase1="fast_provisioning=2",
                     pac_file="blob://fast_pac_auth")
    # Changing the identity after provisioning: the PAC was issued for
    # "user", so the renewed EAP-FAST exchange as "user2" is expected to be
    # rejected rather than silently reuse the old credential.
    dev[0].set_network_quoted(id, "identity", "user2")
    dev[0].wait_disconnected()
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    # NOTE(review): the condition guarding this raise is missing from this
    # listing.
        raise Exception("EAP-FAST not started")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    # NOTE(review): the condition guarding this raise is missing from this
    # listing.
        raise Exception("EAP failure not reported")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
    check_eap_capa(dev[0], "FAST")
    # The PRF entry point to fail depends on the TLS backend the build uses.
    tls = dev[0].request("GET tls_library")
    if tls.startswith("OpenSSL"):
        func = "openssl_tls_prf"
        # NOTE(review): a line is missing from this listing here (the
        # `count` used by alloc_fail() below is presumably set per backend).
    elif tls.startswith("internal"):
        func = "tls_connection_prf"
        # NOTE(review): lines are missing from this listing here (the
        # `count` assignment and the `else:` introducing the skip below).
        raise HwsimSkip("Unsupported TLS library")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Inject an allocation failure into the PRF; the method must fail
    # cleanly with an EAP failure event instead of crashing or connecting.
    with alloc_fail(dev[0], count, func):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password", ca_cert="auth_serv/ca.pem",
                       # NOTE(review): an argument line (phase2) is missing
                       # from this listing here.
                       phase1="fast_provisioning=2",
                       pac_file="blob://fast_pac_auth",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        # NOTE(review): the condition guarding this raise is missing from
        # this listing.
            raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
    """EAP-FAST/MSCHAPv2 and server OOM"""
    check_eap_capa(dev[0], "FAST")

    # hostapd's integrated EAP server with EAP-FAST enabled: the PAC-Opaque
    # encryption key and A-ID are test fixtures only.
    params = int_eap_server_params()
    params['dh_file'] = 'auth_serv/dh.conf'
    params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
    params['eap_fast_a_id'] = '1011'
    params['eap_fast_a_id_info'] = 'another test server'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    # Fail the first allocation in the server's session-ticket callback; the
    # station must observe a clean EAP failure.
    with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
        id = eap_connect(dev[0], apdev[0], "FAST", "user",
                         anonymous_identity="FAST", password="password",
                         ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                         phase1="fast_provisioning=1",
                         pac_file="blob://fast_pac",
                         expect_failure=True)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        # NOTE(review): the condition guarding this raise is missing from
        # this listing.
            raise Exception("No EAP failure reported")
        dev[0].wait_disconnected()
        dev[0].request("DISCONNECT")

    # Once the injected failure is over, the same network must be usable.
    dev[0].select_network(id, freq="2412")
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # ocsp=2: a stapled OCSP response is required and must be good for the
    # connection to complete. Client credentials come from a PKCS#12 bundle.
    client_cfg = dict(ca_cert="auth_serv/ca.pem",
                      private_key="auth_serv/user.pkcs12",
                      private_key_passwd="whatever", ocsp=2)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **client_cfg)
def int_eap_server_params():
    # Base hostapd configuration for tests that use hostapd's integrated EAP
    # server (eap_server=1) with the auth_serv/ fixtures: user database, CA
    # certificate, server certificate and key. Callers extend the returned
    # dict (e.g. ocsp_stapling_response, dh_file, alternative server_cert).
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "ca_cert": "auth_serv/ca.pem",
               "server_cert": "auth_serv/server.pem",
               "private_key": "auth_serv/server.key" }
    # NOTE(review): the return statement is missing from this listing; the
    # callers below use the result as a dict.
def test_ap_wpa2_eap_tls_ocsp_key_id(dev, apdev, params):
    """EAP-TLS and OCSP certificate signed OCSP response using key ID"""
    check_ocsp_support(dev[0])
    # Pre-generated response (signer identified by key ID rather than by
    # name); skip when the test setup did not produce it.
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-key-id.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    # ocsp=2 requires the stapled response; this variant is expected to
    # connect.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   # NOTE(review): the closing argument line of this call is
                   # missing from this listing.
def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (good)"""
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Response signed directly by the CA with status "good": with ocsp=2
    # (stapling required) the connection is expected to succeed.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   # NOTE(review): the closing argument line of this call is
                   # missing from this listing.
def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (revoked)"""
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    # ocsp=2 makes a valid stapled response mandatory; a "revoked" status
    # must abort the TLS handshake and surface as an EAP failure.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): lines are missing from this listing here and between
    # the checks below: judging by the final error text, the EAP-STATUS
    # events are presumably consumed in a bounded loop until the
    # bad-status / revoked message is seen -- confirm against the file.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    if 'certificate revoked' in ev:
    raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the condition guarding this raise is missing from this
    # listing.
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (unknown)"""
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    # With ocsp=2 an "unknown" certificate status is treated as a bad
    # response: the supplicant must fail closed rather than connect.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): lines are missing from this listing here and around
    # the check below (presumably a bounded loop over EAP-STATUS events and
    # the body of the bad-status check) -- confirm against the file.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the condition guarding this raise is missing from this
    # listing.
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_server_signed(dev, apdev, params):
    """EAP-TLS and server signed OCSP response"""
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-server-signed.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    # A response signed by the server's own certificate is not an
    # authorized OCSP signer; with ocsp=2 it must be rejected.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): lines are missing from this listing here and around
    # the check below (presumably a bounded loop over EAP-STATUS events and
    # the body of the bad-status check) -- confirm against the file.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the condition guarding this raise is missing from this
    # listing.
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
    check_ocsp_support(dev[0])
    params = int_eap_server_params()
    # Staple an OCSP *request* where a response is expected: the client
    # must treat the undecodable status data as a bad response.
    params["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): lines are missing from this listing here and around
    # the check below (presumably a bounded loop over EAP-STATUS events and
    # the body of the bad-status check) -- confirm against the file.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the condition guarding this raise is missing from this
    # listing.
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
    check_ocsp_support(dev[0])
    params = int_eap_server_params()
    # A syntactically broken stapled response; ocsp=2 must reject it.
    params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): lines are missing from this listing here and around
    # the check below (presumably a bounded loop over EAP-STATUS events and
    # the body of the bad-status check) -- confirm against the file.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the condition guarding this raise is missing from this
    # listing.
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
    check_ocsp_support(dev[0])
    params = int_eap_server_params()
    # Response signed by a key the client cannot chain to a trusted OCSP
    # signer; it must be rejected under ocsp=2.
    params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): lines are missing from this listing here and around
    # the check below (presumably a bounded loop over EAP-STATUS events and
    # the body of the bad-status check) -- confirm against the file.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the condition guarding this raise is missing from this
    # listing.
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Same fail-closed expectation as the EAP-TLS variant, but for the
    # TTLS outer tunnel: a revoked server certificate must never let the
    # inner PAP password be sent.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): lines are missing from this listing here and between
    # the checks below (presumably a bounded loop over EAP-STATUS events
    # and the bodies of the two checks) -- confirm against the file.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    if 'certificate revoked' in ev:
    raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the condition guarding this raise is missing from this
    # listing.
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown"""
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    # ocsp=2 (required): an "unknown" status is a bad response and must
    # abort the TTLS handshake before any inner credential is sent.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): lines are missing from this listing here and around
    # the check below (presumably a bounded loop over EAP-STATUS events and
    # the body of the bad-status check) -- confirm against the file.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the condition guarding this raise is missing from this
    # listing.
        raise Exception("Timeout on EAP failure report")
2892 def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
2893 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
2894 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
2895 if not os.path.exists(ocsp):
2896 raise HwsimSkip("No OCSP response available")
2897 params = int_eap_server_params()
2898 params["ocsp_stapling_response"] = ocsp
2899 hostapd.add_ap(apdev[0]['ifname'], params)
2900 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2901 identity="pap user", ca_cert="auth_serv/ca.pem",
2902 anonymous_identity="ttls", password="password",
2903 phase2="auth=PAP", ocsp=1, scan_freq="2412")
def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
    check_domain_match_full(dev[0])
    params = int_eap_server_params()
    # Server certificate without a dNSName SAN, so matching falls back to
    # the subject CN (server3.w1.fi).
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Suffix equal to the full CN must be accepted.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="server3.w1.fi",
                   # NOTE(review): the closing argument line of this call is
                   # missing from this listing.
def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain match (CN)"""
    check_domain_match(dev[0])
    params = int_eap_server_params()
    # No dNSName SAN in the server certificate: domain_match is evaluated
    # against the subject CN.
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # domain_match requires the full name to be equal; the CN is
    # server3.w1.fi, so this is the positive case.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="server3.w1.fi",
                   # NOTE(review): the closing argument line of this call is
                   # missing from this listing.
def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
    check_domain_match_full(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # A proper parent-domain suffix ("w1.fi") of the CN server3.w1.fi must
    # match. Uses dev[1] (not dev[0]) for the connection.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="w1.fi",
                   # NOTE(review): the closing argument line of this call is
                   # missing from this listing.
def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
    check_domain_suffix_match(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Negative case 1: an unrelated domain must not match the CN
    # server3.w1.fi.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="example.com",
                   # NOTE(review): the closing argument line of this call is
                   # missing from this listing.
    # Negative case 2: "erver3.w1.fi" is a string suffix of the CN but not a
    # DNS-label-aligned one; suffix matching must be anchored on label
    # boundaries, so this must be rejected too.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="erver3.w1.fi",
                   # NOTE(review): the closing argument line of this call is
                   # missing from this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the condition guarding this raise is missing from this
    # listing.
        raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the condition guarding this raise is missing from this
    # listing.
        raise Exception("Timeout on EAP failure report (2)")
def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
    check_domain_match(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Negative case 1: unrelated domain.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="example.com",
                   # NOTE(review): the closing argument line of this call is
                   # missing from this listing.
    # Negative case 2: "w1.fi" is a valid *suffix* of the CN server3.w1.fi
    # (accepted by domain_suffix_match elsewhere in this file) but
    # domain_match requires full equality, so it must fail here.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="w1.fi",
                   # NOTE(review): the closing argument line of this call is
                   # missing from this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the condition guarding this raise is missing from this
    # listing.
        raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the condition guarding this raise is missing from this
    # listing.
        raise Exception("Timeout on EAP failure report (2)")
def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and expired certificate"""
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-expired.pem"
    params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Default validation: an expired server certificate must be reported
    # via CTRL-EVENT-EAP-TLS-CERT-ERROR and the authentication must fail.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): the closing argument line(s) of this call
                   # are missing from this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
    # NOTE(review): the condition guarding this raise is missing from this
    # listing.
        raise Exception("Timeout on EAP certificate error report")
    # reason=4 together with the textual reason identifies the
    # expiration case specifically (not some other chain failure).
    if "reason=4" not in ev or "certificate has expired" not in ev:
        raise Exception("Unexpected failure reason: " + ev)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the condition guarding this raise is missing from this
    # listing.
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-expired.pem"
    params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # tls_disable_time_checks=1 explicitly opts out of validity-period
    # checking, so the same expired certificate is now accepted. This is a
    # deliberately weakened configuration exercised only to test the knob.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   phase1="tls_disable_time_checks=1",
                   # NOTE(review): the closing argument line of this call is
                   # missing from this listing.
def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    # Certificate with a far-future notAfter; checks that time handling in
    # the TLS layer copes with such a validity period.
    params["server_cert"] = "auth_serv/server-long-duration.pem"
    params["private_key"] = "auth_serv/server-long-duration.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): the closing argument line of this call is
                   # missing from this listing.
def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    # Server certificate whose Extended Key Usage permits only client
    # authentication; the supplicant must refuse to accept it as a server.
    params["server_cert"] = "auth_serv/server-eku-client.pem"
    params["private_key"] = "auth_serv/server-eku-client.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): the closing argument line(s) of this call
                   # are missing from this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the condition guarding this raise is missing from this
    # listing.
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    # EKU lists both clientAuth and serverAuth: serverAuth is present, so
    # the certificate is acceptable for the server role (positive case,
    # complementing the client-EKU-only test above).
    params["server_cert"] = "auth_serv/server-eku-client-server.pem"
    params["private_key"] = "auth_serv/server-eku-client-server.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): the closing argument line of this call is
                   # missing from this listing.
def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    # The server loads certificate and key from one PKCS#12 bundle via
    # private_key, so the separate server_cert entry must be dropped.
    del params["server_cert"]
    params["private_key"] = "auth_serv/server.pkcs12"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): the closing argument line of this call is
                   # missing from this listing.
3089 def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
3090 """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params"""
3091 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3092 hostapd.add_ap(apdev[0]['ifname'], params)
3093 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3094 anonymous_identity="ttls", password="password",
3095 ca_cert="auth_serv/ca.der", phase2="auth=PAP",
3096 dh_file="auth_serv/dh.conf")
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)"""
    # DSA-style parameter file on the station side; skipped when the TLS
    # library in use cannot consume it.
    check_dh_dsa_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                   dh_file="auth_serv/dsaparam.pem")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **sta_cfg)
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TTLS and DH params file not found"""
    # NOTE(review): a second function with this exact name is defined later
    # in this file (the server-side dh_file not found case). The later
    # definition rebinds the module attribute, so this station-side test
    # case is shadowed and never collected; one of the two needs a distinct
    # name (e.g. a _server suffix on the later one).
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # A dh_file that does not exist must make the station's EAP attempt
    # fail rather than proceed without the configured parameters.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   dh_file="auth_serv/dh-no-such-file.conf",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the condition guarding this raise is missing from this
    # listing.
        raise Exception("EAP failure timed out")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TTLS and invalid DH params file"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # dh_file points at a CA certificate, not DH parameters: the file exists
    # but cannot be parsed as dhparams, and the attempt must fail.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   dh_file="auth_serv/ca.pem",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the condition guarding this raise is missing from this
    # listing.
        raise Exception("EAP failure timed out")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params from blob

    The DH parameter file is read with read_pem() (defined elsewhere in this
    file), pushed into wpa_supplicant as a named blob over the control
    interface, and then referenced through dh_file="blob://dhparams".
    """
    station = dev[0]
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # str.encode("hex") is the Python 2 idiom for hex-encoding a byte string;
    # it does not exist on Python 3 str objects.
    dh_hex = read_pem("auth_serv/dh2.conf").encode("hex")
    reply = station.request("SET blob dhparams " + dh_hex)
    if "OK" not in reply:
        raise Exception("Could not set dhparams blob")
    eap_connect(station, apdev[0], "TTLS", "pap user",
                dh_file="blob://dhparams", phase2="auth=PAP",
                ca_cert="auth_serv/ca.der", password="password",
                anonymous_identity="ttls")
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams

    The integrated EAP server in hostapd is pointed at a non-default DH
    parameter file via dh_file; a plain EAP-TTLS/PAP connection from the
    station is expected to succeed against it.
    """
    server_params = int_eap_server_params()
    server_params.update(dh_file="auth_serv/dh2.conf")
    hostapd.add_ap(apdev[0]['ifname'], server_params)
    station = dev[0]
    eap_connect(station, apdev[0], "TTLS", "pap user",
                phase2="auth=PAP", ca_cert="auth_serv/ca.der",
                password="password", anonymous_identity="ttls")
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)

    Same as the non-DSA server variant, but hostapd's EAP server is given a
    DSA parameter file as dh_file; EAP-TTLS/PAP is expected to succeed.
    """
    server_params = int_eap_server_params()
    server_params.update(dh_file="auth_serv/dsaparam.pem")
    hostapd.add_ap(apdev[0]['ifname'], server_params)
    station = dev[0]
    eap_connect(station, apdev[0], "TTLS", "pap user",
                phase2="auth=PAP", ca_cert="auth_serv/ca.der",
                password="password", anonymous_identity="ttls")
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TLS server and dhparams file not found

    NOTE(review): a function with this same name is defined earlier in this
    file (the station-side dh_file variant). Because this later def rebinds
    the module attribute, only this server-side case is reachable by name;
    one of the two should be renamed.

    The AP is added without enabling it so the result of the ENABLE request
    can be checked directly: a dh_file that does not exist must be rejected.
    """
    server_params = int_eap_server_params()
    server_params.update(dh_file="auth_serv/dh-no-such-file.conf")
    hapd = hostapd.add_ap(apdev[0]['ifname'], server_params, no_enable=True)
    reply = hapd.request("ENABLE")
    if "FAIL" not in reply:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TLS server and invalid dhparams file

    NOTE(review): a function with this same name is defined earlier in this
    file (the station-side dh_file variant); this later def shadows it, so
    one of the two should be renamed.

    The AP is added without enabling it so the result of the ENABLE request
    can be checked directly: a dh_file that holds a CA certificate rather
    than DH parameters must be rejected.
    """
    server_params = int_eap_server_params()
    server_params.update(dh_file="auth_serv/ca.pem")
    hapd = hostapd.add_ap(apdev[0]['ifname'], server_params, no_enable=True)
    reply = hapd.request("ENABLE")
    if "FAIL" not in reply:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_reauth(dev, apdev):
    """WPA2-Enterprise and Authenticator forcing reauthentication"""
    # NOTE(review): several lines are missing from this rendering (the guard
    # before each of the two raises, the loop's exit statement after the
    # COMPLETED check and whatever delay it used). Comments below cover only
    # the visible statements -- confirm against the source file.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Short eap_reauth_period (presumably seconds) so the Authenticator
    # triggers a fresh EAP exchange well within the 10 s waits below.
    params['eap_reauth_period'] = '2'
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    logger.info("Wait for reauthentication")
    # A second EAP-STARTED after the initial connection is the
    # server-forced reauthentication; it must then complete with EAP-SUCCESS.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    raise Exception("Timeout on reauthentication")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    raise Exception("Timeout on reauthentication")
    # Poll wpa_state (up to 20 iterations) until the supplicant reports
    # COMPLETED again after the reauthentication.
    for i in range(0, 20):
        state = dev[0].get_status_field("wpa_state")
        if state == "COMPLETED":
    if state != "COMPLETED":
        raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity

    hostapd's eap_message option is set to a displayable string followed,
    after the literal "\\0" written into the configuration value, by a
    comma-separated option list; the EAP-PAX connection must still succeed
    with that message present in the Request-Identity.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    station = dev[0]
    eap_connect(station, apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication

    hostapd's integrated EAP server is pointed at the hlr_auc_gw socket and
    configured with eap_sim_aka_result_ind=1. For each of EAP-SIM, EAP-AKA
    and EAP-AKA' the test runs, in this order: dev[0] connects with
    phase1="result_ind=1", dev[0] reauthenticates, and dev[1] connects
    without requesting the result indication. Profiles on both stations are
    removed before switching to the next method. The password strings are
    fixed test-subscriber key material in the colon-separated hex form
    hlr_auc_gw presumably expects.
    """
    check_hlr_auc_gw_support()
    server_params = int_eap_server_params()
    server_params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    server_params['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], server_params)

    cases = [
        ("SIM", "1232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("AKA", "0232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    for idx, (method, imsi, secret) in enumerate(cases):
        if idx:
            # Drop the previous method's network profiles before the next one
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], method, imsi, password=secret,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], apdev[0], method, imsi, password=secret)
def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
    """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
    # NOTE(review): two lines are missing from this rendering: the final
    # argument line of the connect() call below (so the call is left
    # unclosed here) and the guard before the raise. Confirm against the
    # source file.
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Negative test: the connection is not expected to complete
    # (wait_connect=False); instead the supplicant should hit its EAP
    # roundtrip limit and log the "EAP: more than" message waited for below.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="TTLS", identity="mschap user",
                   wait_connect=False, scan_freq="2412", ieee80211w="1",
                   anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    ev = dev[0].wait_event(["EAP: more than"], timeout=20)
    raise Exception("EAP roundtrip limit not reached")
def test_ap_wpa2_eap_expanded_nak(dev, apdev):
    """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
    # NOTE(review): this rendering drops several lines of the function: the
    # tail of the connect() call (left unclosed here), the guards before each
    # raise, and the statements inside the "refuse proposed method" branch.
    # Only the visible statements are annotated -- confirm against the
    # source file.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # The station offers EAP-PSK with an identity ("vendor-test") that the
    # server is presumably configured to answer with a vendor-specific
    # method, so the exchange is expected to end in a NAK and EAP failure.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="PSK", identity="vendor-test",
                   password_hex="ff23456789abcdef0123456789abcdef",
    # Look at up to five EAP status events for the "refuse proposed method"
    # status; any other status text is treated as a test failure.
    for i in range(0, 5):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
        raise Exception("Association and EAP start timed out")
        if "refuse proposed method" in ev:
        raise Exception("Unexpected EAP status: " + ev)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("EAP failure timed out")
def test_ap_wpa2_eap_sql(dev, apdev, params):
    """WPA2-Enterprise connection using SQLite for user DB"""
    # NOTE(review): lines are missing from this rendering around the sqlite3
    # import (the HwsimSkip below is presumably inside an ImportError
    # handler), around removal of any stale dbfile, and where the cursor
    # `cur` is created from `con` -- confirm against the source file.
    skip_with_fips(dev[0])
    raise HwsimSkip("No sqlite3 module available")
    # The user database is created under the test log directory so it is
    # kept with the other artifacts of this run.
    dbfile = os.path.join(params['logdir'], "eap-user.db")
    con = sqlite3.connect(dbfile)
    # Schema mirrors what hostapd's sqlite eap_user_file backend reads:
    # exact-identity users with their allowed (phase2) method and password,
    # plus a wildcard row ('' identity) listing the permitted phase-1
    # methods. The 'password' values here are fixed test fixtures.
    cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
    cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
    cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
    cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
    # Note: `params` is rebound here from the test fixture dict (whose
    # 'logdir' was consumed above) to the hostapd configuration dict.
    params = int_eap_server_params()
    params["eap_user_file"] = "sqlite:" + dbfile
    hostapd.add_ap(apdev[0]['ifname'], params)
    # One connection per inner method row, alternating stations so that each
    # station's previous profile is removed before it is reused.
    eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
    dev[1].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
    eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity"""
    # NOTE(review): the guard before each raise inside the loop is missing
    # from this rendering -- confirm against the source file.
    params = int_eap_server_params()
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Identities containing a lone 0x80 byte (not valid UTF-8), alone and
    # after an ASCII character. Only the start of EAP and method selection
    # are checked; no successful connection is expected (wait_connect=False).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="\x80", password="password", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="a\x80", password="password", wait_connect=False)
    for i in range(0, 2):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        raise Exception("EAP method selection timed out")
def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity"""
    # Same as test_ap_wpa2_eap_non_ascii_identity but against the
    # wpa2_eap_params() AP (external RADIUS path) instead of the integrated
    # EAP server.
    # NOTE(review): the guard before each raise inside the loop is missing
    # from this rendering -- confirm against the source file.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Identities containing a lone 0x80 byte (not valid UTF-8); only EAP
    # start and method selection are checked, no connection is awaited.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="\x80", password="password", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="a\x80", password="password", wait_connect=False)
    for i in range(0, 2):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        raise Exception("EAP method selection timed out")
def test_openssl_cipher_suite_config_wpas(dev, apdev):
    """OpenSSL cipher suite configuration on wpa_supplicant"""
    # NOTE(review): two lines are missing from this rendering: the last
    # argument line of the dev[2].connect() call (left unclosed here) and
    # the guard before the raise that follows wait_event(). Confirm against
    # the source file.
    # openssl_ciphers is an OpenSSL cipher-list string, so this only makes
    # sense when the station's TLS backend is OpenSSL.
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls)
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # A cipher list the server can satisfy: connection must succeed.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="AES128",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Export-grade ciphers only: the handshake is expected to fail
    # (expect_failure=True); maybe_local_error allows the failure to be
    # reported locally before any server response.
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="EXPORT",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                expect_failure=True, maybe_local_error=True)
    # A cipher string OpenSSL cannot parse: EAP must fail and the failure
    # must be reported on the control interface.
    dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password",
                   openssl_ciphers="FOO",
                   ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
    ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    raise Exception("EAP failure after invalid openssl_ciphers not reported")
    dev[2].request("DISCONNECT")
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd

    Both ends must use OpenSSL (the option is an OpenSSL cipher-list
    string); otherwise the test is skipped. hostapd's integrated EAP server
    is restricted to "AES256" and three stations connect with EAP-TTLS/PAP:
    one with the default cipher list (expected to succeed), one restricted
    to "AES128" (expected to fail against the AES256-only server) and one
    with "HIGH:!ADH" (expected to succeed). Finally a second AP configured
    with an unparsable cipher string must be rejected at ENABLE time.
    """
    def require_openssl(ctrl, who):
        lib = ctrl.request("GET tls_library")
        if not lib.startswith("OpenSSL"):
            raise HwsimSkip(who + " TLS library is not OpenSSL: " + lib)

    require_openssl(dev[0], "wpa_supplicant")
    server_params = int_eap_server_params()
    server_params['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], server_params)
    require_openssl(hapd, "hostapd")

    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **common)
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", expect_failure=True, **common)
    eap_connect(dev[2], apdev[0], "TTLS", "pap user",
                openssl_ciphers="HIGH:!ADH", **common)

    server_params['openssl_ciphers'] = "FOO"
    hapd2 = hostapd.add_ap(apdev[1]['ifname'], server_params, no_enable=True)
    reply = hapd2.request("ENABLE")
    if "FAIL" not in reply:
        raise Exception("Invalid openssl_ciphers value accepted")
def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
    """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
    # Purpose: take snapshots of the wpa_supplicant process memory at several
    # points (associated, after disconnect, after PMKSA/fast-reauth flush,
    # after profile removal) and check which pieces of key material are
    # still resident at each point. get_key_locations() only reports where
    # a value is found; verify_not_present() fails the test (writing a
    # memory-context dump under `fname`) when the value is still present.
    #
    # NOTE(review): this rendering omits many lines of the function (its own
    # numbering jumps in over a dozen places): the eloop-sync step mentioned
    # in the comment below, the initialisation of msk/emsk/pmk/ptk/gtk, the
    # GTK length check, the derivation of kck/kek/tk from ptk, and the guard
    # before each bare raise. Names such as kck, kek and tk are therefore
    # used below without a visible assignment. Confirm against the source.
    p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], p)
    # Long, random-looking password, presumably chosen so that it is
    # unlikely to appear in process memory for any reason other than this
    # network profile.
    password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
    pid = find_wpas_process(dev[0])
    # `id` shadows the builtin; it holds the network id returned by
    # eap_connect() and is reused for set_network_quoted() below.
    id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
                     anonymous_identity="ttls", password=password,
                     ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
    # event has been delivered, so verify that wpa_supplicant has returned to
    # eloop before reading process memory.
    buf = read_process_memory(pid, password)
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Recover the reference key values from the station's debug log
    # ('log0' in the log directory) by parsing the hexdump lines; the hex
    # payload is the fourth ':'-separated field with spaces removed.
    with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
        for l in f.readlines():
            if "EAP-TTLS: Derived key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                msk = binascii.unhexlify(val)
            if "EAP-TTLS: Derived EMSK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                emsk = binascii.unhexlify(val)
            if "WPA: PMK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                pmk = binascii.unhexlify(val)
            if "WPA: PTK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                ptk = binascii.unhexlify(val)
            if "WPA: Group Key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                gtk = binascii.unhexlify(val)
    if not msk or not emsk or not pmk or not ptk or not gtk:
        raise Exception("Could not find keys from debug log")
    raise Exception("Unexpected GTK length")
    # Prefix for memory-context dump files written by verify_not_present().
    fname = os.path.join(params['logdir'],
                         'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
    # Snapshot 1 (taken while associated, before the DISCONNECT above):
    # password, PMK, KCK and KEK are expected to be resident; TK and GTK are
    # expected to be absent (they live in the driver, not the supplicant).
    # Password/PMK absence is a skip rather than a failure: the memory
    # reader presumably could not see the relevant region.
    logger.info("Checking keys in memory while associated")
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    if password not in buf:
        raise HwsimSkip("Password not found while associated")
    raise HwsimSkip("PMK not found while associated")
    raise Exception("KCK not found while associated")
    raise Exception("KEK not found while associated")
    raise Exception("TK found from memory")
    get_key_locations(buf, gtk, "GTK")
    raise Exception("GTK found from memory")
    # Snapshot 2: after disassociation the per-association keys (KCK, KEK,
    # TK, GTK) must be gone; password and PMK legitimately remain.
    logger.info("Checking keys in memory after disassociation")
    buf = read_process_memory(pid, password)
    # Note: Password is still present in network configuration
    # Note: PMK is in PMKSA cache and EAP fast re-auth data
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")
    # Snapshot 3: flush the PMKSA cache and invalidate the EAP fast re-auth
    # state (changing the profile's identity); the PMK must now be gone.
    dev[0].request("PMKSA_FLUSH")
    dev[0].set_network_quoted(id, "identity", "foo")
    logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
    buf = read_process_memory(pid, password)
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, pmk, fname, "PMK")
    # Snapshot 4: with the network profile removed nothing derived from it
    # -- including the password itself -- may remain in process memory.
    dev[0].request("REMOVE_NETWORK all")
    logger.info("Checking keys in memory after network profile removal")
    buf = read_process_memory(pid, password)
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, password, fname, "password")
    verify_not_present(buf, pmk, fname, "PMK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")
    verify_not_present(buf, msk, fname, "MSK")
    verify_not_present(buf, emsk, fname, "EMSK")
def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
    """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
    # NOTE(review): the line between the EAPOL_RX request and the raise is
    # missing from this rendering; the raise is presumably guarded by a check
    # of `res` -- confirm against the source file.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    bssid = apdev[0]['bssid']
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Send unexpected WEP EAPOL-Key; this gets dropped
    # EAPOL_RX injects a raw EAPOL frame (hex) as if received from `bssid`;
    # the check is only that the control-interface command itself is
    # accepted, not that any state changes -- a WEP-style key frame is not
    # meaningful on an RSN association.
    res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
    raise Exception("EAPOL_RX to wpa_supplicant failed")
def test_ap_wpa2_eap_in_bridge(dev, apdev):
    """WPA2-EAP and wpas interface in a bridge"""
    # NOTE(review): this rendering omits the lines that assign br_ifname and
    # ifname and the try/finally that wraps the body; the four subprocess
    # calls below read as the finally-block cleanup. Confirm against the
    # source file.
    _test_ap_wpa2_eap_in_bridge(dev, apdev)
    # Best-effort teardown: bring the bridge down, detach the station
    # interface, delete the bridge and turn 4addr mode off again. Exit
    # statuses are deliberately ignored (subprocess.call) so a partially
    # set-up bridge is still cleaned as far as possible; argv lists are
    # used, so no shell is involved.
    subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
    subprocess.call(['brctl', 'delif', br_ifname, ifname])
    subprocess.call(['brctl', 'delbr', br_ifname])
    subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
def _test_ap_wpa2_eap_in_bridge(dev, apdev):
    """Body of test_ap_wpa2_eap_in_bridge (cleanup is done by the caller).

    Creates a Linux bridge, puts the extra station interface into it with
    4-address mode enabled, and runs an EAP-PAX connection plus two
    reauthentications and a disconnect/reconnect cycle through the bridge.
    """
    # NOTE(review): several lines are missing from this rendering, including
    # the assignments of br_ifname and ifname used below and a few
    # statements between the eap_connect/eap_reauth calls. Confirm against
    # the source file.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Separate wpa_supplicant instance managing the bridged interface.
    wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
    # Bridge setup. subprocess.call ignores failures of the first steps;
    # only attaching the interface (check_call) aborts the test on error.
    # argv lists are used, so no shell is involved.
    subprocess.call(['brctl', 'addbr', br_ifname])
    subprocess.call(['brctl', 'setfd', br_ifname, '0'])
    subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
    subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
    subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
    wpas.interface_add(ifname, br_ifname=br_ifname)
    # `id` shadows the builtin; it holds the network id from eap_connect().
    id = eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
                     password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(wpas, "PAX")
    # Try again as a regression test for packet socket workaround
    eap_reauth(wpas, "PAX")
    wpas.request("DISCONNECT")
    wpas.wait_disconnected()
    wpas.request("RECONNECT")
    wpas.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled

    After a sanity check that GET_CONFIG reports WPA-EAP as the first AKM,
    the station connects with phase1="tls_disable_session_ticket=0" (session
    tickets allowed) and then reauthenticates once.
    """
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    station = dev[0]
    eap_connect(station, apdev[0], "TTLS", "pap user",
                phase1="tls_disable_session_ticket=0", phase2="auth=PAP",
                ca_cert="auth_serv/ca.pem", password="password",
                anonymous_identity="ttls")
    eap_reauth(station, "TTLS")
def test_ap_wpa2_eap_no_workaround(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
    # NOTE(review): the final argument line of the eap_connect() call is
    # missing from this rendering, so the call is left unclosed here.
    # Confirm against the source file.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Sanity check of GET_CONFIG: the first key_mgmt entry must be WPA-EAP.
    key_mgmt = hapd.get_config()['key_mgmt']
    if key_mgmt.split(' ')[0] != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # eap_workaround='0' disables the supplicant's interoperability
    # workarounds; the connection and a reauthentication must still succeed.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
    """EAP-TLS and server checking CRL"""
    # NOTE(review): this rendering drops the lines around each hapd.set()
    # call (presumably the AP is disabled before and re-enabled after
    # changing its configuration) -- confirm against the source file.
    params = int_eap_server_params()
    params['check_crl'] = '1'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Same client certificate/key for all three phases; only the server's
    # CRL configuration changes between them.
    # check_crl=1 and no CRL available --> reject connection
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    # Switch the server to a CA bundle that also carries a CRL.
    hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")
    # check_crl=1 and valid CRL --> accept
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    dev[0].request("REMOVE_NETWORK all")
    hapd.set("check_crl", "2")
    # check_crl=2 and valid CRL --> accept
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_tls_oom(dev, apdev):
    """EAP-TLS and OOM"""
    # NOTE(review): the guard before the "No passphrase request" raise is
    # missing from this rendering -- confirm against the source file.
    # All four matching options are used below, so every corresponding
    # TLS-library capability must be present or the test is skipped.
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    check_domain_match(dev[0])
    check_domain_match_full(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Each entry injects an allocation failure on the count-th allocation
    # inside the named function (alloc_fail context manager), exercising the
    # error paths of TLS parameter configuration.
    tests = [ (1, "tls_connection_set_subject_match"),
              (2, "tls_connection_set_subject_match"),
              (3, "tls_connection_set_subject_match"),
              (4, "tls_connection_set_subject_match") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                           identity="tls user", ca_cert="auth_serv/ca.pem",
                           client_cert="auth_serv/user.pem",
                           private_key="auth_serv/user.key",
                           subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                           altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
                           domain_suffix_match="server.w1.fi",
                           domain_match="server.w1.fi",
                           wait_connect=False, scan_freq="2412")
            # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
            ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
            raise Exception("No passphrase request")
            # Clean up the profile before the next injected failure.
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL

    The AP is started with macaddr_acl set to "2" (presumably the
    RADIUS-backed ACL mode; the value's meaning is hostapd's) and an EAP-TLS
    connection from dev[1] is expected to succeed.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params["macaddr_acl"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    cert_args = dict(ca_cert="auth_serv/ca.pem",
                     client_cert="auth_serv/user.pem",
                     private_key="auth_serv/user.key")
    eap_connect(dev[1], apdev[0], "TLS", "tls user", **cert_args)
def test_ap_wpa2_eap_oom(dev, apdev):
    """EAP server and OOM"""
    # NOTE(review): this rendering drops the second line of the comment
    # inside the with-block and the final argument line of the connect()
    # call (left unclosed here) -- confirm against the source file.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
    # Inject an allocation failure into hostapd's first eapol_auth_alloc()
    # call; the visible part of the author's comment indicates the station
    # retries with EAPOL-Start, so the connect() is presumably still expected
    # to complete.
    with alloc_fail(hapd, 1, "eapol_auth_alloc"):
        # The first attempt fails, but STA will send EAPOL-Start to retry and
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
def check_tls_ver(dev, ap, phase1, expected):
    """Connect with EAP-TLS using the given phase1 string and verify that the
    station's eap_tls_version status field equals `expected`.

    Args:
        dev: station (wpa_supplicant control object) to connect with.
        ap: AP entry (apdev[...] dict) to connect to.
        phase1: phase1 parameter string, e.g. tls_disable_* settings.
        expected: exact eap_tls_version value that must be reported.
    Raises:
        Exception: when the reported TLS version differs from `expected`.
    """
    # NOTE(review): two lines are missing from this rendering: the last
    # argument of the eap_connect() call (presumably phase1=phase1) and the
    # comparison guarding the raise -- confirm against the source file.
    eap_connect(dev, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key",
    ver = dev.get_status_field("eap_tls_version")
    raise Exception("Unexpected TLS version (expected %s): %s" % (expected, ver))
def test_ap_wpa2_eap_tls_versions(dev, apdev):
    """EAP-TLS and TLS version configuration"""
    # NOTE(review): the expected-version argument of the first check_tls_ver()
    # call is missing from this rendering (the call is left unclosed here)
    # -- confirm against the source file.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    tls = dev[0].request("GET tls_library")
    if tls.startswith("OpenSSL"):
        # Only exercised when both build- and run-time OpenSSL are 1.0.2;
        # other OpenSSL versions are skipped silently.
        if "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
            check_tls_ver(dev[0], apdev[0],
                          "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
    elif tls.startswith("internal"):
        # With the internal TLS library, disabling two of the three versions
        # must force negotiation of the remaining one on each station.
        check_tls_ver(dev[0], apdev[0],
                      "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2")
        check_tls_ver(dev[1], apdev[0],
                      "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
        check_tls_ver(dev[2], apdev[0],
                      "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
def test_rsn_ie_proto_eap_sta(dev, apdev):
    """RSN element protocol testing for EAP cases on STA side"""
    # NOTE(review): this rendering drops the tail of the connect() call (left
    # unclosed here), the IE value of the last `tests` entry, and a few
    # statements inside the loop between wait_disconnected() and
    # hapd.set(). Confirm against the source file.
    bssid = apdev[0]['bssid']
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # This is the RSN element used normally by hostapd
    # own_ie_override replaces the RSN element hostapd advertises with the
    # given raw hex; the station must still parse and accept each variant.
    params['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # `id` shadows the builtin; it holds the network id used by
    # select_network() below.
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
                        identity="gpsk user",
                        password="abcdefghijklmnop0123456789abcdef",
    # Progressively truncated RSN elements: each drops one more trailing
    # field (optional fields per the element's layout) from the full IE.
    tests = [ ('No RSN Capabilities field',
               '30120100000fac040100000fac040100000fac01'),
              ('No AKM Suite fields',
               '300c0100000fac040100000fac04'),
              ('No Pairwise Cipher Suite fields',
               '30060100000fac04'),
              ('No Group Data Cipher Suite field',
    for txt,ie in tests:
        # Disconnect, switch the AP's advertised RSN element, rescan so the
        # station sees the new element, then reconnect to the same profile.
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        hapd.set('own_ie_override', ie)
        dev[0].request("BSS_FLUSH 0")
        dev[0].scan_for_bss(bssid, 2412, force_scan=True, only_new=True)
        dev[0].select_network(id, freq=2412)
        dev[0].wait_connected()
def check_tls_session_resumption_capa(dev, hapd):
    """Skip the calling test unless both ends use OpenSSL.

    Queries "GET tls_library" on hostapd first and then on the station and
    raises HwsimSkip with an end-specific message for the first one whose
    reply does not start with "OpenSSL".

    Args:
        dev: station control object.
        hapd: hostapd control object.
    Raises:
        HwsimSkip: when either TLS library is not OpenSSL.
    """
    checks = ((hapd, "hostapd TLS library is not OpenSSL: "),
              (dev, "Session resumption not supported with this TLS library: "))
    for ctrl, reason in checks:
        lib = ctrl.request("GET tls_library")
        if lib.startswith("OpenSSL"):
            continue
        raise HwsimSkip(reason + lib)
def test_eap_ttls_pap_session_resumption(dev, apdev):
    """EAP-TTLS/PAP session resumption"""
    # NOTE(review): this rendering drops the last argument line of the
    # eap_connect() call (left unclosed here) and the guard before each of
    # the two timeout raises -- confirm against the source file.
    params = int_eap_server_params()
    # Server keeps TLS sessions for 60 (presumably seconds) so the second
    # handshake can be resumed.
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
    # First connection: a full handshake, so tls_session_reused must be '0'.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")
    # Force a new EAP exchange; it must complete (EAP-SUCCESS + 4-way
    # handshake) and this time reuse the cached TLS session ('1').
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_chap_session_resumption(dev, apdev):
    """EAP-TTLS/CHAP session resumption"""
    # NOTE(review): the guard before each of the two timeout raises is
    # missing from this rendering -- confirm against the source file.
    params = int_eap_server_params()
    # Server keeps TLS sessions for 60 (presumably seconds) so the second
    # handshake can be resumed.
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    # First connection: a full handshake, so tls_session_reused must be '0'.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")
    # Force a new EAP exchange; it must complete (EAP-SUCCESS + 4-way
    # handshake) and this time reuse the cached TLS session ('1').
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_mschap_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAP session resumption"""
    # NOTE(review): the guard before each of the two timeout raises is
    # missing from this rendering -- confirm against the source file.
    # domain_suffix_match is used below, so skip on TLS libraries without it.
    check_domain_suffix_match(dev[0])
    params = int_eap_server_params()
    # Server keeps TLS sessions for 60 (presumably seconds) so the second
    # handshake can be resumed.
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                domain_suffix_match="server.w1.fi")
    # First connection: a full handshake, so tls_session_reused must be '0'.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")
    # Force a new EAP exchange; it must complete (EAP-SUCCESS + 4-way
    # handshake) and this time reuse the cached TLS session ('1').
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_mschapv2_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAPv2 session resumption"""
    # NOTE(review): the guard before each of the two timeout raises is
    # missing from this rendering -- confirm against the source file.
    # domain_suffix_match and the MSCHAPV2 inner method are both required;
    # skip when either is unavailable in this build.
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_eap_server_params()
    # Server keeps TLS sessions for 60 (presumably seconds) so the second
    # handshake can be resumed.
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    # Identity carries a DOMAIN\user prefix (non-raw string: "\m" is not an
    # escape sequence in Python, so the backslash is kept as written).
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    # First connection: a full handshake, so tls_session_reused must be '0'.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")
    # Force a new EAP exchange; it must complete (EAP-SUCCESS + 4-way
    # handshake) and this time reuse the cached TLS session ('1').
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_eap_gtc_session_resumption(dev, apdev):
    """EAP-TTLS/EAP-GTC session resumption"""
    # NOTE(review): the guard before each of the two timeout raises is
    # missing from this rendering -- confirm against the source file.
    params = int_eap_server_params()
    # Server keeps TLS sessions for 60 (presumably seconds) so the second
    # handshake can be resumed.
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    # Inner method is an EAP method (autheap=GTC) rather than a legacy
    # PAP/CHAP/MSCHAP tunnel.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    # First connection: a full handshake, so tls_session_reused must be '0'.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")
    # Force a new EAP exchange; it must complete (EAP-SUCCESS + 4-way
    # handshake) and this time reuse the cached TLS session ('1').
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_no_session_resumption(dev, apdev):
    """EAP-TTLS session resumption disabled on server"""
    # NOTE(review): this rendering drops the last argument line of the
    # eap_connect() call (left unclosed here) and the guard before each of
    # the two timeout raises -- confirm against the source file.
    params = int_eap_server_params()
    # Lifetime '0': the server must not cache TLS sessions at all, so even a
    # reauthentication has to do a full handshake.
    params['tls_session_lifetime'] = '0'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")
    # Unlike the resumption tests, the second exchange must also report
    # tls_session_reused '0'.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
3916 def test_eap_peap_session_resumption(dev, apdev):
3917 """EAP-PEAP session resumption"""
# Same resumption flow as the EAP-TTLS variant, with PEAP/MSCHAPv2 as the
# tunneled method.
3918 params = int_eap_server_params()
3919 params['tls_session_lifetime'] = '60'
3920 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3921 check_tls_session_resumption_capa(dev[0], hapd)
3922 eap_connect(dev[0], apdev[0], "PEAP", "user",
3923 anonymous_identity="peap", password="password",
3924 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
# First connection: full handshake expected.
3925 if dev[0].get_status_field("tls_session_reused") != '0':
3926 raise Exception("Unexpected session resumption on the first connection")
# `if ev is None:` guards before the timeout raises are not shown here.
3928 dev[0].request("REAUTHENTICATE")
3929 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3931 raise Exception("EAP success timed out")
3932 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3934 raise Exception("Key handshake with the AP timed out")
# Second connection: cached session must be reused.
3935 if dev[0].get_status_field("tls_session_reused") != '1':
3936 raise Exception("Session resumption not used on the second connection")
3938 def test_eap_peap_session_resumption_crypto_binding(dev, apdev):
3939 """EAP-PEAP session resumption with crypto binding"""
# Resumption must still work when PEAPv0 cryptobinding is required
# (crypto_binding=2), i.e. the binding TLV has to be handled on the
# resumed path too.
3940 params = int_eap_server_params()
3941 params['tls_session_lifetime'] = '60'
3942 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3943 check_tls_session_resumption_capa(dev[0], hapd)
3944 eap_connect(dev[0], apdev[0], "PEAP", "user",
3945 anonymous_identity="peap", password="password",
3946 phase1="peapver=0 crypto_binding=2",
3947 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
3948 if dev[0].get_status_field("tls_session_reused") != '0':
3949 raise Exception("Unexpected session resumption on the first connection")
# `if ev is None:` guards before the timeout raises are not shown here.
3951 dev[0].request("REAUTHENTICATE")
3952 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3954 raise Exception("EAP success timed out")
3955 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3957 raise Exception("Key handshake with the AP timed out")
3958 if dev[0].get_status_field("tls_session_reused") != '1':
3959 raise Exception("Session resumption not used on the second connection")
3961 def test_eap_peap_no_session_resumption(dev, apdev):
3962 """EAP-PEAP session resumption disabled on server"""
# No tls_session_lifetime is set here, so the server default applies; the
# test expects that default to leave resumption disabled.
3963 params = int_eap_server_params()
3964 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3965 eap_connect(dev[0], apdev[0], "PEAP", "user",
3966 anonymous_identity="peap", password="password",
3967 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
3968 if dev[0].get_status_field("tls_session_reused") != '0':
3969 raise Exception("Unexpected session resumption on the first connection")
# `if ev is None:` guards before the timeout raises are not shown here.
3971 dev[0].request("REAUTHENTICATE")
3972 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3974 raise Exception("EAP success timed out")
3975 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3977 raise Exception("Key handshake with the AP timed out")
# Both connections must be full handshakes.
3978 if dev[0].get_status_field("tls_session_reused") != '0':
3979 raise Exception("Unexpected session resumption on the second connection")
3981 def test_eap_tls_session_resumption(dev, apdev):
3982 """EAP-TLS session resumption"""
# Certificate-based EAP-TLS: resumption skips the client certificate exchange
# on the second and third connections, so three connections are checked.
3983 params = int_eap_server_params()
3984 params['tls_session_lifetime'] = '60'
3985 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3986 check_tls_session_resumption_capa(dev[0], hapd)
3987 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3988 client_cert="auth_serv/user.pem",
3989 private_key="auth_serv/user.key")
3990 if dev[0].get_status_field("tls_session_reused") != '0':
3991 raise Exception("Unexpected session resumption on the first connection")
# Second connection (`if ev is None:` guards not shown in this listing).
3993 dev[0].request("REAUTHENTICATE")
3994 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3996 raise Exception("EAP success timed out")
3997 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3999 raise Exception("Key handshake with the AP timed out")
4000 if dev[0].get_status_field("tls_session_reused") != '1':
4001 raise Exception("Session resumption not used on the second connection")
# Third connection: a resumed session must itself remain resumable.
4003 dev[0].request("REAUTHENTICATE")
4004 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4006 raise Exception("EAP success timed out")
4007 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4009 raise Exception("Key handshake with the AP timed out")
4010 if dev[0].get_status_field("tls_session_reused") != '1':
4011 raise Exception("Session resumption not used on the third connection")
4013 def test_eap_tls_session_resumption_expiration(dev, apdev):
4014 """EAP-TLS session resumption expiration"""
# A one-second cache lifetime: after it has elapsed the server must refuse
# to resume and fall back to a full handshake with client authentication.
4015 params = int_eap_server_params()
4016 params['tls_session_lifetime'] = '1'
4017 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4018 check_tls_session_resumption_capa(dev[0], hapd)
4019 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4020 client_cert="auth_serv/user.pem",
4021 private_key="auth_serv/user.key")
4022 if dev[0].get_status_field("tls_session_reused") != '0':
4023 raise Exception("Unexpected session resumption on the first connection")
4025 # Allow multiple attempts since OpenSSL may not expire the cached entry
# The retry loop header (lines 4026-4029), the `if ev is None:` guards and
# the loop exit after line 4037 are not shown in this listing.
4030 dev[0].request("REAUTHENTICATE")
4031 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4033 raise Exception("EAP success timed out")
4034 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4036 raise Exception("Key handshake with the AP timed out")
4037 if dev[0].get_status_field("tls_session_reused") == '0':
# Final check after the retries: a resumed session here would mean the
# expired cache entry was still honored.
4039 if dev[0].get_status_field("tls_session_reused") != '0':
4040 raise Exception("Session resumption used after lifetime expiration")
4042 def test_eap_tls_no_session_resumption(dev, apdev):
4043 """EAP-TLS session resumption disabled on server"""
# Server default (no tls_session_lifetime set); both connections must do a
# full EAP-TLS handshake including client certificate authentication.
4044 params = int_eap_server_params()
4045 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4046 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4047 client_cert="auth_serv/user.pem",
4048 private_key="auth_serv/user.key")
4049 if dev[0].get_status_field("tls_session_reused") != '0':
4050 raise Exception("Unexpected session resumption on the first connection")
# `if ev is None:` guards before the timeout raises are not shown here.
4052 dev[0].request("REAUTHENTICATE")
4053 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4055 raise Exception("EAP success timed out")
4056 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4058 raise Exception("Key handshake with the AP timed out")
4059 if dev[0].get_status_field("tls_session_reused") != '0':
4060 raise Exception("Unexpected session resumption on the second connection")
4062 def test_eap_tls_session_resumption_radius(dev, apdev):
4063 """EAP-TLS session resumption (RADIUS)"""
# The second AP (apdev[1]) is configured as a standalone RADIUS
# authentication server on UDP port 18128 with its own TLS session cache;
# one parameter line (4067) is not shown in this listing.
4064 params = { "ssid": "as", "beacon_int": "2000",
4065 "radius_server_clients": "auth_serv/radius_clients.conf",
4066 "radius_server_auth_port": '18128',
4068 "eap_user_file": "auth_serv/eap_user.conf",
4069 "ca_cert": "auth_serv/ca.pem",
4070 "server_cert": "auth_serv/server.pem",
4071 "private_key": "auth_serv/server.key",
4072 "tls_session_lifetime": "60" }
4073 authsrv = hostapd.add_ap(apdev[1]['ifname'], params)
4074 check_tls_session_resumption_capa(dev[0], authsrv)
# The first AP acts as authenticator only and forwards EAP to that server,
# so resumption state lives on the RADIUS server rather than the AP.
4076 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4077 params['auth_server_port'] = "18128"
4078 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4079 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4080 client_cert="auth_serv/user.pem",
4081 private_key="auth_serv/user.key")
4082 if dev[0].get_status_field("tls_session_reused") != '0':
4083 raise Exception("Unexpected session resumption on the first connection")
# `if ev is None:` guards before the timeout raises are not shown here.
4085 dev[0].request("REAUTHENTICATE")
4086 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4088 raise Exception("EAP success timed out")
4089 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4091 raise Exception("Key handshake with the AP timed out")
4092 if dev[0].get_status_field("tls_session_reused") != '1':
4093 raise Exception("Session resumption not used on the second connection")
4095 def test_eap_tls_no_session_resumption_radius(dev, apdev):
4096 """EAP-TLS session resumption disabled (RADIUS)"""
# Same RADIUS-server layout as the resumption test, but with the server's
# session cache disabled ("0"); one parameter line (4100) is not shown.
4097 params = { "ssid": "as", "beacon_int": "2000",
4098 "radius_server_clients": "auth_serv/radius_clients.conf",
4099 "radius_server_auth_port": '18128',
4101 "eap_user_file": "auth_serv/eap_user.conf",
4102 "ca_cert": "auth_serv/ca.pem",
4103 "server_cert": "auth_serv/server.pem",
4104 "private_key": "auth_serv/server.key",
4105 "tls_session_lifetime": "0" }
# No capability check needed: the test only asserts that resumption does
# NOT happen, which holds regardless of TLS library support.
4106 hostapd.add_ap(apdev[1]['ifname'], params)
4108 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4109 params['auth_server_port'] = "18128"
4110 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4111 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4112 client_cert="auth_serv/user.pem",
4113 private_key="auth_serv/user.key")
4114 if dev[0].get_status_field("tls_session_reused") != '0':
4115 raise Exception("Unexpected session resumption on the first connection")
# `if ev is None:` guards before the timeout raises are not shown here.
4117 dev[0].request("REAUTHENTICATE")
4118 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4120 raise Exception("EAP success timed out")
4121 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4123 raise Exception("Key handshake with the AP timed out")
4124 if dev[0].get_status_field("tls_session_reused") != '0':
4125 raise Exception("Unexpected session resumption on the second connection")
4127 def test_eap_mschapv2_errors(dev, apdev):
4128 """EAP-MSCHAPv2 error cases"""
# Fault-injection test: fail_test()/alloc_fail() make the named internal
# function fail on its count-th call, and wait_fail_trigger() waits until
# the injected failure has actually been hit. Each case must end in a clean
# disconnect rather than a crash or a half-established association.
4129 check_eap_capa(dev[0], "MSCHAPV2")
4130 check_eap_capa(dev[0], "FAST")
# Baseline: a normal MSCHAPv2 connection succeeds (line 4136 with the
# remaining connect() arguments is not shown in this listing).
4132 params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
4133 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4134 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
4135 identity="phase1-user", password="password",
4137 dev[0].request("REMOVE_NETWORK all")
4138 dev[0].wait_disconnected()
# Failures in the password-hash/response derivation chain ("callee;caller"
# paths); the "=" prefix form marks the exact call site to fail.
4140 tests = [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
4141 (1, "nt_password_hash;mschapv2_derive_response"),
4142 (1, "nt_password_hash;=mschapv2_derive_response"),
4143 (1, "generate_nt_response;mschapv2_derive_response"),
4144 (1, "generate_authenticator_response;mschapv2_derive_response"),
4145 (1, "nt_password_hash;=mschapv2_derive_response"),
4146 (1, "get_master_key;mschapv2_derive_response"),
4147 (1, "os_get_random;eap_mschapv2_challenge_reply") ]
4148 for count, func in tests:
4149 with fail_test(dev[0], count, func):
4150 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
4151 identity="phase1-user", password="password",
4152 wait_connect=False, scan_freq="2412")
4153 wait_fail_trigger(dev[0], "GET_FAIL")
4154 dev[0].request("REMOVE_NETWORK all")
4155 dev[0].wait_disconnected()
# Same derivation failures when the credential is supplied as an NT password
# hash ("hash:" prefix) instead of a cleartext password, which takes the
# *_pwhash code paths.
4157 tests = [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
4158 (1, "hash_nt_password_hash;=mschapv2_derive_response"),
4159 (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
4160 (1, "generate_authenticator_response_pwhash;mschapv2_derive_response") ]
4161 for count, func in tests:
4162 with fail_test(dev[0], count, func):
4163 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
4164 identity="phase1-user",
4165 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
4166 wait_connect=False, scan_freq="2412")
4167 wait_fail_trigger(dev[0], "GET_FAIL")
4168 dev[0].request("REMOVE_NETWORK all")
4169 dev[0].wait_disconnected()
# Memory allocation failures in the EAP-MSCHAPv2 peer method itself.
4171 tests = [ (1, "eap_mschapv2_init"),
4172 (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
4173 (1, "eap_msg_alloc;eap_mschapv2_success"),
4174 (1, "eap_mschapv2_getKey") ]
4175 for count, func in tests:
4176 with alloc_fail(dev[0], count, func):
4177 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
4178 identity="phase1-user", password="password",
4179 wait_connect=False, scan_freq="2412")
4180 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
4181 dev[0].request("REMOVE_NETWORK all")
4182 dev[0].wait_disconnected()
# The failure-response path is only reached with a wrong password.
4184 tests = [ (1, "eap_msg_alloc;eap_mschapv2_failure") ]
4185 for count, func in tests:
4186 with alloc_fail(dev[0], count, func):
4187 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
4188 identity="phase1-user", password="wrong password",
4189 wait_connect=False, scan_freq="2412")
4190 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
4191 dev[0].request("REMOVE_NETWORK all")
4192 dev[0].wait_disconnected()
# Later allocations in eap_mschapv2_init are exercised through EAP-FAST with
# MSCHAPv2 as the inner method (counts 2 and 3 select later alloc calls).
4194 tests = [ (2, "eap_mschapv2_init"),
4195 (3, "eap_mschapv2_init") ]
4196 for count, func in tests:
4197 with alloc_fail(dev[0], count, func):
4198 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="FAST",
4199 anonymous_identity="FAST", identity="user",
4200 password="password",
4201 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
4202 phase1="fast_provisioning=1",
4203 pac_file="blob://fast_pac",
4204 wait_connect=False, scan_freq="2412")
4205 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
4206 dev[0].request("REMOVE_NETWORK all")
4207 dev[0].wait_disconnected()
4209 def test_eap_gpsk_errors(dev, apdev):
4210 """EAP-GPSK error cases"""
# Fault-injection test for the EAP-GPSK peer: each injected failure must be
# hit (wait_fail_trigger) and leave the supplicant in a state that
# REMOVE_NETWORK can cleanly tear down.
4211 params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
4212 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Baseline successful connection (line 4216 with the remaining connect()
# arguments is not shown in this listing).
4213 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
4214 identity="gpsk user",
4215 password="abcdefghijklmnop0123456789abcdef",
4217 dev[0].request("REMOVE_NETWORK all")
4218 dev[0].wait_disconnected()
# (count, "callee;caller" path, phase1) triples; the third element selects
# the cipher suite via phase1 and is None for the default. Lines 4222, 4224,
# 4228, 4230 (phase1 values of the multi-line entries) and 4239 are not
# shown in this listing.
4220 tests = [ (1, "os_get_random;eap_gpsk_send_gpsk_2", None),
4221 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
4223 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
4225 (1, "eap_gpsk_derive_keys_helper", None),
4226 (2, "eap_gpsk_derive_keys_helper", None),
4227 (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
4229 (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
4231 (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
4232 (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
4233 (1, "eap_gpsk_derive_mid_helper", None) ]
4234 for count, func, phase1 in tests:
4235 with fail_test(dev[0], count, func):
4236 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
4237 identity="gpsk user",
4238 password="abcdefghijklmnop0123456789abcdef",
4240 wait_connect=False, scan_freq="2412")
4241 wait_fail_trigger(dev[0], "GET_FAIL")
4242 dev[0].request("REMOVE_NETWORK all")
4243 dev[0].wait_disconnected()
# Allocation failures across init, message building, key/MSK/EMSK/session-id
# derivation; erp="1" plus ERP_FLUSH ensures the EMSK path is exercised on
# every iteration rather than short-circuited by cached ERP keys.
4245 tests = [ (1, "eap_gpsk_init"),
4246 (2, "eap_gpsk_init"),
4247 (3, "eap_gpsk_init"),
4248 (1, "eap_gpsk_process_id_server"),
4249 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
4250 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
4251 (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
4252 (1, "eap_gpsk_derive_keys"),
4253 (1, "eap_gpsk_derive_keys_helper"),
4254 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
4255 (1, "eap_gpsk_getKey"),
4256 (1, "eap_gpsk_get_emsk"),
4257 (1, "eap_gpsk_get_session_id") ]
4258 for count, func in tests:
4259 with alloc_fail(dev[0], count, func):
4260 dev[0].request("ERP_FLUSH")
4261 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
4262 identity="gpsk user", erp="1",
4263 password="abcdefghijklmnop0123456789abcdef",
4264 wait_connect=False, scan_freq="2412")
4265 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
4266 dev[0].request("REMOVE_NETWORK all")
4267 dev[0].wait_disconnected()
4269 def test_ap_wpa2_eap_sim_db(dev, apdev, params):
4270 """EAP-SIM DB error cases"""
# Exercises hostapd's external EAP-SIM DB interface: a private Unix datagram
# socket path is used so the test never talks to a real hlr_auc_gw. Three
# phases: socket absent, malformed/missing responses, and a valid response
# produced by running hlr_auc_gw as a subprocess. Lines 4272-4275 (setup
# before the AP is started) are not shown in this listing.
4271 sockpath = '/tmp/hlr_auc_gw.sock-test'
4276 hparams = int_eap_server_params()
4277 hparams['eap_sim_db'] = 'unix:' + sockpath
4278 hapd = hostapd.add_ap(apdev[0]['ifname'], hparams)
4280 # Initial test with hlr_auc_gw socket not available
# password is the SIM test credential pair in "Ki:OPc" hex form (presumably
# matching the Milenage test database used below). With no DB reachable the
# server must fail authentication rather than accept the peer.
4281 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
4282 eap="SIM", identity="1232010000000000",
4283 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
4284 scan_freq="2412", wait_connect=False)
4285 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
4287 raise Exception("EAP-Failure not reported")
4288 dev[0].wait_disconnected()
4289 dev[0].request("DISCONNECT")
4291 # Test with invalid responses and response timeout
# Datagram handler (its `def handle(self):` line 4294 is not shown) that
# answers every DB query with responses the server must reject: a bare
# token, a token with one field, and an unknown command with two fields.
# The request text is logged before replying.
4293 class test_handler(SocketServer.DatagramRequestHandler):
4295 data = self.request[0].strip()
4296 socket = self.request[1]
4297 logger.debug("Received hlr_auc_gw request: " + data)
4298 # EAP-SIM DB: Failed to parse response string
4299 socket.sendto("FOO", self.client_address)
4300 # EAP-SIM DB: Failed to parse response string
4301 socket.sendto("FOO 1", self.client_address)
4302 # EAP-SIM DB: Unknown external response
4303 socket.sendto("FOO 1 2", self.client_address)
4304 logger.info("No proper response - wait for pending eap_sim_db request timeout")
# Serve exactly one request; hostapd then has to time out the pending DB
# query and report EAP failure (lines 4307-4308 and the `if ev is None:`
# guard at 4312 are not shown).
4306 server = SocketServer.UnixDatagramServer(sockpath, test_handler)
4309 dev[0].select_network(id)
4310 server.handle_request()
4311 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
4313 raise Exception("EAP-Failure not reported")
4314 dev[0].wait_disconnected()
4315 dev[0].request("DISCONNECT")
4317 # Test with a valid response
# Second handler (`def handle(self):` at 4320 not shown) delegates the query
# to the real hlr_auc_gw binary, run as an argv list (no shell) against the
# Milenage DB under the test log directory; line 4327 with the remaining
# argv entries is not shown in this listing.
4319 class test_handler2(SocketServer.DatagramRequestHandler):
4321 data = self.request[0].strip()
4322 socket = self.request[1]
4323 logger.debug("Received hlr_auc_gw request: " + data)
4324 fname = os.path.join(params['logdir'],
4325 'hlr_auc_gw.milenage_db')
4326 cmd = subprocess.Popen(['../../hostapd/hlr_auc_gw',
4328 stdout=subprocess.PIPE)
4329 res = cmd.stdout.read().strip()
4331 logger.debug("hlr_auc_gw response: " + res)
4332 socket.sendto(res, self.client_address)
# Swap the handler on the already-bound server and serve one more request;
# this time the connection must complete.
4334 server.RequestHandlerClass = test_handler2
4336 dev[0].select_network(id)
4337 server.handle_request()
4338 dev[0].wait_connected()
4339 dev[0].request("DISCONNECT")
4340 dev[0].wait_disconnected()
4342 def test_eap_tls_sha512(dev, apdev, params):
4343 """EAP-TLS with SHA512 signature"""
# NOTE(review): the `params` fixture argument is immediately shadowed by the
# local server-parameter dict; if the fixture value is needed later it is
# no longer reachable here.
# Server chain signed with SHA-512; both clients validate against the
# SHA-512 CA while presenting client certificates with different signature
# hashes (lines 4349, 4355 and 4361-4362 with the remaining connect()
# arguments are not shown in this listing).
4344 params = int_eap_server_params()
4345 params["ca_cert"] = "auth_serv/sha512-ca.pem"
4346 params["server_cert"] = "auth_serv/sha512-server.pem"
4347 params["private_key"] = "auth_serv/sha512-server.key"
4348 hostapd.add_ap(apdev[0]['ifname'], params)
4350 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4351 identity="tls user sha512",
4352 ca_cert="auth_serv/sha512-ca.pem",
4353 client_cert="auth_serv/sha512-user.pem",
4354 private_key="auth_serv/sha512-user.key",
# Second client uses a SHA-384-signed user certificate (presumably issued by
# the same CA) to check mixed hash algorithms in one chain.
4356 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4357 identity="tls user sha512",
4358 ca_cert="auth_serv/sha512-ca.pem",
4359 client_cert="auth_serv/sha384-user.pem",
4360 private_key="auth_serv/sha384-user.key",
4363 def test_eap_tls_sha384(dev, apdev, params):
4364 """EAP-TLS with SHA384 signature"""
# NOTE(review): as in the SHA-512 variant, the `params` fixture argument is
# shadowed by the local server-parameter dict.
# Server certificate signed with SHA-384 under the SHA-512 CA; the client
# side is identical to the SHA-512 test (lines 4370, 4376 and 4382-4383 with
# the remaining connect() arguments are not shown in this listing).
4365 params = int_eap_server_params()
4366 params["ca_cert"] = "auth_serv/sha512-ca.pem"
4367 params["server_cert"] = "auth_serv/sha384-server.pem"
4368 params["private_key"] = "auth_serv/sha384-server.key"
4369 hostapd.add_ap(apdev[0]['ifname'], params)
4371 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4372 identity="tls user sha512",
4373 ca_cert="auth_serv/sha512-ca.pem",
4374 client_cert="auth_serv/sha512-user.pem",
4375 private_key="auth_serv/sha512-user.key",
4377 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4378 identity="tls user sha512",
4379 ca_cert="auth_serv/sha512-ca.pem",
4380 client_cert="auth_serv/sha384-user.pem",
4381 private_key="auth_serv/sha384-user.key",
4384 def test_ap_wpa2_eap_assoc_rsn(dev, apdev):
4385 """WPA2-Enterprise AP and association request RSN IE differences"""
# Robustness of the AP's RSN IE parser: set_test_assoc_ie() injects a
# hand-built RSN IE (hex, element ID 0x30 followed by length) into the
# association request. Truncated-but-valid IEs must be accepted; invalid
# cipher selections must be rejected with the correct 802.11 status code.
4386 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4387 hostapd.add_ap(apdev[0]['ifname'], params)
# Second AP requires management frame protection (ieee80211w=2).
4389 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap-11w")
4390 params["ieee80211w"] = "2"
4391 hostapd.add_ap(apdev[1]['ifname'], params)
4393 # Success cases with optional RSN IE fields removed one by one
# Suite selectors use the 00-0f-ac OUI (e.g. ...04 = CCMP, ...01 = 802.1X
# AKM). Lines 4408/4413 (title logging and the remaining connect()
# arguments) are not shown in this listing.
4394 tests = [ ("Normal wpa_supplicant assoc req RSN IE",
4395 "30140100000fac040100000fac040100000fac010000"),
4396 ("Extra PMKIDCount field in RSN IE",
4397 "30160100000fac040100000fac040100000fac0100000000"),
4398 ("Extra Group Management Cipher Suite in RSN IE",
4399 "301a0100000fac040100000fac040100000fac0100000000000fac06"),
4400 ("Extra undefined extension field in RSN IE",
4401 "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
4402 ("RSN IE without RSN Capabilities",
4403 "30120100000fac040100000fac040100000fac01"),
4404 ("RSN IE without AKM", "300c0100000fac040100000fac04"),
4405 ("RSN IE without pairwise", "30060100000fac04"),
4406 ("RSN IE without group", "30020100") ]
4407 for title, ie in tests:
4409 set_test_assoc_ie(dev[0], ie)
4410 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
4411 identity="gpsk user",
4412 password="abcdefghijklmnop0123456789abcdef",
4414 dev[0].request("REMOVE_NETWORK all")
4415 dev[0].wait_disconnected()
# MFP-enabled AP: RSN Capabilities "cc00" advertise MFP support; the group
# management cipher (...06) may be present or omitted (lines 4422/4427 not
# shown).
4417 tests = [ ("Normal wpa_supplicant assoc req RSN IE",
4418 "30140100000fac040100000fac040100000fac01cc00"),
4419 ("Group management cipher included in assoc req RSN IE",
4420 "301a0100000fac040100000fac040100000fac01cc000000000fac06") ]
4421 for title, ie in tests:
4423 set_test_assoc_ie(dev[0], ie)
4424 dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
4425 eap="GPSK", identity="gpsk user",
4426 password="abcdefghijklmnop0123456789abcdef",
4428 dev[0].request("REMOVE_NETWORK all")
4429 dev[0].wait_disconnected()
# Rejection cases: TKIP (...02) as group/pairwise cipher must be refused with
# status 41 (invalid group cipher) / 42 (invalid pairwise cipher); the
# `if ev is None:` guard at 4441 and title logging at 4434 are not shown.
4431 tests = [ ("Invalid group cipher", "30060100000fac02", 41),
4432 ("Invalid pairwise cipher", "300c0100000fac040100000fac02", 42) ]
4433 for title, ie, status in tests:
4435 set_test_assoc_ie(dev[0], ie)
4436 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
4437 identity="gpsk user",
4438 password="abcdefghijklmnop0123456789abcdef",
4439 scan_freq="2412", wait_connect=False)
4440 ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
4442 raise Exception("Association rejection not reported")
4443 if "status_code=" + str(status) not in ev:
4444 raise Exception("Unexpected status code: " + ev)
4445 dev[0].request("REMOVE_NETWORK all")
4446 dev[0].dump_monitor()
# MFP policy violations against the ieee80211w=2 AP: a STA without MFP, or
# with an unsupported management group cipher, must get status 31 (robust
# management frame policy violation). Lines 4453/4460 are not shown.
4448 tests = [ ("Management frame protection not enabled",
4449 "30140100000fac040100000fac040100000fac010000", 31),
4450 ("Unsupported management group cipher",
4451 "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 31) ]
4452 for title, ie, status in tests:
4454 set_test_assoc_ie(dev[0], ie)
4455 dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
4456 eap="GPSK", identity="gpsk user",
4457 password="abcdefghijklmnop0123456789abcdef",
4458 scan_freq="2412", wait_connect=False)
4459 ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
4461 raise Exception("Association rejection not reported")
4462 if "status_code=" + str(status) not in ev:
4463 raise Exception("Unexpected status code: " + ev)
4464 dev[0].request("REMOVE_NETWORK all")
4465 dev[0].dump_monitor()
4467 def test_eap_tls_ext_cert_check(dev, apdev):
4468 """EAP-TLS and external server certification validation"""
4469 # With internal server certificate chain validation
# ca_cert keeps the supplicant's own chain validation active, and
# phase1="tls_ext_cert_check=1" additionally hands the server certificate to
# an external checker via the control interface. The network is only added
# here; run_ext_cert_check() drives the connection and the good/bad verdicts.
4470 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4471 identity="tls user",
4472 ca_cert="auth_serv/ca.pem",
4473 client_cert="auth_serv/user.pem",
4474 private_key="auth_serv/user.key",
4475 phase1="tls_ext_cert_check=1", scan_freq="2412",
4476 only_add_network=True)
4477 run_ext_cert_check(dev, apdev, id)
4479 def test_eap_ttls_ext_cert_check(dev, apdev):
4480 """EAP-TTLS and external server certification validation"""
4481 # Without internal server certificate chain validation
# No ca_cert is configured, so the external CTRL-REQ-EXT_CERT_CHECK verdict
# is the only server authentication for this profile; the shared helper
# verifies that EAP cannot complete before that verdict and that "bad"
# fails the authentication.
4482 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4483 identity="pap user", anonymous_identity="ttls",
4484 password="password", phase2="auth=PAP",
4485 phase1="tls_ext_cert_check=1", scan_freq="2412",
4486 only_add_network=True)
4487 run_ext_cert_check(dev, apdev, id)
4489 def test_eap_peap_ext_cert_check(dev, apdev):
4490 """EAP-PEAP and external server certification validation"""
4491 # With internal server certificate chain validation
# PEAP/MSCHAPv2 profile with both ca_cert validation and the external check
# enabled; the connection itself is driven by run_ext_cert_check().
4492 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
4493 identity="user", anonymous_identity="peap",
4494 ca_cert="auth_serv/ca.pem",
4495 password="password", phase2="auth=MSCHAPV2",
4496 phase1="tls_ext_cert_check=1", scan_freq="2412",
4497 only_add_network=True)
4498 run_ext_cert_check(dev, apdev, id)
4500 def test_eap_fast_ext_cert_check(dev, apdev):
4501 """EAP-FAST and external server certification validation"""
4502 check_eap_capa(dev[0], "FAST")
4503 # With internal server certificate chain validation
# The PAC blob is cleared first so authenticated provisioning
# (fast_provisioning=2) runs a full TLS handshake and the server certificate
# actually reaches the external check. Line 4511 with the remaining
# connect() arguments is not shown in this listing.
4504 dev[0].request("SET blob fast_pac_auth_ext ")
4505 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
4506 identity="user", anonymous_identity="FAST",
4507 ca_cert="auth_serv/ca.pem",
4508 password="password", phase2="auth=GTC",
4509 phase1="tls_ext_cert_check=1 fast_provisioning=2",
4510 pac_file="blob://fast_pac_auth_ext",
4512 only_add_network=True)
4513 run_ext_cert_check(dev, apdev, id)
# Shared driver for the *_ext_cert_check tests.
#
# dev/apdev: hwsim fixtures; net_id: id of the network profile already added
# by the caller with tls_ext_cert_check=1. Collects the server certificate
# chain from CTRL-EVENT-EAP-PEER-CERT events, checks the subject/issuer CNs
# with pyOpenSSL, then answers the CTRL-REQ-EXT_CERT_CHECK request with
# "good" (expect connection) and, on a second full EAP run, "bad" (expect
# EAP-Failure). Raises Exception on any deviation; HwsimSkip when the
# external-check capability or pyOpenSSL is missing. Several lines of the
# original body (loop headers, `if ev is None:` guards, the certs dict
# initialisation and the certs[0]/certs[1] arguments) are not shown in this
# listing.
4515 def run_ext_cert_check(dev, apdev, net_id):
4516 check_ext_cert_check_support(dev[0])
4517 if not openssl_imported:
4518 raise HwsimSkip("OpenSSL python method not available")
4520 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4521 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4523 dev[0].select_network(net_id)
# Event loop: each PEER-CERT event carries depth=<n> and cert=<hex DER>;
# certificates are keyed by chain depth. EAP-SUCCESS before the external
# check request means the supplicant did not block on the verdict, which
# would defeat the whole mechanism.
4526 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
4527 "CTRL-REQ-EXT_CERT_CHECK",
4528 "CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4530 raise Exception("No peer server certificate event seen")
4531 if "CTRL-EVENT-EAP-PEER-CERT" in ev:
4534 vals = ev.split(' ')
4536 if v.startswith("depth="):
4537 depth = int(v.split('=')[1])
4538 elif v.startswith("cert="):
4539 cert = v.split('=')[1]
4540 if depth is not None and cert:
4541 certs[depth] = binascii.unhexlify(cert)
4542 elif "CTRL-EVENT-EAP-SUCCESS" in ev:
4543 raise Exception("Unexpected EAP-Success")
4544 elif "CTRL-REQ-EXT_CERT_CHECK" in ev:
# The request id is the trailing number of the "CTRL-REQ-EXT_CERT_CHECK-<id>"
# prefix; it is echoed back in the CTRL-RSP below.
4545 id = ev.split(':')[0].split('-')[-1]
4548 raise Exception("Server certificate not received")
4550 raise Exception("Server certificate issuer not received")
# Parse the DER blobs (depth 0 = server, depth 1 = issuer, presumably) and
# pin the expected CNs; this is the "external validation" the test performs.
4552 cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
4554 cn = cert.get_subject().commonName
4555 logger.info("Server certificate CN=" + cn)
4557 issuer = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
4559 icn = issuer.get_subject().commonName
4560 logger.info("Issuer certificate CN=" + icn)
4562 if cn != "server.w1.fi":
4563 raise Exception("Unexpected server certificate CN: " + cn)
4564 if icn != "Root CA":
4565 raise Exception("Unexpected server certificate issuer CN: " + icn)
# Short wait: EAP must still be pending until the verdict is delivered.
4567 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=0.1)
4569 raise Exception("Unexpected EAP-Success before external check result indication")
4571 dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":good")
4572 dev[0].wait_connected()
# Second round: flush the PMKSA cache (and the FAST PAC blob) so RECONNECT
# performs a full EAP exchange instead of a PMKSA-cached association, which
# would bypass the certificate check entirely.
4574 dev[0].request("DISCONNECT")
4575 dev[0].wait_disconnected()
4576 if "FAIL" in dev[0].request("PMKSA_FLUSH"):
4577 raise Exception("PMKSA_FLUSH failed")
4578 dev[0].request("SET blob fast_pac_auth_ext ")
4579 dev[0].request("RECONNECT")
# A "bad" verdict must fail closed: EAP-Failure, not a connection.
4581 ev = dev[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout=10)
4583 raise Exception("No peer server certificate event seen (2)")
4584 id = ev.split(':')[0].split('-')[-1]
4585 dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":bad")
4586 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
4588 raise Exception("EAP-Failure not reported")
4589 dev[0].request("REMOVE_NETWORK all")
4590 dev[0].wait_disconnected()