1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
# Module-wide logger. getLogger() with no name returns the root logger, so
# whatever the hwsim runner configures on the root applies to these tests.
logger = logging.getLogger()
22 from utils import HwsimSkip, alloc_fail, fail_test, skip_with_fips, wait_fail_trigger
23 from wpasupplicant import WpaSupplicant
24 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations, set_test_assoc_ie
28 openssl_imported = True
30 openssl_imported = False
def check_hlr_auc_gw_support():
    """Skip the test unless the hlr_auc_gw control socket is present.

    The EAP-SIM/AKA/AKA' tests in this file call this before connecting.
    Only the existence of the Unix socket path is checked; nothing here
    verifies that a live gateway is actually listening on it, so a stale
    socket left in /tmp makes the tests run (and then fail) rather than skip.

    Raises:
        HwsimSkip: when /tmp/hlr_auc_gw.sock does not exist.
    """
    hlr_sock = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(hlr_sock):
        return
    raise HwsimSkip("No hlr_auc_gw available")
36 def check_eap_capa(dev, method):
37 res = dev.get_capability("eap")
39 raise HwsimSkip("EAP method %s not supported in the build" % method)
def check_subject_match_support(dev):
    """Skip the test unless dev's TLS library can enforce subject_match.

    Queries the supplicant over the control interface (GET tls_library) and
    accepts only OpenSSL-based builds. The skip reason carries the reported
    library string so a skipped run can be triaged from the log.

    Raises:
        HwsimSkip: for any non-OpenSSL TLS library.
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + tls_lib)
def check_altsubject_match_support(dev):
    """Skip the test unless dev's TLS library can enforce altsubject_match.

    Same gate as check_subject_match_support: only an OpenSSL-based build
    (as reported by GET tls_library) is accepted, and the library string is
    included in the skip reason.

    Raises:
        HwsimSkip: for any non-OpenSSL TLS library.
    """
    tls_lib = dev.request("GET tls_library")
    supported = tls_lib.startswith("OpenSSL")
    if not supported:
        raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls_lib)
def check_domain_match(dev):
    """Skip the test when dev's TLS library cannot enforce domain_match.

    Unlike the subject_match gates, this one rejects only the internal TLS
    implementation; every other library reported by GET tls_library passes.

    Raises:
        HwsimSkip: when the library string starts with "internal".
    """
    tls_lib = dev.request("GET tls_library")
    is_internal = tls_lib.startswith("internal")
    if is_internal:
        raise HwsimSkip("domain_match not supported with this TLS library: " + tls_lib)
def check_domain_suffix_match(dev):
    """Skip the test when dev's TLS library cannot enforce domain_suffix_match.

    Only the internal TLS implementation is rejected; any other library
    reported by GET tls_library is accepted. Note that suffix (as opposed to
    full) matching semantics are gated separately by check_domain_match_full.

    Raises:
        HwsimSkip: when the library string starts with "internal".
    """
    tls_lib = dev.request("GET tls_library")
    if not tls_lib.startswith("internal"):
        return
    raise HwsimSkip("domain_suffix_match not supported with this TLS library: " + tls_lib)
def check_domain_match_full(dev):
    """Skip the test unless dev's TLS library supports true suffix matching.

    Per the skip message, non-OpenSSL libraries only honour
    domain_suffix_match as a full-name match; tests that rely on a genuine
    suffix (e.g. matching "w1.fi" against "server.w1.fi") must therefore
    run on OpenSSL-based builds only.

    Raises:
        HwsimSkip: for any non-OpenSSL TLS library.
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls_lib)
def check_cert_probe_support(dev):
    """Skip the test unless dev's TLS library supports certificate probing.

    Both OpenSSL-based builds and the internal TLS implementation are
    accepted; anything else reported by GET tls_library is skipped.

    Raises:
        HwsimSkip: for a TLS library that is neither OpenSSL nor internal.
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith(("OpenSSL", "internal")):
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls_lib)
def check_ext_cert_check_support(dev):
    """Skip the test unless dev's TLS library supports ext_cert_check.

    Only OpenSSL-based builds (per GET tls_library) are accepted; the
    reported library string is included in the skip reason.

    Raises:
        HwsimSkip: for any non-OpenSSL TLS library.
    """
    tls_lib = dev.request("GET tls_library")
    supported = tls_lib.startswith("OpenSSL")
    if not supported:
        raise HwsimSkip("ext_cert_check not supported with this TLS library: " + tls_lib)
def check_ocsp_support(dev):
    """Gate for OCSP tests; currently never skips.

    The TLS library string is still fetched (the value is unused), but both
    historical skip conditions below are commented out, so every build runs
    the OCSP tests. They are kept here in case one needs to be reinstated.
    """
    tls = dev.request("GET tls_library")
    #if tls.startswith("internal"):
    #    raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
    #if "BoringSSL" in tls:
    #    raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
83 def check_ocsp_multi_support(dev):
84 tls = dev.request("GET tls_library")
85 if not tls.startswith("internal"):
86 raise HwsimSkip("OCSP-multi not supported with this TLS library: " + tls)
87 as_hapd = hostapd.Hostapd("as")
88 res = as_hapd.request("GET tls_library")
90 if not res.startswith("internal"):
91 raise HwsimSkip("Authentication server does not support ocsp_multi")
def check_pkcs12_support(dev):
    """Gate for PKCS#12 tests; currently never skips.

    GET tls_library is still issued (result unused); the former skip for the
    internal TLS implementation is retained below, commented out.
    """
    tls = dev.request("GET tls_library")
    #if tls.startswith("internal"):
    #    raise HwsimSkip("PKCS#12 not supported with this TLS library: " + tls)
def check_dh_dsa_support(dev):
    """Skip the test when dev's TLS library lacks DH/DSA support.

    Only the internal TLS implementation (per GET tls_library) is rejected.

    Raises:
        HwsimSkip: when the library string starts with "internal".
    """
    tls_lib = dev.request("GET tls_library")
    if not tls_lib.startswith("internal"):
        return
    raise HwsimSkip("DH DSA not supported with this TLS library: " + tls_lib)
104 with open(fname, "r") as f:
105 lines = f.readlines()
113 if "-----BEGIN" in l:
115 return base64.b64decode(cert)
117 def eap_connect(dev, ap, method, identity,
118 sha256=False, expect_failure=False, local_error_report=False,
119 maybe_local_error=False, **kwargs):
120 hapd = hostapd.Hostapd(ap['ifname'])
121 id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
122 eap=method, identity=identity,
123 wait_connect=False, scan_freq="2412", ieee80211w="1",
125 eap_check_auth(dev, method, True, sha256=sha256,
126 expect_failure=expect_failure,
127 local_error_report=local_error_report,
128 maybe_local_error=maybe_local_error)
131 ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
133 raise Exception("No connection event received from hostapd")
136 def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
137 expect_failure=False, local_error_report=False,
138 maybe_local_error=False):
139 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
141 raise Exception("Association and EAP start timed out")
142 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD",
143 "CTRL-EVENT-EAP-FAILURE"], timeout=10)
145 raise Exception("EAP method selection timed out")
146 if "CTRL-EVENT-EAP-FAILURE" in ev:
147 if maybe_local_error:
149 raise Exception("Could not select EAP method")
151 raise Exception("Unexpected EAP method")
153 ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
155 raise Exception("EAP failure timed out")
156 ev = dev.wait_disconnected(timeout=10)
157 if maybe_local_error and "locally_generated=1" in ev:
159 if not local_error_report:
160 if "reason=23" not in ev:
161 raise Exception("Proper reason code for disconnection not reported")
163 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
165 raise Exception("EAP success timed out")
168 ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
170 ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
172 raise Exception("Association with the AP timed out")
173 status = dev.get_status()
174 if status["wpa_state"] != "COMPLETED":
175 raise Exception("Connection not completed")
177 if status["suppPortStatus"] != "Authorized":
178 raise Exception("Port not authorized")
179 if method not in status["selectedMethod"]:
180 raise Exception("Incorrect EAP method status")
182 e = "WPA2-EAP-SHA256"
184 e = "WPA2/IEEE 802.1X/EAP"
186 e = "WPA/IEEE 802.1X/EAP"
187 if status["key_mgmt"] != e:
188 raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger EAP re-authentication on dev and validate the outcome.

    Sends REAUTHENTICATE over the control interface and then runs the same
    event and status checks as an initial connection (eap_check_auth with
    initial=False), so a re-auth that ends up with an unexpected EAP method
    or an unauthorized port is reported, not silently accepted.

    Returns whatever eap_check_auth returns.
    """
    dev.request("REAUTHENTICATE")
    outcome = eap_check_auth(dev, method, False, rsn=rsn, sha256=sha256,
                             expect_failure=expect_failure)
    return outcome
196 def test_ap_wpa2_eap_sim(dev, apdev):
197 """WPA2-Enterprise connection using EAP-SIM"""
198 check_hlr_auc_gw_support()
199 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
200 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
201 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
202 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
203 hwsim_utils.test_connectivity(dev[0], hapd)
204 eap_reauth(dev[0], "SIM")
206 eap_connect(dev[1], apdev[0], "SIM", "1232010000000001",
207 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
208 eap_connect(dev[2], apdev[0], "SIM", "1232010000000002",
209 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
212 logger.info("Negative test with incorrect key")
213 dev[0].request("REMOVE_NETWORK all")
214 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
215 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
218 logger.info("Invalid GSM-Milenage key")
219 dev[0].request("REMOVE_NETWORK all")
220 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
221 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
224 logger.info("Invalid GSM-Milenage key(2)")
225 dev[0].request("REMOVE_NETWORK all")
226 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
227 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
230 logger.info("Invalid GSM-Milenage key(3)")
231 dev[0].request("REMOVE_NETWORK all")
232 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
233 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
236 logger.info("Invalid GSM-Milenage key(4)")
237 dev[0].request("REMOVE_NETWORK all")
238 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
239 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
242 logger.info("Missing key configuration")
243 dev[0].request("REMOVE_NETWORK all")
244 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
247 def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
248 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
249 check_hlr_auc_gw_support()
253 raise HwsimSkip("No sqlite3 module available")
254 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
255 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
256 params['auth_server_port'] = "1814"
257 hostapd.add_ap(apdev[0]['ifname'], params)
258 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
259 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
261 logger.info("SIM fast re-authentication")
262 eap_reauth(dev[0], "SIM")
264 logger.info("SIM full auth with pseudonym")
267 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
268 eap_reauth(dev[0], "SIM")
270 logger.info("SIM full auth with permanent identity")
273 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
274 cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
275 eap_reauth(dev[0], "SIM")
277 logger.info("SIM reauth with mismatching MK")
280 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
281 eap_reauth(dev[0], "SIM", expect_failure=True)
282 dev[0].request("REMOVE_NETWORK all")
284 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
285 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
288 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
289 eap_reauth(dev[0], "SIM")
292 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
293 logger.info("SIM reauth with mismatching counter")
294 eap_reauth(dev[0], "SIM")
295 dev[0].request("REMOVE_NETWORK all")
297 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
298 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
301 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
302 logger.info("SIM reauth with max reauth count reached")
303 eap_reauth(dev[0], "SIM")
305 def test_ap_wpa2_eap_sim_config(dev, apdev):
306 """EAP-SIM configuration options"""
307 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
308 hostapd.add_ap(apdev[0]['ifname'], params)
309 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
310 identity="1232010000000000",
311 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
312 phase1="sim_min_num_chal=1",
313 wait_connect=False, scan_freq="2412")
314 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
316 raise Exception("No EAP error message seen")
317 dev[0].request("REMOVE_NETWORK all")
319 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
320 identity="1232010000000000",
321 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
322 phase1="sim_min_num_chal=4",
323 wait_connect=False, scan_freq="2412")
324 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
326 raise Exception("No EAP error message seen (2)")
327 dev[0].request("REMOVE_NETWORK all")
329 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
330 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
331 phase1="sim_min_num_chal=2")
332 eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
333 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
334 anonymous_identity="345678")
336 def test_ap_wpa2_eap_sim_ext(dev, apdev):
337 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
339 _test_ap_wpa2_eap_sim_ext(dev, apdev)
341 dev[0].request("SET external_sim 0")
343 def _test_ap_wpa2_eap_sim_ext(dev, apdev):
344 check_hlr_auc_gw_support()
345 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
346 hostapd.add_ap(apdev[0]['ifname'], params)
347 dev[0].request("SET external_sim 1")
348 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
349 identity="1232010000000000",
350 wait_connect=False, scan_freq="2412")
351 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
353 raise Exception("Network connected timed out")
355 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
357 raise Exception("Wait for external SIM processing request timed out")
359 if p[1] != "GSM-AUTH":
360 raise Exception("Unexpected CTRL-REQ-SIM type")
361 rid = p[0].split('-')[3]
364 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
365 # This will fail during processing, but the ctrl_iface command succeeds
366 dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
367 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
369 raise Exception("EAP failure not reported")
370 dev[0].request("DISCONNECT")
371 dev[0].wait_disconnected()
374 dev[0].select_network(id, freq="2412")
375 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
377 raise Exception("Wait for external SIM processing request timed out")
379 if p[1] != "GSM-AUTH":
380 raise Exception("Unexpected CTRL-REQ-SIM type")
381 rid = p[0].split('-')[3]
382 # This will fail during GSM auth validation
383 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:q"):
384 raise Exception("CTRL-RSP-SIM failed")
385 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
387 raise Exception("EAP failure not reported")
388 dev[0].request("DISCONNECT")
389 dev[0].wait_disconnected()
392 dev[0].select_network(id, freq="2412")
393 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
395 raise Exception("Wait for external SIM processing request timed out")
397 if p[1] != "GSM-AUTH":
398 raise Exception("Unexpected CTRL-REQ-SIM type")
399 rid = p[0].split('-')[3]
400 # This will fail during GSM auth validation
401 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:34"):
402 raise Exception("CTRL-RSP-SIM failed")
403 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
405 raise Exception("EAP failure not reported")
406 dev[0].request("DISCONNECT")
407 dev[0].wait_disconnected()
410 dev[0].select_network(id, freq="2412")
411 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
413 raise Exception("Wait for external SIM processing request timed out")
415 if p[1] != "GSM-AUTH":
416 raise Exception("Unexpected CTRL-REQ-SIM type")
417 rid = p[0].split('-')[3]
418 # This will fail during GSM auth validation
419 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677"):
420 raise Exception("CTRL-RSP-SIM failed")
421 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
423 raise Exception("EAP failure not reported")
424 dev[0].request("DISCONNECT")
425 dev[0].wait_disconnected()
428 dev[0].select_network(id, freq="2412")
429 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
431 raise Exception("Wait for external SIM processing request timed out")
433 if p[1] != "GSM-AUTH":
434 raise Exception("Unexpected CTRL-REQ-SIM type")
435 rid = p[0].split('-')[3]
436 # This will fail during GSM auth validation
437 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:q"):
438 raise Exception("CTRL-RSP-SIM failed")
439 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
441 raise Exception("EAP failure not reported")
442 dev[0].request("DISCONNECT")
443 dev[0].wait_disconnected()
446 dev[0].select_network(id, freq="2412")
447 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
449 raise Exception("Wait for external SIM processing request timed out")
451 if p[1] != "GSM-AUTH":
452 raise Exception("Unexpected CTRL-REQ-SIM type")
453 rid = p[0].split('-')[3]
454 # This will fail during GSM auth validation
455 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233"):
456 raise Exception("CTRL-RSP-SIM failed")
457 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
459 raise Exception("EAP failure not reported")
460 dev[0].request("DISCONNECT")
461 dev[0].wait_disconnected()
464 dev[0].select_network(id, freq="2412")
465 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
467 raise Exception("Wait for external SIM processing request timed out")
469 if p[1] != "GSM-AUTH":
470 raise Exception("Unexpected CTRL-REQ-SIM type")
471 rid = p[0].split('-')[3]
472 # This will fail during GSM auth validation
473 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233:q"):
474 raise Exception("CTRL-RSP-SIM failed")
475 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
477 raise Exception("EAP failure not reported")
479 def test_ap_wpa2_eap_sim_oom(dev, apdev):
480 """EAP-SIM and OOM"""
481 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
482 hostapd.add_ap(apdev[0]['ifname'], params)
483 tests = [ (1, "milenage_f2345"),
484 (2, "milenage_f2345"),
485 (3, "milenage_f2345"),
486 (4, "milenage_f2345"),
487 (5, "milenage_f2345"),
488 (6, "milenage_f2345"),
489 (7, "milenage_f2345"),
490 (8, "milenage_f2345"),
491 (9, "milenage_f2345"),
492 (10, "milenage_f2345"),
493 (11, "milenage_f2345"),
494 (12, "milenage_f2345") ]
495 for count, func in tests:
496 with alloc_fail(dev[0], count, func):
497 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
498 identity="1232010000000000",
499 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
500 wait_connect=False, scan_freq="2412")
501 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
503 raise Exception("EAP method not selected")
504 dev[0].wait_disconnected()
505 dev[0].request("REMOVE_NETWORK all")
507 def test_ap_wpa2_eap_aka(dev, apdev):
508 """WPA2-Enterprise connection using EAP-AKA"""
509 check_hlr_auc_gw_support()
510 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
511 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
512 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
513 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
514 hwsim_utils.test_connectivity(dev[0], hapd)
515 eap_reauth(dev[0], "AKA")
517 logger.info("Negative test with incorrect key")
518 dev[0].request("REMOVE_NETWORK all")
519 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
520 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
523 logger.info("Invalid Milenage key")
524 dev[0].request("REMOVE_NETWORK all")
525 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
526 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
529 logger.info("Invalid Milenage key(2)")
530 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
531 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
534 logger.info("Invalid Milenage key(3)")
535 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
536 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
539 logger.info("Invalid Milenage key(4)")
540 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
541 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
544 logger.info("Invalid Milenage key(5)")
545 dev[0].request("REMOVE_NETWORK all")
546 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
547 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
550 logger.info("Invalid Milenage key(6)")
551 dev[0].request("REMOVE_NETWORK all")
552 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
553 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
556 logger.info("Missing key configuration")
557 dev[0].request("REMOVE_NETWORK all")
558 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
561 def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
562 """WPA2-Enterprise connection using EAP-AKA (SQL)"""
563 check_hlr_auc_gw_support()
567 raise HwsimSkip("No sqlite3 module available")
568 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
569 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
570 params['auth_server_port'] = "1814"
571 hostapd.add_ap(apdev[0]['ifname'], params)
572 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
573 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
575 logger.info("AKA fast re-authentication")
576 eap_reauth(dev[0], "AKA")
578 logger.info("AKA full auth with pseudonym")
581 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
582 eap_reauth(dev[0], "AKA")
584 logger.info("AKA full auth with permanent identity")
587 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
588 cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
589 eap_reauth(dev[0], "AKA")
591 logger.info("AKA reauth with mismatching MK")
594 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
595 eap_reauth(dev[0], "AKA", expect_failure=True)
596 dev[0].request("REMOVE_NETWORK all")
598 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
599 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
602 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
603 eap_reauth(dev[0], "AKA")
606 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
607 logger.info("AKA reauth with mismatching counter")
608 eap_reauth(dev[0], "AKA")
609 dev[0].request("REMOVE_NETWORK all")
611 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
612 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
615 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
616 logger.info("AKA reauth with max reauth count reached")
617 eap_reauth(dev[0], "AKA")
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    # The only option exercised is anonymous_identity: the supplicant is
    # given a separate identity ("2345678") to present instead of the
    # permanent one, which is EAP-AKA's knob for limiting identity exposure
    # (presumably in the outer EAP-Response/Identity -- confirm against
    # wpa_supplicant.conf).
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Milenage credential in the same Ki:OPc:SQN form the other AKA tests use.
    milenage = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password=milenage, anonymous_identity="2345678")
627 def test_ap_wpa2_eap_aka_ext(dev, apdev):
628 """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
630 _test_ap_wpa2_eap_aka_ext(dev, apdev)
632 dev[0].request("SET external_sim 0")
634 def _test_ap_wpa2_eap_aka_ext(dev, apdev):
635 check_hlr_auc_gw_support()
636 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
637 hostapd.add_ap(apdev[0]['ifname'], params)
638 dev[0].request("SET external_sim 1")
639 id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
640 identity="0232010000000000",
641 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
642 wait_connect=False, scan_freq="2412")
643 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
645 raise Exception("Network connected timed out")
647 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
649 raise Exception("Wait for external SIM processing request timed out")
651 if p[1] != "UMTS-AUTH":
652 raise Exception("Unexpected CTRL-REQ-SIM type")
653 rid = p[0].split('-')[3]
656 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
657 # This will fail during processing, but the ctrl_iface command succeeds
658 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
659 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
661 raise Exception("EAP failure not reported")
662 dev[0].request("DISCONNECT")
663 dev[0].wait_disconnected()
665 dev[0].dump_monitor()
667 dev[0].select_network(id, freq="2412")
668 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
670 raise Exception("Wait for external SIM processing request timed out")
672 if p[1] != "UMTS-AUTH":
673 raise Exception("Unexpected CTRL-REQ-SIM type")
674 rid = p[0].split('-')[3]
675 # This will fail during UMTS auth validation
676 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
677 raise Exception("CTRL-RSP-SIM failed")
678 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
680 raise Exception("Wait for external SIM processing request timed out")
682 if p[1] != "UMTS-AUTH":
683 raise Exception("Unexpected CTRL-REQ-SIM type")
684 rid = p[0].split('-')[3]
685 # This will fail during UMTS auth validation
686 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
687 raise Exception("CTRL-RSP-SIM failed")
688 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
690 raise Exception("EAP failure not reported")
691 dev[0].request("DISCONNECT")
692 dev[0].wait_disconnected()
694 dev[0].dump_monitor()
696 tests = [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
698 ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
699 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
700 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
701 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
702 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
704 dev[0].select_network(id, freq="2412")
705 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
707 raise Exception("Wait for external SIM processing request timed out")
709 if p[1] != "UMTS-AUTH":
710 raise Exception("Unexpected CTRL-REQ-SIM type")
711 rid = p[0].split('-')[3]
712 # This will fail during UMTS auth validation
713 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
714 raise Exception("CTRL-RSP-SIM failed")
715 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
717 raise Exception("EAP failure not reported")
718 dev[0].request("DISCONNECT")
719 dev[0].wait_disconnected()
721 dev[0].dump_monitor()
723 def test_ap_wpa2_eap_aka_prime(dev, apdev):
724 """WPA2-Enterprise connection using EAP-AKA'"""
725 check_hlr_auc_gw_support()
726 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
727 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
728 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
729 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
730 hwsim_utils.test_connectivity(dev[0], hapd)
731 eap_reauth(dev[0], "AKA'")
733 logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
734 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
735 identity="6555444333222111@both",
736 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
737 wait_connect=False, scan_freq="2412")
738 dev[1].wait_connected(timeout=15)
740 logger.info("Negative test with incorrect key")
741 dev[0].request("REMOVE_NETWORK all")
742 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
743 password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
746 def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
747 """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
748 check_hlr_auc_gw_support()
752 raise HwsimSkip("No sqlite3 module available")
753 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
754 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
755 params['auth_server_port'] = "1814"
756 hostapd.add_ap(apdev[0]['ifname'], params)
757 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
758 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
760 logger.info("AKA' fast re-authentication")
761 eap_reauth(dev[0], "AKA'")
763 logger.info("AKA' full auth with pseudonym")
766 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
767 eap_reauth(dev[0], "AKA'")
769 logger.info("AKA' full auth with permanent identity")
772 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
773 cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
774 eap_reauth(dev[0], "AKA'")
776 logger.info("AKA' reauth with mismatching k_aut")
779 cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
780 eap_reauth(dev[0], "AKA'", expect_failure=True)
781 dev[0].request("REMOVE_NETWORK all")
783 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
784 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
787 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
788 eap_reauth(dev[0], "AKA'")
791 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
792 logger.info("AKA' reauth with mismatching counter")
793 eap_reauth(dev[0], "AKA'")
794 dev[0].request("REMOVE_NETWORK all")
796 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
797 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
800 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
801 logger.info("AKA' reauth with max reauth count reached")
802 eap_reauth(dev[0], "AKA'")
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Sanity-check the AP's advertised AKM list before connecting: the first
    # key_mgmt token must be WPA-EAP for this to be a WPA2-Enterprise test.
    akm_list = hapd.get_config()['key_mgmt']
    first_akm = akm_list.partition(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + akm_list)
    # NOTE(review): PAP carries the password unobfuscated inside the TTLS
    # tunnel, so its confidentiality rests entirely on validating the server
    # certificate against ca_cert. The real username is likewise only
    # protected by the tunnel; "ttls" is what is sent in the clear.
    tunnel_cfg = dict(anonymous_identity="ttls", password="password",
                      ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **tunnel_cfg)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    # The RSNA MIB must report the 802.1X AKM selector (00-0f-ac-1) as both
    # the requested and the selected suite.
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
                       ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1")])
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    # Both gates require an OpenSSL build; skip early if either is missing.
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Beyond chaining to ca.pem, the server certificate is pinned to an
    # expected identity: the subject DN and a set of SAN entries. This is
    # the check that stops a rogue AP holding any other certificate from
    # the same CA (presumably a substring match for subject_match and
    # any-one-entry match for altsubject_match -- confirm in
    # wpa_supplicant.conf).
    expected_subject = "/C=FI/O=w1.fi/CN=server.w1.fi"
    expected_san = "EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/"
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                subject_match=expected_subject,
                altsubject_match=expected_san)
    eap_reauth(dev[0], "TTLS")
832 def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
833 """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
834 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
835 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
836 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
837 anonymous_identity="ttls", password="wrong",
838 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
840 eap_connect(dev[1], apdev[0], "TTLS", "user",
841 anonymous_identity="ttls", password="password",
842 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    # CHAP is skipped under FIPS (presumably because of its MD5 dependency).
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # This variant points ca_cert at the DER-encoded copy of the CA (ca.der)
    # rather than the PEM file the PAP tests use.
    tunnel_cfg = dict(anonymous_identity="ttls", password="password",
                      ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", **tunnel_cfg)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    skip_with_fips(dev[0])
    check_altsubject_match_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Same three SAN entries as the PAP subject_match test, but listed in a
    # different order (DNS last), so entry order should not affect matching.
    expected_san = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match=expected_san)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password

    Negative cases for CHAP: the CHAP user with a wrong password and the
    plain "user" identity with the regular password; both use expect_failure.
    Skipped in FIPS mode.
    """
    skip_with_fips(dev[0])
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # NOTE(review): the closing `expect_failure=True)` line of both calls is
    # missing from this listing; reconstructed from the sibling
    # incorrect-password tests — confirm against upstream.
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
                expect_failure=True)
    eap_connect(dev[1], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP

    Three connections in sequence: with domain_suffix_match set to the
    server's full host name, a second one whose final keyword argument is
    missing from this listing (see note below), and a third with the password
    given in pre-hashed form via password_hex. Skipped in FIPS mode and when
    the TLS library does not support domain_suffix_match.
    """
    skip_with_fips(dev[0])
    check_domain_suffix_match(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                # NOTE(review): this listing omits the final keyword argument
                # (and closing parenthesis) of this call; the trailing comma
                # above shows one is present upstream — confirm there.
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    # Password supplied as a hash ("hash:" prefix) rather than in clear text.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password

    Three negative cases on three stations: wrong password for the MSCHAP
    user, the plain "user" identity, and an identity the server does not
    know. All use expect_failure. Skipped in FIPS mode.
    """
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # NOTE(review): the closing `expect_failure=True)` line of each call is
    # missing from this listing; reconstructed from the sibling
    # incorrect-password tests — confirm against upstream.
    cases = [(dev[0], "mschap user", "wrong"),
             (dev[1], "user", "password"),
             (dev[2], "no such user", "password")]
    for sta, identity, passwd in cases:
        eap_connect(sta, apdev[0], "TTLS", identity,
                    anonymous_identity="ttls", password=passwd,
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                    expect_failure=True)
def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2

    After the initial connection and a reauthentication, hostapd's per-STA
    and EAPOL counters are compared to confirm the reauthentication went
    through the authenticator (dot1xAuthEapolFramesRx,
    authAuthEapStartsWhileAuthenticated and backendAuthSuccesses must all
    have moved). Finally the station reconnects with the password supplied
    in pre-hashed form (password_hex with the "hash:" prefix).
    """
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    ap = hostapd.Hostapd(ifname)
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], ap)

    before = ap.get_sta(dev[0].p2p_interface_addr())
    eapol_before = ap.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    eap_reauth(dev[0], "TTLS")
    after = ap.get_sta(dev[0].p2p_interface_addr())
    eapol_after = ap.get_sta(dev[0].p2p_interface_addr(), info="eapol")

    frames_rx_after = int(after['dot1xAuthEapolFramesRx'])
    frames_rx_before = int(before['dot1xAuthEapolFramesRx'])
    if frames_rx_after <= frames_rx_before:
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol_after['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    successes_after = int(eapol_after['backendAuthSuccesses'])
    successes_before = int(eapol_before['backendAuthSuccesses'])
    if successes_after <= successes_before:
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_ttls_invalid_phase2(dev, apdev):
    """EAP-TTLS with invalid phase2 parameter values

    For each malformed or contradictory phase2 string the station must first
    be offered EAP-TTLS (method=21) and then report "Failed to initialize
    EAP method"; reaching CTRL-EVENT-CONNECTED is treated as a test failure.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    invalid_phase2 = ["auth=MSCHAPv2",
                      "auth=MSCHAPV2 autheap=MD5",
                      "autheap=MD5 auth=MSCHAPV2",
                      "auth=PAP auth=CHAP",
                      "autheap=MD5 autheap=FOO autheap=MSCHAPV2"]
    # NOTE(review): the loop header is missing from this listing and was
    # reconstructed from the uses of `t` in the body — confirm against
    # upstream.
    for t in invalid_phase2:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity="DOMAIN\mschapv2 user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2=t,
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=10)
        if ev is None or "method=21" not in ev:
            raise Exception("EAP-TTLS not started")
        ev = dev[0].wait_event(["EAP: Failed to initialize EAP method",
                                "CTRL-EVENT-CONNECTED"], timeout=5)
        if ev is None or "CTRL-EVENT-CONNECTED" in ev:
            raise Exception("No EAP-TTLS failure reported for phase2=" + t)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()
def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and domain_suffix_match

    domain_suffix_match is set to the parent domain "w1.fi" rather than the
    server's full host name, so the test is skipped unless the TLS library
    supports suffix matching (check_domain_match_full). Skipped in FIPS mode.
    """
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    ap = hostapd.Hostapd(ifname)
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)

    Uses domain_match (exact host-name match) with a mixed-case value,
    "Server.w1.fi". Skipped when the TLS library does not support
    domain_match and in FIPS mode.
    """
    check_domain_match(dev[0])
    skip_with_fips(dev[0])
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    ap = hostapd.Hostapd(ifname)
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password

    Negative cases: the MSCHAPv2 user with a near-miss password ("password1")
    and the plain "user" identity; both use expect_failure. Skipped in FIPS
    mode.
    """
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    cases = [(dev[0], "DOMAIN\mschapv2 user", "password1"),
             (dev[1], "user", "password")]
    for sta, identity, passwd in cases:
        eap_connect(sta, apdev[0], "TTLS", identity,
                    anonymous_identity="ttls", password=passwd,
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    expect_failure=True)
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password

    dev[0] authenticates with a non-ASCII clear-text password, dev[1] with
    the equivalent pre-hashed password_hex. dev[2] then tries three
    password_hex values that must be rejected (an EAP failure is required
    within a second for each). Skipped in FIPS mode.
    """
    skip_with_fips(dev[0])
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    hostapd.Hostapd(ifname)
    eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
                anonymous_identity="ttls", password="secret-åäö-€-password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
                anonymous_identity="ttls",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    rejected_hex = ["80", "41c041e04141e041", 257 * "41"]
    for bad_hex in rejected_hex:
        dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="TTLS", identity="utf8-user-hash",
                       anonymous_identity="ttls", password_hex=bad_hex,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=1)
        # NOTE(review): this guard line is missing from the listing and was
        # reconstructed from the adjacent raise — confirm against upstream.
        if ev is None:
            raise Exception("No failure reported")
        dev[2].request("REMOVE_NETWORK all")
        dev[2].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC

    Inner method is EAP-GTC (phase2="autheap=GTC"); connectivity and a
    reauthentication are verified.
    """
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.pem",
                phase2="autheap=GTC")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password

    Wrong password for the inner EAP-GTC exchange; run with expect_failure.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls",
                password="wrong",
                ca_cert="auth_serv/ca.pem",
                phase2="autheap=GTC",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password

    The "user-no-passwd" identity has no password on the server side, so the
    EAP-GTC exchange must fail even though the station supplies one.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.pem",
                phase2="autheap=GTC",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM

    Uses the integrated EAP server (int_eap_server_params) and alloc_fail to
    inject an allocation failure into the server-side eap_gtc_init and
    eap_gtc_buildReq paths. The first case must fail the connection; the
    second only needs to reach the injected failure.

    NOTE(review): this listing is missing the polling loop around the
    GET_ALLOC_FAIL check at the end of the function (the lines after the
    "This would eventually time out" comment and the body of the final `if`);
    the tail below is incomplete and must be checked against upstream.
    """
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(hapd, 1, "eap_gtc_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        # NOTE(review): listing gap — the loop that polls GET_ALLOC_FAIL is
        # missing here; only its exit condition survived.
        if hapd.request("GET_ALLOC_FAIL").startswith('0'):
            # NOTE(review): listing gap — the body of this `if` is missing.
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5

    Inner method is EAP-MD5 (phase2="autheap=MD5"); skipped when the build
    lacks the MD5 EAP method. Connectivity and a reauthentication are
    verified.
    """
    check_eap_capa(dev[0], "MD5")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.pem",
                phase2="autheap=MD5")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password

    Wrong password for the inner EAP-MD5 exchange; run with expect_failure.
    Skipped when the build lacks the MD5 EAP method.
    """
    check_eap_capa(dev[0], "MD5")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls",
                password="wrong",
                ca_cert="auth_serv/ca.pem",
                phase2="autheap=MD5",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password

    The "user-no-passwd" identity has no password on the server side, so the
    EAP-MD5 exchange must fail. Skipped when the build lacks the MD5 method.
    """
    check_eap_capa(dev[0], "MD5")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.pem",
                phase2="autheap=MD5",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM

    Uses the integrated EAP server and alloc_fail to inject an allocation
    failure into the server-side eap_md5_init and eap_md5_buildReq paths.
    The first case must fail the connection; the second only needs to reach
    the injected failure.

    NOTE(review): this listing is missing the polling loop around the
    GET_ALLOC_FAIL check at the end of the function (the lines after the
    "This would eventually time out" comment and the body of the final `if`);
    the tail below is incomplete and must be checked against upstream.
    """
    check_eap_capa(dev[0], "MD5")
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(hapd, 1, "eap_md5_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(hapd, 1, "eap_md5_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        # NOTE(review): listing gap — the loop that polls GET_ALLOC_FAIL is
        # missing here; only its exit condition survived.
        if hapd.request("GET_ALLOC_FAIL").startswith('0'):
            # NOTE(review): listing gap — the body of this `if` is missing.
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2

    Inner method is EAP-MSCHAPv2 (phase2="autheap=MSCHAPV2"). After a
    successful connection, connectivity check and reauthentication, the
    same station is reconnected with a wrong password and must fail.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem",
                  phase2="autheap=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                password="password", **common)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                password="password1", expect_failure=True, **common)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password

    The "user-no-passwd" identity has no password on the server side, so the
    inner EAP-MSCHAPv2 exchange must fail. Skipped when the build lacks the
    MSCHAPV2 method.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.pem",
                phase2="autheap=MSCHAPV2",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM

    Uses the integrated EAP server and alloc_fail to inject allocation
    failures into four server-side EAP-MSCHAPv2 paths: init (must fail the
    connection), build_challenge, build_success_req and build_failure_req
    (the last one driven with a wrong password so the failure request is
    actually built). The latter three only need to reach the injected
    failure.

    NOTE(review): this listing is missing the polling loop around each of
    the three GET_ALLOC_FAIL checks (the lines after each "This would
    eventually time out" comment and the body of each `if`); those parts
    are incomplete below and must be checked against upstream.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(hapd, 1, "eap_mschapv2_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(hapd, 1, "eap_mschapv2_build_challenge"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        # NOTE(review): listing gap — polling loop missing here.
        if hapd.request("GET_ALLOC_FAIL").startswith('0'):
            # NOTE(review): listing gap — body of this `if` is missing.
    dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(hapd, 1, "eap_mschapv2_build_success_req"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        # NOTE(review): listing gap — polling loop missing here.
        if hapd.request("GET_ALLOC_FAIL").startswith('0'):
            # NOTE(review): listing gap — body of this `if` is missing.
    dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(hapd, 1, "eap_mschapv2_build_failure_req"):
        # Wrong password on purpose: the server must take the failure-request
        # path for the injected allocation failure to be reached.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="wrong",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        # NOTE(review): listing gap — polling loop missing here.
        if hapd.request("GET_ALLOC_FAIL").startswith('0'):
            # NOTE(review): listing gap — body of this `if` is missing.
    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA

    EAP-AKA tunnelled inside EAP-TTLS (phase2="autheap=AKA"). The identity is
    the test IMSI and the password carries the simulated USIM parameters
    (presumably Ki:OPc:SQN — confirm against the hwsim EAP-AKA tests).
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    usim_params = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "TTLS", "0232010000000000",
                anonymous_identity="0232010000000000@ttls",
                password=usim_params,
                ca_cert="auth_serv/ca.pem",
                phase2="autheap=AKA")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA

    EAP-AKA tunnelled inside EAP-PEAP (phase2="auth=AKA") with the same
    test IMSI and simulated USIM parameters as the TTLS variant.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    usim_params = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "PEAP", "0232010000000000",
                anonymous_identity="0232010000000000@peap",
                password=usim_params,
                ca_cert="auth_serv/ca.pem",
                phase2="auth=AKA")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA

    EAP-AKA tunnelled inside EAP-FAST with authenticated provisioning
    (phase1="fast_provisioning=2") and the PAC stored in a configuration
    blob. Skipped when the build lacks EAP-FAST.
    """
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    usim_params = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "FAST", "0232010000000000",
                anonymous_identity="0232010000000000@fast",
                password=usim_params,
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka",
                ca_cert="auth_serv/ca.pem",
                phase2="auth=AKA")
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2

    Four passes on the same station: a normal connection (with connectivity
    check and reauthentication), a connection with a small EAP fragment_size,
    a connection with the password in pre-hashed form (password_hex), and a
    negative pass with a wrong password.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="peap",
                  ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")

    eap_connect(dev[0], apdev[0], "PEAP", "user",
                password="password", **common)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")

    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                password="password", fragment_size="200", **common)

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                **common)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                password="password1", expect_failure=True, **common)
def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain

    The identity carries a DOMAIN\\ prefix ("DOMAIN\\user3"); connectivity
    and a reauthentication are verified.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ifname = apdev[0]['ifname']
    ap = hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "PEAP", "DOMAIN\user3",
                anonymous_identity="peap",
                password="password",
                ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password

    Wrong password for the inner EAP-MSCHAPv2 exchange; run with
    expect_failure.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap",
                password="wrong",
                ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2",
                expect_failure=True)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding

    PEAPv0 with the three crypto_binding settings wpa_supplicant accepts
    (2 = required, 1 = optional, 0 = disabled), one station each. Only the
    crypto_binding=2 station is additionally checked for connectivity and
    reauthentication.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect_with_binding(sta, binding):
        eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=" + binding,
                    phase2="auth=MSCHAPV2")

    connect_with_binding(dev[0], "2")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")

    connect_with_binding(dev[1], "1")
    connect_with_binding(dev[2], "0")
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM

    With crypto binding required, an allocation failure injected into the
    server-side eap_mschapv2_getKey must make the authentication fail; the
    failure is expected to be reported locally (local_error_report).
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    with alloc_fail(ap, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], apdev[0], "PEAP", "user",
                    password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True,
                    local_error_report=True)
def test_ap_wpa2_eap_peap_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters

    Exercises PEAP phase1 options: peaplabel=1 with PEAPv0 (must fail),
    peap_outer_success=0/1/2, peapver=1 with peaplabel=1 (EAP success but
    no connection), anonymous identities that select the server-side PEAP
    version in agreement or conflict with peapver, and finally a set of
    TLS tuning options.

    NOTE(review): this listing is missing several lines of this function
    (argument lines inside two dev[0].connect() calls, the `if ev ...:`
    guards before four raise statements, one entry of the first `tests`
    list and the closing argument of a connect() call). Those spots are
    marked inline; check against upstream before relying on this copy.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # peaplabel=1 is not valid with PEAPv0 here, so this must fail.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="peapver=0 peaplabel=1",
                expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   # NOTE(review): listing gap — an argument line is missing here.
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peap_outer_success=0",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
    # NOTE(review): listing gap — the guard before this raise is missing.
        raise Exception("No EAP success seen")
    # This won't succeed to connect with peap_outer_success=0, so stop here.
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=1",
                phase2="auth=MSCHAPV2")
    eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=2",
                phase2="auth=MSCHAPV2")
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   # NOTE(review): listing gap — an argument line is missing here.
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peapver=1 peaplabel=1",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
    # NOTE(review): listing gap — the guard before this raise is missing.
        raise Exception("No EAP success seen")
    # EAP succeeds but the connection must not complete within a second.
    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
    # NOTE(review): listing gap — the guard before this raise is missing.
        raise Exception("Unexpected connection")

    # (anonymous_identity, phase1) pairs that should connect: the anonymous
    # identity picks the server-side PEAP version and agrees with peapver.
    tests = [ ("peap-ver0", ""),
              # NOTE(review): listing gap — one list entry is missing here.
              ("peap-ver0", "peapver=0"),
              ("peap-ver1", "peapver=1") ]
    for anon,phase1 in tests:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                       identity="user", anonymous_identity=anon,
                       password="password", phase1=phase1,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       # NOTE(review): listing gap — the closing argument line
                       # of this call is missing.
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Conflicting server-side version vs. peapver: EAP-Failure expected.
    tests = [ ("peap-ver0", "peapver=1"),
              ("peap-ver1", "peapver=0") ]
    for anon,phase1 in tests:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                       identity="user", anonymous_identity=anon,
                       password="password", phase1=phase1,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        # NOTE(review): listing gap — the guard before this raise is missing.
            raise Exception("No EAP-Failure seen")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Deliberately permissive TLS settings (MD5 allowed, TLS 1.0/1.1 enabled,
    # no session tickets, no external cert check) purely to exercise the
    # phase1 parser; not a configuration to copy into a real deployment.
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_allow_md5=1 tls_disable_session_ticket=1 tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=0 tls_ext_cert_check=0",
                phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS

    EAP-TLS as the inner method of PEAP: the tunnel uses ca_cert, while the
    inner client certificate, key and trust root are given through the
    phase-2 variants (ca_cert2, client_cert2, private_key2).
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem",
                phase2="auth=TLS",
                ca_cert2="auth_serv/ca.pem",
                client_cert2="auth_serv/user.pem",
                private_key2="auth_serv/user.key")
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS

    Certificate-based authentication with the client certificate and
    unencrypted private key from files, followed by a reauthentication.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    eap_reauth(dev[0], "TLS")
def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key

    The private key is a password-protected PKCS #8 file
    (auth_serv/user.key.pkcs8) unlocked with private_key_passwd.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key.pkcs8",
                private_key_passwd="whatever")
def test_eap_tls_pkcs8_pkcs5_v15(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key

    Same as the PKCS #5 v2 case but with the legacy v1.5 key encryption
    (auth_serv/user.key.pkcs8.pkcs5v15).
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key.pkcs8.pkcs5v15",
                private_key_passwd="whatever")
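def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs

    The CA certificate, client certificate and client key are loaded into
    wpa_supplicant as named configuration blobs ("SET blob <name> <hex>")
    and then referenced through blob:// URIs instead of file paths.

    Raises:
        Exception: if wpa_supplicant does not answer OK to a SET blob
            request; the message names the blob that failed.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def set_blob(name, path):
        # NOTE(review): str.encode("hex") is Python 2 only, as elsewhere in
        # this file; a Python 3 port would use binascii.hexlify().
        data = read_pem(path)
        if "OK" not in dev[0].request("SET blob " + name + " " + data.encode("hex")):
            # Fix: the original reported "cacert" when the userkey blob failed.
            raise Exception("Could not set " + name + " blob")

    set_blob("cacert", "auth_serv/ca.pem")
    set_blob("usercert", "auth_serv/user.pem")
    set_blob("userkey", "auth_serv/user.rsa-key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")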
def test_ap_wpa2_eap_tls_blob_missing(dev, apdev):
    """EAP-TLS and config blob missing

    All three credential references point at a blob that was never set; the
    EAP method must fail to initialize rather than connect.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    absent = "blob://testing-blob-does-not-exist"
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert=absent,
                   client_cert=absent,
                   private_key=absent,
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"], timeout=10)
    # NOTE(review): this guard line is missing from the listing and was
    # reconstructed from the adjacent raise — confirm against upstream.
    if ev is None:
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_with_tls_len(dev, apdev):
    """EAP-TLS and TLS Message Length in unfragmented packets

    phase1="include_tls_length=1" makes the station include the TLS Message
    Length field even when the EAP-TLS message is not fragmented.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                phase1="include_tls_length=1",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12

    Three parts: connect with a PKCS#12 bundle and private_key_passwd;
    connect without the passphrase and supply it interactively through the
    CTRL-REQ-PASSPHRASE / CTRL-RSP-PASSPHRASE control-interface exchange;
    then repeat the connection with two bundles that carry an extra
    certificate to exercise chain handling.

    NOTE(review): this listing is missing the guard line before
    "Request for private key passphrase timed out", the line right after
    the final `for` header (the comment above it says the connection is run
    twice, so an inner loop may be missing) and the private_key argument of
    the eap_connect() call inside that loop. Check against upstream.
    """
    check_pkcs12_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # No private_key_passwd this time: wpa_supplicant must ask for it.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
    # NOTE(review): listing gap — the guard before this raise is missing.
        raise Exception("Request for private key passphrase timed out")
    # The request id is the last '-'-separated field before the ':' and is
    # echoed back in the CTRL-RSP-PASSPHRASE-<id> reply.
    id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
    dev[0].wait_connected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # Run this twice to verify certificate chain handling with OpenSSL. Use two
    # different files to cover both cases of the extra certificate being the
    # one that signed the client certificate and it being unrelated to the
    # client certificate.
    for pkcs12 in "auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12":
        # NOTE(review): listing gap — one line is missing here.
        eap_connect(dev[0], apdev[0], "TLS", "tls user",
                    ca_cert="auth_serv/ca.pem",
                    # NOTE(review): listing gap — the private_key argument
                    # (presumably the loop variable) is missing here.
                    private_key_passwd="whatever")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob

    The CA certificate (PEM) and the PKCS#12 bundle (raw bytes) are both
    stored as configuration blobs and referenced via blob:// URIs; the
    bundle is unlocked with private_key_passwd.
    """
    check_pkcs12_support(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # NOTE(review): str.encode("hex") is Python 2 only, as elsewhere in this
    # file.
    ca_hex = read_pem("auth_serv/ca.pem").encode("hex")
    if "OK" not in dev[0].request("SET blob cacert " + ca_hex):
        raise Exception("Could not set cacert blob")
    with open("auth_serv/user.pkcs12", "rb") as bundle:
        p12_hex = bundle.read().encode("hex")
        if "OK" not in dev[0].request("SET blob pkcs12 " + p12_hex):
            raise Exception("Could not set pkcs12 blob")

    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root

    Two stations are given a CA certificate that did not issue the server
    certificate (dev[0] as a configuration blob, dev[1] as a file). For each
    the required sequence is: EAP started, TTLS selected, a TLS certificate
    error, then EAP failure, disconnection and the network block being
    temporarily disabled. An EAP success or a connection at any point fails
    the test.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    wrong_ca = read_pem("auth_serv/ca-incorrect.pem")
    if "OK" not in dev[0].request("SET blob cacert " + wrong_ca.encode("hex")):
        raise Exception("Could not set cacert blob")

    trust_roots = ((dev[0], "blob://cacert"),
                   (dev[1], "auth_serv/ca-incorrect.pem"))
    for sta, ca in trust_roots:
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                    password="password", phase2="auth=MSCHAPV2",
                    ca_cert=ca,
                    wait_connect=False, scan_freq="2412")

    def await_event(sta, events, timeout_msg):
        # NOTE(review): the `if ev is None:` guards of the original are
        # missing from this listing; this helper reconstructs them from the
        # adjacent "timed out" / "not reported" raises — confirm upstream.
        ev = sta.wait_event(events, timeout=10)
        if ev is None:
            raise Exception(timeout_msg)
        return ev

    for sta in (dev[0], dev[1]):
        await_event(sta, ["CTRL-EVENT-EAP-STARTED"],
                    "Association and EAP start timed out")

        ev = await_event(sta, ["CTRL-EVENT-EAP-METHOD"],
                         "EAP method selection timed out")
        if "TTLS" not in ev:
            raise Exception("Unexpected EAP method")

        ev = await_event(sta, ["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                               "CTRL-EVENT-EAP-SUCCESS",
                               "CTRL-EVENT-EAP-FAILURE",
                               "CTRL-EVENT-CONNECTED",
                               "CTRL-EVENT-DISCONNECTED"],
                         "EAP result timed out")
        if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
            raise Exception("TLS certificate error not reported")

        ev = await_event(sta, ["CTRL-EVENT-EAP-SUCCESS",
                               "CTRL-EVENT-EAP-FAILURE",
                               "CTRL-EVENT-CONNECTED",
                               "CTRL-EVENT-DISCONNECTED"],
                         "EAP result(2) timed out")
        if "CTRL-EVENT-EAP-FAILURE" not in ev:
            raise Exception("EAP failure not reported")

        ev = await_event(sta, ["CTRL-EVENT-CONNECTED",
                               "CTRL-EVENT-DISCONNECTED"],
                         "EAP result(3) timed out")
        if "CTRL-EVENT-DISCONNECTED" not in ev:
            raise Exception("Disconnection not reported")

        await_event(sta, ["CTRL-EVENT-SSID-TEMP-DISABLED"],
                    "Network block disabling not reported")
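def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust

    Connect with the correct CA, then switch to a second network block that
    pins an incorrect CA. EAP-TTLS must be negotiated again from scratch and
    the station must disconnect with reason 23 (expected to be "IEEE 802.1X
    authentication failed") rather than reuse the earlier, successfully
    validated TLS state.

    Fix: the re-start check now tests `ev is None` (wait_event() returns None
    on timeout) instead of raising unconditionally.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password", phase2="auth=PAP",
                   ca_cert="auth_serv/ca.pem",
                   wait_connect=True, scan_freq="2412")
    # 'netid' rather than 'id' so the builtin is not shadowed.
    netid = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                           identity="pap user", anonymous_identity="ttls",
                           password="password", phase2="auth=PAP",
                           ca_cert="auth_serv/ca-incorrect.pem",
                           only_add_network=True, scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(netid, freq="2412")

    # vendor=0 method=21 is EAP-TTLS; seeing a fresh proposal proves the
    # method is restarted for the new trust configuration.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")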
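def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust

    Variant of test_ap_wpa2_eap_tls_diff_ca_trust where the first network
    block configures no ca_cert at all (the server certificate is not
    validated - acceptable only in this test, never in a real profile) and
    the second block pins an incorrect CA. Switching blocks must still force
    a fresh EAP-TTLS negotiation that fails with reason 23 (expected to be
    "IEEE 802.1X authentication failed").

    Fix: the re-start check now tests `ev is None` (wait_event() returns None
    on timeout) instead of raising unconditionally.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password", phase2="auth=PAP",
                   wait_connect=True, scan_freq="2412")
    # 'netid' rather than 'id' so the builtin is not shadowed.
    netid = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                           identity="pap user", anonymous_identity="ttls",
                           password="password", phase2="auth=PAP",
                           ca_cert="auth_serv/ca-incorrect.pem",
                           only_add_network=True, scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(netid, freq="2412")

    # vendor=0 method=21 is EAP-TTLS.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")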
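def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust

    Same network block throughout: connect with the correct CA, disconnect,
    change ca_cert in place to an incorrect CA and re-select the block.
    Modifying the trust anchor must invalidate any cached TLS state, so
    EAP-TTLS is renegotiated and rejected with reason 23 (expected to be
    "IEEE 802.1X authentication failed").

    Fix: the re-start check now tests `ev is None` (wait_event() returns None
    on timeout) instead of raising unconditionally.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # 'netid' rather than 'id' so the builtin is not shadowed.
    netid = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                           identity="pap user", anonymous_identity="ttls",
                           password="password", phase2="auth=PAP",
                           ca_cert="auth_serv/ca.pem",
                           wait_connect=True, scan_freq="2412")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].set_network_quoted(netid, "ca_cert", "auth_serv/ca-incorrect.pem")
    dev[0].select_network(netid, freq="2412")

    # vendor=0 method=21 is EAP-TTLS.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")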
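def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch

    The server certificate chains to the trusted CA, but domain_suffix_match
    names a suffix the certificate does not carry. The station must report a
    "Domain suffix mismatch" certificate error before any EAP success, fail
    EAP, disconnect and temporarily disable the network block - a valid CA
    alone is not sufficient to release the MSCHAPv2 credentials.

    Fix: each timeout check now tests `ev is None` (wait_event() returns None
    on timeout) instead of raising unconditionally.
    """
    check_domain_suffix_match(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # "\\m" is the same runtime string as the former "\m" (invalid escape).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_suffix_match="incorrect.example.com",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The first outcome event must be the certificate error; a success or
    # connected event here would mean the mismatch was not enforced.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")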
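def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch

    Like the suffix test, but with domain_match (full-name match) set to a
    name the server certificate does not carry. The station must report a
    "Domain mismatch" certificate error as the first EAP outcome, fail EAP,
    disconnect and temporarily disable the network block.

    Fix: each timeout check now tests `ev is None` (wait_event() returns None
    on timeout) instead of raising unconditionally.
    """
    check_domain_match(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # "\\m" is the same runtime string as the former "\m" (invalid escape).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_match="w1.fi",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The first outcome event must be the certificate error.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")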
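def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch

    subject_match is set to a DN the server certificate does not have. With
    OpenSSL the station must report a "Subject mismatch" certificate error
    as the first EAP outcome and then fail/disconnect/back off. With a TLS
    library that does not support subject_match, EAP method initialization
    itself fails, which is also a safe (fail-closed) outcome and ends the test.

    Fixes: the timeout checks now test `ev is None` (wait_event() returns
    None on timeout) instead of raising unconditionally, and the
    "not supported" branch returns instead of falling through into checks
    that cannot hold for it.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # "\\m" is the same runtime string as the former "\m" (invalid escape).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   subject_match="/C=FI/O=w1.fi/CN=example.com",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The first outcome event must be the certificate error.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")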
1865 def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
1866 """WPA2-Enterprise negative test - altsubject mismatch"""
1867 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1868 hostapd.add_ap(apdev[0]['ifname'], params)
1870 tests = [ "incorrect.example.com",
1871 "DNS:incorrect.example.com",
1875 _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
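def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    """Run one altsubject_match negative case against the already started AP.

    Args:
        match: altsubject_match value that must NOT be satisfied by the
               server certificate.

    With OpenSSL the station must report an "AltSubject mismatch" certificate
    error as the first EAP outcome, fail EAP, disconnect and back off. With a
    TLS library that lacks altsubject_match, method initialization fails,
    which is a safe (fail-closed) result and ends the case.

    Fixes: the timeout checks now test `ev is None` (wait_event() returns
    None on timeout) instead of raising unconditionally; the "not supported"
    branch returns after removing the network block so the caller's next
    iteration starts from a clean state.
    """
    # "\\m" is the same runtime string as the former "\m" (invalid escape).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   altsubject_match=match,
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        dev[0].request("REMOVE_NETWORK all")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The first outcome event must be the certificate error.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")

    dev[0].request("REMOVE_NETWORK all")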
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS

    UNAUTH-TLS is run with only a CA certificate configured on the station
    (no client certificate or key), so the server is validated against
    ca.pem while the client itself is not certificate-authenticated.
    A reauthentication is performed to cover the fast-reconnect path.
    """
    sta = dev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(sta, apdev[0], "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(sta, "UNAUTH-TLS")
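def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash

    Three phases:
      1. ca_cert="probe://" - the station only reports the server
         certificate (CTRL-EVENT-EAP-PEER-CERT, with its SHA-256) and then
         aborts the handshake; no credentials are configured for this step
         because probing never authenticates the server.
      2. ca_cert="hash://server/sha256/<wrong>" - a non-matching pin must
         produce "Server certificate mismatch" before the inner MSCHAPv2
         exchange and the station must disconnect.
      3. ca_cert="hash://server/sha256/<correct>" - the pinned hash alone
         (no CA file) is sufficient to authenticate the server and connect.

    Fix: the timeout checks now test `ev is None` (wait_event() returns None
    on timeout) instead of raising unconditionally.
    """
    check_cert_probe_support(dev[0])
    skip_with_fips(dev[0])
    srv_cert_hash = "e75bd454c7b02d312e5006d75067c28ffa5baea422effeb2bbd572179cd000ca"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Phase 1: probe the server certificate chain.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="probe", ca_cert="probe://",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    # depth=0 is the end-entity (server) certificate.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
    if ev is None:
        raise Exception("No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Phase 2: pin that does not match the server certificate.
    # "\\m" is the same runtime string as the former "\m" (invalid escape).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Phase 3: correct pin -> full EAP-TTLS/MSCHAPv2 connection.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")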
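def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)

    Three malformed hash://server/ pins are configured on three stations:
      - an unsupported digest (md5 instead of sha256),
      - a sha256 value that is one byte too short,
      - a sha256 value containing a non-hex character ('Q').
    Each must be rejected when EAP-TTLS is initialized (the "Failed to
    initialize EAP method" event), i.e. a malformed pin must fail closed
    rather than be ignored.

    Fix: the timeout checks now test `ev is None` (wait_event() returns None
    on timeout) instead of raising unconditionally.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    bad_pins = [
        "hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
    ]
    # "\\m" is the same runtime string as the former "\m" (invalid escape).
    for sta, pin in zip(dev[0:3], bad_pins):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                    password="password", phase2="auth=MSCHAPV2",
                    ca_cert=pin,
                    wait_connect=False, scan_freq="2412")
    for sta in dev[0:3]:
        ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        # vendor 0 method 21 is EAP-TTLS.
        ev = sta.wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
        if ev is None:
            raise Exception("Did not report EAP method initialization failure")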
2018 def test_ap_wpa2_eap_pwd(dev, apdev):
2019 """WPA2-Enterprise connection using EAP-pwd"""
2020 check_eap_capa(dev[0], "PWD")
2021 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2022 hostapd.add_ap(apdev[0]['ifname'], params)
2023 eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
2024 eap_reauth(dev[0], "PWD")
2025 dev[0].request("REMOVE_NETWORK all")
2027 eap_connect(dev[1], apdev[0], "PWD",
2028 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
2029 password="secret password",
2032 logger.info("Negative test with incorrect password")
2033 eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
2034 expect_failure=True, local_error_report=True)
2036 eap_connect(dev[0], apdev[0], "PWD",
2037 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
2038 password="secret password",
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash

    The "pwd-hash" user must authenticate both with the plaintext password
    and with the equivalent NT hash given as password_hex="hash:<hex>".
    The same hash must not authenticate "pwd user", whose secret differs.
    NOTE: an NT hash is a password-equivalent secret (pass-the-hash), so
    storing it is no safer than storing the password itself.
    """
    check_eap_capa(dev[0], "PWD")
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    nthash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    eap_connect(dev[0], apdev[0], "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], apdev[0], "PWD", "pwd-hash", password_hex=nthash)
    # Negative case: wrong credential for this user; the failure is detected
    # locally, hence local_error_report.
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password_hex=nthash,
                expect_failure=True, local_error_report=True)
2054 def test_ap_wpa2_eap_pwd_groups(dev, apdev):
2055 """WPA2-Enterprise connection using various EAP-pwd groups"""
2056 check_eap_capa(dev[0], "PWD")
2057 tls = dev[0].request("GET tls_library")
2058 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2059 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2060 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
2061 groups = [ 19, 20, 21, 25, 26 ]
2062 if tls.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
2063 logger.info("Add Brainpool EC groups since OpenSSL is new enough")
2064 groups += [ 27, 28, 29, 30 ]
2066 logger.info("Group %d" % i)
2067 params['pwd_group'] = str(i)
2068 hostapd.add_ap(apdev[0]['ifname'], params)
2070 eap_connect(dev[0], apdev[0], "PWD", "pwd user",
2071 password="secret password")
2072 dev[0].request("REMOVE_NETWORK all")
2073 dev[0].wait_disconnected()
2074 dev[0].dump_monitor()
2076 if "BoringSSL" in tls and i in [ 25 ]:
2077 logger.info("Ignore connection failure with group %d with BoringSSL" % i)
2078 dev[0].request("DISCONNECT")
2080 dev[0].request("REMOVE_NETWORK all")
2081 dev[0].dump_monitor()
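def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group

    The server is configured with pwd_group "0", which is not a usable
    group; the station must receive an explicit EAP failure instead of
    hanging or negotiating some fallback.

    Fix: the timeout check now tests `ev is None` (wait_event() returns None
    on timeout) instead of raising unconditionally.
    """
    check_eap_capa(dev[0], "PWD")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    params['pwd_group'] = "0"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                   identity="pwd user", password="secret password",
                   scan_freq="2412", wait_connect=False)
    # No explicit timeout: wait_event() uses its default.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")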
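def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation

    The AP uses an explicit parameter set with pwd_group 19 and a very small
    fragment_size (40) so that the server must fragment EAP-pwd messages and
    the station must reassemble them before the exchange can complete.

    Fix: removed a dead `params = hostapd.wpa2_eap_params(...)` assignment
    that was immediately overwritten by the explicit dictionary.
    """
    check_eap_capa(dev[0], "PWD")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "19", "fragment_size": "40" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")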
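def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK

    Connect and reauthenticate, then force each supported GPSK ciphersuite
    via phase1 "cipher=1" / "cipher=2" (the test waits for a fresh
    EAP-SUCCESS after each change), verify that an unknown ciphersuite
    ("cipher=9") cannot be negotiated, and finally that a wrong PSK fails.

    Fixes: the timeout checks now test `ev is None` (wait_event() returns
    None on timeout) instead of raising unconditionally; the network id is
    named `netid` so the `id` builtin is not shadowed.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    netid = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                        password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(dev[0], "GPSK")

    logger.info("Test forced algorithm selection")
    for phase1 in [ "cipher=1", "cipher=2" ]:
        dev[0].set_network_quoted(netid, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(netid, "phase1", "cipher=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # First byte of the PSK changed ("ab" -> "ff").
    eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)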
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE

    Connect and reauthenticate with the correct 32-byte root secret, then
    verify that a secret differing only in its first byte is rejected.
    """
    sta = dev[0]
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    good_secret = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    bad_secret = "ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

    eap_connect(sta, apdev[0], "SAKE", "sake user", password_hex=good_secret)
    eap_reauth(sta, "SAKE")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "SAKE", "sake user", password_hex=bad_secret,
                expect_failure=True)
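def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE

    Connect and reauthenticate, then force several EKE proposal sets via
    phase1 (dhgroup/encr/prf/mac; the test waits for a fresh EAP-SUCCESS
    after each change), verify that an all-unknown proposal
    ("dhgroup=9 encr=9 prf=9 mac=9") fails negotiation, and finally that a
    wrong password is rejected.

    Fixes: the timeout checks now test `ev is None` (wait_event() returns
    None on timeout) instead of raising unconditionally; the network id is
    named `netid` so the `id` builtin is not shadowed.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    netid = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
    eap_reauth(dev[0], "EKE")

    logger.info("Test forced algorithm selection")
    for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
                    "dhgroup=4 encr=1 prf=2 mac=2",
                    "dhgroup=3 encr=1 prf=2 mac=2",
                    "dhgroup=3 encr=1 prf=1 mac=1" ]:
        dev[0].set_network_quoted(netid, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(netid, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
                expect_failure=True)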
2182 def test_ap_wpa2_eap_eke_many(dev, apdev, params):
2183 """WPA2-Enterprise connection using EAP-EKE (many connections) [long]"""
2184 if not params['long']:
2185 raise HwsimSkip("Skip test case with long duration due to --long not specified")
2186 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2187 hostapd.add_ap(apdev[0]['ifname'], params)
2190 for i in range(100):
2192 dev[j].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="EKE",
2193 identity="eke user", password="hello",
2194 phase1="dhgroup=3 encr=1 prf=1 mac=1",
2195 scan_freq="2412", wait_connect=False)
2197 ev = dev[j].wait_event(["CTRL-EVENT-CONNECTED",
2198 "CTRL-EVENT-DISCONNECTED"], timeout=15)
2200 raise Exception("No connected/disconnected event")
2201 if "CTRL-EVENT-DISCONNECTED" in ev:
2203 # The RADIUS server limits on active sessions can be hit when
2204 # going through this test case, so try to give some more time
2205 # for the server to remove sessions.
2206 logger.info("Failed to connect i=%d j=%d" % (i, j))
2207 dev[j].request("REMOVE_NETWORK all")
2211 dev[j].request("REMOVE_NETWORK all")
2212 dev[j].wait_disconnected()
2213 dev[j].dump_monitor()
2214 logger.info("Total success=%d failure=%d" % (success, fail))
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI

    The integrated EAP server is given an NAI-formatted server_id
    ('example.server@w1.fi') instead of the default; the EKE exchange must
    still complete with that identity.
    """
    ap_params = int_eap_server_params()
    ap_params['server_id'] = 'example.server@w1.fi'
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
2223 def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
2224 """WPA2-Enterprise connection using EAP-EKE with server OOM"""
2225 params = int_eap_server_params()
2226 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2227 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
2229 for count,func in [ (1, "eap_eke_build_commit"),
2230 (2, "eap_eke_build_commit"),
2231 (3, "eap_eke_build_commit"),
2232 (1, "eap_eke_build_confirm"),
2233 (2, "eap_eke_build_confirm"),
2234 (1, "eap_eke_process_commit"),
2235 (2, "eap_eke_process_commit"),
2236 (1, "eap_eke_process_confirm"),
2237 (1, "eap_eke_process_identity"),
2238 (2, "eap_eke_process_identity"),
2239 (3, "eap_eke_process_identity"),
2240 (4, "eap_eke_process_identity") ]:
2241 with alloc_fail(hapd, count, func):
2242 eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello",
2243 expect_failure=True)
2244 dev[0].request("REMOVE_NETWORK all")
2246 for count,func,pw in [ (1, "eap_eke_init", "hello"),
2247 (1, "eap_eke_get_session_id", "hello"),
2248 (1, "eap_eke_getKey", "hello"),
2249 (1, "eap_eke_build_msg", "hello"),
2250 (1, "eap_eke_build_failure", "wrong"),
2251 (1, "eap_eke_build_identity", "hello"),
2252 (2, "eap_eke_build_identity", "hello") ]:
2253 with alloc_fail(hapd, count, func):
2254 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
2255 eap="EKE", identity="eke user", password=pw,
2256 wait_connect=False, scan_freq="2412")
2257 # This would eventually time out, but we can stop after having
2258 # reached the allocation failure.
2261 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2263 dev[0].request("REMOVE_NETWORK all")
2265 for count in range(1, 1000):
2267 with alloc_fail(hapd, count, "eap_server_sm_step"):
2268 dev[0].connect("test-wpa2-eap",
2269 key_mgmt="WPA-EAP WPA-EAP-SHA256",
2270 eap="EKE", identity="eke user", password=pw,
2271 wait_connect=False, scan_freq="2412")
2272 # This would eventually time out, but we can stop after having
2273 # reached the allocation failure.
2276 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2278 dev[0].request("REMOVE_NETWORK all")
2279 except Exception, e:
2280 if str(e) == "Allocation failure did not trigger":
2282 raise Exception("Too few allocation failures")
2283 logger.info("%d allocation failures tested" % (count - 1))
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2

    Connect and reauthenticate, reconnect with a small client-side
    fragment_size to exercise fragmentation/reassembly, then verify that a
    wrong password ("ike-password") is rejected.
    """
    check_eap_capa(dev[0], "IKEV2")
    sta = dev[0]
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    eap_connect(sta, apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(sta, "IKEV2")
    sta.request("REMOVE_NETWORK all")

    # Station fragments its EAP-IKEv2 messages at 50 bytes.
    eap_connect(sta, apdev[0], "IKEV2", "ikev2 user",
                password="ike password", fragment_size="50")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "IKEV2", "ikev2 user",
                password="ike-password", expect_failure=True)
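def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation

    The AP uses an explicit parameter set with fragment_size 50 so that the
    server must fragment its EAP-IKEv2 messages; the station must reassemble
    them, connect, and survive a reauthentication.

    Fix: removed a dead `params = hostapd.wpa2_eap_params(...)` assignment
    that was immediately overwritten by the explicit dictionary.
    """
    check_eap_capa(dev[0], "IKEV2")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")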
2317 def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
2318 """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
2319 check_eap_capa(dev[0], "IKEV2")
2320 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2321 hostapd.add_ap(apdev[0]['ifname'], params)
2323 tests = [ (1, "dh_init"),
2325 (1, "dh_derive_shared") ]
2326 for count, func in tests:
2327 with alloc_fail(dev[0], count, func):
2328 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2329 identity="ikev2 user", password="ike password",
2330 wait_connect=False, scan_freq="2412")
2331 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2333 raise Exception("EAP method not selected")
2335 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2338 dev[0].request("REMOVE_NETWORK all")
2340 tests = [ (1, "os_get_random;dh_init") ]
2341 for count, func in tests:
2342 with fail_test(dev[0], count, func):
2343 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2344 identity="ikev2 user", password="ike password",
2345 wait_connect=False, scan_freq="2412")
2346 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2348 raise Exception("EAP method not selected")
2350 if "0:" in dev[0].request("GET_FAIL"):
2353 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX

    Connect and reauthenticate with the correct 16-byte key, then verify
    that a key differing only in its first byte is rejected.
    """
    sta = dev[0]
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    good_key = "0123456789abcdef0123456789abcdef"
    bad_key = "ff23456789abcdef0123456789abcdef"

    eap_connect(sta, apdev[0], "PAX", "pax.user@example.com",
                password_hex=good_key)
    eap_reauth(sta, "PAX")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "PAX", "pax.user@example.com",
                password_hex=bad_key, expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK

    The AP is configured for the SHA-256 based EAP AKM (suite selector
    00-0f-ac-5) with ieee80211w=2, i.e. management frame protection required.
    dev[0] authenticates with EAP-PSK, reauthenticates, and the negotiated AKM
    is verified both through the station MIB and through the BSS table flags.
    Finally a wrong 128-bit key must be rejected.
    """
    identity = "psk.user@example.com"
    good_key = "0123456789abcdef0123456789abcdef"
    wrong_key = "ff23456789abcdef0123456789abcdef"
    sha256_akm = "00-0f-ac-5"

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # SHA-256 based AKM plus mandatory PMF.
    params.update({"wpa_key_mgmt": "WPA-EAP-SHA256", "ieee80211w": "2"})
    hostapd.add_ap(apdev[0]['ifname'], params)

    eap_connect(dev[0], apdev[0], "PSK", identity, password_hex=good_key,
                sha256=True)
    eap_reauth(dev[0], "PSK", sha256=True)
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", sha256_akm),
                       ("dot11RSNAAuthenticationSuiteSelected", sha256_akm)])

    # The scan results for this BSS must advertise the SHA-256 EAP AKM too.
    bss = dev[0].get_bss(apdev[0]['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    flags = bss['flags']
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PSK", identity, password_hex=wrong_key,
                sha256=True, expect_failure=True)
2393 def test_ap_wpa2_eap_psk_oom(dev, apdev):
2394 """WPA2-Enterprise connection using EAP-PSK and OOM"""
2395 skip_with_fips(dev[0])
2396 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2397 hostapd.add_ap(apdev[0]['ifname'], params)
2398 tests = [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
2399 (1, "omac1_aes_128;aes_128_eax_encrypt"),
2400 (2, "omac1_aes_128;aes_128_eax_encrypt"),
2401 (3, "omac1_aes_128;aes_128_eax_encrypt"),
2402 (1, "=aes_128_eax_encrypt"),
2403 (1, "omac1_aes_vector"),
2404 (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt"),
2405 (1, "omac1_aes_128;aes_128_eax_decrypt"),
2406 (2, "omac1_aes_128;aes_128_eax_decrypt"),
2407 (3, "omac1_aes_128;aes_128_eax_decrypt"),
2408 (1, "=aes_128_eax_decrypt") ]
2409 for count, func in tests:
2410 with alloc_fail(dev[0], count, func):
2411 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2412 identity="psk.user@example.com",
2413 password_hex="0123456789abcdef0123456789abcdef",
2414 wait_connect=False, scan_freq="2412")
2415 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2417 raise Exception("EAP method not selected")
2419 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2422 dev[0].request("REMOVE_NETWORK all")
2424 with alloc_fail(dev[0], 1, "aes_128_encrypt_block"):
2425 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2426 identity="psk.user@example.com",
2427 password_hex="0123456789abcdef0123456789abcdef",
2428 wait_connect=False, scan_freq="2412")
2429 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2431 raise Exception("EAP method failure not reported")
2432 dev[0].request("REMOVE_NETWORK all")
2434 def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
2435 """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
2436 check_eap_capa(dev[0], "MSCHAPV2")
2437 params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
2438 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2439 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
2440 identity="user", password="password", phase2="auth=MSCHAPV2",
2441 ca_cert="auth_serv/ca.pem", wait_connect=False,
2443 eap_check_auth(dev[0], "PEAP", True, rsn=False)
2444 hwsim_utils.test_connectivity(dev[0], hapd)
2445 eap_reauth(dev[0], "PEAP", rsn=False)
2446 check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
2447 ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
2448 status = dev[0].get_status(extra="VERBOSE")
2449 if 'portControl' not in status:
2450 raise Exception("portControl missing from STATUS-VERBOSE")
2451 if status['portControl'] != 'Auto':
2452 raise Exception("Unexpected portControl value: " + status['portControl'])
2453 if 'eap_session_id' not in status:
2454 raise Exception("eap_session_id missing from STATUS-VERBOSE")
2455 if not status['eap_session_id'].startswith("19"):
2456 raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
2458 def test_ap_wpa2_eap_interactive(dev, apdev):
2459 """WPA2-Enterprise connection using interactive identity/password entry"""
2460 check_eap_capa(dev[0], "MSCHAPV2")
2461 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2462 hostapd.add_ap(apdev[0]['ifname'], params)
2463 hapd = hostapd.Hostapd(apdev[0]['ifname'])
2465 tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
2466 "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
2468 ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
2469 "TTLS", "ttls", None, "auth=MSCHAPV2",
2470 "DOMAIN\mschapv2 user", "password"),
2471 ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
2472 "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
2473 ("Connection with dynamic TTLS/EAP-MD5 password entry",
2474 "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
2475 ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
2476 "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
2477 ("Connection with dynamic PEAP/EAP-GTC password entry",
2478 "PEAP", None, "user", "auth=GTC", None, "password") ]
2479 for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
2481 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
2482 anonymous_identity=anon, identity=identity,
2483 ca_cert="auth_serv/ca.pem", phase2=phase2,
2484 wait_connect=False, scan_freq="2412")
2486 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
2488 raise Exception("Request for identity timed out")
2489 id = ev.split(':')[0].split('-')[-1]
2490 dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
2491 ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
2493 raise Exception("Request for password timed out")
2494 id = ev.split(':')[0].split('-')[-1]
2495 type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
2496 dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
2497 dev[0].wait_connected(timeout=10)
2498 dev[0].request("REMOVE_NETWORK all")
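def test_ap_wpa2_eap_ext_enable_network_while_connected(dev, apdev):
    """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK

    dev[0] is configured for EAP-TTLS/MSCHAPv2 without an identity, so
    wpa_supplicant has to ask for it over the control interface
    (CTRL-REQ-IDENTITY) and the test answers with CTRL-RSP-IDENTITY. Once
    connected, enabling an unrelated, still-disabled open network profile must
    not make the supplicant drop the current association and start
    authenticating again.

    Both wait_event() results are checked explicitly: a None (timeout) on the
    identity request is a failure, while for the one-second reconnection watch
    a non-None event is the failure.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Second profile that is only added, not enabled, at this point.
    id_other = dev[0].connect("other", key_mgmt="NONE", scan_freq="2412",
                              only_add_network=True)

    # Raw string: the backslash before 'm' is part of the identity, not an
    # escape sequence.
    req_id = r"DOMAIN\mschapv2 user"
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   anonymous_identity="ttls", identity=None,
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
    if ev is None:
        raise Exception("Request for identity timed out")
    # Event format is "CTRL-REQ-IDENTITY-<num>:<text>"; echo <num> back.
    req_num = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-IDENTITY-" + req_num + ":" + req_id)
    dev[0].wait_connected(timeout=10)

    if "OK" not in dev[0].request("ENABLE_NETWORK " + str(id_other)):
        raise Exception("Failed to enable network")
    # Enabling another profile must not trigger a (re)authentication attempt.
    ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=1)
    if ev is not None:
        raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
    dev[0].request("REMOVE_NETWORK all")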
2530 def test_ap_wpa2_eap_vendor_test(dev, apdev):
2531 """WPA2-Enterprise connection using EAP vendor test"""
2532 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2533 hostapd.add_ap(apdev[0]['ifname'], params)
2534 eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
2535 eap_reauth(dev[0], "VENDOR-TEST")
2536 eap_connect(dev[1], apdev[0], "VENDOR-TEST", "vendor-test",
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning

    fast_provisioning=1 allows server-unauthenticated (anonymous) PAC
    provisioning, so the first EAP-FAST exchange obtains a PAC without the
    client having verified who the server is. NOTE(review): that is the weak
    point of this mode -- a rogue server reachable during provisioning could
    hand out a PAC; ca_cert does not help in that phase. The test then checks
    that the PAC kept in the fast_pac blob is really used as a session ticket
    on reauthentication.
    """
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    fast_config = dict(anonymous_identity="FAST", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       phase1="fast_provisioning=1",
                       pac_file="blob://fast_pac")
    eap_connect(dev[0], apdev[0], "FAST", "user", **fast_config)
    hwsim_utils.test_connectivity(dev[0], hapd)

    # Reauthentication must resume via the freshly provisioned PAC instead of
    # running a full TLS handshake again.
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2553 def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
2554 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
2555 check_eap_capa(dev[0], "FAST")
2556 pac_file = os.path.join(params['logdir'], "fast.pac")
2557 pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
2558 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2559 hostapd.add_ap(apdev[0]['ifname'], params)
2562 eap_connect(dev[0], apdev[0], "FAST", "user",
2563 anonymous_identity="FAST", password="password",
2564 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2565 phase1="fast_provisioning=1", pac_file=pac_file)
2566 with open(pac_file, "r") as f:
2568 if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
2569 raise Exception("PAC file header missing")
2570 if "PAC-Key=" not in data:
2571 raise Exception("PAC-Key missing from PAC file")
2572 dev[0].request("REMOVE_NETWORK all")
2573 eap_connect(dev[0], apdev[0], "FAST", "user",
2574 anonymous_identity="FAST", password="password",
2575 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2578 eap_connect(dev[1], apdev[0], "FAST", "user",
2579 anonymous_identity="FAST", password="password",
2580 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2581 phase1="fast_provisioning=1 fast_pac_format=binary",
2583 dev[1].request("REMOVE_NETWORK all")
2584 eap_connect(dev[1], apdev[0], "FAST", "user",
2585 anonymous_identity="FAST", password="password",
2586 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2587 phase1="fast_pac_format=binary",
2595 os.remove(pac_file2)
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format

    Uses anonymous provisioning (fast_provisioning=1) with the PAC stored in
    binary format and the PAC list capped at a single entry
    (fast_max_pac_list_len=1). The reauthentication afterwards must resume
    the TLS session using that PAC.
    """
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    phase1 = " ".join(["fast_provisioning=1",
                       "fast_max_pac_list_len=1",
                       "fast_pac_format=binary"])
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1=phase1, pac_file="blob://fast_pac_bin")

    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
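def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config

    Two misconfigurations must each end in CTRL-EVENT-EAP-FAILURE rather than
    a connection: a pac_file blob that was never provisioned, and no pac_file
    at all. Neither profile enables fast_provisioning, so there is no way for
    the supplicant to obtain a PAC. Each wait_event() result is checked for
    None (timeout) before the failure is treated as reported.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    common = dict(key_mgmt="WPA-EAP", eap="FAST",
                  identity="user", anonymous_identity="FAST",
                  password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                  wait_connect=False, scan_freq="2412")

    # Case 1: pac_file points at a blob that does not exist.
    dev[0].connect("test-wpa2-eap", pac_file="blob://fast_pac_not_in_use",
                   **common)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
    dev[0].request("REMOVE_NETWORK all")

    # Case 2: no pac_file configured at all.
    dev[0].connect("test-wpa2-eap", **common)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")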
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning

    fast_provisioning=2 allows server-authenticated provisioning only: the PAC
    is delivered inside a TLS tunnel with the server certificate checked
    against ca_cert, which is the mode to prefer over anonymous provisioning
    (the latter leaves the provisioning step open to a rogue server). GTC is
    the inner method. The reauthentication afterwards must resume via the
    provisioned PAC.
    """
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    fast_config = dict(anonymous_identity="FAST", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                       phase1="fast_provisioning=2",
                       pac_file="blob://fast_pac_auth")
    eap_connect(dev[0], apdev[0], "FAST", "user", **fast_config)
    hwsim_utils.test_connectivity(dev[0], hapd)

    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
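def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing

    After a successful EAP-FAST/GTC connection with authenticated provisioning
    the profile's identity is changed from "user" to "user2". wpa_supplicant is
    expected to drop the association, start EAP-FAST again and this time end
    in an EAP failure and another disconnection. NOTE(review): the failure is
    presumably because the stored PAC/credentials belong to the original
    identity -- confirm against the EAP-FAST implementation and the
    eap_user.conf fixture before relying on the exact reason.

    Each wait_event() result is checked for None (timeout) before proceeding.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    netid = eap_connect(dev[0], apdev[0], "FAST", "user",
                        anonymous_identity="FAST", password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                        phase1="fast_provisioning=2",
                        pac_file="blob://fast_pac_auth")

    # Changing the identity of the live profile forces a reconnection.
    dev[0].set_network_quoted(netid, "identity", "user2")
    dev[0].wait_disconnected()
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    if ev is None:
        raise Exception("EAP-FAST not started")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    if ev is None:
        raise Exception("EAP failure not reported")
    dev[0].wait_disconnected()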
2673 def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
2674 """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
2675 check_eap_capa(dev[0], "FAST")
2676 tls = dev[0].request("GET tls_library")
2677 if tls.startswith("OpenSSL"):
2678 func = "openssl_tls_prf"
2680 elif tls.startswith("internal"):
2681 func = "tls_connection_prf"
2684 raise HwsimSkip("Unsupported TLS library")
2685 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2686 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2687 with alloc_fail(dev[0], count, func):
2688 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2689 identity="user", anonymous_identity="FAST",
2690 password="password", ca_cert="auth_serv/ca.pem",
2692 phase1="fast_provisioning=2",
2693 pac_file="blob://fast_pac_auth",
2694 wait_connect=False, scan_freq="2412")
2695 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
2697 raise Exception("EAP failure not reported")
2698 dev[0].request("DISCONNECT")
2700 def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
2701 """EAP-FAST/MSCHAPv2 and server OOM"""
2702 check_eap_capa(dev[0], "FAST")
2704 params = int_eap_server_params()
2705 params['dh_file'] = 'auth_serv/dh.conf'
2706 params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
2707 params['eap_fast_a_id'] = '1011'
2708 params['eap_fast_a_id_info'] = 'another test server'
2709 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2711 with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
2712 id = eap_connect(dev[0], apdev[0], "FAST", "user",
2713 anonymous_identity="FAST", password="password",
2714 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2715 phase1="fast_provisioning=1",
2716 pac_file="blob://fast_pac",
2717 expect_failure=True)
2718 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2720 raise Exception("No EAP failure reported")
2721 dev[0].wait_disconnected()
2722 dev[0].request("DISCONNECT")
2724 dev[0].select_network(id, freq="2412")
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP

    EAP-TLS with a PKCS#12 client credential and ocsp=2, i.e. a valid stapled
    OCSP response for the server certificate is required -- the sibling OCSP
    tests with ocsp=2 expect an EAP failure on 'bad certificate status
    response', so a successful connection here means the response was
    accepted. Skipped when the TLS library lacks OCSP or PKCS#12 support.
    """
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    client_creds = dict(ca_cert="auth_serv/ca.pem",
                        private_key="auth_serv/user.pkcs12",
                        private_key_passwd="whatever",
                        ocsp=2)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **client_creds)
def test_ap_wpa2_eap_tls_ocsp_multi(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP-multi

    Same client configuration as test_ap_wpa2_eap_tls_ocsp (PKCS#12 client
    credential, ocsp=2 so a valid stapled response is required), but only run
    when the TLS library reports OCSP-multi support (check_ocsp_multi_support)
    in addition to PKCS#12 support.
    """
    check_ocsp_multi_support(dev[0])
    check_pkcs12_support(dev[0])

    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    client_creds = dict(ca_cert="auth_serv/ca.pem",
                        private_key="auth_serv/user.pkcs12",
                        private_key_passwd="whatever",
                        ocsp=2)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **client_creds)
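def int_eap_server_params():
    """Return hostapd parameters for a WPA2-EAP AP using the integrated EAP server.

    The AP terminates EAP itself (eap_server=1) instead of relaying to an
    external RADIUS server, with users taken from auth_serv/eap_user.conf and
    the TLS server identity from the auth_serv/ test PKI. Callers add
    test-specific keys (e.g. ocsp_stapling_response, or a different
    server_cert/private_key pair) to the returned dict before passing it to
    hostapd.add_ap(); as shown on this page the function built the dict but
    never returned it, which would break every such caller.

    Returns:
        dict: a fresh parameter dict on every call, so callers may mutate it.
    """
    return {
        "ssid": "test-wpa2-eap",
        "wpa": "2",
        "wpa_key_mgmt": "WPA-EAP",
        "rsn_pairwise": "CCMP",
        "ieee8021x": "1",
        "eap_server": "1",
        "eap_user_file": "auth_serv/eap_user.conf",
        "ca_cert": "auth_serv/ca.pem",
        "server_cert": "auth_serv/server.pem",
        "private_key": "auth_serv/server.key",
        "dh_file": "auth_serv/dh.conf",
    }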
2757 def test_ap_wpa2_eap_tls_ocsp_key_id(dev, apdev, params):
2758 """EAP-TLS and OCSP certificate signed OCSP response using key ID"""
2759 check_ocsp_support(dev[0])
2760 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-key-id.der")
2761 if not os.path.exists(ocsp):
2762 raise HwsimSkip("No OCSP response available")
2763 params = int_eap_server_params()
2764 params["ocsp_stapling_response"] = ocsp
2765 hostapd.add_ap(apdev[0]['ifname'], params)
2766 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2767 identity="tls user", ca_cert="auth_serv/ca.pem",
2768 private_key="auth_serv/user.pkcs12",
2769 private_key_passwd="whatever", ocsp=2,
2772 def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev, apdev, params):
2773 """EAP-TLS and CA signed OCSP response (good)"""
2774 check_ocsp_support(dev[0])
2775 ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed.der")
2776 if not os.path.exists(ocsp):
2777 raise HwsimSkip("No OCSP response available")
2778 params = int_eap_server_params()
2779 params["ocsp_stapling_response"] = ocsp
2780 hostapd.add_ap(apdev[0]['ifname'], params)
2781 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2782 identity="tls user", ca_cert="auth_serv/ca.pem",
2783 private_key="auth_serv/user.pkcs12",
2784 private_key_passwd="whatever", ocsp=2,
2787 def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev, apdev, params):
2788 """EAP-TLS and CA signed OCSP response (revoked)"""
2789 check_ocsp_support(dev[0])
2790 ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-revoked.der")
2791 if not os.path.exists(ocsp):
2792 raise HwsimSkip("No OCSP response available")
2793 params = int_eap_server_params()
2794 params["ocsp_stapling_response"] = ocsp
2795 hostapd.add_ap(apdev[0]['ifname'], params)
2796 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2797 identity="tls user", ca_cert="auth_serv/ca.pem",
2798 private_key="auth_serv/user.pkcs12",
2799 private_key_passwd="whatever", ocsp=2,
2800 wait_connect=False, scan_freq="2412")
2803 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2805 raise Exception("Timeout on EAP status")
2806 if 'bad certificate status response' in ev:
2808 if 'certificate revoked' in ev:
2812 raise Exception("Unexpected number of EAP status messages")
2814 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2816 raise Exception("Timeout on EAP failure report")
2818 def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev, apdev, params):
2819 """EAP-TLS and CA signed OCSP response (unknown)"""
2820 check_ocsp_support(dev[0])
2821 ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-unknown.der")
2822 if not os.path.exists(ocsp):
2823 raise HwsimSkip("No OCSP response available")
2824 params = int_eap_server_params()
2825 params["ocsp_stapling_response"] = ocsp
2826 hostapd.add_ap(apdev[0]['ifname'], params)
2827 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2828 identity="tls user", ca_cert="auth_serv/ca.pem",
2829 private_key="auth_serv/user.pkcs12",
2830 private_key_passwd="whatever", ocsp=2,
2831 wait_connect=False, scan_freq="2412")
2834 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2836 raise Exception("Timeout on EAP status")
2837 if 'bad certificate status response' in ev:
2841 raise Exception("Unexpected number of EAP status messages")
2843 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2845 raise Exception("Timeout on EAP failure report")
2847 def test_ap_wpa2_eap_tls_ocsp_server_signed(dev, apdev, params):
2848 """EAP-TLS and server signed OCSP response"""
2849 check_ocsp_support(dev[0])
2850 ocsp = os.path.join(params['logdir'], "ocsp-resp-server-signed.der")
2851 if not os.path.exists(ocsp):
2852 raise HwsimSkip("No OCSP response available")
2853 params = int_eap_server_params()
2854 params["ocsp_stapling_response"] = ocsp
2855 hostapd.add_ap(apdev[0]['ifname'], params)
2856 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2857 identity="tls user", ca_cert="auth_serv/ca.pem",
2858 private_key="auth_serv/user.pkcs12",
2859 private_key_passwd="whatever", ocsp=2,
2860 wait_connect=False, scan_freq="2412")
2863 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2865 raise Exception("Timeout on EAP status")
2866 if 'bad certificate status response' in ev:
2870 raise Exception("Unexpected number of EAP status messages")
2872 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2874 raise Exception("Timeout on EAP failure report")
2876 def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
2877 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
2878 check_ocsp_support(dev[0])
2879 params = int_eap_server_params()
2880 params["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
2881 hostapd.add_ap(apdev[0]['ifname'], params)
2882 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2883 identity="tls user", ca_cert="auth_serv/ca.pem",
2884 private_key="auth_serv/user.pkcs12",
2885 private_key_passwd="whatever", ocsp=2,
2886 wait_connect=False, scan_freq="2412")
2889 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2891 raise Exception("Timeout on EAP status")
2892 if 'bad certificate status response' in ev:
2896 raise Exception("Unexpected number of EAP status messages")
2898 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2900 raise Exception("Timeout on EAP failure report")
2902 def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
2903 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
2904 check_ocsp_support(dev[0])
2905 params = int_eap_server_params()
2906 params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
2907 hostapd.add_ap(apdev[0]['ifname'], params)
2908 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2909 identity="tls user", ca_cert="auth_serv/ca.pem",
2910 private_key="auth_serv/user.pkcs12",
2911 private_key_passwd="whatever", ocsp=2,
2912 wait_connect=False, scan_freq="2412")
2915 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2917 raise Exception("Timeout on EAP status")
2918 if 'bad certificate status response' in ev:
2922 raise Exception("Unexpected number of EAP status messages")
2924 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2926 raise Exception("Timeout on EAP failure report")
2928 def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev, apdev):
2929 """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
2930 check_ocsp_support(dev[0])
2931 params = int_eap_server_params()
2932 params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
2933 hostapd.add_ap(apdev[0]['ifname'], params)
2934 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2935 identity="tls user", ca_cert="auth_serv/ca.pem",
2936 private_key="auth_serv/user.pkcs12",
2937 private_key_passwd="whatever", ocsp=2,
2938 wait_connect=False, scan_freq="2412")
2941 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2943 raise Exception("Timeout on EAP status")
2944 if 'bad certificate status response' in ev:
2948 raise Exception("Unexpected number of EAP status messages")
2950 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2952 raise Exception("Timeout on EAP failure report")
2954 def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
2955 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
2956 check_ocsp_support(dev[0])
2957 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
2958 if not os.path.exists(ocsp):
2959 raise HwsimSkip("No OCSP response available")
2960 params = int_eap_server_params()
2961 params["ocsp_stapling_response"] = ocsp
2962 hostapd.add_ap(apdev[0]['ifname'], params)
2963 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2964 identity="pap user", ca_cert="auth_serv/ca.pem",
2965 anonymous_identity="ttls", password="password",
2966 phase2="auth=PAP", ocsp=2,
2967 wait_connect=False, scan_freq="2412")
2970 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2972 raise Exception("Timeout on EAP status")
2973 if 'bad certificate status response' in ev:
2975 if 'certificate revoked' in ev:
2979 raise Exception("Unexpected number of EAP status messages")
2981 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2983 raise Exception("Timeout on EAP failure report")
2985 def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
2986 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
2987 check_ocsp_support(dev[0])
2988 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
2989 if not os.path.exists(ocsp):
2990 raise HwsimSkip("No OCSP response available")
2991 params = int_eap_server_params()
2992 params["ocsp_stapling_response"] = ocsp
2993 hostapd.add_ap(apdev[0]['ifname'], params)
2994 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2995 identity="pap user", ca_cert="auth_serv/ca.pem",
2996 anonymous_identity="ttls", password="password",
2997 phase2="auth=PAP", ocsp=2,
2998 wait_connect=False, scan_freq="2412")
3001 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3003 raise Exception("Timeout on EAP status")
3004 if 'bad certificate status response' in ev:
3008 raise Exception("Unexpected number of EAP status messages")
3010 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3012 raise Exception("Timeout on EAP failure report")
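def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown

    The server staples an OCSP response whose certificate status is "unknown".
    With ocsp=1 (OCSP optional) the supplicant is expected to still complete
    the connection; test_ap_wpa2_eap_ttls_ocsp_unknown feeds the very same
    response with ocsp=2 and expects an EAP failure instead.

    Skips when the OCSP response fixture has not been generated, and -- like
    the other OCSP tests -- when the supplicant lacks OCSP support, since
    without that check the test would pass vacuously (nothing would evaluate
    the stapled response at all).
    """
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # Local name instead of rebinding the 'params' argument (the log dir).
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")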
3027 def test_ap_wpa2_eap_tls_ocsp_multi_revoked(dev, apdev, params):
3028 """EAP-TLS and CA signed OCSP multi response (revoked)"""
3029 check_ocsp_support(dev[0])
3030 check_ocsp_multi_support(dev[0])
3032 ocsp_revoked = os.path.join(params['logdir'],
3033 "ocsp-resp-ca-signed-revoked.der")
3034 if not os.path.exists(ocsp_revoked):
3035 raise HwsimSkip("No OCSP response (revoked) available")
3036 ocsp_unknown = os.path.join(params['logdir'],
3037 "ocsp-resp-ca-signed-unknown.der")
3038 if not os.path.exists(ocsp_unknown):
3039 raise HwsimSkip("No OCSP response(unknown) available")
3041 with open(ocsp_revoked, "r") as f:
3042 resp_revoked = f.read()
3043 with open(ocsp_unknown, "r") as f:
3044 resp_unknown = f.read()
3046 fd, fn = tempfile.mkstemp()
3048 # This is not really a valid order of the OCSPResponse items in the
3049 # list, but this works for now to verify parsing and processing of
3050 # multiple responses.
3051 f = os.fdopen(fd, 'w')
3052 f.write(struct.pack(">L", len(resp_unknown))[1:4])
3053 f.write(resp_unknown)
3054 f.write(struct.pack(">L", len(resp_revoked))[1:4])
3055 f.write(resp_revoked)
3056 f.write(struct.pack(">L", 0)[1:4])
3057 f.write(struct.pack(">L", len(resp_unknown))[1:4])
3058 f.write(resp_unknown)
3061 params = int_eap_server_params()
3062 params["ocsp_stapling_response_multi"] = fn
3063 hostapd.add_ap(apdev[0]['ifname'], params)
3064 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3065 identity="tls user", ca_cert="auth_serv/ca.pem",
3066 private_key="auth_serv/user.pkcs12",
3067 private_key_passwd="whatever", ocsp=1,
3068 wait_connect=False, scan_freq="2412")
3071 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
3072 "CTRL-EVENT-EAP-SUCCESS"])
3074 raise Exception("Timeout on EAP status")
3075 if "CTRL-EVENT-EAP-SUCCESS" in ev:
3076 raise Exception("Unexpected EAP-Success")
3077 if 'bad certificate status response' in ev:
3079 if 'certificate revoked' in ev:
3083 raise Exception("Unexpected number of EAP status messages")
3087 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
3088 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
3089 check_domain_match_full(dev[0])
3090 params = int_eap_server_params()
3091 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
3092 params["private_key"] = "auth_serv/server-no-dnsname.key"
3093 hostapd.add_ap(apdev[0]['ifname'], params)
3094 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3095 identity="tls user", ca_cert="auth_serv/ca.pem",
3096 private_key="auth_serv/user.pkcs12",
3097 private_key_passwd="whatever",
3098 domain_suffix_match="server3.w1.fi",
3101 def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
3102 """WPA2-Enterprise using EAP-TLS and domainmatch (CN)"""
3103 check_domain_match(dev[0])
3104 params = int_eap_server_params()
3105 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
3106 params["private_key"] = "auth_serv/server-no-dnsname.key"
3107 hostapd.add_ap(apdev[0]['ifname'], params)
3108 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3109 identity="tls user", ca_cert="auth_serv/ca.pem",
3110 private_key="auth_serv/user.pkcs12",
3111 private_key_passwd="whatever",
3112 domain_match="server3.w1.fi",
3115 def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
3116 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
3117 check_domain_match_full(dev[0])
3118 params = int_eap_server_params()
3119 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
3120 params["private_key"] = "auth_serv/server-no-dnsname.key"
3121 hostapd.add_ap(apdev[0]['ifname'], params)
3122 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3123 identity="tls user", ca_cert="auth_serv/ca.pem",
3124 private_key="auth_serv/user.pkcs12",
3125 private_key_passwd="whatever",
3126 domain_suffix_match="w1.fi",
3129 def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
3130 """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
3131 check_domain_suffix_match(dev[0])
3132 params = int_eap_server_params()
3133 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
3134 params["private_key"] = "auth_serv/server-no-dnsname.key"
3135 hostapd.add_ap(apdev[0]['ifname'], params)
3136 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3137 identity="tls user", ca_cert="auth_serv/ca.pem",
3138 private_key="auth_serv/user.pkcs12",
3139 private_key_passwd="whatever",
3140 domain_suffix_match="example.com",
3143 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3144 identity="tls user", ca_cert="auth_serv/ca.pem",
3145 private_key="auth_serv/user.pkcs12",
3146 private_key_passwd="whatever",
3147 domain_suffix_match="erver3.w1.fi",
3150 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3152 raise Exception("Timeout on EAP failure report")
3153 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3155 raise Exception("Timeout on EAP failure report (2)")
3157 def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
3158 """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
3159 check_domain_match(dev[0])
3160 params = int_eap_server_params()
3161 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
3162 params["private_key"] = "auth_serv/server-no-dnsname.key"
3163 hostapd.add_ap(apdev[0]['ifname'], params)
3164 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3165 identity="tls user", ca_cert="auth_serv/ca.pem",
3166 private_key="auth_serv/user.pkcs12",
3167 private_key_passwd="whatever",
3168 domain_match="example.com",
3171 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3172 identity="tls user", ca_cert="auth_serv/ca.pem",
3173 private_key="auth_serv/user.pkcs12",
3174 private_key_passwd="whatever",
3175 domain_match="w1.fi",
3178 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3180 raise Exception("Timeout on EAP failure report")
3181 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3183 raise Exception("Timeout on EAP failure report (2)")
3185 def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
3186 """WPA2-Enterprise using EAP-TTLS and expired certificate"""
3187 skip_with_fips(dev[0])
3188 params = int_eap_server_params()
3189 params["server_cert"] = "auth_serv/server-expired.pem"
3190 params["private_key"] = "auth_serv/server-expired.key"
3191 hostapd.add_ap(apdev[0]['ifname'], params)
3192 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3193 identity="mschap user", password="password",
3194 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3197 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
3199 raise Exception("Timeout on EAP certificate error report")
3200 if "reason=4" not in ev or "certificate has expired" not in ev:
3201 raise Exception("Unexpected failure reason: " + ev)
3202 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3204 raise Exception("Timeout on EAP failure report")
3206 def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
3207 """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
3208 skip_with_fips(dev[0])
3209 params = int_eap_server_params()
3210 params["server_cert"] = "auth_serv/server-expired.pem"
3211 params["private_key"] = "auth_serv/server-expired.key"
3212 hostapd.add_ap(apdev[0]['ifname'], params)
3213 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3214 identity="mschap user", password="password",
3215 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3216 phase1="tls_disable_time_checks=1",
3219 def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
3220 """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
3221 skip_with_fips(dev[0])
3222 params = int_eap_server_params()
3223 params["server_cert"] = "auth_serv/server-long-duration.pem"
3224 params["private_key"] = "auth_serv/server-long-duration.key"
3225 hostapd.add_ap(apdev[0]['ifname'], params)
3226 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3227 identity="mschap user", password="password",
3228 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3231 def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
3232 """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
3233 skip_with_fips(dev[0])
3234 params = int_eap_server_params()
3235 params["server_cert"] = "auth_serv/server-eku-client.pem"
3236 params["private_key"] = "auth_serv/server-eku-client.key"
3237 hostapd.add_ap(apdev[0]['ifname'], params)
3238 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3239 identity="mschap user", password="password",
3240 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3243 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3245 raise Exception("Timeout on EAP failure report")
3247 def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
3248 """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
3249 skip_with_fips(dev[0])
3250 params = int_eap_server_params()
3251 params["server_cert"] = "auth_serv/server-eku-client-server.pem"
3252 params["private_key"] = "auth_serv/server-eku-client-server.key"
3253 hostapd.add_ap(apdev[0]['ifname'], params)
3254 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3255 identity="mschap user", password="password",
3256 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3259 def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
3260 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
3261 skip_with_fips(dev[0])
3262 params = int_eap_server_params()
3263 del params["server_cert"]
3264 params["private_key"] = "auth_serv/server.pkcs12"
3265 hostapd.add_ap(apdev[0]['ifname'], params)
3266 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3267 identity="mschap user", password="password",
3268 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params"""
    # Plain WPA2-Enterprise AP; the DH parameter file is supplied on the
    # station side through dh_file (phase2 is PAP, despite what the older
    # docstring said).
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta_opts = dict(anonymous_identity="ttls",
                    password="password",
                    ca_cert="auth_serv/ca.der",
                    phase2="auth=PAP",
                    dh_file="auth_serv/dh.conf")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **sta_opts)
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)"""
    # Not every TLS build accepts DSA-style parameter files; this helper
    # (defined elsewhere in the file) presumably raises HwsimSkip when the
    # station build cannot use them.
    check_dh_dsa_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.der",
                phase2="auth=PAP",
                dh_file="auth_serv/dsaparam.pem")
3290 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
3291 """EAP-TTLS and DH params file not found"""
3292 skip_with_fips(dev[0])
3293 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3294 hostapd.add_ap(apdev[0]['ifname'], params)
3295 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3296 identity="mschap user", password="password",
3297 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3298 dh_file="auth_serv/dh-no-such-file.conf",
3299 scan_freq="2412", wait_connect=False)
3300 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3302 raise Exception("EAP failure timed out")
3303 dev[0].request("REMOVE_NETWORK all")
3304 dev[0].wait_disconnected()
3306 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
3307 """EAP-TTLS and invalid DH params file"""
3308 skip_with_fips(dev[0])
3309 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3310 hostapd.add_ap(apdev[0]['ifname'], params)
3311 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3312 identity="mschap user", password="password",
3313 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3314 dh_file="auth_serv/ca.pem",
3315 scan_freq="2412", wait_connect=False)
3316 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3318 raise Exception("EAP failure timed out")
3319 dev[0].request("REMOVE_NETWORK all")
3320 dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params from blob"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Store the parameter file as a named wpa_supplicant blob and reference
    # it via the blob:// scheme instead of a filesystem path.
    # NOTE: str.encode("hex") is a Python 2 only codec.
    dh_hex = read_pem("auth_serv/dh2.conf").encode("hex")
    res = dev[0].request("SET blob dhparams " + dh_hex)
    if "OK" not in res:
        raise Exception("Could not set dhparams blob")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.der",
                phase2="auth=PAP",
                dh_file="blob://dhparams")
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams"""
    # Here the DH parameter file is configured on the integrated EAP server;
    # the station side keeps its defaults.
    params = dict(int_eap_server_params(), dh_file="auth_serv/dh2.conf")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.der",
                phase2="auth=PAP")
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)"""
    # NOTE(review): unlike the station-side DSA test earlier in this file,
    # there is no check_dh_dsa_support() skip here; confirm the server build
    # is expected to accept DSA parameter files unconditionally.
    params = dict(int_eap_server_params(), dh_file="auth_serv/dsaparam.pem")
    hostapd.add_ap(apdev[0]['ifname'], params)
    client_opts = {
        "anonymous_identity": "ttls",
        "password": "password",
        "ca_cert": "auth_serv/ca.der",
        "phase2": "auth=PAP",
    }
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **client_opts)
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TLS server and dhparams file not found"""
    # NOTE(review): this function name is also used for the station-side
    # dh_file test earlier in this file.  Python keeps only the later
    # definition, so the earlier test is silently never collected; one of
    # the two needs a distinct name (e.g. a "_server" suffix for this one).
    params = dict(int_eap_server_params(),
                  dh_file="auth_serv/dh-no-such-file.conf")
    # Add the AP without enabling it so that the configuration error is
    # observed on the explicit ENABLE instead of inside add_ap().
    hapd = hostapd.add_ap(apdev[0]['ifname'], params, no_enable=True)
    res = hapd.request("ENABLE")
    if "FAIL" not in res:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TLS server and invalid dhparams file"""
    # NOTE(review): same name as the station-side dh_file test earlier in
    # this file; the later definition replaces the earlier one, so that
    # test never runs.  Rename one of them (e.g. a "_server" suffix here).
    # A CA certificate is deliberately passed where DH parameters are
    # expected; ENABLE must refuse the configuration.
    params = dict(int_eap_server_params(), dh_file="auth_serv/ca.pem")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params, no_enable=True)
    res = hapd.request("ENABLE")
    if "FAIL" not in res:
        raise Exception("Invalid configuration accepted")
3368 def test_ap_wpa2_eap_reauth(dev, apdev):
3369 """WPA2-Enterprise and Authenticator forcing reauthentication"""
3370 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3371 params['eap_reauth_period'] = '2'
3372 hostapd.add_ap(apdev[0]['ifname'], params)
3373 eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
3374 password_hex="0123456789abcdef0123456789abcdef")
3375 logger.info("Wait for reauthentication")
3376 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
3378 raise Exception("Timeout on reauthentication")
3379 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3381 raise Exception("Timeout on reauthentication")
3382 for i in range(0, 20):
3383 state = dev[0].get_status_field("wpa_state")
3384 if state == "COMPLETED":
3387 if state != "COMPLETED":
3388 raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity"""
    # eap_message carries displayable text followed by an options part.  The
    # Python literal '\\0' is a backslash and a '0' in the config value;
    # presumably hostapd's config parser turns it into the NUL separator —
    # confirm against the hostapd side.
    msg = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['eap_message'] = msg
    hostapd.add_ap(apdev[0]['ifname'], params)
    # The station only has to complete authentication; the message itself
    # is not inspected here.
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
    # Skips unless the hlr_auc_gw control socket exists (see helper above).
    check_hlr_auc_gw_support()
    params = int_eap_server_params()
    params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    # Let the server use protected result indications.
    params['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], params)

    def run_method(method, identity, password):
        # dev[0] asks for the protected result indication and is then
        # re-authenticated; dev[1] authenticates without requesting it.
        eap_connect(dev[0], apdev[0], method, identity, password=password,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], apdev[0], method, identity, password=password)

    def clear_networks():
        for sta in (dev[0], dev[1]):
            sta.request("REMOVE_NETWORK all")

    # Test-only SIM secret material in the form the hlr_auc_gw test database
    # expects (assumed; not derived here).
    sim_pw = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    aka_pw = sim_pw + ":000000000123"
    aka_prime_pw = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"

    run_method("SIM", "1232010000000000", sim_pw)
    clear_networks()
    run_method("AKA", "0232010000000000", aka_pw)
    clear_networks()
    run_method("AKA'", "6555444333222111", aka_prime_pw)
3433 def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
3434 """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
3435 skip_with_fips(dev[0])
3436 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3437 hostapd.add_ap(apdev[0]['ifname'], params)
3438 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
3439 eap="TTLS", identity="mschap user",
3440 wait_connect=False, scan_freq="2412", ieee80211w="1",
3441 anonymous_identity="ttls", password="password",
3442 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3444 ev = dev[0].wait_event(["EAP: more than"], timeout=20)
3446 raise Exception("EAP roundtrip limit not reached")
3448 def test_ap_wpa2_eap_expanded_nak(dev, apdev):
3449 """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
3450 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3451 hostapd.add_ap(apdev[0]['ifname'], params)
3452 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
3453 eap="PSK", identity="vendor-test",
3454 password_hex="ff23456789abcdef0123456789abcdef",
3458 for i in range(0, 5):
3459 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
3461 raise Exception("Association and EAP start timed out")
3462 if "refuse proposed method" in ev:
3466 raise Exception("Unexpected EAP status: " + ev)
3468 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3470 raise Exception("EAP failure timed out")
3472 def test_ap_wpa2_eap_sql(dev, apdev, params):
3473 """WPA2-Enterprise connection using SQLite for user DB"""
3474 skip_with_fips(dev[0])
3478 raise HwsimSkip("No sqlite3 module available")
3479 dbfile = os.path.join(params['logdir'], "eap-user.db")
3484 con = sqlite3.connect(dbfile)
3487 cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
3488 cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
3489 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
3490 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
3491 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
3492 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
3493 cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
3494 cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
3497 params = int_eap_server_params()
3498 params["eap_user_file"] = "sqlite:" + dbfile
3499 hostapd.add_ap(apdev[0]['ifname'], params)
3500 eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
3501 anonymous_identity="ttls", password="password",
3502 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
3503 dev[0].request("REMOVE_NETWORK all")
3504 eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
3505 anonymous_identity="ttls", password="password",
3506 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
3507 dev[1].request("REMOVE_NETWORK all")
3508 eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
3509 anonymous_identity="ttls", password="password",
3510 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
3511 eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
3512 anonymous_identity="ttls", password="password",
3513 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3517 def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
3518 """WPA2-Enterprise connection attempt using non-ASCII identity"""
3519 params = int_eap_server_params()
3520 hostapd.add_ap(apdev[0]['ifname'], params)
3521 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3522 identity="\x80", password="password", wait_connect=False)
3523 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3524 identity="a\x80", password="password", wait_connect=False)
3525 for i in range(0, 2):
3526 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
3528 raise Exception("Association and EAP start timed out")
3529 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
3531 raise Exception("EAP method selection timed out")
3533 def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
3534 """WPA2-Enterprise connection attempt using non-ASCII identity"""
3535 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3536 hostapd.add_ap(apdev[0]['ifname'], params)
3537 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3538 identity="\x80", password="password", wait_connect=False)
3539 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3540 identity="a\x80", password="password", wait_connect=False)
3541 for i in range(0, 2):
3542 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
3544 raise Exception("Association and EAP start timed out")
3545 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
3547 raise Exception("EAP method selection timed out")
3549 def test_openssl_cipher_suite_config_wpas(dev, apdev):
3550 """OpenSSL cipher suite configuration on wpa_supplicant"""
3551 tls = dev[0].request("GET tls_library")
3552 if not tls.startswith("OpenSSL"):
3553 raise HwsimSkip("TLS library is not OpenSSL: " + tls)
3554 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3555 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3556 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3557 anonymous_identity="ttls", password="password",
3558 openssl_ciphers="AES128",
3559 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3560 eap_connect(dev[1], apdev[0], "TTLS", "pap user",
3561 anonymous_identity="ttls", password="password",
3562 openssl_ciphers="EXPORT",
3563 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
3564 expect_failure=True, maybe_local_error=True)
3565 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3566 identity="pap user", anonymous_identity="ttls",
3567 password="password",
3568 openssl_ciphers="FOO",
3569 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
3571 ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
3573 raise Exception("EAP failure after invalid openssl_ciphers not reported")
3574 dev[2].request("DISCONNECT")
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd"""
    # openssl_ciphers strings are only meaningful when both ends are built
    # against OpenSSL, so skip otherwise (station first, then the AP).
    sta_tls = dev[0].request("GET tls_library")
    if not sta_tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + sta_tls)
    params = int_eap_server_params()
    params['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    ap_tls = hapd.request("GET tls_library")
    if not ap_tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + ap_tls)

    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Default station cipher list: expected to overlap with the AES256-only
    # server list.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **common)
    # AES128-only station against an AES256-only server leaves no common
    # suite, so the handshake is expected to fail.
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", expect_failure=True, **common)
    # HIGH:!ADH is expected to still share AES256 suites with the server.
    eap_connect(dev[2], apdev[0], "TTLS", "pap user",
                openssl_ciphers="HIGH:!ADH", **common)

    # An unparsable cipher string must be rejected at ENABLE rather than
    # silently falling back to the library default.
    params['openssl_ciphers'] = "FOO"
    hapd2 = hostapd.add_ap(apdev[1]['ifname'], params, no_enable=True)
    if "FAIL" not in hapd2.request("ENABLE"):
        raise Exception("Invalid openssl_ciphers value accepted")
3605 def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
3606 """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
3607 p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3608 hapd = hostapd.add_ap(apdev[0]['ifname'], p)
3609 password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
3610 pid = find_wpas_process(dev[0])
3611 id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
3612 anonymous_identity="ttls", password=password,
3613 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3614 # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
3615 # event has been delivered, so verify that wpa_supplicant has returned to
3616 # eloop before reading process memory.
3619 buf = read_process_memory(pid, password)
3621 dev[0].request("DISCONNECT")
3622 dev[0].wait_disconnected()
3630 with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
3631 for l in f.readlines():
3632 if "EAP-TTLS: Derived key - hexdump" in l:
3633 val = l.strip().split(':')[3].replace(' ', '')
3634 msk = binascii.unhexlify(val)
3635 if "EAP-TTLS: Derived EMSK - hexdump" in l:
3636 val = l.strip().split(':')[3].replace(' ', '')
3637 emsk = binascii.unhexlify(val)
3638 if "WPA: PMK - hexdump" in l:
3639 val = l.strip().split(':')[3].replace(' ', '')
3640 pmk = binascii.unhexlify(val)
3641 if "WPA: PTK - hexdump" in l:
3642 val = l.strip().split(':')[3].replace(' ', '')
3643 ptk = binascii.unhexlify(val)
3644 if "WPA: Group Key - hexdump" in l:
3645 val = l.strip().split(':')[3].replace(' ', '')
3646 gtk = binascii.unhexlify(val)
3647 if not msk or not emsk or not pmk or not ptk or not gtk:
3648 raise Exception("Could not find keys from debug log")
3650 raise Exception("Unexpected GTK length")
3656 fname = os.path.join(params['logdir'],
3657 'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
3659 logger.info("Checking keys in memory while associated")
3660 get_key_locations(buf, password, "Password")
3661 get_key_locations(buf, pmk, "PMK")
3662 get_key_locations(buf, msk, "MSK")
3663 get_key_locations(buf, emsk, "EMSK")
3664 if password not in buf:
3665 raise HwsimSkip("Password not found while associated")
3667 raise HwsimSkip("PMK not found while associated")
3669 raise Exception("KCK not found while associated")
3671 raise Exception("KEK not found while associated")
3673 raise Exception("TK found from memory")
3675 get_key_locations(buf, gtk, "GTK")
3676 raise Exception("GTK found from memory")
3678 logger.info("Checking keys in memory after disassociation")
3679 buf = read_process_memory(pid, password)
3681 # Note: Password is still present in network configuration
3682 # Note: PMK is in PMKSA cache and EAP fast re-auth data
3684 get_key_locations(buf, password, "Password")
3685 get_key_locations(buf, pmk, "PMK")
3686 get_key_locations(buf, msk, "MSK")
3687 get_key_locations(buf, emsk, "EMSK")
3688 verify_not_present(buf, kck, fname, "KCK")
3689 verify_not_present(buf, kek, fname, "KEK")
3690 verify_not_present(buf, tk, fname, "TK")
3691 verify_not_present(buf, gtk, fname, "GTK")
3693 dev[0].request("PMKSA_FLUSH")
3694 dev[0].set_network_quoted(id, "identity", "foo")
3695 logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
3696 buf = read_process_memory(pid, password)
3697 get_key_locations(buf, password, "Password")
3698 get_key_locations(buf, pmk, "PMK")
3699 get_key_locations(buf, msk, "MSK")
3700 get_key_locations(buf, emsk, "EMSK")
3701 verify_not_present(buf, pmk, fname, "PMK")
3703 dev[0].request("REMOVE_NETWORK all")
3705 logger.info("Checking keys in memory after network profile removal")
3706 buf = read_process_memory(pid, password)
3708 get_key_locations(buf, password, "Password")
3709 get_key_locations(buf, pmk, "PMK")
3710 get_key_locations(buf, msk, "MSK")
3711 get_key_locations(buf, emsk, "EMSK")
3712 verify_not_present(buf, password, fname, "password")
3713 verify_not_present(buf, pmk, fname, "PMK")
3714 verify_not_present(buf, kck, fname, "KCK")
3715 verify_not_present(buf, kek, fname, "KEK")
3716 verify_not_present(buf, tk, fname, "TK")
3717 verify_not_present(buf, gtk, fname, "GTK")
3718 verify_not_present(buf, msk, fname, "MSK")
3719 verify_not_present(buf, emsk, fname, "EMSK")
3721 def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
3722 """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
3723 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3724 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3725 bssid = apdev[0]['bssid']
3726 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3727 anonymous_identity="ttls", password="password",
3728 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3730 # Send unexpected WEP EAPOL-Key; this gets dropped
3731 res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
3733 raise Exception("EAPOL_RX to wpa_supplicant failed")
3735 def test_ap_wpa2_eap_in_bridge(dev, apdev):
3736 """WPA2-EAP and wpas interface in a bridge"""
3740 _test_ap_wpa2_eap_in_bridge(dev, apdev)
3742 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
3743 subprocess.call(['brctl', 'delif', br_ifname, ifname])
3744 subprocess.call(['brctl', 'delbr', br_ifname])
3745 subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
3747 def _test_ap_wpa2_eap_in_bridge(dev, apdev):
3748 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3749 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3753 wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
3754 subprocess.call(['brctl', 'addbr', br_ifname])
3755 subprocess.call(['brctl', 'setfd', br_ifname, '0'])
3756 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
3757 subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
3758 subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
3759 wpas.interface_add(ifname, br_ifname=br_ifname)
3762 id = eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
3763 password_hex="0123456789abcdef0123456789abcdef")
3765 eap_reauth(wpas, "PAX")
3767 # Try again as a regression test for packet socket workaround
3768 eap_reauth(wpas, "PAX")
3770 wpas.request("DISCONNECT")
3771 wpas.wait_disconnected()
3773 wpas.request("RECONNECT")
3774 wpas.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Sanity check of GET_CONFIG: the first key_mgmt entry must be WPA-EAP.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.partition(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # tls_disable_session_ticket=0 explicitly keeps session tickets enabled;
    # the reauthentication afterwards exercises that path.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_disable_session_ticket=0",
                phase2="auth=PAP")
    eap_reauth(dev[0], "TTLS")
3790 def test_ap_wpa2_eap_no_workaround(dev, apdev):
3791 """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
3792 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3793 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3794 key_mgmt = hapd.get_config()['key_mgmt']
3795 if key_mgmt.split(' ')[0] != "WPA-EAP":
3796 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
3797 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3798 anonymous_identity="ttls", password="password",
3799 ca_cert="auth_serv/ca.pem", eap_workaround='0',
3801 eap_reauth(dev[0], "TTLS")
3803 def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
3804 """EAP-TLS and server checking CRL"""
3805 params = int_eap_server_params()
3806 params['check_crl'] = '1'
3807 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3809 # check_crl=1 and no CRL available --> reject connection
3810 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3811 client_cert="auth_serv/user.pem",
3812 private_key="auth_serv/user.key", expect_failure=True)
3813 dev[0].request("REMOVE_NETWORK all")
3816 hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")
3819 # check_crl=1 and valid CRL --> accept
3820 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3821 client_cert="auth_serv/user.pem",
3822 private_key="auth_serv/user.key")
3823 dev[0].request("REMOVE_NETWORK all")
3826 hapd.set("check_crl", "2")
3829 # check_crl=2 and valid CRL --> accept
3830 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3831 client_cert="auth_serv/user.pem",
3832 private_key="auth_serv/user.key")
3833 dev[0].request("REMOVE_NETWORK all")
3835 def test_ap_wpa2_eap_tls_oom(dev, apdev):
3836 """EAP-TLS and OOM"""
3837 check_subject_match_support(dev[0])
3838 check_altsubject_match_support(dev[0])
3839 check_domain_match(dev[0])
3840 check_domain_match_full(dev[0])
3842 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3843 hostapd.add_ap(apdev[0]['ifname'], params)
3845 tests = [ (1, "tls_connection_set_subject_match"),
3846 (2, "tls_connection_set_subject_match"),
3847 (3, "tls_connection_set_subject_match"),
3848 (4, "tls_connection_set_subject_match") ]
3849 for count, func in tests:
3850 with alloc_fail(dev[0], count, func):
3851 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3852 identity="tls user", ca_cert="auth_serv/ca.pem",
3853 client_cert="auth_serv/user.pem",
3854 private_key="auth_serv/user.key",
3855 subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
3856 altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
3857 domain_suffix_match="server.w1.fi",
3858 domain_match="server.w1.fi",
3859 wait_connect=False, scan_freq="2412")
3860 # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
3861 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
3863 raise Exception("No passphrase request")
3864 dev[0].request("REMOVE_NETWORK all")
3865 dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL"""
    # macaddr_acl=2 selects the RADIUS-based MAC ACL mode in hostapd.conf;
    # with the built-in server the check is presumably answered locally —
    # confirm.  Note the station used here is dev[1], not dev[0].
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params["macaddr_acl"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], params)
    client_cert_opts = dict(ca_cert="auth_serv/ca.pem",
                            client_cert="auth_serv/user.pem",
                            private_key="auth_serv/user.key")
    eap_connect(dev[1], apdev[0], "TLS", "tls user", **client_cert_opts)
3876 def test_ap_wpa2_eap_oom(dev, apdev):
3877 """EAP server and OOM"""
3878 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3879 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3880 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
3882 with alloc_fail(hapd, 1, "eapol_auth_alloc"):
3883 # The first attempt fails, but STA will send EAPOL-Start to retry and
3885 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3886 identity="tls user", ca_cert="auth_serv/ca.pem",
3887 client_cert="auth_serv/user.pem",
3888 private_key="auth_serv/user.key",
3891 def check_tls_ver(dev, ap, phase1, expected):
3892 eap_connect(dev, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3893 client_cert="auth_serv/user.pem",
3894 private_key="auth_serv/user.key",
3896 ver = dev.get_status_field("eap_tls_version")
3898 raise Exception("Unexpected TLS version (expected %s): %s" % (expected, ver))
3900 def test_ap_wpa2_eap_tls_versions(dev, apdev):
3901 """EAP-TLS and TLS version configuration"""
3902 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3903 hostapd.add_ap(apdev[0]['ifname'], params)
3905 tls = dev[0].request("GET tls_library")
3906 if tls.startswith("OpenSSL"):
3907 if "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
3908 check_tls_ver(dev[0], apdev[0],
3909 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
3911 elif tls.startswith("internal"):
3912 check_tls_ver(dev[0], apdev[0],
3913 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2")
3914 check_tls_ver(dev[1], apdev[0],
3915 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
3916 check_tls_ver(dev[2], apdev[0],
3917 "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
3919 def test_rsn_ie_proto_eap_sta(dev, apdev):
3920 """RSN element protocol testing for EAP cases on STA side"""
3921 bssid = apdev[0]['bssid']
3922 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3923 # This is the RSN element used normally by hostapd
# Element ID 0x30, length 0x14: version 1, group cipher CCMP (00-0f-ac:4),
# one pairwise cipher (CCMP), one AKM (IEEE 802.1X, 00-0f-ac:1) and the
# RSN Capabilities field (0c00).
3924 params['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
3925 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Baseline association with the full element; the network id is reused
# below so only the AP-advertised element changes between iterations
# (the trailing connect() keywords are not shown in this listing).
3926 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
3927 identity="gpsk user",
3928 password="abcdefghijklmnop0123456789abcdef",
# Progressively truncated RSN elements (trailing optional fields dropped,
# lengths adjusted). The STA-side parser must treat each as a valid,
# defaults-applied element and still complete the connection rather than
# misparse or crash on the short element.
3931 tests = [ ('No RSN Capabilities field',
3932 '30120100000fac040100000fac040100000fac01'),
3933 ('No AKM Suite fields',
3934 '300c0100000fac040100000fac04'),
3935 ('No Pairwise Cipher Suite fields',
3936 '30060100000fac04'),
3937 ('No Group Data Cipher Suite field',
3939 for txt,ie in tests:
3940 dev[0].request("DISCONNECT")
3941 dev[0].wait_disconnected()
# Swap the advertised element on the running AP ...
3944 hapd.set('own_ie_override', ie)
# ... then drop the cached scan entry and force a fresh scan so the STA
# parses the new element instead of the stale one from the BSS table.
3946 dev[0].request("BSS_FLUSH 0")
3947 dev[0].scan_for_bss(bssid, 2412, force_scan=True, only_new=True)
3948 dev[0].select_network(id, freq=2412)
3949 dev[0].wait_connected()
3951 def check_tls_session_resumption_capa(dev, hapd):
"""Skip the test unless both TLS endpoints are built on OpenSSL.

The server side (*hapd*, which owns the session cache) is checked first,
then the supplicant (*dev*); either not being OpenSSL raises HwsimSkip.
"""
3952 tls = hapd.request("GET tls_library")
3953 if not tls.startswith("OpenSSL"):
3954 raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls)
3956 tls = dev.request("GET tls_library")
3957 if not tls.startswith("OpenSSL"):
3958 raise HwsimSkip("Session resumption not supported with this TLS library: " + tls)
3960 def test_eap_ttls_pap_session_resumption(dev, apdev):
3961 """EAP-TTLS/PAP session resumption"""
3962 params = int_eap_server_params()
# Server-side TLS session cache lifetime in seconds; a non-zero value is
# what allows the hostapd EAP server to resume sessions at all.
3963 params['tls_session_lifetime'] = '60'
3964 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3965 check_tls_session_resumption_capa(dev[0], hapd)
# The phase2 keyword (PAP) of this call is on a line not shown here.
3966 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3967 anonymous_identity="ttls", password="password",
3968 ca_cert="auth_serv/ca.pem", eap_workaround='0',
# First connection must be a full handshake, never a resumed one.
3970 if dev[0].get_status_field("tls_session_reused") != '0':
3971 raise Exception("Unexpected session resumption on the first connection")
# Run a second EAP exchange on the same association and wait for both the
# EAP result and the 4-way handshake; each raise below fires when the
# corresponding wait_event() times out.
3973 dev[0].request("REAUTHENTICATE")
3974 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3976 raise Exception("EAP success timed out")
3977 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3979 raise Exception("Key handshake with the AP timed out")
# Second exchange must reuse the cached TLS session (abbreviated handshake).
3980 if dev[0].get_status_field("tls_session_reused") != '1':
3981 raise Exception("Session resumption not used on the second connection")
3983 def test_eap_ttls_chap_session_resumption(dev, apdev):
3984 """EAP-TTLS/CHAP session resumption"""
3985 params = int_eap_server_params()
# Non-zero server-side session cache lifetime (seconds) enables resumption.
3986 params['tls_session_lifetime'] = '60'
3987 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3988 check_tls_session_resumption_capa(dev[0], hapd)
# Same flow as the PAP variant but with the CA supplied as DER (ca.der)
# and CHAP as the inner method.
3989 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
3990 anonymous_identity="ttls", password="password",
3991 ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
# First connection must be a full handshake.
3992 if dev[0].get_status_field("tls_session_reused") != '0':
3993 raise Exception("Unexpected session resumption on the first connection")
# Re-authenticate and wait for EAP success plus the 4-way handshake;
# each raise fires when the corresponding wait_event() times out.
3995 dev[0].request("REAUTHENTICATE")
3996 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3998 raise Exception("EAP success timed out")
3999 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4001 raise Exception("Key handshake with the AP timed out")
# Second exchange must reuse the cached TLS session.
4002 if dev[0].get_status_field("tls_session_reused") != '1':
4003 raise Exception("Session resumption not used on the second connection")
4005 def test_eap_ttls_mschap_session_resumption(dev, apdev):
4006 """EAP-TTLS/MSCHAP session resumption"""
# domain_suffix_match below needs TLS library support; skip otherwise.
4007 check_domain_suffix_match(dev[0])
4008 params = int_eap_server_params()
# Non-zero server-side session cache lifetime (seconds) enables resumption.
4009 params['tls_session_lifetime'] = '60'
4010 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4011 check_tls_session_resumption_capa(dev[0], hapd)
# Server identity is pinned with domain_suffix_match in addition to the
# CA check, so the resumed session is tied to a named server.
4012 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
4013 anonymous_identity="ttls", password="password",
4014 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4015 domain_suffix_match="server.w1.fi")
# First connection must be a full handshake.
4016 if dev[0].get_status_field("tls_session_reused") != '0':
4017 raise Exception("Unexpected session resumption on the first connection")
# Re-authenticate and wait for EAP success plus the 4-way handshake;
# each raise fires when the corresponding wait_event() times out.
4019 dev[0].request("REAUTHENTICATE")
4020 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4022 raise Exception("EAP success timed out")
4023 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4025 raise Exception("Key handshake with the AP timed out")
# Second exchange must reuse the cached TLS session.
4026 if dev[0].get_status_field("tls_session_reused") != '1':
4027 raise Exception("Session resumption not used on the second connection")
4029 def test_eap_ttls_mschapv2_session_resumption(dev, apdev):
4030 """EAP-TTLS/MSCHAPv2 session resumption"""
4031 check_domain_suffix_match(dev[0])
# MSCHAPv2 is an optional build feature; skip if not compiled in.
4032 check_eap_capa(dev[0], "MSCHAPV2")
4033 params = int_eap_server_params()
# Non-zero server-side session cache lifetime (seconds) enables resumption.
4034 params['tls_session_lifetime'] = '60'
4035 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4036 check_tls_session_resumption_capa(dev[0], hapd)
# Identity carries a Windows-style DOMAIN\user prefix. Note the backslash is
# inside a non-raw string; "\m" is not a recognised escape so it stays
# literal, but newer Python versions warn about it.
4037 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
4038 anonymous_identity="ttls", password="password",
4039 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
4040 domain_suffix_match="server.w1.fi")
# First connection must be a full handshake.
4041 if dev[0].get_status_field("tls_session_reused") != '0':
4042 raise Exception("Unexpected session resumption on the first connection")
# Re-authenticate and wait for EAP success plus the 4-way handshake;
# each raise fires when the corresponding wait_event() times out.
4044 dev[0].request("REAUTHENTICATE")
4045 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4047 raise Exception("EAP success timed out")
4048 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4050 raise Exception("Key handshake with the AP timed out")
# Second exchange must reuse the cached TLS session.
4051 if dev[0].get_status_field("tls_session_reused") != '1':
4052 raise Exception("Session resumption not used on the second connection")
4054 def test_eap_ttls_eap_gtc_session_resumption(dev, apdev):
4055 """EAP-TTLS/EAP-GTC session resumption"""
4056 params = int_eap_server_params()
# Non-zero server-side session cache lifetime (seconds) enables resumption.
4057 params['tls_session_lifetime'] = '60'
4058 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4059 check_tls_session_resumption_capa(dev[0], hapd)
# Inner method is an EAP method (autheap=GTC) rather than a legacy
# TTLS AVP method; resumption must behave the same way.
4060 eap_connect(dev[0], apdev[0], "TTLS", "user",
4061 anonymous_identity="ttls", password="password",
4062 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
# First connection must be a full handshake.
4063 if dev[0].get_status_field("tls_session_reused") != '0':
4064 raise Exception("Unexpected session resumption on the first connection")
# Re-authenticate and wait for EAP success plus the 4-way handshake;
# each raise fires when the corresponding wait_event() times out.
4066 dev[0].request("REAUTHENTICATE")
4067 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4069 raise Exception("EAP success timed out")
4070 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4072 raise Exception("Key handshake with the AP timed out")
# Second exchange must reuse the cached TLS session.
4073 if dev[0].get_status_field("tls_session_reused") != '1':
4074 raise Exception("Session resumption not used on the second connection")
4076 def test_eap_ttls_no_session_resumption(dev, apdev):
4077 """EAP-TTLS session resumption disabled on server"""
4078 params = int_eap_server_params()
# Lifetime 0 turns the server-side session cache off. Resumption skips the
# full handshake, so the server must never hand out a resumable session
# when it is configured not to.
4079 params['tls_session_lifetime'] = '0'
4080 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# No capability check here: the negative case is meaningful with any TLS
# library. The phase2 keyword of this call is on a line not shown.
4081 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
4082 anonymous_identity="ttls", password="password",
4083 ca_cert="auth_serv/ca.pem", eap_workaround='0',
4085 if dev[0].get_status_field("tls_session_reused") != '0':
4086 raise Exception("Unexpected session resumption on the first connection")
# Re-authenticate and wait for EAP success plus the 4-way handshake;
# each raise fires when the corresponding wait_event() times out.
4088 dev[0].request("REAUTHENTICATE")
4089 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4091 raise Exception("EAP success timed out")
4092 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4094 raise Exception("Key handshake with the AP timed out")
# A '1' here would mean the client got an abbreviated handshake the server
# was configured to refuse.
4095 if dev[0].get_status_field("tls_session_reused") != '0':
4096 raise Exception("Unexpected session resumption on the second connection")
4098 def test_eap_peap_session_resumption(dev, apdev):
4099 """EAP-PEAP session resumption"""
4100 params = int_eap_server_params()
# Non-zero server-side session cache lifetime (seconds) enables resumption.
4101 params['tls_session_lifetime'] = '60'
4102 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4103 check_tls_session_resumption_capa(dev[0], hapd)
4104 eap_connect(dev[0], apdev[0], "PEAP", "user",
4105 anonymous_identity="peap", password="password",
4106 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
# First connection must be a full handshake.
4107 if dev[0].get_status_field("tls_session_reused") != '0':
4108 raise Exception("Unexpected session resumption on the first connection")
# Re-authenticate and wait for EAP success plus the 4-way handshake;
# each raise fires when the corresponding wait_event() times out.
4110 dev[0].request("REAUTHENTICATE")
4111 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4113 raise Exception("EAP success timed out")
4114 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4116 raise Exception("Key handshake with the AP timed out")
# Second exchange must reuse the cached TLS session.
4117 if dev[0].get_status_field("tls_session_reused") != '1':
4118 raise Exception("Session resumption not used on the second connection")
4120 def test_eap_peap_session_resumption_crypto_binding(dev, apdev):
4121 """EAP-PEAP session resumption with crypto binding"""
4122 params = int_eap_server_params()
# Non-zero server-side session cache lifetime (seconds) enables resumption.
4123 params['tls_session_lifetime'] = '60'
4124 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4125 check_tls_session_resumption_capa(dev[0], hapd)
# PEAPv0 with crypto_binding=2 (binding required): the inner-method keys
# must be cryptographically bound to the TLS tunnel, and that binding has to
# keep working on a resumed session as well as on a full handshake.
4126 eap_connect(dev[0], apdev[0], "PEAP", "user",
4127 anonymous_identity="peap", password="password",
4128 phase1="peapver=0 crypto_binding=2",
4129 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
# First connection must be a full handshake.
4130 if dev[0].get_status_field("tls_session_reused") != '0':
4131 raise Exception("Unexpected session resumption on the first connection")
# Re-authenticate and wait for EAP success plus the 4-way handshake;
# each raise fires when the corresponding wait_event() times out.
4133 dev[0].request("REAUTHENTICATE")
4134 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4136 raise Exception("EAP success timed out")
4137 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4139 raise Exception("Key handshake with the AP timed out")
# Second exchange must reuse the cached TLS session.
4140 if dev[0].get_status_field("tls_session_reused") != '1':
4141 raise Exception("Session resumption not used on the second connection")
4143 def test_eap_peap_no_session_resumption(dev, apdev):
4144 """EAP-PEAP session resumption disabled on server"""
# No tls_session_lifetime is set, so this relies on the server default
# keeping resumption off (the default value itself is not visible here).
4145 params = int_eap_server_params()
4146 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4147 eap_connect(dev[0], apdev[0], "PEAP", "user",
4148 anonymous_identity="peap", password="password",
4149 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
4150 if dev[0].get_status_field("tls_session_reused") != '0':
4151 raise Exception("Unexpected session resumption on the first connection")
# Re-authenticate and wait for EAP success plus the 4-way handshake;
# each raise fires when the corresponding wait_event() times out.
4153 dev[0].request("REAUTHENTICATE")
4154 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4156 raise Exception("EAP success timed out")
4157 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4159 raise Exception("Key handshake with the AP timed out")
# Second exchange must again be a full handshake.
4160 if dev[0].get_status_field("tls_session_reused") != '0':
4161 raise Exception("Unexpected session resumption on the second connection")
4163 def test_eap_tls_session_resumption(dev, apdev):
4164 """EAP-TLS session resumption"""
4165 params = int_eap_server_params()
# Non-zero server-side session cache lifetime (seconds) enables resumption.
4166 params['tls_session_lifetime'] = '60'
4167 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4168 check_tls_session_resumption_capa(dev[0], hapd)
# Certificate-based client authentication; on a resumed session the client
# certificate is not re-sent, which is exactly what the cache lifetime
# bounds.
4169 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4170 client_cert="auth_serv/user.pem",
4171 private_key="auth_serv/user.key")
# First connection must be a full handshake.
4172 if dev[0].get_status_field("tls_session_reused") != '0':
4173 raise Exception("Unexpected session resumption on the first connection")
# Second exchange: re-authenticate, wait for EAP success and the 4-way
# handshake (each raise fires on wait_event() timeout), expect a resumed
# session.
4175 dev[0].request("REAUTHENTICATE")
4176 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4178 raise Exception("EAP success timed out")
4179 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4181 raise Exception("Key handshake with the AP timed out")
4182 if dev[0].get_status_field("tls_session_reused") != '1':
4183 raise Exception("Session resumption not used on the second connection")
# Third exchange: the cached session must still be reusable, i.e. a
# resumption does not consume the cache entry.
4185 dev[0].request("REAUTHENTICATE")
4186 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4188 raise Exception("EAP success timed out")
4189 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4191 raise Exception("Key handshake with the AP timed out")
4192 if dev[0].get_status_field("tls_session_reused") != '1':
4193 raise Exception("Session resumption not used on the third connection")
4195 def test_eap_tls_session_resumption_expiration(dev, apdev):
4196 """EAP-TLS session resumption expiration"""
4197 params = int_eap_server_params()
# One-second cache lifetime so the entry expires between attempts. This
# checks the lifetime is actually enforced: an expired session must not be
# resumed (resumption would otherwise skip the client certificate check
# indefinitely).
4198 params['tls_session_lifetime'] = '1'
4199 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4200 check_tls_session_resumption_capa(dev[0], hapd)
4201 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4202 client_cert="auth_serv/user.pem",
4203 private_key="auth_serv/user.key")
# First connection must be a full handshake.
4204 if dev[0].get_status_field("tls_session_reused") != '0':
4205 raise Exception("Unexpected session resumption on the first connection")
4207 # Allow multiple attempts since OpenSSL may not expire the cached entry
# The retry loop header and its delay are on lines not shown in this
# listing; each attempt re-authenticates and waits for EAP success and the
# 4-way handshake (each raise fires on wait_event() timeout).
4212 dev[0].request("REAUTHENTICATE")
4213 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4215 raise Exception("EAP success timed out")
4216 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4218 raise Exception("Key handshake with the AP timed out")
# Presumably leaves the loop once a non-resumed handshake is observed
# (the loop-exit statement is not shown).
4219 if dev[0].get_status_field("tls_session_reused") == '0':
# After the attempts, the last handshake must have been a full one.
4221 if dev[0].get_status_field("tls_session_reused") != '0':
4222 raise Exception("Session resumption used after lifetime expiration")
4224 def test_eap_tls_no_session_resumption(dev, apdev):
4225 """EAP-TLS session resumption disabled on server"""
# No tls_session_lifetime is set, so this relies on the server default
# keeping resumption off (the default value itself is not visible here).
4226 params = int_eap_server_params()
4227 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4228 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4229 client_cert="auth_serv/user.pem",
4230 private_key="auth_serv/user.key")
4231 if dev[0].get_status_field("tls_session_reused") != '0':
4232 raise Exception("Unexpected session resumption on the first connection")
# Re-authenticate and wait for EAP success plus the 4-way handshake;
# each raise fires when the corresponding wait_event() times out.
4234 dev[0].request("REAUTHENTICATE")
4235 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4237 raise Exception("EAP success timed out")
4238 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4240 raise Exception("Key handshake with the AP timed out")
# Second exchange must again be a full handshake (client cert re-checked).
4241 if dev[0].get_status_field("tls_session_reused") != '0':
4242 raise Exception("Unexpected session resumption on the second connection")
4244 def test_eap_tls_session_resumption_radius(dev, apdev):
4245 """EAP-TLS session resumption (RADIUS)"""
# A second hostapd instance on apdev[1] acts as a standalone RADIUS/EAP
# server listening on port 18128. It terminates TLS, so it owns the
# session cache and the 60 s lifetime. One config entry of this dict is
# on a line not shown in this listing.
4246 params = { "ssid": "as", "beacon_int": "2000",
4247 "radius_server_clients": "auth_serv/radius_clients.conf",
4248 "radius_server_auth_port": '18128',
4250 "eap_user_file": "auth_serv/eap_user.conf",
4251 "ca_cert": "auth_serv/ca.pem",
4252 "server_cert": "auth_serv/server.pem",
4253 "private_key": "auth_serv/server.key",
4254 "tls_session_lifetime": "60" }
4255 authsrv = hostapd.add_ap(apdev[1]['ifname'], params)
# Capability check runs against the RADIUS server, not the authenticator
# AP, since that is where the TLS library matters.
4256 check_tls_session_resumption_capa(dev[0], authsrv)
# The AP on apdev[0] is a plain authenticator forwarding EAP over RADIUS
# to port 18128 (the server address presumably comes from
# wpa2_eap_params()).
4258 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4259 params['auth_server_port'] = "18128"
4260 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4261 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4262 client_cert="auth_serv/user.pem",
4263 private_key="auth_serv/user.key")
# First connection must be a full handshake.
4264 if dev[0].get_status_field("tls_session_reused") != '0':
4265 raise Exception("Unexpected session resumption on the first connection")
# Re-authenticate and wait for EAP success plus the 4-way handshake;
# each raise fires when the corresponding wait_event() times out.
4267 dev[0].request("REAUTHENTICATE")
4268 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4270 raise Exception("EAP success timed out")
4271 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4273 raise Exception("Key handshake with the AP timed out")
# Resumption must work across the RADIUS hop, not only with the local
# EAP server.
4274 if dev[0].get_status_field("tls_session_reused") != '1':
4275 raise Exception("Session resumption not used on the second connection")
4277 def test_eap_tls_no_session_resumption_radius(dev, apdev):
4278 """EAP-TLS session resumption disabled (RADIUS)"""
# Standalone RADIUS/EAP server on apdev[1] (port 18128) with the session
# cache explicitly disabled (lifetime 0). One config entry of this dict is
# on a line not shown in this listing.
4279 params = { "ssid": "as", "beacon_int": "2000",
4280 "radius_server_clients": "auth_serv/radius_clients.conf",
4281 "radius_server_auth_port": '18128',
4283 "eap_user_file": "auth_serv/eap_user.conf",
4284 "ca_cert": "auth_serv/ca.pem",
4285 "server_cert": "auth_serv/server.pem",
4286 "private_key": "auth_serv/server.key",
4287 "tls_session_lifetime": "0" }
4288 hostapd.add_ap(apdev[1]['ifname'], params)
# Authenticator AP forwarding EAP over RADIUS to port 18128.
4290 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4291 params['auth_server_port'] = "18128"
4292 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4293 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4294 client_cert="auth_serv/user.pem",
4295 private_key="auth_serv/user.key")
4296 if dev[0].get_status_field("tls_session_reused") != '0':
4297 raise Exception("Unexpected session resumption on the first connection")
# Re-authenticate and wait for EAP success plus the 4-way handshake;
# each raise fires when the corresponding wait_event() times out.
4299 dev[0].request("REAUTHENTICATE")
4300 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4302 raise Exception("EAP success timed out")
4303 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4305 raise Exception("Key handshake with the AP timed out")
# With the cache disabled the second exchange must be a full handshake.
4306 if dev[0].get_status_field("tls_session_reused") != '0':
4307 raise Exception("Unexpected session resumption on the second connection")
4309 def test_eap_mschapv2_errors(dev, apdev):
4310 """EAP-MSCHAPv2 error cases"""
# Both methods are optional build features; the FAST case comes last.
4311 check_eap_capa(dev[0], "MSCHAPV2")
4312 check_eap_capa(dev[0], "FAST")
4314 params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
4315 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Baseline: plain EAP-MSCHAPv2 must succeed before any fault is injected
# (the trailing connect() keywords are on a line not shown here).
4316 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
4317 identity="phase1-user", password="password",
4319 dev[0].request("REMOVE_NETWORK all")
4320 dev[0].wait_disconnected()
# Forced failures in the response/key derivation chain. fail_test() makes
# the named function report failure; "callee;caller" limits the trigger to
# that call path, and the "=" variant presumably tightens how the caller
# frame is matched (see hostap's test-fail handling). Each case must end
# in a clean disconnect rather than a crash or a half-derived key.
4322 tests = [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
4323 (1, "nt_password_hash;mschapv2_derive_response"),
4324 (1, "nt_password_hash;=mschapv2_derive_response"),
4325 (1, "generate_nt_response;mschapv2_derive_response"),
4326 (1, "generate_authenticator_response;mschapv2_derive_response"),
4327 (1, "nt_password_hash;=mschapv2_derive_response"),
4328 (1, "get_master_key;mschapv2_derive_response"),
4329 (1, "os_get_random;eap_mschapv2_challenge_reply") ]
4330 for count, func in tests:
4331 with fail_test(dev[0], count, func):
4332 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
4333 identity="phase1-user", password="password",
4334 wait_connect=False, scan_freq="2412")
# Blocks until the supplicant reports the injected failure was consumed,
# i.e. the targeted code path was really exercised.
4335 wait_fail_trigger(dev[0], "GET_FAIL")
4336 dev[0].request("REMOVE_NETWORK all")
4337 dev[0].wait_disconnected()
# Same idea with the credential supplied as a pre-computed NT password hash
# (password_hex="hash:...") instead of plaintext, which takes the *_pwhash
# code paths.
4339 tests = [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
4340 (1, "hash_nt_password_hash;=mschapv2_derive_response"),
4341 (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
4342 (1, "generate_authenticator_response_pwhash;mschapv2_derive_response") ]
4343 for count, func in tests:
4344 with fail_test(dev[0], count, func):
4345 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
4346 identity="phase1-user",
4347 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
4348 wait_connect=False, scan_freq="2412")
4349 wait_fail_trigger(dev[0], "GET_FAIL")
4350 dev[0].request("REMOVE_NETWORK all")
4351 dev[0].wait_disconnected()
# Allocation failures at method init, message building and key export.
4353 tests = [ (1, "eap_mschapv2_init"),
4354 (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
4355 (1, "eap_msg_alloc;eap_mschapv2_success"),
4356 (1, "eap_mschapv2_getKey") ]
4357 for count, func in tests:
4358 with alloc_fail(dev[0], count, func):
4359 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
4360 identity="phase1-user", password="password",
4361 wait_connect=False, scan_freq="2412")
4362 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
4363 dev[0].request("REMOVE_NETWORK all")
4364 dev[0].wait_disconnected()
# A wrong password makes the server send a Failure-Request, which is the
# only way to reach the eap_mschapv2_failure allocation.
4366 tests = [ (1, "eap_msg_alloc;eap_mschapv2_failure") ]
4367 for count, func in tests:
4368 with alloc_fail(dev[0], count, func):
4369 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
4370 identity="phase1-user", password="wrong password",
4371 wait_connect=False, scan_freq="2412")
4372 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
4373 dev[0].request("REMOVE_NETWORK all")
4374 dev[0].wait_disconnected()
# MSCHAPv2 as the inner method of EAP-FAST with in-band provisioning:
# counts 2 and 3 target later eap_mschapv2_init() calls inside the tunnel
# rather than the first one.
4376 tests = [ (2, "eap_mschapv2_init"),
4377 (3, "eap_mschapv2_init") ]
4378 for count, func in tests:
4379 with alloc_fail(dev[0], count, func):
4380 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="FAST",
4381 anonymous_identity="FAST", identity="user",
4382 password="password",
4383 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
4384 phase1="fast_provisioning=1",
4385 pac_file="blob://fast_pac",
4386 wait_connect=False, scan_freq="2412")
4387 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
4388 dev[0].request("REMOVE_NETWORK all")
4389 dev[0].wait_disconnected()
4391 def test_eap_gpsk_errors(dev, apdev):
4392 """EAP-GPSK error cases"""
4393 params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
4394 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Baseline: plain EAP-GPSK must succeed before any fault is injected
# (the trailing connect() keywords are on a line not shown here).
4395 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
4396 identity="gpsk user",
4397 password="abcdefghijklmnop0123456789abcdef",
4399 dev[0].request("REMOVE_NETWORK all")
4400 dev[0].wait_disconnected()
# Forced failures in nonce generation, session-id/key derivation and MIC
# computation/validation. Each tuple is (count, function path, phase1);
# the phase1 values of several entries are on lines not shown and
# presumably select the GPSK cipher suite so both MIC variants (AES and
# HMAC-SHA256) are covered.
4402 tests = [ (1, "os_get_random;eap_gpsk_send_gpsk_2", None),
4403 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
4405 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
4407 (1, "eap_gpsk_derive_keys_helper", None),
4408 (2, "eap_gpsk_derive_keys_helper", None),
4409 (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
4411 (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
4413 (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
4414 (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
4415 (1, "eap_gpsk_derive_mid_helper", None) ]
4416 for count, func, phase1 in tests:
4417 with fail_test(dev[0], count, func):
# The phase1 keyword of this connect() is on a line not shown here.
4418 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
4419 identity="gpsk user",
4420 password="abcdefghijklmnop0123456789abcdef",
4422 wait_connect=False, scan_freq="2412")
# Blocks until the injected failure was consumed, i.e. the targeted path
# was really exercised; each case must end in a clean disconnect.
4423 wait_fail_trigger(dev[0], "GET_FAIL")
4424 dev[0].request("REMOVE_NETWORK all")
4425 dev[0].wait_disconnected()
# Allocation failures across the whole method lifetime, including the
# key-export hooks (getKey/get_emsk/get_session_id).
4427 tests = [ (1, "eap_gpsk_init"),
4428 (2, "eap_gpsk_init"),
4429 (3, "eap_gpsk_init"),
4430 (1, "eap_gpsk_process_id_server"),
4431 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
4432 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
4433 (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
4434 (1, "eap_gpsk_derive_keys"),
4435 (1, "eap_gpsk_derive_keys_helper"),
4436 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
4437 (1, "eap_gpsk_getKey"),
4438 (1, "eap_gpsk_get_emsk"),
4439 (1, "eap_gpsk_get_session_id") ]
4440 for count, func in tests:
4441 with alloc_fail(dev[0], count, func):
# ERP is enabled (erp="1") and any cached ERP state flushed first, so the
# EMSK export path (eap_gpsk_get_emsk) is actually reached each time.
4442 dev[0].request("ERP_FLUSH")
4443 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
4444 identity="gpsk user", erp="1",
4445 password="abcdefghijklmnop0123456789abcdef",
4446 wait_connect=False, scan_freq="2412")
4447 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
4448 dev[0].request("REMOVE_NETWORK all")
4449 dev[0].wait_disconnected()
4451 def test_ap_wpa2_eap_sim_db(dev, apdev, params):
4452 """EAP-SIM DB error cases"""
# Private socket path so the test, not a real hlr_auc_gw, is the backend
# the EAP server talks to (the socket setup lines are not shown here).
4453 sockpath = '/tmp/hlr_auc_gw.sock-test'
4458 hparams = int_eap_server_params()
4459 hparams['eap_sim_db'] = 'unix:' + sockpath
4460 hapd = hostapd.add_ap(apdev[0]['ifname'], hparams)
4462 # Initial test with hlr_auc_gw socket not available
# Nothing listens on sockpath yet: with no backend the server must fail
# the EAP-SIM authentication cleanly (EAP-Failure), never accept it.
# The raise fires when the wait_event() below times out.
4463 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
4464 eap="SIM", identity="1232010000000000",
4465 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
4466 scan_freq="2412", wait_connect=False)
4467 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
4469 raise Exception("EAP-Failure not reported")
4470 dev[0].wait_disconnected()
4471 dev[0].request("DISCONNECT")
4473 # Test with invalid responses and response timeout
# Fake hlr_auc_gw: replies to every request with three malformed messages
# (wrong field count / unknown command) and then nothing, so the EAP
# server's response parser and its pending-request timeout are exercised
# with hostile input on the backend channel. The handler's def line is
# not shown in this listing.
4475 class test_handler(SocketServer.DatagramRequestHandler):
4477 data = self.request[0].strip()
4478 socket = self.request[1]
4479 logger.debug("Received hlr_auc_gw request: " + data)
4480 # EAP-SIM DB: Failed to parse response string
4481 socket.sendto("FOO", self.client_address)
4482 # EAP-SIM DB: Failed to parse response string
4483 socket.sendto("FOO 1", self.client_address)
4484 # EAP-SIM DB: Unknown external response
4485 socket.sendto("FOO 1 2", self.client_address)
4486 logger.info("No proper response - wait for pending eap_sim_db request timeout")
4488 server = SocketServer.UnixDatagramServer(sockpath, test_handler)
# Serve exactly one request: handle_request() blocks until the retried
# EAP-SIM attempt reaches the backend socket. Again only EAP-Failure is
# acceptable.
4491 dev[0].select_network(id)
4492 server.handle_request()
4493 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
4495 raise Exception("EAP-Failure not reported")
4496 dev[0].wait_disconnected()
4497 dev[0].request("DISCONNECT")
4499 # Test with a valid response
# Second handler proxies the request to the real hlr_auc_gw binary and
# relays its answer. The Milenage DB path is built from the test logdir;
# the Popen argument line carrying it and the request is not shown.
# NOTE(review): in the visible code the child process is never wait()ed
# after stdout.read(); the omitted line may do so — confirm.
4501 class test_handler2(SocketServer.DatagramRequestHandler):
4503 data = self.request[0].strip()
4504 socket = self.request[1]
4505 logger.debug("Received hlr_auc_gw request: " + data)
4506 fname = os.path.join(params['logdir'],
4507 'hlr_auc_gw.milenage_db')
4508 cmd = subprocess.Popen(['../../hostapd/hlr_auc_gw',
4510 stdout=subprocess.PIPE)
4511 res = cmd.stdout.read().strip()
4513 logger.debug("hlr_auc_gw response: " + res)
4514 socket.sendto(res, self.client_address)
# Keep the bound socket, just swap the handler class; this time the same
# network must authenticate.
4516 server.RequestHandlerClass = test_handler2
4518 dev[0].select_network(id)
4519 server.handle_request()
4520 dev[0].wait_connected()
4521 dev[0].request("DISCONNECT")
4522 dev[0].wait_disconnected()
4524 def test_eap_tls_sha512(dev, apdev, params):
4525 """EAP-TLS with SHA512 signature"""
# NOTE: the `params` argument (hwsim test parameters) is immediately
# shadowed by the hostapd configuration dict and never used.
4526 params = int_eap_server_params()
# Server chain signed with SHA-512; the stack must accept stronger digests
# than the default SHA-256 chain.
4527 params["ca_cert"] = "auth_serv/sha512-ca.pem"
4528 params["server_cert"] = "auth_serv/sha512-server.pem"
4529 params["private_key"] = "auth_serv/sha512-server.key"
4530 hostapd.add_ap(apdev[0]['ifname'], params)
# Two clients against the same server: one with a SHA-512-signed client
# certificate, one with a SHA-384-signed one. The trailing connect()
# keywords are on lines not shown in this listing.
4532 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4533 identity="tls user sha512",
4534 ca_cert="auth_serv/sha512-ca.pem",
4535 client_cert="auth_serv/sha512-user.pem",
4536 private_key="auth_serv/sha512-user.key",
4538 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4539 identity="tls user sha512",
4540 ca_cert="auth_serv/sha512-ca.pem",
4541 client_cert="auth_serv/sha384-user.pem",
4542 private_key="auth_serv/sha384-user.key",
4545 def test_eap_tls_sha384(dev, apdev, params):
4546 """EAP-TLS with SHA384 signature"""
# NOTE: the `params` argument (hwsim test parameters) is immediately
# shadowed by the hostapd configuration dict and never used.
4547 params = int_eap_server_params()
# Same CA as the SHA-512 test, but the server certificate itself is
# SHA-384-signed; only the server side differs from test_eap_tls_sha512.
4548 params["ca_cert"] = "auth_serv/sha512-ca.pem"
4549 params["server_cert"] = "auth_serv/sha384-server.pem"
4550 params["private_key"] = "auth_serv/sha384-server.key"
4551 hostapd.add_ap(apdev[0]['ifname'], params)
# Two clients: SHA-512-signed and SHA-384-signed client certificates.
# The trailing connect() keywords are on lines not shown in this listing.
4553 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4554 identity="tls user sha512",
4555 ca_cert="auth_serv/sha512-ca.pem",
4556 client_cert="auth_serv/sha512-user.pem",
4557 private_key="auth_serv/sha512-user.key",
4559 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4560 identity="tls user sha512",
4561 ca_cert="auth_serv/sha512-ca.pem",
4562 client_cert="auth_serv/sha384-user.pem",
4563 private_key="auth_serv/sha384-user.key",
4566 def test_ap_wpa2_eap_assoc_rsn(dev, apdev):
4567 """WPA2-Enterprise AP and association request RSN IE differences"""
# Two APs: a plain WPA2-Enterprise one and one with PMF required
# (ieee80211w=2).
4568 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4569 hostapd.add_ap(apdev[0]['ifname'], params)
4571 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap-11w")
4572 params["ieee80211w"] = "2"
4573 hostapd.add_ap(apdev[1]['ifname'], params)
4575 # Success cases with optional RSN IE fields removed one by one
# set_test_assoc_ie() (helper from test_ap_psk) presumably makes the STA
# send the given RSN element in its (Re)Association Request. The AP-side
# parser must accept elements with extra trailing fields (PMKID count,
# group management cipher, unknown extension) and truncated ones, applying
# defaults rather than rejecting. The title is presumably logged on the
# line not shown at the top of the loop body.
4576 tests = [ ("Normal wpa_supplicant assoc req RSN IE",
4577 "30140100000fac040100000fac040100000fac010000"),
4578 ("Extra PMKIDCount field in RSN IE",
4579 "30160100000fac040100000fac040100000fac0100000000"),
4580 ("Extra Group Management Cipher Suite in RSN IE",
4581 "301a0100000fac040100000fac040100000fac0100000000000fac06"),
4582 ("Extra undefined extension field in RSN IE",
4583 "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
4584 ("RSN IE without RSN Capabilities",
4585 "30120100000fac040100000fac040100000fac01"),
4586 ("RSN IE without AKM", "300c0100000fac040100000fac04"),
4587 ("RSN IE without pairwise", "30060100000fac04"),
4588 ("RSN IE without group", "30020100") ]
4589 for title, ie in tests:
4591 set_test_assoc_ie(dev[0], ie)
# The trailing connect() keywords are on a line not shown here.
4592 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
4593 identity="gpsk user",
4594 password="abcdefghijklmnop0123456789abcdef",
4596 dev[0].request("REMOVE_NETWORK all")
4597 dev[0].wait_disconnected()
# PMF-required AP with the STA set to PMF optional (ieee80211w="1"); the
# RSN Capabilities bytes cc00 advertise MFP, with and without an explicit
# group management cipher suite. Both must associate.
4599 tests = [ ("Normal wpa_supplicant assoc req RSN IE",
4600 "30140100000fac040100000fac040100000fac01cc00"),
4601 ("Group management cipher included in assoc req RSN IE",
4602 "301a0100000fac040100000fac040100000fac01cc000000000fac06") ]
4603 for title, ie in tests:
4605 set_test_assoc_ie(dev[0], ie)
4606 dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
4607 eap="GPSK", identity="gpsk user",
4608 password="abcdefghijklmnop0123456789abcdef",
4610 dev[0].request("REMOVE_NETWORK all")
4611 dev[0].wait_disconnected()
# Negative cases: a cipher the AP does not offer (00-0f-ac:2, TKIP) as
# group or pairwise cipher must be rejected with the matching IEEE 802.11
# status code (41 = invalid group cipher, 42 = invalid pairwise cipher).
# Both the rejection and the exact code are checked, so the AP neither
# silently accepts a weaker cipher nor misreports the reason.
4613 tests = [ ("Invalid group cipher", "30060100000fac02", 41),
4614 ("Invalid pairwise cipher", "300c0100000fac040100000fac02", 42) ]
4615 for title, ie, status in tests:
4617 set_test_assoc_ie(dev[0], ie)
4618 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
4619 identity="gpsk user",
4620 password="abcdefghijklmnop0123456789abcdef",
4621 scan_freq="2412", wait_connect=False)
# The raise fires when no rejection event arrives.
4622 ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
4624 raise Exception("Association rejection not reported")
4625 if "status_code=" + str(status) not in ev:
4626 raise Exception("Unexpected status code: " + ev)
4627 dev[0].request("REMOVE_NETWORK all")
# Drop queued events so the next iteration does not match a stale reject.
4628 dev[0].dump_monitor()
# PMF-required AP must refuse, with status 31 (robust management frame
# policy violation), a STA that does not advertise MFP at all and one that
# asks for a group management cipher suite the AP does not support.
4630 tests = [ ("Management frame protection not enabled",
4631 "30140100000fac040100000fac040100000fac010000", 31),
4632 ("Unsupported management group cipher",
4633 "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 31) ]
4634 for title, ie, status in tests:
4636 set_test_assoc_ie(dev[0], ie)
4637 dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
4638 eap="GPSK", identity="gpsk user",
4639 password="abcdefghijklmnop0123456789abcdef",
4640 scan_freq="2412", wait_connect=False)
4641 ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
4643 raise Exception("Association rejection not reported")
4644 if "status_code=" + str(status) not in ev:
4645 raise Exception("Unexpected status code: " + ev)
4646 dev[0].request("REMOVE_NETWORK all")
4647 dev[0].dump_monitor()
4649 def test_eap_tls_ext_cert_check(dev, apdev):
4650 """EAP-TLS and external server certification validation"""
4651 # With internal server certificate chain validation
# tls_ext_cert_check=1 makes wpa_supplicant hand the server certificate
# chain to an external checker over the control interface in addition to
# the built-in ca_cert validation. only_add_network=True just creates the
# profile; run_ext_cert_check() brings up the AP and drives the exchange.
4652 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4653 identity="tls user",
4654 ca_cert="auth_serv/ca.pem",
4655 client_cert="auth_serv/user.pem",
4656 private_key="auth_serv/user.key",
4657 phase1="tls_ext_cert_check=1", scan_freq="2412",
4658 only_add_network=True)
4659 run_ext_cert_check(dev, apdev, id)
4661 def test_eap_ttls_ext_cert_check(dev, apdev):
4662 """EAP-TTLS and external server certification validation"""
4663 # Without internal server certificate chain validation
# No ca_cert here: the external checker invoked via tls_ext_cert_check=1
# is the only server authentication in this profile, so its verdict alone
# decides whether the PAP password is released into the tunnel.
4664 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4665 identity="pap user", anonymous_identity="ttls",
4666 password="password", phase2="auth=PAP",
4667 phase1="tls_ext_cert_check=1", scan_freq="2412",
4668 only_add_network=True)
4669 run_ext_cert_check(dev, apdev, id)
4671 def test_eap_peap_ext_cert_check(dev, apdev):
4672 """EAP-PEAP and external server certification validation"""
4673 # With internal server certificate chain validation
# Built-in ca_cert validation plus the external check requested by
# tls_ext_cert_check=1; only_add_network=True defers the connection to
# run_ext_cert_check().
4674 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
4675 identity="user", anonymous_identity="peap",
4676 ca_cert="auth_serv/ca.pem",
4677 password="password", phase2="auth=MSCHAPV2",
4678 phase1="tls_ext_cert_check=1", scan_freq="2412",
4679 only_add_network=True)
4680 run_ext_cert_check(dev, apdev, id)
4682 def test_eap_fast_ext_cert_check(dev, apdev):
4683 """EAP-FAST and external server certification validation"""
4684 check_eap_capa(dev[0], "FAST")
4685 # With internal server certificate chain validation
# Clear any PAC left over from an earlier run so provisioning happens
# again (an existing PAC would let the tunnel come up without a server
# certificate to check).
4686 dev[0].request("SET blob fast_pac_auth_ext ")
# fast_provisioning=2 allows authenticated (certificate-based) provisioning
# only, and tls_ext_cert_check=1 adds the external check on top of the
# ca_cert validation. One connect() keyword is on a line not shown here.
4687 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
4688 identity="user", anonymous_identity="FAST",
4689 ca_cert="auth_serv/ca.pem",
4690 password="password", phase2="auth=GTC",
4691 phase1="tls_ext_cert_check=1 fast_provisioning=2",
4692 pac_file="blob://fast_pac_auth_ext",
4694 only_add_network=True)
4695 run_ext_cert_check(dev, apdev, id)
def run_ext_cert_check(dev, apdev, net_id):
    """Drive one tls_ext_cert_check exchange for an already-added network.

    Shared body of the test_eap_*_ext_cert_check tests. *net_id* is a
    network on dev[0] configured with phase1="tls_ext_cert_check=1". The
    helper brings up the AP, collects the certificates reported through
    CTRL-EVENT-EAP-PEER-CERT, checks the server and issuer CN, answers the
    CTRL-REQ-EXT_CERT_CHECK request with "good" and expects a connection;
    it then reconnects, answers "bad" and expects EAP-Failure.

    Raises HwsimSkip when the build or the Python environment lacks the
    needed support, and a plain Exception on any unexpected event.

    NOTE(review): this listing is missing several source lines (the gutter
    numbers are not contiguous). Each gap is marked inline below; the code
    around the gaps is reproduced exactly as shown and is not runnable as is.
    """
    check_ext_cert_check_support(dev[0])
    if not openssl_imported:
        raise HwsimSkip("OpenSSL python method not available")

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    dev[0].select_network(net_id)
    # [listing gap: gutter 4706-4707 not shown -- presumably the mapping that
    #  'certs[depth] = ...' below fills in, and the loop head that repeats the
    #  wait below until CTRL-REQ-EXT_CERT_CHECK arrives; verify in the source]
    # Every certificate of the server chain arrives as its own
    # CTRL-EVENT-EAP-PEER-CERT event before the external-check request.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
                            "CTRL-REQ-EXT_CERT_CHECK",
                            "CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # [listing gap: gutter 4711 not shown -- the condition guarding this raise]
    raise Exception("No peer server certificate event seen")
    if "CTRL-EVENT-EAP-PEER-CERT" in ev:
        # [listing gap: gutter 4714-4715 not shown -- presumably the
        #  initialisation of 'depth' and 'cert' that the checks below rely on]
        vals = ev.split(' ')
        # [listing gap: gutter 4717 not shown -- the loop over 'vals' that
        #  binds 'v' for the two tests below]
        if v.startswith("depth="):
            depth = int(v.split('=')[1])
        elif v.startswith("cert="):
            # Certificate is carried hex-encoded in the event line.
            cert = v.split('=')[1]
        if depth is not None and cert:
            certs[depth] = binascii.unhexlify(cert)
    elif "CTRL-EVENT-EAP-SUCCESS" in ev:
        # Authentication must not complete before the external verifier
        # has been asked; success here means the check was bypassed.
        raise Exception("Unexpected EAP-Success")
    elif "CTRL-REQ-EXT_CERT_CHECK" in ev:
        # Request id is the last '-'-separated field before the ':'; it is
        # echoed back in the CTRL-RSP below. (Shadows the builtin 'id'.)
        id = ev.split(':')[0].split('-')[-1]
    # [listing gap: gutter 4728-4729 not shown -- the condition guarding this
    #  raise; the message implies it tests for the depth-0 (server) entry]
    raise Exception("Server certificate not received")
    # [listing gap: gutter 4731 not shown -- guard for the depth-1 (issuer) entry]
    raise Exception("Server certificate issuer not received")

    # Parse the DER certificates with pyOpenSSL and compare the subject CNs
    # against the expected test-CA values.
    cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
    # [listing gap: gutter 4735 not shown -- the certificate argument, which
    #  also closes this call]
    # NOTE(review): pyOpenSSL returns None for a missing CN; the string
    # concatenations below would then raise TypeError instead of the
    # descriptive Exception further down.
    cn = cert.get_subject().commonName
    logger.info("Server certificate CN=" + cn)

    issuer = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
    # [listing gap: gutter 4740 not shown -- the issuer certificate argument,
    #  which also closes this call]
    icn = issuer.get_subject().commonName
    logger.info("Issuer certificate CN=" + icn)

    if cn != "server.w1.fi":
        raise Exception("Unexpected server certificate CN: " + cn)
    if icn != "Root CA":
        raise Exception("Unexpected server certificate issuer CN: " + icn)

    # The supplicant must hold the EAP exchange until the external verdict
    # is delivered: no EAP-Success may appear while the request is pending.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=0.1)
    # [listing gap: gutter 4750 not shown -- the condition guarding this raise]
    raise Exception("Unexpected EAP-Success before external check result indication")

    # Positive verdict: authentication is allowed to complete.
    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":good")
    dev[0].wait_connected()

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Drop the cached PMKSA (and any EAP-FAST PAC blob) so that the
    # reconnection runs a full EAP exchange and a second external check is
    # requested, instead of being satisfied from the cache.
    if "FAIL" in dev[0].request("PMKSA_FLUSH"):
        raise Exception("PMKSA_FLUSH failed")
    dev[0].request("SET blob fast_pac_auth_ext ")
    dev[0].request("RECONNECT")

    ev = dev[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout=10)
    # [listing gap: gutter 4764 not shown -- the condition guarding this raise]
    raise Exception("No peer server certificate event seen (2)")
    id = ev.split(':')[0].split('-')[-1]
    # Negative verdict: the external checker rejects the server certificate
    # and the supplicant must abort authentication with EAP-Failure.
    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":bad")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    # [listing gap: gutter 4769 not shown -- the condition guarding this raise]
    raise Exception("EAP-Failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()