1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
# Root logger (no name given): test progress messages below go through it.
logger = logging.getLogger(name=None)
18 from utils import HwsimSkip, alloc_fail, fail_test
19 from wpasupplicant import WpaSupplicant
20 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations
def check_hlr_auc_gw_support():
    """Skip the test unless the hlr_auc_gw control socket is present.

    Only the existence of the socket path is checked (it lives in the shared
    /tmp directory); nothing about its owner or peer is verified here.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
def check_eap_capa(dev, method):
    """Skip the test unless *method* is listed in dev's "eap" capability.

    NOTE(review): the condition guarding the raise (presumably
    ``method not in res``) is absent from this listing.
    """
    res = dev.get_capability("eap")
    raise HwsimSkip("EAP method %s not supported in the build" % method)
def check_subject_match_support(dev):
    """Skip the test unless *dev* reports an OpenSSL TLS library.

    subject_match is only exercised against the OpenSSL backend; any other
    "GET tls_library" reply skips the test with that library name.
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + tls_lib)
def check_altsubject_match_support(dev):
    """Skip the test unless *dev* reports an OpenSSL TLS library.

    altsubject_match is only exercised against the OpenSSL backend; any other
    "GET tls_library" reply skips the test with that library name.
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls_lib)
def check_domain_match_full(dev):
    """Skip the test unless *dev* reports an OpenSSL TLS library.

    Used by tests that rely on suffix semantics of domain_suffix_match; with
    other TLS libraries only a full domain match is available, so the test
    is skipped with that library name.
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls_lib)
def check_cert_probe_support(dev):
    """Skip the test unless *dev* reports an OpenSSL TLS library.

    Server certificate probing is only exercised against the OpenSSL
    backend; any other "GET tls_library" reply skips the test.
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls_lib)
52 with open(fname, "r") as f:
63 return base64.b64decode(cert)
def eap_connect(dev, ap, method, identity,
                sha256=False, expect_failure=False, local_error_report=False,
                maybe_local_error=False, **kwargs):
    """Connect *dev* to the test AP with EAP method *method* and verify it.

    Adds a "test-wpa2-eap" network with key_mgmt "WPA-EAP WPA-EAP-SHA256",
    PMF optional (ieee80211w=1) and the given EAP method/identity; the extra
    keyword arguments are presumably forwarded to dev.connect() as further
    network parameters (password, ca_cert, phase2, ...). eap_check_auth()
    then validates the EAP exchange with the sha256/expect_failure/
    local_error_report/maybe_local_error flags, and hostapd must report
    AP-STA-CONNECTED within 5 s on the success path.

    NOTE(review): this listing drops the closing line of the dev.connect()
    call and the branches around the hostapd event wait; the visible lines
    are reproduced below.
    """
    hapd = hostapd.Hostapd(ap['ifname'])
    id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                     eap=method, identity=identity,
                     wait_connect=False, scan_freq="2412", ieee80211w="1",
    # NOTE(review): the call above continues on a line missing from the listing.
    eap_check_auth(dev, method, True, sha256=sha256,
                   expect_failure=expect_failure,
                   local_error_report=local_error_report,
                   maybe_local_error=maybe_local_error)
    # NOTE(review): the guard selecting the success path and the "ev is None"
    # test around the raise are missing from the listing.
    ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
    raise Exception("No connection event received from hostapd")
def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
                   expect_failure=False, local_error_report=False,
                   maybe_local_error=False):
    """Validate one EAP authentication on *dev* through its control events.

    Waits for CTRL-EVENT-EAP-STARTED and CTRL-EVENT-EAP-METHOD, then either
    for CTRL-EVENT-EAP-FAILURE followed by a disconnection (expect_failure)
    or for CTRL-EVENT-EAP-SUCCESS and the connected / key-negotiation event,
    and finally cross-checks STATUS (wpa_state, suppPortStatus,
    selectedMethod, key_mgmt).

    Parameters:
      initial: True on the first association; presumably selects waiting for
               CTRL-EVENT-CONNECTED rather than "WPA: Key negotiation
               completed" (the selecting branch is absent from this listing).
      rsn, sha256: choose the key_mgmt string STATUS is expected to report.
      expect_failure: the exchange must end in EAP failure and disconnect.
      local_error_report: when False, the disconnect event must carry
               reason=23 (IEEE 802.1X authentication failed), i.e. the AP
               rejected the station rather than the supplicant giving up.
      maybe_local_error: tolerate a locally generated disconnect instead.

    NOTE(review): the "if ev is None" guards and the if/elif/else lines
    around the branches are missing from this listing; the dependent lines
    are reproduced at body level below.
    """
    ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    raise Exception("Association and EAP start timed out")
    ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    raise Exception("EAP method selection timed out")
    # Presumably guarded on the selected method name not appearing in ev.
    raise Exception("Unexpected EAP method")
    # expect_failure path (guard missing): no timeout on the failure wait.
    ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("EAP failure timed out")
    ev = dev.wait_disconnected(timeout=10)
    if maybe_local_error and "locally_generated=1" in ev:
    # NOTE(review): the body of the branch above (presumably a return) is missing.
    if not local_error_report:
        # 23 = IEEE 802.1X authentication failed in the disconnect reason code.
        if "reason=23" not in ev:
            raise Exception("Proper reason code for disconnection not reported")
    # Success path (guard missing).
    ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    raise Exception("EAP success timed out")
    ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
    ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Association with the AP timed out")
    status = dev.get_status()
    if status["wpa_state"] != "COMPLETED":
        raise Exception("Connection not completed")
    # The controlled port must be open only after a successful EAP exchange.
    if status["suppPortStatus"] != "Authorized":
        raise Exception("Port not authorized")
    if method not in status["selectedMethod"]:
        raise Exception("Incorrect EAP method status")
    # Expected key_mgmt string; presumably selected by sha256 / rsn (the
    # if/elif/else lines are missing from this listing).
    e = "WPA2-EAP-SHA256"
    e = "WPA2/IEEE 802.1X/EAP"
    e = "WPA/IEEE 802.1X/EAP"
    if status["key_mgmt"] != e:
        raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger REAUTHENTICATE on *dev* and validate the new EAP exchange.

    Delegates to eap_check_auth() with initial=False; rsn, sha256 and
    expect_failure are passed through unchanged and its result is returned.
    """
    dev.request("REAUTHENTICATE")
    outcome = eap_check_auth(dev, method, False, rsn=rsn, sha256=sha256,
                             expect_failure=expect_failure)
    return outcome
def test_ap_wpa2_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM

    Positive case against the hlr_auc_gw backend (three subscribers, fast
    re-authentication on dev[0]), then negative cases on dev[0]: a wrong
    key, four malformed GSM-Milenage key strings (truncated, non-hex digit in
    either field, missing ':' separator) and a network with no key at all.

    NOTE(review): the trailing argument line of several eap_connect() calls
    (presumably expect_failure=True on the negative cases) is missing from
    this listing; the visible lines are reproduced below.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # password carries the GSM-Milenage key material as "Ki:OPc", two 128-bit
    # hex values; these are fixed simulator test keys.
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "SIM")
    eap_connect(dev[1], apdev[0], "SIM", "1232010000000001",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    eap_connect(dev[2], apdev[0], "SIM", "1232010000000002",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
    # Wrong Ki: the server must reject the AT_MAC / derived keys.
    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
    # Truncated key string.
    logger.info("Invalid GSM-Milenage key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a",
    # Non-hex digit in Ki.
    logger.info("Invalid GSM-Milenage key(2)")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
    # Non-hex digit in OPc.
    logger.info("Invalid GSM-Milenage key(3)")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
    # ':' separator replaced by a non-hex character.
    logger.info("Invalid GSM-Milenage key(4)")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
    # No password at all.
    logger.info("Missing key configuration")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-SIM (SQL)

    Runs EAP-SIM against the EAP server instance on auth_server_port 1814
    (presumably the one backed by the hostapd.db SQLite database in the log
    directory) and manipulates its "reauth" and "pseudonyms" tables between
    re-authentications to force: full auth with a pseudonym, full auth with
    the permanent identity, rejection of a reauth with a mismatching master
    key, and fallback from fast reauth on a counter mismatch and on reaching
    the maximum reauth count.

    NOTE(review): the try/except around the sqlite3 import, the ``with con:``
    / ``cur = con.cursor()`` scaffolding and some guard lines are missing
    from this listing; the visible lines are reproduced below.
    """
    check_hlr_auc_gw_support()
    raise HwsimSkip("No sqlite3 module available")
    # 'params' is the test-runner dict here (logdir); it is rebound to the AP
    # configuration on the next line.
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['auth_server_port'] = "1814"
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    logger.info("SIM fast re-authentication")
    eap_reauth(dev[0], "SIM")
    # Dropping the server-side reauth state forces a full authentication,
    # which the client starts with its pseudonym identity.
    logger.info("SIM full auth with pseudonym")
    cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")
    # Dropping the pseudonym as well forces the permanent identity on the wire.
    logger.info("SIM full auth with permanent identity")
    cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
    cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")
    # A server-side master key that no longer matches the client's must make
    # the fast reauth fail rather than succeed with mismatched keys.
    logger.info("SIM reauth with mismatching MK")
    cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")
    # Counter mismatch between server and client: reauth must still complete
    # (presumably by falling back to full authentication).
    cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
    logger.info("SIM reauth with mismatching counter")
    eap_reauth(dev[0], "SIM")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
    logger.info("SIM reauth with max reauth count reached")
    eap_reauth(dev[0], "SIM")
def test_ap_wpa2_eap_sim_config(dev, apdev):
    """EAP-SIM configuration options

    phase1 "sim_min_num_chal=1" and "sim_min_num_chal=4" must make method
    initialization fail (EAP type 18 = SIM), "sim_min_num_chal=2" must
    work, and a separate connection uses an anonymous_identity.

    NOTE(review): the ``if ev is None`` guards before the raises are missing
    from this listing; the dependent lines are reproduced at body level.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Too few required challenges: rejected at method init.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                   identity="1232010000000000",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   phase1="sim_min_num_chal=1",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
    raise Exception("No EAP error message seen")
    dev[0].request("REMOVE_NETWORK all")
    # Too many required challenges: rejected at method init as well.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                   identity="1232010000000000",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   phase1="sim_min_num_chal=4",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
    raise Exception("No EAP error message seen (2)")
    dev[0].request("REMOVE_NETWORK all")
    # Accepted value.
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                phase1="sim_min_num_chal=2")
    # Anonymous outer identity hides the permanent identity in the EAP
    # Identity response.
    eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                anonymous_identity="345678")
def test_ap_wpa2_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM and external GSM auth

    Wrapper that runs _test_ap_wpa2_eap_sim_ext() and then resets
    external_sim on dev[0] so later tests are not left in external-SIM mode.

    NOTE(review): the try/finally lines around the two calls are missing
    from this listing.
    """
    _test_ap_wpa2_eap_sim_ext(dev, apdev)
    dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext(dev, apdev):
    """Exercise wpa_supplicant's handling of external GSM auth responses.

    With external_sim=1 the supplicant raises a CTRL-REQ-SIM-<id>:GSM-AUTH
    request instead of computing the GSM triplets itself. Every response
    below is deliberately wrong (a UMTS-AUTH reply to a GSM-AUTH request,
    non-hex data, too-short values, incomplete Kc/SRES pairs, trailing
    junk) and each one must end in CTRL-EVENT-EAP-FAILURE; i.e. malformed
    control-interface input is rejected rather than fed into the method.

    NOTE(review): the ``p = ev.split(':')`` lines and the ``if ev is None``
    guards are missing from this listing; the dependent lines are
    reproduced at body level below.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        identity="1232010000000000",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    raise Exception("Network connected timed out")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    # Request id from "CTRL-REQ-SIM-<id>"; it is echoed in CTRL-RSP-SIM-<id>.
    rid = p[0].split('-')[3]
    # Constructed (non-secret) IK:CK:RES style reply sent to a GSM request.
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    # This will fail during processing, but the ctrl_iface command succeeds
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Non-hex response.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:q"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Too-short Kc.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:34"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Kc without SRES.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Non-hex SRES.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:q"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Single Kc:SRES pair (presumably fewer than the number of challenges).
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Valid pair followed by junk.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233:q"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    raise Exception("EAP failure not reported")
def test_ap_wpa2_eap_sim_oom(dev, apdev):
    """EAP-SIM and OOM

    Fails the 1st..12th allocation inside milenage_f2345 in turn (via
    alloc_fail) and checks that the supplicant still selects the EAP method
    and then disconnects cleanly instead of crashing or connecting.

    NOTE(review): the ``if ev is None`` guard before the raise is missing
    from this listing.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    tests = [ (1, "milenage_f2345"),
              (2, "milenage_f2345"),
              (3, "milenage_f2345"),
              (4, "milenage_f2345"),
              (5, "milenage_f2345"),
              (6, "milenage_f2345"),
              (7, "milenage_f2345"),
              (8, "milenage_f2345"),
              (9, "milenage_f2345"),
              (10, "milenage_f2345"),
              (11, "milenage_f2345"),
              (12, "milenage_f2345") ]
    for count, func in tests:
        # alloc_fail makes the count-th allocation in func fail for the
        # duration of the with block.
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                           identity="1232010000000000",
                           password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            raise Exception("EAP method not selected")
            dev[0].wait_disconnected()
            dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA

    Positive case with fast re-authentication, then negative cases on
    dev[0]: a wrong key, six malformed Milenage key strings (truncated,
    non-hex digit in any of the three fields, one or both ':' separators
    missing) and a network with no key at all.

    NOTE(review): the trailing argument line of the negative eap_connect()
    calls (presumably expect_failure=True) is missing from this listing.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # password is "Ki:OPc:SQN" in hex (128-bit Ki and OPc, 48-bit SQN);
    # fixed simulator test keys.
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA")
    # Wrong Ki.
    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
    # Truncated key string.
    logger.info("Invalid Milenage key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a",
    # Non-hex digit in Ki.
    logger.info("Invalid Milenage key(2)")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
    # Non-hex digit in OPc.
    logger.info("Invalid Milenage key(3)")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
    # Non-hex digit in SQN.
    logger.info("Invalid Milenage key(4)")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
    # Second separator missing.
    logger.info("Invalid Milenage key(5)")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
    # Both separators missing.
    logger.info("Invalid Milenage key(6)")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
    # No password at all.
    logger.info("Missing key configuration")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA (SQL)

    EAP-AKA counterpart of test_ap_wpa2_eap_sim_sql(): runs against the EAP
    server on auth_server_port 1814 and edits the "reauth" / "pseudonyms"
    tables of hostapd.db between re-authentications to force full auth
    with pseudonym and with permanent identity, rejection on a mismatching
    master key, and fallback on counter mismatch / max reauth count.

    NOTE(review): the try/except around the sqlite3 import, the ``with con:``
    / ``cur = con.cursor()`` scaffolding and some guard lines are missing
    from this listing.
    """
    check_hlr_auc_gw_support()
    raise HwsimSkip("No sqlite3 module available")
    # 'params' is the test-runner dict here; rebound to the AP config below.
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['auth_server_port'] = "1814"
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    logger.info("AKA fast re-authentication")
    eap_reauth(dev[0], "AKA")
    logger.info("AKA full auth with pseudonym")
    cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")
    logger.info("AKA full auth with permanent identity")
    cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
    cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")
    # Server-side master key no longer matches the client's: fast reauth
    # must fail, not succeed with mismatched keys.
    logger.info("AKA reauth with mismatching MK")
    cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")
    cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
    logger.info("AKA reauth with mismatching counter")
    eap_reauth(dev[0], "AKA")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
    logger.info("AKA reauth with max reauth count reached")
    eap_reauth(dev[0], "AKA")
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options

    Connects with EAP-AKA using an anonymous outer identity so the permanent
    identity is not sent in the EAP Identity response.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # "Ki:OPc:SQN" hex key material for the simulated subscriber.
    creds = dict(
        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
        anonymous_identity="2345678",
    )
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000", **creds)
def test_ap_wpa2_eap_aka_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA and external UMTS auth

    Wrapper that runs _test_ap_wpa2_eap_aka_ext() and then resets
    external_sim on dev[0] so later tests are not left in external-SIM mode.

    NOTE(review): the try/finally lines around the two calls are missing
    from this listing.
    """
    _test_ap_wpa2_eap_aka_ext(dev, apdev)
    dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_ext(dev, apdev):
    """Exercise wpa_supplicant's handling of external UMTS auth responses.

    With external_sim=1 the supplicant raises a CTRL-REQ-SIM-<id>:UMTS-AUTH
    request. The responses sent back are all invalid: a GSM-AUTH reply to a
    UMTS request, a UMTS-AUTS resynchronization value (which yields a fresh
    request) followed by a too-short AUTS, and a list of malformed UMTS-AUTH
    replies (wrong separators, wrong field lengths, non-hex). Each must end
    in CTRL-EVENT-EAP-FAILURE.

    NOTE(review): the ``p = ev.split(':')`` lines, the ``if ev is None``
    guards and the ``for t in tests:`` loop header are missing from this
    listing; dependent lines are reproduced at body level below.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                        identity="0232010000000000",
                        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    raise Exception("Network connected timed out")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "UMTS-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    # Request id from "CTRL-REQ-SIM-<id>"; echoed back in CTRL-RSP-SIM-<id>.
    rid = p[0].split('-')[3]
    # Constructed (non-secret) three-field value sent with the wrong type.
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    # This will fail during processing, but the ctrl_iface command succeeds
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Resynchronization: AUTS reply leads to a new UMTS-AUTH request.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "UMTS-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during UMTS auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "UMTS-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # Too-short AUTS must be rejected.
    # This will fail during UMTS auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Malformed UMTS-AUTH replies: '.' instead of ':' separators, a short
    # middle field, an over-long last field and a non-hex last field.
    tests = [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
    # NOTE(review): the loop header iterating 'tests' as 't' is missing here.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "UMTS-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during UMTS auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'

    Positive case with fast re-authentication; a bidding-protection check
    where dev[1] enables both "AKA' AKA" and must still connect (the
    supplicant has to detect a downgrade from AKA' to AKA); and a negative
    case with a wrong key.

    NOTE(review): the trailing argument line of the last eap_connect() call
    (presumably expect_failure=True) is missing from this listing.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # "Ki:OPc:SQN" hex key material for the simulated subscriber.
    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA'")
    logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
                   identity="6555444333222111@both",
                   password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
                   wait_connect=False, scan_freq="2412")
    dev[1].wait_connected(timeout=15)
    # Wrong Ki.
    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA' (SQL)

    EAP-AKA' counterpart of the SIM/AKA SQL tests: runs against the EAP
    server on auth_server_port 1814 and edits hostapd.db between
    re-authentications. The key-mismatch case here overwrites k_aut (the
    AKA' authentication key) rather than mk.

    NOTE(review): the try/except around the sqlite3 import, the ``with con:``
    / ``cur = con.cursor()`` scaffolding and some guard lines are missing
    from this listing.
    """
    check_hlr_auc_gw_support()
    raise HwsimSkip("No sqlite3 module available")
    # 'params' is the test-runner dict here; rebound to the AP config below.
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['auth_server_port'] = "1814"
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
    logger.info("AKA' fast re-authentication")
    eap_reauth(dev[0], "AKA'")
    logger.info("AKA' full auth with pseudonym")
    cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'")
    logger.info("AKA' full auth with permanent identity")
    cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
    cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'")
    # Server-side k_aut no longer matches the client's: fast reauth must
    # fail (AT_MAC verification), not succeed.
    logger.info("AKA' reauth with mismatching k_aut")
    cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
    cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'")
    cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
    logger.info("AKA' reauth with mismatching counter")
    eap_reauth(dev[0], "AKA'")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
    cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
    logger.info("AKA' reauth with max reauth count reached")
    eap_reauth(dev[0], "AKA'")
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP

    Checks the AP advertises WPA-EAP first, connects with TTLS/PAP (the
    password travels inside the TLS tunnel, so ca_cert validation of the
    server certificate is what protects it), re-authenticates and verifies
    the RSNA MIB reports the IEEE 802.1X AKM suite (00-0f-ac-1).
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    ttls_cfg = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_cfg)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    expected_mib = [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
                    ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1")]
    check_mib(dev[0], expected_mib)
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match

    On top of the CA check, pins the server certificate by its subject DN
    and by its alternative names (';'-separated TYPE:value entries); both
    matchers require an OpenSSL build.
    """
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    cert_checks = dict(
        subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
        altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
    )
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                **cert_checks)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password

    dev[0] uses the wrong password for "pap user"; dev[1] uses the right
    password but an identity ("user") not valid for PAP. Both must fail.

    NOTE(review): the trailing argument line of both eap_connect() calls
    (presumably expect_failure=True) is missing from this listing.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
    eap_connect(dev[1], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP

    Connects with CHAP inside the TTLS tunnel, using the DER-encoded CA
    certificate to validate the server, then re-authenticates.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    ttls_cfg = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", **ttls_cfg)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP

    Same as the plain CHAP case but additionally pins the server
    certificate's alternative names via altsubject_match (OpenSSL only).
    """
    check_altsubject_match_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    san_pin = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match=san_pin)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password

    dev[0] uses the wrong password for "chap user"; dev[1] uses the right
    password but an identity ("user") not valid for CHAP. Both must fail.

    NOTE(review): the trailing argument line of both eap_connect() calls
    (presumably expect_failure=True) is missing from this listing.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
    eap_connect(dev[1], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP

    Connects with MSCHAP inside the TTLS tunnel with domain_suffix_match
    pinning the server certificate to server.w1.fi, re-authenticates, then
    connects again with a second domain_suffix_match configuration.

    NOTE(review): the trailing argument line of the second eap_connect()
    call (its domain_suffix_match value) is missing from this listing.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password

    (Docstring inherited from the CHAP test; this one exercises MSCHAP.)
    dev[0] uses the wrong password, dev[1] an identity not valid for
    MSCHAP, dev[2] a nonexistent user. All three must fail.

    NOTE(review): the trailing argument line of each eap_connect() call
    (presumably expect_failure=True) is missing from this listing.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    eap_connect(dev[1], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    eap_connect(dev[2], apdev[0], "TTLS", "no such user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
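def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2

    Connects with a cleartext password (server certificate validated against
    ca.pem, name restricted with domain_suffix_match), verifies data
    connectivity, forces an EAP re-authentication and checks that the AP's
    per-STA counters moved accordingly.  Finally repeats the connection with
    the password supplied in hashed form (password_hex="hash:...").
    """
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    hapd = hostapd.Hostapd(ifname)

    # "\\m" spells the literal backslash explicitly; the original "\m" relied
    # on an invalid escape sequence being kept verbatim, which newer Python
    # versions warn about.
    identity = "DOMAIN\\mschapv2 user"
    tunnel = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")

    eap_connect(dev[0], apdev[0], "TTLS", identity, password="password",
                domain_suffix_match="server.w1.fi", **tunnel)
    hwsim_utils.test_connectivity(dev[0], hapd)

    addr = dev[0].p2p_interface_addr()
    sta1 = hapd.get_sta(addr)
    eapol1 = hapd.get_sta(addr, info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(addr)
    eapol2 = hapd.get_sta(addr, info="eapol")
    # The re-authentication must be visible in the AP's counters: more EAPOL
    # frames received, at least one authAuthEapStartsWhileAuthenticated, and
    # one more backend authentication success.
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **tunnel)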
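def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (parent-domain suffix match)

    Like the plain MSCHAPv2 test but domain_suffix_match is set to the parent
    domain "w1.fi" only, so the test requires a TLS library that implements
    real suffix matching (check_domain_match_full skips it otherwise).
    """
    check_domain_match_full(dev[0])
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    hapd = hostapd.Hostapd(ifname)
    # "\\m" spells the literal backslash explicitly instead of relying on the
    # invalid escape sequence "\m" being kept verbatim.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")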
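def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)

    Uses domain_match (full name match) instead of domain_suffix_match for
    the server certificate; the mixed-case value presumably exercises
    case-insensitive comparison (not verifiable from here).
    """
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    hapd = hostapd.Hostapd(ifname)
    # "\\m" spells the literal backslash explicitly instead of relying on the
    # invalid escape sequence "\m" being kept verbatim.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")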
def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password

    Negative test: a wrong MSCHAPv2 password and a non-MSCHAPv2 user must
    both be rejected.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): "\m" is an invalid escape sequence that Python keeps
    # verbatim; "DOMAIN\\mschapv2 user" would spell the same value safely.
    # Both calls below are missing their closing argument line in this copy
    # of the file (the sibling negative tests end with expect_failure=True).
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
    eap_connect(dev[1], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password

    Two stations authenticate through the same AP: one with a non-ASCII
    password given in cleartext, the other with the password supplied in
    hashed form (password_hex="hash:...").
    """
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    hapd = hostapd.Hostapd(ifname)
    tunnel = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
                password="secret-åäö-€-password", **tunnel)
    eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf", **tunnel)
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC

    GTC runs as an inner EAP method (phase2="autheap=GTC") inside the TTLS
    tunnel; connectivity and re-authentication are verified afterwards.
    """
    ifname = apdev[0]['ifname']
    hapd = hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user", anonymous_identity="ttls",
                password="password", ca_cert="auth_serv/ca.pem",
                phase2="autheap=GTC")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password

    Negative test: a wrong password for the inner EAP-GTC method must not
    produce a connection.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                # NOTE(review): the closing argument line of this call is
                # missing from this copy of the file; the sibling negative
                # tests end the call with expect_failure=True.
def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password

    Negative test: the user "user-no-passwd" is expected to have no password
    configured on the server side, so the attempt must not succeed.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                # NOTE(review): the closing argument line of this call is
                # missing from this copy of the file; the sibling negative
                # tests end the call with expect_failure=True.
def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM

    Injects allocation failures into the hostapd-internal EAP server (GTC
    method init and request build) and checks that the authentication fails
    cleanly instead of crashing or succeeding.
    """
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(hapd, 1, "eap_gtc_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                    # NOTE(review): the closing argument line of this call is
                    # missing from this copy of the file.
    dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        # NOTE(review): the polling loop around this check and the body of
        # the `if` are missing from this copy of the file.
        if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5

    EAP-MD5 runs as an inner EAP method (phase2="autheap=MD5") inside the
    TTLS tunnel; connectivity and re-authentication are verified afterwards.
    """
    ifname = apdev[0]['ifname']
    hapd = hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user", anonymous_identity="ttls",
                password="password", ca_cert="auth_serv/ca.pem",
                phase2="autheap=MD5")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password

    Negative test: a wrong password for the inner EAP-MD5 method must make
    the connection attempt fail (expect_failure=True).
    """
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user", anonymous_identity="ttls",
                password="wrong", ca_cert="auth_serv/ca.pem",
                phase2="autheap=MD5", expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password

    Negative test for the user "user-no-passwd": the attempt must fail
    (expect_failure=True).
    """
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM

    Injects allocation failures into the hostapd-internal EAP server (MD5
    method init and request build) and checks that authentication fails
    cleanly.
    """
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(hapd, 1, "eap_md5_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(hapd, 1, "eap_md5_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        # NOTE(review): the polling loop around this check and the body of
        # the `if` are missing from this copy of the file.
        if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2

    Positive run (connect, connectivity, re-authentication) followed by a
    negative run with a wrong password on the same station.
    """
    ifname = apdev[0]['ifname']
    hapd = hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    tunnel = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="autheap=MSCHAPV2")

    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password", **tunnel)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password1",
                expect_failure=True, **tunnel)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password

    Negative test for the user "user-no-passwd": the attempt must fail
    (expect_failure=True).
    """
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM

    Injects allocation failures into four places of the hostapd-internal
    EAP-MSCHAPv2 server (init, challenge build, success request build and
    failure request build) and checks that each attempt fails cleanly.
    """
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(hapd, 1, "eap_mschapv2_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    # NOTE(review): in each of the three blocks below the polling loop around
    # the GET_ALLOC_FAIL check and the body of the `if` are missing from this
    # copy of the file.
    with alloc_fail(hapd, 1, "eap_mschapv2_build_challenge"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        if hapd.request("GET_ALLOC_FAIL").startswith('0'):
    dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(hapd, 1, "eap_mschapv2_build_success_req"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        if hapd.request("GET_ALLOC_FAIL").startswith('0'):
    dev[0].request("REMOVE_NETWORK all")

    # A wrong password is used here so that the server takes the failure
    # path, where the injected allocation failure is located.
    with alloc_fail(hapd, 1, "eap_mschapv2_build_failure_req"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="wrong",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        if hapd.request("GET_ALLOC_FAIL").startswith('0'):
    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA

    EAP-AKA runs as the inner method (phase2="autheap=AKA"); the password
    field carries the AKA test credentials in the colon-separated form the
    test authentication server expects (presumably K:OPc:SQN — confirm).
    """
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    imsi = "0232010000000000"
    eap_connect(dev[0], apdev[0], "TTLS", imsi,
                anonymous_identity=imsi + "@ttls",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA

    Same AKA credentials as the TTLS variant, tunneled inside PEAP with
    phase2="auth=AKA".
    """
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    imsi = "0232010000000000"
    eap_connect(dev[0], apdev[0], "PEAP", imsi,
                anonymous_identity=imsi + "@peap",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA

    Skipped when the build lacks EAP-FAST.  Uses authenticated PAC
    provisioning (fast_provisioning=2) with the PAC kept in a config blob,
    and the same AKA test credentials as the TTLS/PEAP variants.
    """
    check_eap_capa(dev[0], "FAST")
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    imsi = "0232010000000000"
    eap_connect(dev[0], apdev[0], "FAST", imsi,
                anonymous_identity=imsi + "@fast",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2

    Four variants against one AP: a normal connection with connectivity
    check and re-authentication, the same with a small EAP fragment_size,
    the password supplied in hashed form, and a negative run with a wrong
    password that must fail.
    """
    ifname = apdev[0]['ifname']
    hapd = hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    peap = dict(anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2")

    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password", **peap)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                fragment_size="200", **peap)

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **peap)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password1",
                expect_failure=True, **peap)
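def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain

    The identity carries a DOMAIN\\ prefix; the rest of the flow is the usual
    connect, connectivity check and re-authentication.
    """
    ifname = apdev[0]['ifname']
    hapd = hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "\\u" spells the literal backslash explicitly.  The original "\user3"
    # only works on Python 2; on Python 3 "\u" starts a \uXXXX escape and the
    # literal is a SyntaxError.  The runtime value is unchanged.
    eap_connect(dev[0], apdev[0], "PEAP", "DOMAIN\\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")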
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password

    Negative test: a wrong inner MSCHAPv2 password must make the attempt
    fail (expect_failure=True).
    """
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "PEAP", "user", anonymous_identity="peap",
                password="wrong", ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2", expect_failure=True)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding

    dev[0] requires cryptobinding (crypto_binding=2) and is additionally
    re-authenticated; dev[1] and dev[2] connect to the same AP with the
    optional (1) and disabled (0) settings.
    """
    ifname = apdev[0]['ifname']
    hapd = hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect(sta, binding):
        # PEAPv0 is forced so that the crypto_binding setting is what varies.
        eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=%d" % binding,
                    phase2="auth=MSCHAPV2")

    connect(dev[0], 2)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    connect(dev[1], 1)
    connect(dev[2], 0)
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM

    An allocation failure is injected into eap_mschapv2_getKey of the
    hostapd-internal EAP server; the attempt must fail, with the failure
    reported locally by the supplicant (local_error_report=True).
    """
    ifname = apdev[0]['ifname']
    hapd = hostapd.add_ap(ifname, int_eap_server_params())
    with alloc_fail(hapd, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_peap_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters

    Covers PEAP phase1 options: peaplabel=1 with PEAPv0 (expected to fail),
    peap_outer_success=1 and =2 (expected to connect), and peapver=1 with
    peaplabel=1, which must report EAP success but not a connection.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="peapver=0 peaplabel=1",
                expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=1",
                phase2="auth=MSCHAPV2")
    eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=2",
                phase2="auth=MSCHAPV2")
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   # NOTE(review): one argument line (presumably the identity)
                   # is missing from this copy of the file at this point.
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peapver=1 peaplabel=1",
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the guard lines before the two raises below are missing
    # from this copy of the file.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
    raise Exception("No EAP success seen")
    # Only a short wait: EAP success must NOT turn into a connection here.
    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
    raise Exception("Unexpected connection")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS

    The *2 parameters hold the inner EAP-TLS credentials used inside the
    PEAP tunnel; the outer tunnel is validated against ca_cert.
    """
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner_tls = dict(ca_cert2="auth_serv/ca.pem",
                     client_cert2="auth_serv/user.pem",
                     private_key2="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS", **inner_tls)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS

    Certificate-based authentication with the client certificate and key
    read from files, followed by an EAP re-authentication.
    """
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **creds)
    eap_reauth(dev[0], "TLS")
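def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs

    The CA certificate, client certificate and private key are loaded into
    wpa_supplicant configuration blobs (SET blob <name> <hex>) and then
    referenced as blob://<name> instead of file paths.

    Raises:
        Exception: if wpa_supplicant does not acknowledge one of the blobs.
    """
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    blobs = [("cacert", "auth_serv/ca.pem"),
             ("usercert", "auth_serv/user.pem"),
             ("userkey", "auth_serv/user.rsa-key")]
    for name, path in blobs:
        data = read_pem(path)
        # The error message now names the blob that actually failed; the
        # original reported "cacert" for the userkey blob as well.
        if "OK" not in dev[0].request("SET blob %s %s" % (name, data.encode("hex"))):
            raise Exception("Could not set %s blob" % name)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")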
def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12

    Three rounds: the PKCS#12 passphrase given in the network block, the
    passphrase supplied interactively through the CTRL-REQ-PASSPHRASE /
    CTRL-RSP-PASSPHRASE control interface exchange, and a second PKCS#12
    file (user2.pkcs12).
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # No private_key_passwd here: the supplicant has to ask for it.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
    # NOTE(review): the guard line before this raise is missing from this
    # copy of the file.
    raise Exception("Request for private key passphrase timed out")
    # Extract the request id from "CTRL-REQ-PASSPHRASE-<id>:..." and answer
    # with the matching CTRL-RSP.  (`id` shadows the builtin.)
    id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
    dev[0].wait_connected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user2.pkcs12",
                private_key_passwd="whatever")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob

    The CA certificate (PEM) and the PKCS#12 bundle (raw bytes) are pushed
    into configuration blobs and referenced as blob://cacert and
    blob://pkcs12.

    Raises:
        Exception: if wpa_supplicant does not acknowledge a SET blob request.
    """
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    ca_hex = read_pem("auth_serv/ca.pem").encode("hex")
    if "OK" not in dev[0].request("SET blob cacert " + ca_hex):
        raise Exception("Could not set cacert blob")

    with open("auth_serv/user.pkcs12", "rb") as f:
        p12_hex = f.read().encode("hex")
        if "OK" not in dev[0].request("SET blob pkcs12 " + p12_hex):
            raise Exception("Could not set pkcs12 blob")

    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root

    Two stations trust a CA (ca-incorrect.pem, once as a blob and once as a
    file) that did not issue the server certificate.  Both must report a
    TLS certificate error, an EAP failure, a disconnection and finally a
    temporarily disabled network block - i.e. no connection is ever made
    to a server whose certificate does not chain to the configured root.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    cert = read_pem("auth_serv/ca-incorrect.pem")
    if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
        raise Exception("Could not set cacert blob")
    # NOTE(review): "\m" is an invalid escape sequence kept verbatim by
    # Python; "DOMAIN\\mschapv2 user" would spell the same value safely.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="blob://cacert",
                   wait_connect=False, scan_freq="2412")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca-incorrect.pem",
                   wait_connect=False, scan_freq="2412")

    # The loop variable rebinds the `dev` parameter; the tuple is evaluated
    # before that happens, so it still refers to the fixture.
    # NOTE(review): in this copy of the file the guard line before each
    # "... timed out" raise inside the loop is missing.
    for dev in (dev[0], dev[1]):
        ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        raise Exception("Association and EAP start timed out")

        ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        raise Exception("EAP method selection timed out")
        if "TTLS" not in ev:
            raise Exception("Unexpected EAP method")

        # Of all possible outcomes, the first event must be the certificate
        # error - success or a connection here would mean the bad trust root
        # was accepted.
        ev = dev.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                             "CTRL-EVENT-EAP-SUCCESS",
                             "CTRL-EVENT-EAP-FAILURE",
                             "CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        raise Exception("EAP result timed out")
        if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
            raise Exception("TLS certificate error not reported")

        ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS",
                             "CTRL-EVENT-EAP-FAILURE",
                             "CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        raise Exception("EAP result(2) timed out")
        if "CTRL-EVENT-EAP-FAILURE" not in ev:
            raise Exception("EAP failure not reported")

        ev = dev.wait_event(["CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        raise Exception("EAP result(3) timed out")
        if "CTRL-EVENT-DISCONNECTED" not in ev:
            raise Exception("Disconnection not reported")

        ev = dev.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
        raise Exception("Network block disabling not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust

    A first network block trusting the right CA connects successfully; a
    second block for the same SSID trusting ca-incorrect.pem is then
    selected.  EAP-TTLS must be restarted from scratch for it (no reuse of
    the earlier validation) and the result must be a disconnection with
    reason=23.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password", phase2="auth=PAP",
                   ca_cert="auth_serv/ca.pem",
                   wait_connect=True, scan_freq="2412")
    # Only added, not selected yet.  (`id` shadows the builtin.)
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                        identity="pap user", anonymous_identity="ttls",
                        password="password", phase2="auth=PAP",
                        ca_cert="auth_serv/ca-incorrect.pem",
                        only_add_network=True, scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(id, freq="2412")

    # method=21 is EAP-TTLS.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    # NOTE(review): the guard line before this raise is missing from this
    # copy of the file.
    raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust

    Variant of test_ap_wpa2_eap_tls_diff_ca_trust where the first network
    block configures no ca_cert at all (no server certificate validation in
    that block).  Switching to the second block, which trusts
    ca-incorrect.pem, must still restart EAP-TTLS and end in a
    disconnection with reason=23.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password", phase2="auth=PAP",
                   wait_connect=True, scan_freq="2412")
    # Only added, not selected yet.  (`id` shadows the builtin.)
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                        identity="pap user", anonymous_identity="ttls",
                        password="password", phase2="auth=PAP",
                        ca_cert="auth_serv/ca-incorrect.pem",
                        only_add_network=True, scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(id, freq="2412")

    # method=21 is EAP-TTLS.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    # NOTE(review): the guard line before this raise is missing from this
    # copy of the file.
    raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust

    Variant using a single network block: after a successful connection its
    ca_cert is changed in place to ca-incorrect.pem and the block is
    re-selected.  EAP-TTLS must be restarted and the attempt must end in a
    disconnection with reason=23.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # (`id` shadows the builtin.)
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                        identity="pap user", anonymous_identity="ttls",
                        password="password", phase2="auth=PAP",
                        ca_cert="auth_serv/ca.pem",
                        wait_connect=True, scan_freq="2412")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].set_network_quoted(id, "ca_cert", "auth_serv/ca-incorrect.pem")
    dev[0].select_network(id, freq="2412")

    # method=21 is EAP-TTLS.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    # NOTE(review): the guard line before this raise is missing from this
    # copy of the file.
    raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch

    The CA is correct but domain_suffix_match names a domain the server
    certificate does not belong to.  The expected sequence is a TLS
    certificate error mentioning "Domain suffix mismatch", an EAP failure,
    a disconnection and a temporarily disabled network block.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): "\m" is an invalid escape sequence kept verbatim by
    # Python; "DOMAIN\\mschapv2 user" would spell the same value safely.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_suffix_match="incorrect.example.com",
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): in this copy of the file the guard line before each
    # "... timed out" raise below is missing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The first outcome event must be the certificate error; success or a
    # connection here would mean the name constraint was not enforced.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    raise Exception("Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch

    Like the suffix-mismatch test but with domain_match="w1.fi": a full
    name match is required, so the parent domain alone must be rejected
    with a "Domain mismatch" certificate error, followed by EAP failure,
    disconnection and a temporarily disabled network block.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): "\m" is an invalid escape sequence kept verbatim by
    # Python; "DOMAIN\\mschapv2 user" would spell the same value safely.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_match="w1.fi",
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): in this copy of the file the guard line before each
    # "... timed out" raise below is missing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The first outcome event must be the certificate error; success or a
    # connection here would mean the name constraint was not enforced.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    raise Exception("Network block disabling not reported")
1579 def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
1580 """WPA2-Enterprise negative test - subject mismatch"""
1581 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1582 hostapd.add_ap(apdev[0]['ifname'], params)
1583 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1584 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1585 password="password", phase2="auth=MSCHAPV2",
1586 ca_cert="auth_serv/ca.pem",
1587 subject_match="/C=FI/O=w1.fi/CN=example.com",
1588 wait_connect=False, scan_freq="2412")
1590 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1592 raise Exception("Association and EAP start timed out")
1594 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
1595 "EAP: Failed to initialize EAP method"], timeout=10)
1597 raise Exception("EAP method selection timed out")
1598 if "EAP: Failed to initialize EAP method" in ev:
1599 tls = dev[0].request("GET tls_library")
1600 if tls.startswith("OpenSSL"):
1601 raise Exception("Failed to select EAP method")
1602 logger.info("subject_match not supported - connection failed, so test succeeded")
1604 if "TTLS" not in ev:
1605 raise Exception("Unexpected EAP method")
1607 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1608 "CTRL-EVENT-EAP-SUCCESS",
1609 "CTRL-EVENT-EAP-FAILURE",
1610 "CTRL-EVENT-CONNECTED",
1611 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1613 raise Exception("EAP result timed out")
1614 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1615 raise Exception("TLS certificate error not reported")
1616 if "Subject mismatch" not in ev:
1617 raise Exception("Subject mismatch not reported")
1619 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1620 "CTRL-EVENT-EAP-FAILURE",
1621 "CTRL-EVENT-CONNECTED",
1622 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1624 raise Exception("EAP result(2) timed out")
1625 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1626 raise Exception("EAP failure not reported")
1628 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1629 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1631 raise Exception("EAP result(3) timed out")
1632 if "CTRL-EVENT-DISCONNECTED" not in ev:
1633 raise Exception("Disconnection not reported")
1635 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1637 raise Exception("Network block disabling not reported")
1639 def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
1640 """WPA2-Enterprise negative test - altsubject mismatch"""
1641 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1642 hostapd.add_ap(apdev[0]['ifname'], params)
1644 tests = [ "incorrect.example.com",
1645 "DNS:incorrect.example.com",
1649 _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
1651 def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
1652 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1653 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1654 password="password", phase2="auth=MSCHAPV2",
1655 ca_cert="auth_serv/ca.pem",
1656 altsubject_match=match,
1657 wait_connect=False, scan_freq="2412")
1659 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1661 raise Exception("Association and EAP start timed out")
1663 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
1664 "EAP: Failed to initialize EAP method"], timeout=10)
1666 raise Exception("EAP method selection timed out")
1667 if "EAP: Failed to initialize EAP method" in ev:
1668 tls = dev[0].request("GET tls_library")
1669 if tls.startswith("OpenSSL"):
1670 raise Exception("Failed to select EAP method")
1671 logger.info("altsubject_match not supported - connection failed, so test succeeded")
1673 if "TTLS" not in ev:
1674 raise Exception("Unexpected EAP method")
1676 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1677 "CTRL-EVENT-EAP-SUCCESS",
1678 "CTRL-EVENT-EAP-FAILURE",
1679 "CTRL-EVENT-CONNECTED",
1680 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1682 raise Exception("EAP result timed out")
1683 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1684 raise Exception("TLS certificate error not reported")
1685 if "AltSubject mismatch" not in ev:
1686 raise Exception("altsubject mismatch not reported")
1688 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1689 "CTRL-EVENT-EAP-FAILURE",
1690 "CTRL-EVENT-CONNECTED",
1691 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1693 raise Exception("EAP result(2) timed out")
1694 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1695 raise Exception("EAP failure not reported")
1697 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1698 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1700 raise Exception("EAP result(3) timed out")
1701 if "CTRL-EVENT-DISCONNECTED" not in ev:
1702 raise Exception("Disconnection not reported")
1704 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1706 raise Exception("Network block disabling not reported")
1708 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS

    Starts an AP with the default WPA2-Enterprise parameters, connects
    dev[0] with the UNAUTH-TLS method (server certificate checked against
    auth_serv/ca.pem; no client certificate parameters are given) and then
    runs eap_reauth() with the same method.
    """
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "UNAUTH-TLS", "unauth-tls", ca_cert="auth_serv/ca.pem")
    eap_reauth(sta, "UNAUTH-TLS")
1718 def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
1719 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
# NOTE(review): this listing appears to omit the `if ev is None:` guard lines
# that precede each `raise Exception(... timed out ...)` below; the numbered
# lines are shown as-is and are not a complete, runnable body.
# The test has three phases:
#   1. ca_cert="probe://" - the connection is expected to fail with a
#      CERT-ERROR carrying "Server certificate chain probe", after the
#      depth=0 peer certificate event has reported hash=<srv_cert_hash>.
#   2. ca_cert pinned to a *different* sha256 hash - expected to fail with
#      "Server certificate mismatch".
#   3. ca_cert pinned to srv_cert_hash - eap_connect() is expected to succeed.
1720 check_cert_probe_support(dev[0])
# Expected SHA-256 hash of the server certificate used by auth_serv in this
# test setup (value taken from the test itself, not computed here).
1721 srv_cert_hash = "1477c9cd88391609444b83eca45c4f9f324e3051c5c31fc233ac6aede30ce7cd"
1722 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1723 hostapd.add_ap(apdev[0]['ifname'], params)
# Phase 1: probe only - no credentials beyond the identity, wait_connect=False
# because the connection is expected not to complete.
1724 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1725 identity="probe", ca_cert="probe://",
1726 wait_connect=False, scan_freq="2412")
1727 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1729 raise Exception("Association and EAP start timed out")
# The depth=0 entry is the server (leaf) certificate; its reported hash must
# match the pinned value.
1730 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
1732 raise Exception("No peer server certificate event seen")
1733 if "hash=" + srv_cert_hash not in ev:
1734 raise Exception("Expected server certificate hash not reported")
1735 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
1737 raise Exception("EAP result timed out")
1738 if "Server certificate chain probe" not in ev:
1739 raise Exception("Server certificate probe not reported")
1740 dev[0].wait_disconnected(timeout=10)
1741 dev[0].request("REMOVE_NETWORK all")
# Phase 2: hash:// pin that does not match the server certificate. With this
# ca_cert form the trust decision rests entirely on the pinned value, so a
# mismatch must be reported as a certificate error rather than accepted.
1743 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1744 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1745 password="password", phase2="auth=MSCHAPV2",
1746 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
1747 wait_connect=False, scan_freq="2412")
1748 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1750 raise Exception("Association and EAP start timed out")
1751 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
1753 raise Exception("EAP result timed out")
1754 if "Server certificate mismatch" not in ev:
1755 raise Exception("Server certificate mismatch not reported")
1756 dev[0].wait_disconnected(timeout=10)
1757 dev[0].request("REMOVE_NETWORK all")
# Phase 3: pin to the hash reported by the probe - full EAP-TTLS/MSCHAPv2
# authentication is expected to succeed (eap_connect() defaults to
# expect_failure=False).
1759 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
1760 anonymous_identity="ttls", password="password",
1761 ca_cert="hash://server/sha256/" + srv_cert_hash,
1762 phase2="auth=MSCHAPV2")
1764 def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
1765 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
# Three stations, each with a malformed hash:// ca_cert value; every one of
# them is expected to fail already at EAP method initialization (the exact
# log line is waited for below) rather than proceed to a TLS handshake:
#   dev[0] - unsupported digest name "md5" in the hash:// URL
#   dev[1] - sha256 hash that is two hex characters short (62 instead of 64)
#   dev[2] - sha256 hash of the right length but containing a non-hex "Q"
# NOTE(review): the listing appears to omit the `if ev is None:` lines that
# precede the two `raise Exception(...)` lines in the loop.
1766 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1767 hostapd.add_ap(apdev[0]['ifname'], params)
1768 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1769 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1770 password="password", phase2="auth=MSCHAPV2",
1771 ca_cert="hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
1772 wait_connect=False, scan_freq="2412")
1773 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1774 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1775 password="password", phase2="auth=MSCHAPV2",
1776 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
1777 wait_connect=False, scan_freq="2412")
1778 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1779 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1780 password="password", phase2="auth=MSCHAPV2",
1781 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
1782 wait_connect=False, scan_freq="2412")
# All three stations must start EAP and then report the TTLS (method 21)
# initialization failure; the test does not wait for a disconnect.
1783 for i in range(0, 3):
1784 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1786 raise Exception("Association and EAP start timed out")
1787 ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
1789 raise Exception("Did not report EAP method initialization failure")
1791 def test_ap_wpa2_eap_pwd(dev, apdev):
1792 """WPA2-Enterprise connection using EAP-pwd"""
1793 check_eap_capa(dev[0], "PWD")
1794 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1795 hostapd.add_ap(apdev[0]['ifname'], params)
1796 eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
1797 eap_reauth(dev[0], "PWD")
1798 dev[0].request("REMOVE_NETWORK all")
1800 eap_connect(dev[1], apdev[0], "PWD",
1801 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1802 password="secret password",
1805 logger.info("Negative test with incorrect password")
1806 eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
1807 expect_failure=True, local_error_report=True)
1809 eap_connect(dev[0], apdev[0], "PWD",
1810 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1811 password="secret password",
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash

    Three stations against one AP, run in this order:
      dev[0] - identity "pwd-hash", cleartext password      -> must succeed
      dev[1] - identity "pwd-hash", credential given as a
               stored NT hash (password_hex="hash:<hex>")  -> must succeed
      dev[2] - identity "pwd user" with that same hash     -> must fail
               (expect_failure=True, local_error_report=True)
    Note that for dev[1] the hash alone is enough to authenticate, so a
    stored NT hash has to be protected exactly like the password itself.
    """
    check_eap_capa(dev[0], "PWD")
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    nthash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    cases = [ (dev[0], "pwd-hash", dict(password="secret password")),
              (dev[1], "pwd-hash", dict(password_hex=nthash)),
              (dev[2], "pwd user", dict(password_hex=nthash,
                                        expect_failure=True,
                                        local_error_report=True)) ]
    for sta, identity, kwargs in cases:
        eap_connect(sta, ap, "PWD", identity, **kwargs)
def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups

    Re-adds the AP once per pwd_group value (19, 20, 21, 25, 26) with the
    internal EAP server enabled and checks that dev[0] completes an EAP-pwd
    exchange for each of them. The station's network blocks are removed
    before every iteration so each run starts from a fresh configuration.
    """
    check_eap_capa(dev[0], "PWD")
    sta = dev[0]
    ap = apdev[0]
    base = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
             "rsn_pairwise": "CCMP", "ieee8021x": "1",
             "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    for group in ( 19, 20, 21, 25, 26 ):
        # The same dict is reused; only the group selector changes per round.
        base['pwd_group'] = str(group)
        hostapd.add_ap(ap['ifname'], base)
        sta.request("REMOVE_NETWORK all")
        eap_connect(sta, ap, "PWD", "pwd user", password="secret password")
1838 def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
1839 """WPA2-Enterprise connection using invalid EAP-pwd group"""
# pwd_group "0" is not among the values exercised by
# test_ap_wpa2_eap_pwd_groups (19, 20, 21, 25, 26); the station is expected
# to end up with CTRL-EVENT-EAP-FAILURE instead of connecting.
1840 check_eap_capa(dev[0], "PWD")
1841 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
1842 "rsn_pairwise": "CCMP", "ieee8021x": "1",
1843 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
1844 params['pwd_group'] = "0"
1845 hostapd.add_ap(apdev[0]['ifname'], params)
1846 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
1847 identity="pwd user", password="secret password",
1848 scan_freq="2412", wait_connect=False)
# No explicit timeout is passed here, unlike most wait_event() calls in this
# file. NOTE(review): the listing appears to omit the `if ev is None:` guard
# between the next two lines.
1849 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
1851 raise Exception("Timeout on EAP failure report")
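def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation

    The AP runs the internal EAP server with pwd_group 19 and a deliberately
    small fragment_size (40), which per the test title is meant to force
    server-side fragmentation of the EAP-pwd messages; dev[0] must still
    complete the exchange.

    The original built the default parameter set with
    hostapd.wpa2_eap_params() and immediately discarded it by rebinding
    ``params`` to the literal dict; that dead assignment has been removed.
    """
    check_eap_capa(dev[0], "PWD")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "19", "fragment_size": "40" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")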
1864 def test_ap_wpa2_eap_gpsk(dev, apdev):
1865 """WPA2-Enterprise connection using EAP-GPSK"""
1866 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1867 hostapd.add_ap(apdev[0]['ifname'], params)
1868 id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
1869 password="abcdefghijklmnop0123456789abcdef")
1870 eap_reauth(dev[0], "GPSK")
1872 logger.info("Test forced algorithm selection")
1873 for phase1 in [ "cipher=1", "cipher=2" ]:
1874 dev[0].set_network_quoted(id, "phase1", phase1)
1875 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
1877 raise Exception("EAP success timed out")
1878 dev[0].wait_connected(timeout=10)
1880 logger.info("Test failed algorithm negotiation")
1881 dev[0].set_network_quoted(id, "phase1", "cipher=9")
1882 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
1884 raise Exception("EAP failure timed out")
1886 logger.info("Negative test with incorrect password")
1887 dev[0].request("REMOVE_NETWORK all")
1888 eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
1889 password="ffcdefghijklmnop0123456789abcdef",
1890 expect_failure=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE

    Positive case: dev[0] authenticates with the 64-hex-character
    password_hex key and then goes through eap_reauth(). Negative case: the
    network is removed and a key differing in its first byte must be
    rejected (expect_failure=True).
    """
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    good_key = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    eap_connect(sta, ap, "SAKE", "sake user", password_hex=good_key)
    eap_reauth(sta, "SAKE")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    bad_key = "ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    eap_connect(sta, ap, "SAKE", "sake user", password_hex=bad_key,
                expect_failure=True)
1906 def test_ap_wpa2_eap_eke(dev, apdev):
1907 """WPA2-Enterprise connection using EAP-EKE"""
1908 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1909 hostapd.add_ap(apdev[0]['ifname'], params)
1910 id = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
1911 eap_reauth(dev[0], "EKE")
1913 logger.info("Test forced algorithm selection")
1914 for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
1915 "dhgroup=4 encr=1 prf=2 mac=2",
1916 "dhgroup=3 encr=1 prf=2 mac=2",
1917 "dhgroup=3 encr=1 prf=1 mac=1" ]:
1918 dev[0].set_network_quoted(id, "phase1", phase1)
1919 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
1921 raise Exception("EAP success timed out")
1922 dev[0].wait_connected(timeout=10)
1924 logger.info("Test failed algorithm negotiation")
1925 dev[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
1926 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
1928 raise Exception("EAP failure timed out")
1930 logger.info("Negative test with incorrect password")
1931 dev[0].request("REMOVE_NETWORK all")
1932 eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
1933 expect_failure=True)
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI

    Uses the internal-EAP-server parameter set with server_id set to an
    NAI-formatted value and checks that dev[0] still completes EAP-EKE.
    """
    params = int_eap_server_params()
    params.update(server_id='example.server@w1.fi')
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
1942 def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
1943 """WPA2-Enterprise connection using EAP-EKE with server OOM"""
1944 params = int_eap_server_params()
1945 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1946 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
1948 for count,func in [ (1, "eap_eke_build_commit"),
1949 (2, "eap_eke_build_commit"),
1950 (3, "eap_eke_build_commit"),
1951 (1, "eap_eke_build_confirm"),
1952 (2, "eap_eke_build_confirm"),
1953 (1, "eap_eke_process_commit"),
1954 (2, "eap_eke_process_commit"),
1955 (1, "eap_eke_process_confirm"),
1956 (1, "eap_eke_process_identity"),
1957 (2, "eap_eke_process_identity"),
1958 (3, "eap_eke_process_identity"),
1959 (4, "eap_eke_process_identity") ]:
1960 with alloc_fail(hapd, count, func):
1961 eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello",
1962 expect_failure=True)
1963 dev[0].request("REMOVE_NETWORK all")
1965 for count,func,pw in [ (1, "eap_eke_init", "hello"),
1966 (1, "eap_eke_get_session_id", "hello"),
1967 (1, "eap_eke_getKey", "hello"),
1968 (1, "eap_eke_build_msg", "hello"),
1969 (1, "eap_eke_build_failure", "wrong"),
1970 (1, "eap_eke_build_identity", "hello"),
1971 (2, "eap_eke_build_identity", "hello") ]:
1972 with alloc_fail(hapd, count, func):
1973 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1974 eap="EKE", identity="eke user", password=pw,
1975 wait_connect=False, scan_freq="2412")
1976 # This would eventually time out, but we can stop after having
1977 # reached the allocation failure.
1980 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1982 dev[0].request("REMOVE_NETWORK all")
1984 for count in range(1, 1000):
1986 with alloc_fail(hapd, count, "eap_server_sm_step"):
1987 dev[0].connect("test-wpa2-eap",
1988 key_mgmt="WPA-EAP WPA-EAP-SHA256",
1989 eap="EKE", identity="eke user", password=pw,
1990 wait_connect=False, scan_freq="2412")
1991 # This would eventually time out, but we can stop after having
1992 # reached the allocation failure.
1995 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1997 dev[0].request("REMOVE_NETWORK all")
1998 except Exception, e:
1999 if str(e) == "Allocation failure did not trigger":
2001 raise Exception("Too few allocation failures")
2002 logger.info("%d allocation failures tested" % (count - 1))
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2

    Runs three EAP-IKEv2 connections for dev[0] against the same AP:
      1. default settings, followed by eap_reauth();
      2. the same credentials with fragment_size="50" on the station side;
      3. a wrong password ("ike-password"), which must be rejected.
    The network block is removed between the runs.
    """
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect(**kwargs):
        eap_connect(sta, ap, "IKEV2", "ikev2 user", **kwargs)

    connect(password="ike password")
    eap_reauth(sta, "IKEV2")
    sta.request("REMOVE_NETWORK all")
    connect(password="ike password", fragment_size="50")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    connect(password="ike-password", expect_failure=True)
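def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation

    The AP runs the internal EAP server with fragment_size "50", which per
    the test title is meant to force server-side fragmentation; dev[0] must
    still complete EAP-IKEv2 and a subsequent eap_reauth().

    The original built the default parameter set with
    hostapd.wpa2_eap_params() and immediately discarded it by rebinding
    ``params`` to the literal dict; that dead assignment has been removed.
    """
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")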
2034 def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
2035 """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
2036 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2037 hostapd.add_ap(apdev[0]['ifname'], params)
2039 tests = [ (1, "dh_init"),
2041 (1, "dh_derive_shared") ]
2042 for count, func in tests:
2043 with alloc_fail(dev[0], count, func):
2044 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2045 identity="ikev2 user", password="ike password",
2046 wait_connect=False, scan_freq="2412")
2047 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2049 raise Exception("EAP method not selected")
2051 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2054 dev[0].request("REMOVE_NETWORK all")
2056 tests = [ (1, "os_get_random;dh_init") ]
2057 for count, func in tests:
2058 with fail_test(dev[0], count, func):
2059 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2060 identity="ikev2 user", password="ike password",
2061 wait_connect=False, scan_freq="2412")
2062 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2064 raise Exception("EAP method not selected")
2066 if "0:" in dev[0].request("GET_FAIL"):
2069 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX

    dev[0] authenticates with EAP-PAX using a 32-hex-character password_hex
    key and then runs eap_reauth(). Afterwards the network is removed and a
    key differing in its first byte must be rejected.
    """
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    identity = "pax.user@example.com"
    eap_connect(sta, ap, "PAX", identity,
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(sta, "PAX")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PAX", identity,
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK

    The AP is configured with wpa_key_mgmt=WPA-EAP-SHA256 and ieee80211w=2.
    dev[0] connects with EAP-PSK (sha256=True) and reauthenticates;
    check_mib() is then expected to find 00-0f-ac-5 as both the requested
    and the selected authentication suite, and the BSS table entry must
    carry the [WPA2-EAP-SHA256-CCMP] flag. Finally a wrong key must be
    rejected.
    """
    sta = dev[0]
    ap = apdev[0]
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params.update({ "wpa_key_mgmt": "WPA-EAP-SHA256", "ieee80211w": "2" })
    hostapd.add_ap(ap['ifname'], params)

    identity = "psk.user@example.com"
    eap_connect(sta, ap, "PSK", identity,
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(sta, "PSK", sha256=True)
    suite = "00-0f-ac-5"
    check_mib(sta, [ ("dot11RSNAAuthenticationSuiteRequested", suite),
                     ("dot11RSNAAuthenticationSuiteSelected", suite) ])

    bss = sta.get_bss(ap['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    flags = bss['flags']
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PSK", identity,
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
2109 def test_ap_wpa2_eap_psk_oom(dev, apdev):
2110 """WPA2-Enterprise connection using EAP-PSK and OOM"""
2111 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2112 hostapd.add_ap(apdev[0]['ifname'], params)
2113 tests = [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
2114 (1, "omac1_aes_128;aes_128_eax_encrypt"),
2115 (2, "omac1_aes_128;aes_128_eax_encrypt"),
2116 (3, "omac1_aes_128;aes_128_eax_encrypt"),
2117 (1, "=aes_128_eax_encrypt"),
2118 (1, "omac1_aes_vector"),
2119 (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt"),
2120 (1, "omac1_aes_128;aes_128_eax_decrypt"),
2121 (2, "omac1_aes_128;aes_128_eax_decrypt"),
2122 (3, "omac1_aes_128;aes_128_eax_decrypt"),
2123 (1, "=aes_128_eax_decrypt") ]
2124 for count, func in tests:
2125 with alloc_fail(dev[0], count, func):
2126 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2127 identity="psk.user@example.com",
2128 password_hex="0123456789abcdef0123456789abcdef",
2129 wait_connect=False, scan_freq="2412")
2130 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2132 raise Exception("EAP method not selected")
2134 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2137 dev[0].request("REMOVE_NETWORK all")
2139 with alloc_fail(dev[0], 1, "aes_128_encrypt_block"):
2140 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2141 identity="psk.user@example.com",
2142 password_hex="0123456789abcdef0123456789abcdef",
2143 wait_connect=False, scan_freq="2412")
2144 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2146 raise Exception("EAP method failure not reported")
2147 dev[0].request("REMOVE_NETWORK all")
2149 def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
2150 """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
2151 params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
2152 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2153 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
2154 identity="user", password="password", phase2="auth=MSCHAPV2",
2155 ca_cert="auth_serv/ca.pem", wait_connect=False,
2157 eap_check_auth(dev[0], "PEAP", True, rsn=False)
2158 hwsim_utils.test_connectivity(dev[0], hapd)
2159 eap_reauth(dev[0], "PEAP", rsn=False)
2160 check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
2161 ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
2162 status = dev[0].get_status(extra="VERBOSE")
2163 if 'portControl' not in status:
2164 raise Exception("portControl missing from STATUS-VERBOSE")
2165 if status['portControl'] != 'Auto':
2166 raise Exception("Unexpected portControl value: " + status['portControl'])
2167 if 'eap_session_id' not in status:
2168 raise Exception("eap_session_id missing from STATUS-VERBOSE")
2169 if not status['eap_session_id'].startswith("19"):
2170 raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
2172 def test_ap_wpa2_eap_interactive(dev, apdev):
2173 """WPA2-Enterprise connection using interactive identity/password entry"""
2174 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2175 hostapd.add_ap(apdev[0]['ifname'], params)
2176 hapd = hostapd.Hostapd(apdev[0]['ifname'])
2178 tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
2179 "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
2181 ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
2182 "TTLS", "ttls", None, "auth=MSCHAPV2",
2183 "DOMAIN\mschapv2 user", "password"),
2184 ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
2185 "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
2186 ("Connection with dynamic TTLS/EAP-MD5 password entry",
2187 "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
2188 ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
2189 "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
2190 ("Connection with dynamic PEAP/EAP-GTC password entry",
2191 "PEAP", None, "user", "auth=GTC", None, "password") ]
2192 for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
2194 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
2195 anonymous_identity=anon, identity=identity,
2196 ca_cert="auth_serv/ca.pem", phase2=phase2,
2197 wait_connect=False, scan_freq="2412")
2199 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
2201 raise Exception("Request for identity timed out")
2202 id = ev.split(':')[0].split('-')[-1]
2203 dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
2204 ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
2206 raise Exception("Request for password timed out")
2207 id = ev.split(':')[0].split('-')[-1]
2208 type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
2209 dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
2210 dev[0].wait_connected(timeout=10)
2211 dev[0].request("REMOVE_NETWORK all")
2213 def test_ap_wpa2_eap_vendor_test(dev, apdev):
2214 """WPA2-Enterprise connection using EAP vendor test"""
2215 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2216 hostapd.add_ap(apdev[0]['ifname'], params)
2217 eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
2218 eap_reauth(dev[0], "VENDOR-TEST")
2219 eap_connect(dev[1], apdev[0], "VENDOR-TEST", "vendor-test",
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning

    dev[0] connects with EAP-FAST, inner auth=MSCHAPV2, phase1
    fast_provisioning=1 and a PAC stored in the blob "fast_pac". Data
    connectivity to the AP is checked, and the following eap_reauth() must
    report tls_session_reused == '1', i.e. the freshly provisioned PAC was
    used for the second authentication.
    """
    check_eap_capa(dev[0], "FAST")
    sta = dev[0]
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(sta, hapd)
    reused = eap_reauth(sta, "FAST")['tls_session_reused']
    if reused != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2236 def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
2237 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
2238 check_eap_capa(dev[0], "FAST")
2239 pac_file = os.path.join(params['logdir'], "fast.pac")
2240 pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
2241 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2242 hostapd.add_ap(apdev[0]['ifname'], params)
2245 eap_connect(dev[0], apdev[0], "FAST", "user",
2246 anonymous_identity="FAST", password="password",
2247 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2248 phase1="fast_provisioning=1", pac_file=pac_file)
2249 with open(pac_file, "r") as f:
2251 if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
2252 raise Exception("PAC file header missing")
2253 if "PAC-Key=" not in data:
2254 raise Exception("PAC-Key missing from PAC file")
2255 dev[0].request("REMOVE_NETWORK all")
2256 eap_connect(dev[0], apdev[0], "FAST", "user",
2257 anonymous_identity="FAST", password="password",
2258 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2261 eap_connect(dev[1], apdev[0], "FAST", "user",
2262 anonymous_identity="FAST", password="password",
2263 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2264 phase1="fast_provisioning=1 fast_pac_format=binary",
2266 dev[1].request("REMOVE_NETWORK all")
2267 eap_connect(dev[1], apdev[0], "FAST", "user",
2268 anonymous_identity="FAST", password="password",
2269 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2270 phase1="fast_pac_format=binary",
2278 os.remove(pac_file2)
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format

    Same flow as the unauthenticated-provisioning test, but with
    fast_pac_format=binary and fast_max_pac_list_len=1 in phase1 and the
    PAC kept in the blob "fast_pac_bin". The eap_reauth() result must show
    tls_session_reused == '1'.
    """
    check_eap_capa(dev[0], "FAST")
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    phase1 = "fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary"
    eap_connect(sta, ap, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1=phase1,
                pac_file="blob://fast_pac_bin")
    reused = eap_reauth(sta, "FAST")['tls_session_reused']
    if reused != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2296 def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
2297 """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
# Two negative cases, both expected to end in CTRL-EVENT-EAP-FAILURE:
#   1. pac_file points at a blob ("fast_pac_not_in_use") but no phase1
#      provisioning mode is given (compare
#      test_ap_wpa2_eap_fast_mschapv2_unauth_prov, which passes
#      phase1="fast_provisioning=1");
#   2. neither pac_file nor phase1 is configured at all.
# NOTE(review): the listing appears to omit the `if ev is None:` guard that
# precedes each `raise Exception("Timeout on EAP failure report")` line.
2298 check_eap_capa(dev[0], "FAST")
2299 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2300 hostapd.add_ap(apdev[0]['ifname'], params)
# Case 1: PAC blob named but no provisioning mode.
2302 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2303 identity="user", anonymous_identity="FAST",
2304 password="password",
2305 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2306 pac_file="blob://fast_pac_not_in_use",
2307 wait_connect=False, scan_freq="2412")
# wait_event() is called without an explicit timeout here.
2308 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2310 raise Exception("Timeout on EAP failure report")
2311 dev[0].request("REMOVE_NETWORK all")
# Case 2: no PAC configuration at all.
2313 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2314 identity="user", anonymous_identity="FAST",
2315 password="password",
2316 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2317 wait_connect=False, scan_freq="2412")
2318 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2320 raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning

    dev[0] connects with EAP-FAST, inner auth=GTC, phase1
    fast_provisioning=2 and the PAC stored in the blob "fast_pac_auth".
    Data connectivity to the AP is checked, and the following eap_reauth()
    must report tls_session_reused == '1'.
    """
    check_eap_capa(dev[0], "FAST")
    sta = dev[0]
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
    hwsim_utils.test_connectivity(sta, hapd)
    reused = eap_reauth(sta, "FAST")['tls_session_reused']
    if reused != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing

    After a successful connection the network's identity is switched to
    "user2". The supplicant is expected to drop the association, start
    EAP-FAST again and then report EAP failure, ending disconnected.
    """
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    netid = eap_connect(dev[0], apdev[0], "FAST", "user",
                        anonymous_identity="FAST", password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                        phase1="fast_provisioning=2",
                        pac_file="blob://fast_pac_auth")
    dev[0].set_network_quoted(netid, "identity", "user2")
    dev[0].wait_disconnected()

    # First the method must be (re)started, then it must fail.
    expected = [(["CTRL-EVENT-EAP-METHOD"], 15, "EAP-FAST not started"),
                (["CTRL-EVENT-EAP-FAILURE"], 5, "EAP failure not reported")]
    for events, limit, msg in expected:
        if dev[0].wait_event(events, timeout=limit) is None:
            raise Exception(msg)
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and OOM in PRF

    An allocation inside openssl_tls_prf on the supplicant is forced to fail
    (alloc_fail count 2 -- presumably the second allocation; see utils).
    The expected outcome is a clean EAP failure report within 15 s, not a
    crash or a hang.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(dev[0], 2, "openssl_tls_prf"):
        # NOTE(review): one keyword line of this call was lost in extraction
        # (upstream line 2365); the sibling fast_pac_auth tests pass
        # phase2="auth=GTC" at this point -- confirm against the original file.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password", ca_cert="auth_serv/ca.pem",
                       phase1="fast_provisioning=2",
                       pac_file="blob://fast_pac_auth",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        if ev is None:
            raise Exception("EAP failure not reported")
        dev[0].request("DISCONNECT")
def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
    """EAP-FAST/MSCHAPv2 and server OOM

    hostapd's tls_session_ticket_ext_cb is made to fail an allocation while
    the client is provisioning a PAC (fast_provisioning=1). The client must
    observe EAP failure and disconnect; the same network is then selected
    again with allocations working normally.
    """
    check_eap_capa(dev[0], "FAST")

    ap_params = int_eap_server_params()
    ap_params['dh_file'] = 'auth_serv/dh.conf'
    # Fixed, test-only PAC-Opaque key and A-ID so the run is reproducible.
    ap_params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
    ap_params['eap_fast_a_id'] = '1011'
    ap_params['eap_fast_a_id_info'] = 'another test server'
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)

    with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
        netid = eap_connect(dev[0], apdev[0], "FAST", "user",
                            anonymous_identity="FAST", password="password",
                            ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                            phase1="fast_provisioning=1",
                            pac_file="blob://fast_pac",
                            expect_failure=True)
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
            raise Exception("No EAP failure reported")
        dev[0].wait_disconnected()
        dev[0].request("DISCONNECT")

    dev[0].select_network(netid, freq="2412")
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP

    ocsp=2 makes a valid stapled OCSP response mandatory; the default AP
    configuration is expected to satisfy it and the connection to succeed.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever",
                ocsp=2)
def int_eap_server_params():
    """Return hostapd parameters for an AP using the integrated EAP server.

    WPA2/CCMP with IEEE 802.1X (WPA-EAP) key management; users come from
    auth_serv/eap_user.conf and the server identity is the auth_serv test
    certificate and key. A fresh dict is returned on every call, so callers
    may adjust it freely before passing it to hostapd.add_ap().
    """
    server_params = dict(
        ssid="test-wpa2-eap",
        wpa="2",
        wpa_key_mgmt="WPA-EAP",
        rsn_pairwise="CCMP",
        ieee8021x="1",
        eap_server="1",
        eap_user_file="auth_serv/eap_user.conf",
        ca_cert="auth_serv/ca.pem",
        server_cert="auth_serv/server.pem",
        private_key="auth_serv/server.key",
    )
    return server_params
def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data

    The AP staples auth_serv/ocsp-req.der (by its name an OCSP request, not a
    response). With ocsp=2 the supplicant must flag a bad certificate status
    response within the first eleven EAP status events and then report EAP
    failure.
    """
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    for _ in range(11):
        status = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if status is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in status:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response

    The stapled file is a corrupted cached server response. With ocsp=2 the
    supplicant must report a bad certificate status response within the
    first eleven EAP status events, followed by EAP failure.
    """
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    for _ in range(11):
        status = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if status is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in status:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer

    The stapled response is signed by a key the supplicant does not trust.
    With ocsp=2 this must be treated like any other bad status response: a
    'bad certificate status response' event within eleven status events and
    then EAP failure.
    """
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    for _ in range(11):
        status = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if status is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in status:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked

    Uses a pre-generated OCSP response from the log directory that marks the
    server certificate revoked (skipped when the file is absent). With
    ocsp=2 the supplicant must report either 'certificate revoked' or a bad
    status response within eleven EAP status events, then EAP failure.
    """
    ocsp_resp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
    if not os.path.exists(ocsp_resp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp_resp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    rejection_markers = ('bad certificate status response',
                         'certificate revoked')
    for _ in range(11):
        status = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if status is None:
            raise Exception("Timeout on EAP status")
        if any(marker in status for marker in rejection_markers):
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown

    The stapled response (pre-generated in the log directory, test skipped
    if missing) reports the server certificate status as unknown. Because
    ocsp=2 requires a good status, the supplicant must flag a bad
    certificate status response within eleven status events and then fail.
    """
    ocsp_resp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp_resp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp_resp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    for _ in range(11):
        status = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if status is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in status:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP, status unknown

    Same 'unknown' stapled response as the ocsp=2 variant, but with ocsp=1
    (optional). An unknown status is then not a hard failure and the
    connection is expected to complete.
    """
    ocsp_resp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp_resp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp_resp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")
def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)

    The server certificate carries no dNSName SAN, so the suffix match falls
    back to the subject CN. A full, exact CN value is used here so the test
    does not depend on partial-suffix support in the TLS library.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="server3.w1.fi",
                   scan_freq="2412")
def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain match (CN)

    domain_match requires the whole name to match; with no dNSName SAN in
    the server certificate the CN is compared and the connection must
    succeed.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="server3.w1.fi",
                   scan_freq="2412")
def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)

    A partial suffix ("w1.fi") is matched against the CN of a certificate
    without dNSName SAN. check_domain_match_full() skips the test on TLS
    libraries that only support full-name matching. Runs on dev[1].
    """
    check_domain_match_full(dev[0])
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="w1.fi",
                   scan_freq="2412")
def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)

    Two stations with suffixes that must NOT match the server CN: a
    different domain ("example.com") and a suffix that only matches inside a
    label ("erver3.w1.fi"). Both must end in EAP failure -- the second case
    guards against suffix matching that ignores label boundaries.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    bad_suffixes = ("example.com", "erver3.w1.fi")
    for idx, suffix in enumerate(bad_suffixes):
        dev[idx].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                         identity="tls user", ca_cert="auth_serv/ca.pem",
                         private_key="auth_serv/user.pkcs12",
                         private_key_passwd="whatever",
                         domain_suffix_match=suffix,
                         scan_freq="2412", wait_connect=False)

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
    if dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report (2)")
def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)

    domain_match is a full-name comparison, so neither a different domain
    ("example.com") nor a mere suffix of the CN ("w1.fi") may be accepted.
    Both stations must report EAP failure.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    bad_domains = ("example.com", "w1.fi")
    for idx, domain in enumerate(bad_domains):
        dev[idx].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                         identity="tls user", ca_cert="auth_serv/ca.pem",
                         private_key="auth_serv/user.pkcs12",
                         private_key_passwd="whatever",
                         domain_match=domain,
                         scan_freq="2412", wait_connect=False)

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
    if dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report (2)")
def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and expired certificate

    The AP presents an expired server certificate. The supplicant must emit
    a CTRL-EVENT-EAP-TLS-CERT-ERROR carrying reason=4 and the text
    'certificate has expired', and then report EAP failure.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-expired.pem"
    ap_params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412", wait_connect=False)

    cert_err = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
    if cert_err is None:
        raise Exception("Timeout on EAP certificate error report")
    expected_markers = ("reason=4", "certificate has expired")
    if not all(marker in cert_err for marker in expected_markers):
        raise Exception("Unexpected failure reason: " + cert_err)

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration

    Same expired server certificate as test_ap_wpa2_eap_ttls_expired_cert,
    but phase1 sets tls_disable_time_checks=1. That option deliberately
    disables validity-period checking, so the connection is expected to
    succeed here -- it is a debugging aid, not a production setting.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-expired.pem"
    ap_params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   phase1="tls_disable_time_checks=1",
                   scan_freq="2412")
def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and long certificate duration

    The server certificate has an unusually long validity period; the
    supplicant must still accept it and connect normally.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-long-duration.pem"
    ap_params["private_key"] = "auth_serv/server-long-duration.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412")
def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client EKU

    The server certificate's Extended Key Usage allows only client
    authentication. The supplicant must refuse to authenticate the server
    with it and report EAP failure.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-eku-client.pem"
    ap_params["private_key"] = "auth_serv/server-eku-client.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412", wait_connect=False)
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU

    Counterpart of the client-EKU-only test: a certificate whose EKU lists
    both client and server authentication is acceptable for the server
    role, so the connection must succeed.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-eku-client-server.pem"
    ap_params["private_key"] = "auth_serv/server-eku-client-server.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412")
def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file

    hostapd loads both certificate and key from one PKCS#12 container:
    server_cert is removed and private_key points at the .pkcs12 file.
    """
    ap_params = int_eap_server_params()
    del ap_params["server_cert"]
    ap_params["private_key"] = "auth_serv/server.pkcs12"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412")
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params

    The supplicant is given an explicit dh_file; the CA is supplied in DER
    form (auth_serv/ca.der) rather than PEM.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.der",
                phase2="auth=CHAP",
                dh_file="auth_serv/dh.conf")
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)

    Like test_ap_wpa2_eap_ttls_dh_params but the supplicant's dh_file holds
    DSA parameters (auth_serv/dsaparam.pem).
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.der",
                phase2="auth=CHAP",
                dh_file="auth_serv/dsaparam.pem")
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TTLS and DH params file not found

    Supplicant-side variant: dh_file names a file that does not exist, so
    the TLS setup must fail and an EAP failure must be reported. Note that a
    later definition with the same name (server-side dh_file check) shadows
    this one at import time.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   dh_file="auth_serv/dh-no-such-file.conf",
                   scan_freq="2412", wait_connect=False)
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("EAP failure timed out")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TTLS and invalid DH params file

    Supplicant-side variant: dh_file points at a certificate (ca.pem), which
    is not valid DH parameter data; EAP failure is expected. Note that a
    later definition with the same name (server-side check) shadows this one
    at import time.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   dh_file="auth_serv/ca.pem",
                   scan_freq="2412", wait_connect=False)
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("EAP failure timed out")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
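def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob

    The DH parameters are read from auth_serv/dh2.conf with read_pem(),
    pushed into the supplicant as a blob via "SET blob dhparams <hex>", and
    then referenced as dh_file="blob://dhparams".

    Raises Exception if the supplicant rejects the SET blob command.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dh = read_pem("auth_serv/dh2.conf")
    # binascii.hexlify works for both a Python 2 str and a Python 3 bytes
    # value, unlike the Python 2-only str.encode("hex").
    dh_hex = binascii.hexlify(dh).decode('ascii')
    if "OK" not in dev[0].request("SET blob dhparams " + dh_hex):
        raise Exception("Could not set dhparams blob")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                dh_file="blob://dhparams")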
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams

    The integrated EAP server is configured with auth_serv/dh2.conf instead
    of its default DH parameters; the connection must still succeed.
    """
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/dh2.conf"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.der",
                phase2="auth=CHAP")
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)

    The integrated EAP server is configured with DSA parameters
    (auth_serv/dsaparam.pem) as its dh_file; the connection must succeed.
    """
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/dsaparam.pem"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.der",
                phase2="auth=CHAP")
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TLS server and dhparams file not found

    Server-side check: hostapd is configured with a dh_file that does not
    exist and must refuse ENABLE. This definition shares its name with the
    supplicant-side test above and therefore shadows it; renaming one of
    the two would let both run.
    """
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/dh-no-such-file.conf"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params, no_enable=True)
    enable_res = hapd.request("ENABLE")
    if "FAIL" not in enable_res:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TLS server and invalid dhparams file

    Server-side check: dh_file points at a certificate (ca.pem) rather than
    DH parameters, and hostapd must refuse ENABLE. This definition shares
    its name with the supplicant-side test above and therefore shadows it;
    renaming one of the two would let both run.
    """
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/ca.pem"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params, no_enable=True)
    enable_res = hapd.request("ENABLE")
    if "FAIL" not in enable_res:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_reauth(dev, apdev):
    """WPA2-Enterprise and Authenticator forcing reauthentication

    eap_reauth_period=2 makes hostapd trigger a full EAP reauthentication
    after two seconds. The supplicant must see EAP start again, succeed, and
    return to wpa_state COMPLETED.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['eap_reauth_period'] = '2'
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    logger.info("Wait for reauthentication")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Timeout on reauthentication")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("Timeout on reauthentication")
    # Poll wpa_state up to 20 times for the 4-way handshake to finish.
    for i in range(0, 20):
        state = dev[0].get_status_field("wpa_state")
        if state == "COMPLETED":
            break
        # NOTE(review): the short delay between polls (upstream line 2849)
        # was lost in extraction -- restore it from the original file.
    if state != "COMPLETED":
        raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity

    hostapd's eap_message puts a displayable string plus a NUL-separated
    option list (networkid/nasid/portid/NAIRealms) into the EAP
    Request-Identity; the supplicant must handle it and connect normally.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication

    With eap_sim_aka_result_ind=1 on the server, each of EAP-SIM, EAP-AKA
    and EAP-AKA' is run on dev[0] with phase1="result_ind=1" (including a
    reauthentication) and on dev[1] without it. Requires hlr_auc_gw; the
    triplet/quintuplet values are the test-database entries.
    """
    check_hlr_auc_gw_support()
    ap_params = int_eap_server_params()
    ap_params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    ap_params['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # (method, identity, password) for the three SIM-based methods.
    cases = [
        ("SIM", "1232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("AKA", "0232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    for idx, (method, identity, secret) in enumerate(cases):
        if idx:
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], method, identity,
                    password=secret,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], apdev[0], method, identity,
                    password=secret)
def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
    """WPA2-Enterprise connection resulting in too many EAP roundtrips

    The supplicant is expected to abort with an "EAP: more than ..."
    message once the exchange exceeds its roundtrip limit, instead of
    continuing an unbounded EAP conversation.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the final keyword line of this call (upstream line 2905)
    # was lost in extraction; upstream forces very small EAP fragments here so
    # that the exchange runs over the roundtrip limit -- restore it from the
    # original file before running.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="TTLS", identity="mschap user",
                   wait_connect=False, scan_freq="2412", ieee80211w="1",
                   anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
    ev = dev[0].wait_event(["EAP: more than"], timeout=20)
    if ev is None:
        raise Exception("EAP roundtrip limit not reached")
def test_ap_wpa2_eap_expanded_nak(dev, apdev):
    """WPA2-Enterprise connection with EAP resulting in expanded NAK

    The "vendor-test" identity makes the server propose a vendor-specific
    (expanded) method while the station only offers EAP-PSK. Within the
    first five EAP status events one must say "refuse proposed method",
    i.e. an expanded NAK was sent; EAP failure must follow.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="PSK", identity="vendor-test",
                   password_hex="ff23456789abcdef0123456789abcdef",
                   scan_freq="2412", wait_connect=False)

    status = None
    for _ in range(5):
        status = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
        if status is None:
            raise Exception("Association and EAP start timed out")
        if "refuse proposed method" in status:
            break
    else:
        raise Exception("Unexpected EAP status: " + status)

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("EAP failure timed out")
def test_ap_wpa2_eap_sql(dev, apdev, params):
    """WPA2-Enterprise connection using SQLite for user DB

    Builds a throw-away SQLite user database in the log directory with four
    TTLS users (one per inner method) plus a wildcard entry, points the
    integrated EAP server at it with eap_user_file="sqlite:<path>", and
    connects each user in turn. The SQL statements are fixed literals -- no
    external input is interpolated.
    """
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    dbfile = os.path.join(params['logdir'], "eap-user.db")
    # Start from a clean database; a missing file is not an error.
    try:
        os.remove(dbfile)
    except:
        pass
    con = sqlite3.connect(dbfile)
    with con:
        cur = con.cursor()
        cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
        cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
        cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
        cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
        cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
        cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
        cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
        cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")

    params = int_eap_server_params()
    params["eap_user_file"] = "sqlite:" + dbfile
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
    dev[1].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
    eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # NOTE(review): upstream lines 2975-2977 after this call were lost in
    # extraction (most likely trailing cleanup); check the original file.
def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Identities containing a raw 0x80 byte are sent to the integrated EAP
    server from two stations. The test only checks that EAP starts and a
    method gets selected, i.e. the non-ASCII identity does not break the
    Identity exchange.
    """
    ap_params = int_eap_server_params()
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="\x80", password="password", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="a\x80", password="password", wait_connect=False)
    stages = [(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out"),
              (["CTRL-EVENT-EAP-METHOD"], "EAP method selection timed out")]
    for idx in (0, 1):
        for events, msg in stages:
            if dev[idx].wait_event(events, timeout=10) is None:
                raise Exception(msg)
def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Same as test_ap_wpa2_eap_non_ascii_identity but against an AP that
    forwards EAP to the external (RADIUS) authentication server instead of
    the integrated one.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="\x80", password="password", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="a\x80", password="password", wait_connect=False)
    stages = [(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out"),
              (["CTRL-EVENT-EAP-METHOD"], "EAP method selection timed out")]
    for idx in (0, 1):
        for events, msg in stages:
            if dev[idx].wait_event(events, timeout=10) is None:
                raise Exception(msg)
def test_openssl_cipher_suite_config_wpas(dev, apdev):
    """OpenSSL cipher suite configuration on wpa_supplicant

    Three stations with different openssl_ciphers values: "AES128" must
    connect; "EXPORT" must fail (the server offers no export-grade suites,
    and the failure may be reported locally); "FOO" is not a valid cipher
    string and must yield EAP failure. Skipped unless the supplicant's TLS
    library is OpenSSL.
    """
    tls_lib = dev[0].request("GET tls_library")
    if not tls_lib.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls_lib)
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # Acceptable cipher list: connection succeeds.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="AES128",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Export-grade only: no common suite with the server.
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="EXPORT",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                expect_failure=True, maybe_local_error=True)
    # Unparseable cipher string.
    dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password",
                   openssl_ciphers="FOO",
                   ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                   scan_freq="2412", wait_connect=False)
    if dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure after invalid openssl_ciphers not reported")
    dev[2].request("DISCONNECT")
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd

    The integrated EAP server is restricted to "AES256". A station with the
    default cipher list and one with "HIGH:!ADH" must connect; a station
    limited to "AES128" has no suite in common and must fail. Finally a
    second AP with openssl_ciphers="FOO" must be rejected at ENABLE. Both
    sides' TLS libraries must be OpenSSL, otherwise the test is skipped.
    """
    tls_lib = dev[0].request("GET tls_library")
    if not tls_lib.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + tls_lib)
    ap_params = int_eap_server_params()
    ap_params['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    tls_lib = hapd.request("GET tls_library")
    if not tls_lib.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls_lib)

    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **common)
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128",
                expect_failure=True, **common)
    eap_connect(dev[2], apdev[0], "TTLS", "pap user",
                openssl_ciphers="HIGH:!ADH", **common)

    # An invalid cipher string must be refused when enabling the AP.
    ap_params['openssl_ciphers'] = "FOO"
    hapd2 = hostapd.add_ap(apdev[1]['ifname'], ap_params, no_enable=True)
    if "FAIL" not in hapd2.request("ENABLE"):
        raise Exception("Invalid openssl_ciphers value accepted")
def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
    """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP

    Memory-hygiene test: after an EAP-TTLS/PAP association the memory of the
    wpa_supplicant process is scanned for the password and for the keys
    recovered from the debug log (MSK, EMSK, PMK, PTK, GTK), and the test
    verifies that each piece of keying material is no longer present once
    the state that legitimately holds it has been released: disconnect,
    PMKSA cache / EAP fast re-auth flush, and network profile removal.
    params['logdir'] must contain the 'log0' debug log of dev[0].

    Several original lines of this function are not visible in this excerpt;
    each gap is marked with a comment below.
    """
    p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], p)
    # 64 hex characters; presumably long enough that a memory hit is unambiguous
    password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
    pid = find_wpas_process(dev[0])
    id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
                     anonymous_identity="ttls", password=password,
                     ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # … original line 3075 not shown in this excerpt …
    # Snapshot of process memory taken while still associated
    buf = read_process_memory(pid, password)
    # … original line 3077 not shown in this excerpt …
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # … original lines 3080-3086 not shown in this excerpt (presumably the
    # initialisation of msk/emsk/pmk/ptk/gtk that the check below relies on) …
    # Recover the derived keys from wpa_supplicant's own hexdump log lines;
    # field 3 of the ':'-separated line holds the space-separated hex bytes
    with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
        for l in f.readlines():
            if "EAP-TTLS: Derived key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                msk = binascii.unhexlify(val)
            if "EAP-TTLS: Derived EMSK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                emsk = binascii.unhexlify(val)
            if "WPA: PMK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                pmk = binascii.unhexlify(val)
            if "WPA: PTK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                ptk = binascii.unhexlify(val)
            if "WPA: Group Key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                gtk = binascii.unhexlify(val)
    if not msk or not emsk or not pmk or not ptk or not gtk:
        raise Exception("Could not find keys from debug log")
    # … original line 3106 not shown in this excerpt (the condition guarding
    # the raise below) …
    raise Exception("Unexpected GTK length")
    # … original lines 3108-3112 not shown in this excerpt (kck/kek/tk, used
    # below, are presumably derived from ptk here) …
    # Prefix for the memory-context dump files written by verify_not_present()
    fname = os.path.join(params['logdir'],
                         'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
    logger.info("Checking keys in memory while associated")
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    # Skip rather than fail if the snapshot does not even show the material
    # that is expected to be present while associated
    if password not in buf:
        raise HwsimSkip("Password not found while associated")
    # … original line 3123 not shown in this excerpt (condition guarding the
    # raise below) …
    raise HwsimSkip("PMK not found while associated")
    # … original line 3125 not shown in this excerpt (condition guarding the
    # raise below) …
    raise Exception("KCK not found while associated")
    # … original line 3127 not shown in this excerpt (condition guarding the
    # raise below) …
    raise Exception("KEK not found while associated")
    # … original line 3129 not shown in this excerpt (condition guarding the
    # raise below) …
    raise Exception("TK found from memory")
    # … original line 3131 not shown in this excerpt (condition guarding the
    # raise below) …
    raise Exception("GTK found from memory")
    # … original line 3133 not shown in this excerpt …
    logger.info("Checking keys in memory after disassociation")
    buf = read_process_memory(pid, password)
    # … original line 3136 not shown in this excerpt …
    # Note: Password is still present in network configuration
    # Note: PMK is in PMKSA cache and EAP fast re-auth data
    # … original line 3139 not shown in this excerpt …
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    # Session keys must be gone as soon as the association is torn down
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")
    # … original line 3148 not shown in this excerpt …
    dev[0].request("PMKSA_FLUSH")
    # Changing the identity invalidates the EAP fast re-auth state
    dev[0].set_network_quoted(id, "identity", "foo")
    logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
    buf = read_process_memory(pid, password)
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, pmk, fname, "PMK")
    # … original line 3158 not shown in this excerpt …
    dev[0].request("REMOVE_NETWORK all")
    # … original line 3160 not shown in this excerpt …
    logger.info("Checking keys in memory after network profile removal")
    buf = read_process_memory(pid, password)
    # … original line 3163 not shown in this excerpt …
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    # With the profile gone nothing may hold any of the secrets any more
    verify_not_present(buf, password, fname, "password")
    verify_not_present(buf, pmk, fname, "PMK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")
    verify_not_present(buf, msk, fname, "MSK")
    verify_not_present(buf, emsk, fname, "EMSK")
def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
    """WPA2-Enterprise connection and unexpected WEP EAPOL-Key

    After a normal EAP-TTLS/PAP association a legacy (WEP-style) EAPOL-Key
    frame is injected towards the station; the expectation is that
    wpa_supplicant silently discards it rather than acting on it.
    Original lines 3185 and 3188 are not shown in this excerpt.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    bssid = apdev[0]['bssid']
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # … original line 3185 not shown in this excerpt …
    # Send unexpected WEP EAPOL-Key; this gets dropped
    # (EAPOL version 2, packet type 3 = EAPOL-Key, body length 0x2c; the
    # descriptor type byte 0x01 is the legacy RC4 key descriptor — verify
    # against the EAPOL-Key definition if relying on this.)
    res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
    # … original line 3188 not shown in this excerpt (the check on res that
    # guards the raise below) …
    raise Exception("EAPOL_RX to wpa_supplicant failed")
def test_ap_wpa2_eap_in_bridge(dev, apdev):
    """WPA2-EAP and wpas interface in a bridge

    Wrapper that runs _test_ap_wpa2_eap_in_bridge() and afterwards tears
    down the bridge and 4addr mode it set up. Original lines 3193-3195 and
    3197 are not shown in this excerpt; br_ifname and ifname used below are
    presumably defined there, and the cleanup presumably sits in a finally.
    """
    # … original lines 3193-3195 not shown in this excerpt …
    _test_ap_wpa2_eap_in_bridge(dev, apdev)
    # … original line 3197 not shown in this excerpt …
    # Best-effort cleanup: return codes are deliberately ignored so that a
    # partially created bridge does not mask the test result
    subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
    subprocess.call(['brctl', 'delif', br_ifname, ifname])
    subprocess.call(['brctl', 'delbr', br_ifname])
    subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
def _test_ap_wpa2_eap_in_bridge(dev, apdev):
    """Body of test_ap_wpa2_eap_in_bridge().

    Adds a wpa_supplicant interface that is a member of a Linux bridge (with
    4addr mode enabled on the wireless interface), connects with EAP-PAX and
    exercises re-authentication, disconnect and reconnect through the bridge.
    Original lines 3206-3208 are not shown in this excerpt; br_ifname and
    ifname are presumably assigned there.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # … original lines 3206-3208 not shown in this excerpt …
    wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
    subprocess.call(['brctl', 'addbr', br_ifname])
    # Forward delay 0 so the bridge port starts forwarding immediately
    subprocess.call(['brctl', 'setfd', br_ifname, '0'])
    subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
    subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
    # Only this step is fatal if it fails; the earlier calls are best-effort
    subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
    wpas.interface_add(ifname, br_ifname=br_ifname)
    # … original line 3216 not shown in this excerpt …
    id = eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
                     password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(wpas, "PAX")
    # Try again as a regression test for packet socket workaround
    eap_reauth(wpas, "PAX")
    wpas.request("DISCONNECT")
    wpas.wait_disconnected()
    wpas.request("RECONNECT")
    wpas.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled

    Brings up a WPA2-EAP AP, checks that GET_CONFIG reports WPA-EAP as the
    first key_mgmt entry, connects with EAP-TTLS/PAP while explicitly
    allowing TLS session tickets (tls_disable_session_ticket=0) and then
    forces an EAP re-authentication.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    key_mgmt = hapd.get_config()['key_mgmt']
    # Only the first space-separated key_mgmt entry is inspected
    first_akm, _, _ = key_mgmt.partition(' ')
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    sta_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem",
                   phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **sta_cfg)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_no_workaround(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0

    Same flow as the session-ticket test but with the EAP workarounds
    disabled on the station (eap_workaround='0'). Original line 3250, the
    remainder of the eap_connect() call, is not shown in this excerpt.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    key_mgmt = hapd.get_config()['key_mgmt']
    # Only the first space-separated key_mgmt entry is inspected
    if key_mgmt.split(' ')[0] != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
    # … original line 3250 not shown in this excerpt (end of the call) …
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
    """EAP-TLS and server checking CRL

    Exercises hostapd's check_crl setting with the integrated EAP server:
    check_crl=1 without any CRL loaded must reject the client, while
    check_crl=1 and check_crl=2 with a CA bundle that includes a CRL
    (auth_serv/ca-and-crl.pem) must accept it.
    Original lines 3258, 3264-3265, 3267-3268, 3274-3275 and 3277-3278 are
    not shown in this excerpt; the hostapd reconfiguration around each
    hapd.set() call is presumably there.
    """
    params = int_eap_server_params()
    params['check_crl'] = '1'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # … original line 3258 not shown in this excerpt …
    # check_crl=1 and no CRL available --> reject connection
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    # … original lines 3264-3265 not shown in this excerpt …
    # Switch the server's CA bundle to one that carries a CRL
    hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")
    # … original lines 3267-3268 not shown in this excerpt …
    # check_crl=1 and valid CRL --> accept
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    dev[0].request("REMOVE_NETWORK all")
    # … original lines 3274-3275 not shown in this excerpt …
    hapd.set("check_crl", "2")
    # … original lines 3277-3278 not shown in this excerpt …
    # check_crl=2 and valid CRL --> accept
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_tls_oom(dev, apdev):
    """EAP-TLS and OOM

    Injects allocation failures into tls_connection_set_subject_match() on
    the station (failure on the 1st..4th allocation) while configuring an
    EAP-TLS profile with subject/altsubject/domain matching; each attempt is
    expected to surface as a CTRL-REQ-PASSPHRASE request instead of a
    connection. Requires OpenSSL-backed subject/altsubject/domain matching.
    Original lines 3290, 3293 and 3311 are not shown in this excerpt.
    """
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    check_domain_match_full(dev[0])
    # … original line 3290 not shown in this excerpt …
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # … original line 3293 not shown in this excerpt …
    # (allocation index to fail, function in which to fail it)
    tests = [ (1, "tls_connection_set_subject_match"),
              (2, "tls_connection_set_subject_match"),
              (3, "tls_connection_set_subject_match"),
              (4, "tls_connection_set_subject_match") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                           identity="tls user", ca_cert="auth_serv/ca.pem",
                           client_cert="auth_serv/user.pem",
                           private_key="auth_serv/user.key",
                           subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                           altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
                           domain_suffix_match="server.w1.fi",
                           domain_match="server.w1.fi",
                           wait_connect=False, scan_freq="2412")
            # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
            ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
            # … original line 3311 not shown in this excerpt (the check on ev
            # that guards the raise below) …
            raise Exception("No passphrase request")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL

    Starts a WPA2-EAP AP with macaddr_acl=2 (hostapd's RADIUS-backed MAC
    ACL mode — confirm against hostapd.conf if relying on this) and checks
    that dev[1] can still complete an EAP-TLS association.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params.update(macaddr_acl="2")
    hostapd.add_ap(apdev[0]['ifname'], params)
    client_creds = dict(ca_cert="auth_serv/ca.pem",
                        client_cert="auth_serv/user.pem",
                        private_key="auth_serv/user.key")
    eap_connect(dev[1], apdev[0], "TLS", "tls user", **client_creds)
def test_ap_wpa2_eap_oom(dev, apdev):
    """EAP server and OOM

    Makes the first eapol_auth_alloc() call in hostapd fail while a station
    attempts an EAP-TLS connection; the existing comment states that the
    station's EAPOL-Start retry is expected to recover from this.
    Original lines 3330, 3333 and 3338-3339 are not shown in this excerpt
    (3338 presumably closes the connect() call).
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
    # … original line 3330 not shown in this excerpt …
    with alloc_fail(hapd, 1, "eapol_auth_alloc"):
        # The first attempt fails, but STA will send EAPOL-Start to retry and
        # … original line 3333 (rest of this comment) not shown in this excerpt …
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
        # … original lines 3338-3339 not shown in this excerpt (end of the call) …
def check_tls_ver(dev, ap, phase1, expected):
    """Connect with EAP-TLS using the given phase1 string and verify the
    negotiated TLS version.

    dev: station under test; ap: AP entry to connect to; phase1: phase1
    parameter string (its use in the eap_connect() call is on original line
    3344, not shown in this excerpt); expected: value the station's
    eap_tls_version status field must report.
    Raises Exception on a version mismatch; the guarding comparison (original
    line 3346) is not shown in this excerpt.
    """
    eap_connect(dev, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key",
    # … original line 3344 not shown in this excerpt (end of the call) …
    ver = dev.get_status_field("eap_tls_version")
    # … original line 3346 not shown in this excerpt (comparison guarding the
    # raise below) …
    raise Exception("Unexpected TLS version (expected %s): %s" % (expected, ver))
3349 def test_ap_wpa2_eap_tls_versions(dev, apdev):
3350 """EAP-TLS and TLS version configuration"""
3351 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3352 hostapd.add_ap(apdev[0]['ifname'], params)
3354 tls = dev[0].request("GET tls_library")
3355 if tls.startswith("OpenSSL"):
3356 if "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
3357 check_tls_ver(dev[0], apdev[0],
3358 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
3360 check_tls_ver(dev[1], apdev[0],
3361 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
3362 check_tls_ver(dev[2], apdev[0],
3363 "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")