1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
# Module-level logger (root logger, no name) used by the tests below for
# progress messages such as "Negative test with incorrect key".
logger = logging.getLogger()
22 from utils import HwsimSkip, alloc_fail, fail_test, skip_with_fips, wait_fail_trigger
23 from wpasupplicant import WpaSupplicant
24 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations, set_test_assoc_ie
# Flag recording whether the optional OpenSSL Python module (presumably pyOpenSSL)
# could be imported; tests that need it can skip when it is False.
# NOTE(review): the try/except ImportError surrounding these two assignments is
# not shown in this listing, so only one of them runs in the real file.
openssl_imported = True
openssl_imported = False
def check_hlr_auc_gw_support():
    """Skip the test unless the hlr_auc_gw control socket exists.

    The EAP-SIM/AKA tests rely on the HLR/AuC gateway used by the test
    authentication server listening on /tmp/hlr_auc_gw.sock; without it the
    test is reported as skipped (HwsimSkip) instead of failing.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
def check_eap_capa(dev, method):
    """Skip the test when the build's EAP capability list does not include *method*.

    NOTE(review): the ``if`` guarding the raise is not shown in this listing;
    presumably it checks that *method* is absent from the capability string
    returned by ``dev.get_capability("eap")``.
    """
    res = dev.get_capability("eap")
    # (guard line not shown in this listing)
    raise HwsimSkip("EAP method %s not supported in the build" % method)
def check_subject_match_support(dev):
    """Skip the current test unless *dev* was built against OpenSSL.

    subject_match is only implemented for the OpenSSL TLS backend, so any
    other library name reported by ``GET tls_library`` raises HwsimSkip.
    """
    lib = dev.request("GET tls_library")
    if lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + lib)
def check_altsubject_match_support(dev):
    """Skip the current test unless *dev* was built against OpenSSL.

    altsubject_match (matching against subjectAltName entries) is only
    available with the OpenSSL TLS backend.
    """
    lib = dev.request("GET tls_library")
    if lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("altsubject_match not supported with this TLS library: " + lib)
def check_domain_match(dev):
    """Skip the current test when *dev* uses the internal TLS implementation.

    domain_match is not supported there; every other backend name reported by
    ``GET tls_library`` is accepted.
    """
    lib = dev.request("GET tls_library")
    if not lib.startswith("internal"):
        return
    raise HwsimSkip("domain_match not supported with this TLS library: " + lib)
def check_domain_suffix_match(dev):
    """Skip the current test when *dev* uses the internal TLS implementation.

    domain_suffix_match is not supported there; any other backend name is
    accepted.
    """
    lib = dev.request("GET tls_library")
    if not lib.startswith("internal"):
        return
    raise HwsimSkip("domain_suffix_match not supported with this TLS library: " + lib)
def check_domain_match_full(dev):
    """Skip the current test unless *dev* was built against OpenSSL.

    Used by tests that rely on domain_suffix_match accepting a suffix rather
    than requiring a full match; other TLS backends only do the full match.
    """
    lib = dev.request("GET tls_library")
    if lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + lib)
def check_cert_probe_support(dev):
    """Skip the current test unless the TLS backend supports certificate probing.

    Probing (connecting only to learn the server certificate) is available with
    the OpenSSL backend and with the internal TLS implementation.
    """
    lib = dev.request("GET tls_library")
    if lib.startswith(("OpenSSL", "internal")):
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + lib)
def check_ext_cert_check_support(dev):
    """Skip the current test unless *dev* was built against OpenSSL.

    External certificate checking (ext_cert_check, where the server certificate
    is handed to an external process for validation) needs the OpenSSL backend.
    """
    lib = dev.request("GET tls_library")
    if lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("ext_cert_check not supported with this TLS library: " + lib)
def check_ocsp_support(dev):
    """Capability check for OCSP; currently never skips.

    The TLS library name is still queried so the helper behaves like the other
    check_* helpers, but the earlier skip conditions (internal TLS, BoringSSL)
    are retained below only as commented-out history.
    """
    tls = dev.request("GET tls_library")
    # Former skip conditions, kept for reference:
    #if tls.startswith("internal"):
    # raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
    #if "BoringSSL" in tls:
    # raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
    return
def check_ocsp_multi_support(dev):
    """Skip the current test unless both sides use the internal TLS implementation.

    ocsp_multi (multiple stapled OCSP responses) is only exercised when the
    station *dev* and the authentication server behind the "as" hostapd
    instance both report the internal TLS library.
    """
    tls = dev.request("GET tls_library")
    if not tls.startswith("internal"):
        raise HwsimSkip("OCSP-multi not supported with this TLS library: " + tls)
    # The EAP server side is queried through the "as" hostapd control interface.
    as_hapd = hostapd.Hostapd("as")
    res = as_hapd.request("GET tls_library")
    # (one source line is not shown in this listing here)
    if not res.startswith("internal"):
        raise HwsimSkip("Authentication server does not support ocsp_multi")
def check_pkcs12_support(dev):
    """Capability check for PKCS#12 client credentials; currently never skips.

    The TLS library name is queried for parity with the other check_* helpers;
    the former skip for the internal TLS implementation is left commented out.
    """
    tls = dev.request("GET tls_library")
    # Former skip condition, kept for reference:
    #if tls.startswith("internal"):
    # raise HwsimSkip("PKCS#12 not supported with this TLS library: " + tls)
    return
def check_dh_dsa_support(dev):
    """Skip the current test when *dev* uses the internal TLS implementation.

    DH parameters / DSA keys are not supported by that backend; other library
    names reported by ``GET tls_library`` are accepted.
    """
    lib = dev.request("GET tls_library")
    if not lib.startswith("internal"):
        return
    raise HwsimSkip("DH DSA not supported with this TLS library: " + lib)
104 with open(fname, "r") as f:
105 lines = f.readlines()
113 if "-----BEGIN" in l:
115 return base64.b64decode(cert)
def eap_connect(dev, ap, method, identity,
                sha256=False, expect_failure=False, local_error_report=False,
                maybe_local_error=False, **kwargs):
    """Connect *dev* to the EAP test AP *ap* using *method* and verify the outcome.

    Extra keyword arguments (password, certificates, phase1/phase2 options,
    anonymous_identity, ...) are network profile parameters forwarded to
    dev.connect(). The association is started with wait_connect=False and the
    EAP exchange itself is then checked by eap_check_auth(), to which
    expect_failure / local_error_report / maybe_local_error are forwarded.

    NOTE(review): this listing omits several lines of the original (the close
    of the dev.connect() call, the early return on an expected failure, the
    ``if ev is None`` guard before the final raise and the return of the
    network id); confirm the control flow against the full source.
    """
    hapd = hostapd.Hostapd(ap['ifname'])
    # Offer both WPA-EAP and WPA-EAP-SHA256 AKMs and enable PMF as optional
    # (ieee80211w="1") so the same helper works with and without PMF on the AP.
    id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                     eap=method, identity=identity,
                     wait_connect=False, scan_freq="2412", ieee80211w="1",
    # initial=True: a first authentication, not a REAUTHENTICATE.
    eap_check_auth(dev, method, True, sha256=sha256,
                   expect_failure=expect_failure,
                   local_error_report=local_error_report,
                   maybe_local_error=maybe_local_error)
    # The AP must also see the station as connected; a supplicant-side success
    # without the AP completing the handshake is treated as a failure.
    ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
    # (guard line not shown in this listing)
    raise Exception("No connection event received from hostapd")
def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
                   expect_failure=False, local_error_report=False,
                   maybe_local_error=False):
    """Follow the EAP exchange on *dev* and verify it ends the expected way.

    Args:
        dev: station under test (control interface wrapper).
        method: EAP method name expected in the selectedMethod STATUS field.
        initial: True for a first authentication, False for a reauthentication
            (presumably selects which of the two connection waits below runs).
        rsn, sha256: select which key_mgmt string STATUS must report.
        expect_failure: the exchange must end with CTRL-EVENT-EAP-FAILURE and a
            disconnection carrying reason=23 (IEEE 802.1X authentication failed).
        local_error_report: skip the reason-code check on the disconnection.
        maybe_local_error: tolerate a locally generated EAP failure/disconnect.

    Raises:
        Exception on any timeout or on a STATUS field that does not match.

    NOTE(review): this listing omits many lines of the original (the ``if ev
    is None`` guards, early returns and the if/elif/else selecting ``e``), so
    the control flow below is only partially reconstructed.
    """
    ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    # (guard line not shown in this listing)
    raise Exception("Association and EAP start timed out")
    ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD",
                         "CTRL-EVENT-EAP-FAILURE"], timeout=10)
    # (guard line not shown in this listing)
    raise Exception("EAP method selection timed out")
    # A failure before any method was selected is acceptable only when the
    # caller allowed a locally generated error.
    if "CTRL-EVENT-EAP-FAILURE" in ev:
        if maybe_local_error:
            # (early return of this branch not shown in this listing)
        raise Exception("Could not select EAP method")
    # (guard checking that *method* is named in the EAP-METHOD event not shown)
    raise Exception("Unexpected EAP method")
    # (the ``if expect_failure:`` opening the failure path is not shown)
    ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # (guard line not shown in this listing)
    raise Exception("EAP failure timed out")
    ev = dev.wait_disconnected(timeout=10)
    if maybe_local_error and "locally_generated=1" in ev:
        # (early return not shown in this listing)
    # Reason code 23 = IEEE 802.1X authentication failed: the AP must report
    # the EAP failure honestly instead of a generic deauthentication reason.
    if not local_error_report:
        if "reason=23" not in ev:
            raise Exception("Proper reason code for disconnection not reported")
    # (early return not shown; the remainder is the success path)
    ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # (guard line not shown in this listing)
    raise Exception("EAP success timed out")
    # (the if initial / else split around the next two waits is not shown)
    ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
    ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
    # (guard line not shown in this listing)
    raise Exception("Association with the AP timed out")
    status = dev.get_status()
    if status["wpa_state"] != "COMPLETED":
        raise Exception("Connection not completed")
    # (one source line is not shown in this listing here)
    # EAP success alone is not sufficient: the 802.1X controlled port must be
    # in the Authorized state before data traffic is allowed.
    if status["suppPortStatus"] != "Authorized":
        raise Exception("Port not authorized")
    if "selectedMethod" not in status:
        logger.info("Status: " + str(status))
        raise Exception("No selectedMethod in status")
    if method not in status["selectedMethod"]:
        raise Exception("Incorrect EAP method status")
    # Expected key_mgmt string. The if sha256 / elif rsn / else lines choosing
    # exactly one of these three assignments are not shown in this listing.
    e = "WPA2-EAP-SHA256"
    e = "WPA2/IEEE 802.1X/EAP"
    e = "WPA/IEEE 802.1X/EAP"
    if status["key_mgmt"] != e:
        raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger a REAUTHENTICATE on *dev* and verify the resulting EAP exchange.

    Returns whatever eap_check_auth() returns for a non-initial authentication
    (initial=False); rsn, sha256 and expect_failure are forwarded unchanged.
    """
    dev.request("REAUTHENTICATE")
    result = eap_check_auth(dev, method, False,
                            rsn=rsn, sha256=sha256,
                            expect_failure=expect_failure)
    return result
def test_ap_wpa2_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM"""
    # NOTE(review): this listing drops the closing line of several
    # eap_connect() calls below (presumably the expect_failure=True argument of
    # the negative cases); confirm against the full source.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Positive case: password is the GSM-Milenage "Ki:OPc" pair matching the
    # test HLR/AuC database entry for this IMSI.
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "SIM")
    # Second station with its own IMSI; third station's closing arguments are
    # not shown in this listing.
    eap_connect(dev[1], apdev[0], "SIM", "1232010000000001",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    eap_connect(dev[2], apdev[0], "SIM", "1232010000000002",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
    # Wrong Ki (first bytes altered): the AT_MAC / SRES derivation must not
    # match what the AuC computes, so authentication has to fail.
    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
    # Malformed key configurations; each must be rejected before any
    # authentication exchange can succeed:
    # - Ki too short and no OPc
    logger.info("Invalid GSM-Milenage key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a",
    # - non-hex character inside Ki
    logger.info("Invalid GSM-Milenage key(2)")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
    # - non-hex character inside OPc
    logger.info("Invalid GSM-Milenage key(3)")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
    # - missing ':' separator between Ki and OPc
    logger.info("Invalid GSM-Milenage key(4)")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
    # - no password at all (closing arguments not shown in this listing)
    logger.info("Missing key configuration")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-SIM (SQL)"""
    # Exercises the EAP server's SQLite-backed fast-reauth and pseudonym state
    # by editing the database between reauthentications. All SQL below uses
    # fixed literals (no test input is interpolated).
    # NOTE(review): this listing omits the sqlite3 import guard, the cursor
    # creation (``cur``) and the ``with con:`` blocks; ``con`` is also never
    # closed in the visible code.
    check_hlr_auc_gw_support()
    # (sqlite3 import attempt not shown in this listing)
    raise HwsimSkip("No sqlite3 module available")
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Port 1814 selects the SQL-backed authentication server instance.
    params['auth_server_port'] = "1814"
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    logger.info("SIM fast re-authentication")
    eap_reauth(dev[0], "SIM")
    # Dropping the reauth row forces a full authentication; the pseudonym row
    # is still there so the pseudonym identity is used.
    logger.info("SIM full auth with pseudonym")
    cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")
    # Dropping both rows forces a full authentication with the permanent IMSI.
    logger.info("SIM full auth with permanent identity")
    cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
    cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")
    # Tampered master key on the server: a fast reauth keyed on the wrong MK
    # must fail rather than silently derive mismatching session keys.
    logger.info("SIM reauth with mismatching MK")
    cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    # Reauth counter manipulation: the server-side counter is moved ahead of
    # the station's and the exchange is expected to recover (falling back to
    # full authentication, presumably).
    cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")
    cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
    logger.info("SIM reauth with mismatching counter")
    eap_reauth(dev[0], "SIM")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    # Counter pushed past the reauth limit; the server must stop accepting
    # fast reauth for this identity.
    cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
    logger.info("SIM reauth with max reauth count reached")
    eap_reauth(dev[0], "SIM")
def test_ap_wpa2_eap_sim_config(dev, apdev):
    """EAP-SIM configuration options"""
    # NOTE(review): the ``if ev is None`` guards before the two raises are not
    # shown in this listing.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # sim_min_num_chal outside the accepted range must make method
    # initialization fail (reported as an EAP error, not a silent fallback).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                   identity="1232010000000000",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   phase1="sim_min_num_chal=1",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
    # (guard line not shown in this listing)
    raise Exception("No EAP error message seen")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                   identity="1232010000000000",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   phase1="sim_min_num_chal=4",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
    # (guard line not shown in this listing)
    raise Exception("No EAP error message seen (2)")
    dev[0].request("REMOVE_NETWORK all")
    # Accepted value: require at least two challenges per authentication.
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                phase1="sim_min_num_chal=2")
    # A configured anonymous_identity is used for the initial identity exchange.
    eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                anonymous_identity="345678")
def test_ap_wpa2_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
    # Wrapper that restores external_sim=0 on dev[0] after the actual test so a
    # failure does not leave the station expecting external SIM processing.
    # (the try/finally around these two lines is not shown in this listing)
    _test_ap_wpa2_eap_sim_ext(dev, apdev)
    dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext(dev, apdev):
    # EAP-SIM with external GSM authentication: wpa_supplicant emits
    # CTRL-REQ-SIM-<id>:GSM-AUTH:<rand...> and the test answers with
    # CTRL-RSP-SIM-<id>. Every response below is malformed in a different way;
    # the supplicant must reject it and report CTRL-EVENT-EAP-FAILURE rather
    # than derive keys from garbage.
    # NOTE(review): the ``if ev is None`` guards and the ``p = ev.split(':')``
    # style line defining ``p`` are not shown in this listing.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        identity="1232010000000000",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    # (guard line not shown in this listing)
    raise Exception("Network connected timed out")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # (guard line not shown in this listing)
    raise Exception("Wait for external SIM processing request timed out")
    # (definition of p not shown in this listing)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # Case 1: answer a GSM-AUTH request with a UMTS-AUTH formatted response.
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    # This will fail during processing, but the ctrl_iface command succeeds
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    # (guard line not shown in this listing)
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Case 2: non-hex response body.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # (guard line not shown in this listing)
    raise Exception("Wait for external SIM processing request timed out")
    # (definition of p not shown in this listing)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:q"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    # (guard line not shown in this listing)
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Case 3: hex value far too short for a Kc.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # (guard line not shown in this listing)
    raise Exception("Wait for external SIM processing request timed out")
    # (definition of p not shown in this listing)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:34"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    # (guard line not shown in this listing)
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Case 4: a Kc-sized value with no SRES following it.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # (guard line not shown in this listing)
    raise Exception("Wait for external SIM processing request timed out")
    # (definition of p not shown in this listing)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    # (guard line not shown in this listing)
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Case 5: Kc followed by a non-hex SRES.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # (guard line not shown in this listing)
    raise Exception("Wait for external SIM processing request timed out")
    # (definition of p not shown in this listing)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:q"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    # (guard line not shown in this listing)
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Case 6: a single well-formed Kc:SRES pair (presumably fewer triplets than
    # the number of challenges in the request).
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # (guard line not shown in this listing)
    raise Exception("Wait for external SIM processing request timed out")
    # (definition of p not shown in this listing)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    # (guard line not shown in this listing)
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Case 7: valid pair followed by a non-hex trailer.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # (guard line not shown in this listing)
    raise Exception("Wait for external SIM processing request timed out")
    # (definition of p not shown in this listing)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233:q"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    # (guard line not shown in this listing)
    raise Exception("EAP failure not reported")
def test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev):
    """EAP-SIM with external GSM auth and replacing SIM without clearing pseudonym id"""
    # Wrapper that restores external_sim=0 on dev[0] after the actual test.
    # (the try/finally around these two lines is not shown in this listing)
    _test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev)
    dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev):
    # Scenario: a valid external GSM auth, then the "SIM" (identity) is swapped
    # while the pseudonym learned for the old IMSI is kept. The server maps the
    # stale pseudonym to the old permanent identity, so the second attempt must
    # end in EAP-Failure instead of authenticating the new IMSI under the old one.
    # NOTE(review): the ``if ev is None`` guards, the ``p = ...`` line and one
    # hlr_auc_gw argument line are not shown in this listing. The hlr_auc_gw
    # output handling is written with Python 2 str semantics; on Python 3
    # check_output() returns bytes, so the ``in`` / split() calls would need
    # decoding — confirm which interpreter runs this.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        identity="1232010000000000",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # (guard line not shown in this listing)
    raise Exception("Wait for external SIM processing request timed out")
    # (definition of p not shown in this listing)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    rand = p[2].split(' ')[0]
    # Compute the real GSM triplets with the test HLR/AuC tool (argument list,
    # no shell; one argument line is not shown in this listing).
    res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000000 " + rand])
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = res.split(' ')[2].rstrip()
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    dev[0].wait_connected(timeout=15)
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Replace SIM, but forget to drop the previous pseudonym identity
    dev[0].set_network_quoted(id, "identity", "1232010000000009")
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # (guard line not shown in this listing)
    raise Exception("Wait for external SIM processing request timed out")
    # (definition of p not shown in this listing)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    rand = p[2].split(' ')[0]
    # Triplets are computed for the *new* IMSI, so they cannot match the
    # server's expectation for the pseudonym's old IMSI.
    res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000009 " + rand])
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = res.split(' ')[2].rstrip()
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    # (guard line not shown in this listing)
    raise Exception("EAP-Failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev):
    """EAP-SIM with external GSM auth and replacing SIM and clearing pseudonym identity"""
    # Wrapper that restores external_sim=0 on dev[0] after the actual test.
    # (the try/finally around these two lines is not shown in this listing)
    _test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev)
    dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev):
    # Counterpart of _test_ap_wpa2_eap_sim_ext_replace_sim: here the stale
    # pseudonym (anonymous_identity) is cleared when the identity changes, so
    # the second authentication with the new IMSI must succeed.
    # NOTE(review): the ``if ev is None`` guards, the ``p = ...`` line and one
    # hlr_auc_gw argument line are not shown in this listing; the str-based
    # handling of check_output() assumes Python 2 semantics.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        identity="1232010000000000",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # (guard line not shown in this listing)
    raise Exception("Wait for external SIM processing request timed out")
    # (definition of p not shown in this listing)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    rand = p[2].split(' ')[0]
    # Real triplets from the test HLR/AuC tool (argument list, no shell).
    res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000000 " + rand])
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = res.split(' ')[2].rstrip()
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    dev[0].wait_connected(timeout=15)
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Replace SIM and drop the previous pseudonym identity
    dev[0].set_network_quoted(id, "identity", "1232010000000009")
    dev[0].set_network(id, "anonymous_identity", "NULL")
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # (guard line not shown in this listing)
    raise Exception("Wait for external SIM processing request timed out")
    # (definition of p not shown in this listing)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    rand = p[2].split(' ')[0]
    res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000009 " + rand])
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = res.split(' ')[2].rstrip()
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    # With the pseudonym cleared the new IMSI authenticates on its own.
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev):
    """EAP-SIM with external GSM auth, replacing SIM, and no identity in config"""
    # Wrapper that restores external_sim=0 on dev[0] after the actual test.
    # (the try/finally around these two lines is not shown in this listing)
    _test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev)
    dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev):
    # Variant with no identity in the network profile: wpa_supplicant asks for
    # it over the control interface (CTRL-REQ-IDENTITY) and the test supplies
    # the IMSI. After a successful auth both the permanent and pseudonym
    # identities are cleared and a different IMSI is supplied, which must then
    # authenticate cleanly.
    # NOTE(review): the ``if ev is None`` guards, the ``p = ...`` lines and one
    # hlr_auc_gw argument line are not shown in this listing; the str-based
    # handling of check_output() assumes Python 2 semantics.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
    # (guard line not shown in this listing)
    raise Exception("Request for identity timed out")
    # Request id is the trailing number of the CTRL-REQ-IDENTITY-<id> prefix.
    rid = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-IDENTITY-" + rid + ":1232010000000000")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # (guard line not shown in this listing)
    raise Exception("Wait for external SIM processing request timed out")
    # (definition of p not shown in this listing)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    rand = p[2].split(' ')[0]
    # Real triplets from the test HLR/AuC tool (argument list, no shell).
    res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000000 " + rand])
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = res.split(' ')[2].rstrip()
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    dev[0].wait_connected(timeout=15)
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Replace SIM and drop the previous permanent and pseudonym identities
    dev[0].set_network(id, "identity", "NULL")
    dev[0].set_network(id, "anonymous_identity", "NULL")
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
    # (guard line not shown in this listing)
    raise Exception("Request for identity timed out")
    rid = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-IDENTITY-" + rid + ":1232010000000009")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # (guard line not shown in this listing)
    raise Exception("Wait for external SIM processing request timed out")
    # (definition of p not shown in this listing)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    rand = p[2].split(' ')[0]
    res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000009 " + rand])
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = res.split(' ')[2].rstrip()
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev):
    """EAP-SIM with external GSM auth and auth failing"""
    # Wrapper that restores external_sim=0 on dev[0] after the actual test.
    # (the try/finally around these two lines is not shown in this listing)
    _test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev)
    dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev):
    # The external SIM handler reports GSM-FAIL instead of triplets; the
    # supplicant must turn that into an EAP failure and tear the association
    # down rather than retrying or continuing without keys.
    # NOTE(review): the ``if ev is None`` guards and the ``p = ...`` line are
    # not shown in this listing.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        identity="1232010000000000",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # (guard line not shown in this listing)
    raise Exception("Wait for external SIM processing request timed out")
    # (definition of p not shown in this listing)
    rid = p[0].split('-')[3]
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-FAIL")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    # (guard line not shown in this listing)
    raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_sim_oom(dev, apdev):
    """EAP-SIM and OOM"""
    # Fault injection: fail_test() presumably makes the count-th call into
    # milenage_f2345 fail, one count per iteration. The expected outcome is a
    # clean EAP failure (method selected, then disconnected) rather than a
    # crash or a connection with undefined key material.
    # NOTE(review): the ``if ev is None`` guard before the raise is not shown
    # in this listing.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    tests = [ (1, "milenage_f2345"),
              (2, "milenage_f2345"),
              (3, "milenage_f2345"),
              (4, "milenage_f2345"),
              (5, "milenage_f2345"),
              (6, "milenage_f2345"),
              (7, "milenage_f2345"),
              (8, "milenage_f2345"),
              (9, "milenage_f2345"),
              (10, "milenage_f2345"),
              (11, "milenage_f2345"),
              (12, "milenage_f2345") ]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                           identity="1232010000000000",
                           password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # (guard line not shown in this listing)
            raise Exception("EAP method not selected")
            dev[0].wait_disconnected()
            dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA"""
    # Same structure as test_ap_wpa2_eap_sim; the EAP-AKA password is the
    # Milenage "Ki:OPc:SQN" triple.
    # NOTE(review): this listing drops the closing line of the negative
    # eap_connect() calls (presumably expect_failure=True); confirm against
    # the full source.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA")
    # Wrong Ki: mutual authentication must fail.
    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
    # Malformed key configurations; each must be rejected:
    # - Ki too short, no OPc/SQN
    logger.info("Invalid Milenage key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a",
    # - non-hex character in Ki
    logger.info("Invalid Milenage key(2)")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
    # - non-hex character in OPc
    logger.info("Invalid Milenage key(3)")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
    # - non-hex character in SQN
    logger.info("Invalid Milenage key(4)")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
    # - missing ':' between OPc and SQN
    logger.info("Invalid Milenage key(5)")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
    # - no ':' separators at all
    logger.info("Invalid Milenage key(6)")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
    # - no password at all (closing arguments not shown in this listing)
    logger.info("Missing key configuration")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA (SQL)"""
    # EAP-AKA counterpart of test_ap_wpa2_eap_sim_sql: the SQLite-backed
    # reauth/pseudonym state of the EAP server is edited between
    # reauthentications. All SQL uses fixed literals.
    # NOTE(review): this listing omits the sqlite3 import guard, the cursor
    # creation (``cur``) and the ``with con:`` blocks; ``con`` is also never
    # closed in the visible code.
    check_hlr_auc_gw_support()
    # (sqlite3 import attempt not shown in this listing)
    raise HwsimSkip("No sqlite3 module available")
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Port 1814 selects the SQL-backed authentication server instance.
    params['auth_server_port'] = "1814"
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    logger.info("AKA fast re-authentication")
    eap_reauth(dev[0], "AKA")
    # No reauth row -> full authentication using the stored pseudonym.
    logger.info("AKA full auth with pseudonym")
    cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")
    # No reauth or pseudonym row -> full authentication with the permanent IMSI.
    logger.info("AKA full auth with permanent identity")
    cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
    cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")
    # Tampered master key: fast reauth must fail, not derive mismatching keys.
    logger.info("AKA reauth with mismatching MK")
    cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    # Reauth counter moved ahead on the server side; the exchange is expected
    # to recover (presumably by falling back to full authentication).
    cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")
    cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
    logger.info("AKA reauth with mismatching counter")
    eap_reauth(dev[0], "AKA")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    # Counter past the reauth limit: fast reauth must no longer be accepted.
    cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
    logger.info("AKA reauth with max reauth count reached")
    eap_reauth(dev[0], "AKA")
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    # Bring up the EAP test AP, then connect with EAP-AKA using a configured
    # anonymous_identity for the initial identity exchange; the password is the
    # Milenage Ki:OPc:SQN triple from the test HLR/AuC database.
    ap = apdev[0]
    sta = dev[0]
    milenage = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ap['ifname'], ap_params)
    eap_connect(sta, ap, "AKA", "0232010000000000",
                password=milenage, anonymous_identity="2345678")
def test_ap_wpa2_eap_aka_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
    # Wrapper that restores external_sim=0 on dev[0] after the actual test.
    # (the try/finally around these two lines is not shown in this listing)
    _test_ap_wpa2_eap_aka_ext(dev, apdev)
    dev[0].request("SET external_sim 0")
872 def _test_ap_wpa2_eap_aka_ext(dev, apdev):
873 check_hlr_auc_gw_support()
874 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
875 hostapd.add_ap(apdev[0]['ifname'], params)
876 dev[0].request("SET external_sim 1")
877 id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
878 identity="0232010000000000",
879 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
880 wait_connect=False, scan_freq="2412")
881 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
883 raise Exception("Network connected timed out")
885 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
887 raise Exception("Wait for external SIM processing request timed out")
889 if p[1] != "UMTS-AUTH":
890 raise Exception("Unexpected CTRL-REQ-SIM type")
891 rid = p[0].split('-')[3]
894 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
895 # This will fail during processing, but the ctrl_iface command succeeds
896 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
897 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
899 raise Exception("EAP failure not reported")
900 dev[0].request("DISCONNECT")
901 dev[0].wait_disconnected()
903 dev[0].dump_monitor()
905 dev[0].select_network(id, freq="2412")
906 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
908 raise Exception("Wait for external SIM processing request timed out")
910 if p[1] != "UMTS-AUTH":
911 raise Exception("Unexpected CTRL-REQ-SIM type")
912 rid = p[0].split('-')[3]
913 # This will fail during UMTS auth validation
914 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
915 raise Exception("CTRL-RSP-SIM failed")
916 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
918 raise Exception("Wait for external SIM processing request timed out")
920 if p[1] != "UMTS-AUTH":
921 raise Exception("Unexpected CTRL-REQ-SIM type")
922 rid = p[0].split('-')[3]
923 # This will fail during UMTS auth validation
924 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
925 raise Exception("CTRL-RSP-SIM failed")
926 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
928 raise Exception("EAP failure not reported")
929 dev[0].request("DISCONNECT")
930 dev[0].wait_disconnected()
932 dev[0].dump_monitor()
934 tests = [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
936 ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
937 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
938 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
939 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
940 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
942 dev[0].select_network(id, freq="2412")
943 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
945 raise Exception("Wait for external SIM processing request timed out")
947 if p[1] != "UMTS-AUTH":
948 raise Exception("Unexpected CTRL-REQ-SIM type")
949 rid = p[0].split('-')[3]
950 # This will fail during UMTS auth validation
951 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
952 raise Exception("CTRL-RSP-SIM failed")
953 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
955 raise Exception("EAP failure not reported")
956 dev[0].request("DISCONNECT")
957 dev[0].wait_disconnected()
959 dev[0].dump_monitor()
961 def test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
962 """EAP-AKA with external UMTS auth and auth failing"""
964 _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev)
966 dev[0].request("SET external_sim 0")
968 def _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
969 check_hlr_auc_gw_support()
970 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
971 hostapd.add_ap(apdev[0]['ifname'], params)
972 dev[0].request("SET external_sim 1")
973 id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
974 identity="0232010000000000",
975 wait_connect=False, scan_freq="2412")
977 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
979 raise Exception("Wait for external SIM processing request timed out")
981 rid = p[0].split('-')[3]
982 dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-FAIL")
983 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
985 raise Exception("EAP failure not reported")
986 dev[0].request("REMOVE_NETWORK all")
987 dev[0].wait_disconnected()
def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'"""
    check_hlr_auc_gw_support()
    ssid = "test-wpa2-eap"
    good_password = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    hapd = hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))

    # Baseline: full EAP-AKA' authentication, data path check, fast reauth.
    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password=good_password)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA'")

    logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
    # dev[1] offers both AKA' and AKA; the "@both" realm presumably selects
    # the matching server-side user entry - verify against auth_serv config.
    dev[1].connect(ssid, key_mgmt="WPA-EAP", eap="AKA' AKA",
                   identity="6555444333222111@both",
                   password=good_password,
                   wait_connect=False, scan_freq="2412")
    dev[1].wait_connected(timeout=15)

    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    # Same identity, first byte of the key corrupted: must be rejected.
    bad_password = "ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password=bad_password, expect_failure=True)
1012 def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
1013 """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
1014 check_hlr_auc_gw_support()
1018 raise HwsimSkip("No sqlite3 module available")
1019 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
1020 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1021 params['auth_server_port'] = "1814"
1022 hostapd.add_ap(apdev[0]['ifname'], params)
1023 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
1024 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
1026 logger.info("AKA' fast re-authentication")
1027 eap_reauth(dev[0], "AKA'")
1029 logger.info("AKA' full auth with pseudonym")
1032 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
1033 eap_reauth(dev[0], "AKA'")
1035 logger.info("AKA' full auth with permanent identity")
1038 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
1039 cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
1040 eap_reauth(dev[0], "AKA'")
1042 logger.info("AKA' reauth with mismatching k_aut")
1045 cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
1046 eap_reauth(dev[0], "AKA'", expect_failure=True)
1047 dev[0].request("REMOVE_NETWORK all")
1049 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
1050 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
1053 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
1054 eap_reauth(dev[0], "AKA'")
1057 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
1058 logger.info("AKA' reauth with mismatching counter")
1059 eap_reauth(dev[0], "AKA'")
1060 dev[0].request("REMOVE_NETWORK all")
1062 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
1063 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
1066 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
1067 logger.info("AKA' reauth with max reauth count reached")
1068 eap_reauth(dev[0], "AKA'")
1070 def test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
1071 """EAP-AKA' with external UMTS auth and auth failing"""
1073 _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev)
1075 dev[0].request("SET external_sim 0")
1077 def _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
1078 check_hlr_auc_gw_support()
1079 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1080 hostapd.add_ap(apdev[0]['ifname'], params)
1081 dev[0].request("SET external_sim 1")
1082 id = dev[0].connect("test-wpa2-eap", eap="AKA'", key_mgmt="WPA-EAP",
1083 identity="6555444333222111",
1084 wait_connect=False, scan_freq="2412")
1086 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
1088 raise Exception("Wait for external SIM processing request timed out")
1089 p = ev.split(':', 2)
1090 rid = p[0].split('-')[3]
1091 dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-FAIL")
1092 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
1094 raise Exception("EAP failure not reported")
1095 dev[0].request("REMOVE_NETWORK all")
1096 dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    ssid = "test-wpa2-eap"
    hapd = hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    # Sanity check: the AP must advertise WPA-EAP as its first AKM.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # PAP inside the TLS tunnel; the server is validated against ca.pem.
    ttls_opts = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_opts)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    # Requested and selected AKM must both be 00-0f-ac-1 (IEEE 802.1X).
    expected_mib = [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
                    ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1")]
    check_mib(dev[0], expected_mib)
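def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    # Both matching options depend on the TLS library in use; skip otherwise.
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # The returned hostapd handle is not needed here, so it is not kept.
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Server identity is constrained twice: by subject DN (subject_match)
    # and by the subjectAltName entries listed in altsubject_match.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
    eap_reauth(dev[0], "TTLS")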
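def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Unused hostapd handle dropped; only the AP needs to exist.
    hostapd.add_ap(apdev[0]['ifname'], params)
    ttls_pap = dict(anonymous_identity="ttls",
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                    expect_failure=True)
    # Known user with the wrong password: authentication must fail.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", password="wrong",
                **ttls_pap)
    # Correct password for "user", but presumably that account is not
    # enabled for PAP on the test server (verify in auth_serv config),
    # so this must fail as well.
    eap_connect(dev[1], apdev[0], "TTLS", "user", password="password",
                **ttls_pap)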
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    # CHAP is MD5-based, so it is skipped when the build runs in FIPS mode.
    skip_with_fips(dev[0])
    ap_ifname = apdev[0]['ifname']
    hapd = hostapd.add_ap(ap_ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Uses the DER-encoded CA (ca.der) rather than the PEM most tests use.
    chap_opts = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", **chap_opts)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
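def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and altsubject_match"""
    # CHAP is MD5-based (skipped under FIPS); altsubject_match depends on
    # the TLS library.
    skip_with_fips(dev[0])
    check_altsubject_match_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Unused hostapd handle dropped.
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Same altSubjectName set as the PAP variant, in a different order, to
    # check that matching does not depend on entry order.
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match="EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi")
    eap_reauth(dev[0], "TTLS")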
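def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Unused hostapd handle dropped.
    hostapd.add_ap(apdev[0]['ifname'], params)
    ttls_chap = dict(anonymous_identity="ttls",
                     ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
                     expect_failure=True)
    # Wrong password for the CHAP user: must fail.
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", password="wrong",
                **ttls_chap)
    # Correct password for "user", which presumably is not enabled for
    # CHAP on the test server (verify in auth_serv config): must fail.
    eap_connect(dev[1], apdev[0], "TTLS", "user", password="password",
                **ttls_chap)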
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
    skip_with_fips(dev[0])
    check_domain_suffix_match(dev[0])
    ssid = "test-wpa2-eap"
    hapd = hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    common = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAP")

    # 1) Normal run; server identity additionally pinned by domain suffix.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user", password="password",
                domain_suffix_match="server.w1.fi", **common)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    dev[0].request("REMOVE_NETWORK all")

    # 2) Same credentials with a small EAP fragment size to force
    #    fragmentation of the TLS exchange.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user", password="password",
                fragment_size="200", **common)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # 3) Password supplied as the NT password hash instead of cleartext.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                **common)
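def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Unused hostapd handle dropped.
    hostapd.add_ap(apdev[0]['ifname'], params)
    ttls_mschap = dict(anonymous_identity="ttls",
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                       expect_failure=True)
    # Three rejection cases: wrong password, a user presumably not enabled
    # for MSCHAP (verify in auth_serv config), and an unknown user. All
    # must end in EAP failure rather than a connection.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user", password="wrong",
                **ttls_mschap)
    eap_connect(dev[1], apdev[0], "TTLS", "user", password="password",
                **ttls_mschap)
    eap_connect(dev[2], apdev[0], "TTLS", "no such user", password="password",
                **ttls_mschap)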
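def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # Identity carries a Windows-style "DOMAIN\user" prefix. The backslash
    # is escaped so the literal stays a single backslash: a bare "\m" is an
    # invalid escape sequence in Python 3 (warning now, error later).
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    # Snapshot the AP-side 802.1X counters before and after a reauth so we
    # can verify the reauthentication really went through the backend.
    sta1 = hapd.get_sta(dev[0].p2p_interface_addr())
    eapol1 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(dev[0].p2p_interface_addr())
    eapol2 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # Same user, password given as the NT password hash (password_hex=hash:...).
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")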
1249 def test_ap_wpa2_eap_ttls_invalid_phase2(dev, apdev):
1250 """EAP-TTLS with invalid phase2 parameter values"""
1251 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1252 hostapd.add_ap(apdev[0]['ifname'], params)
1253 tests = [ "auth=MSCHAPv2", "auth=MSCHAPV2 autheap=MD5",
1254 "autheap=MD5 auth=MSCHAPV2", "auth=PAP auth=CHAP",
1255 "autheap=MD5 autheap=FOO autheap=MSCHAPV2" ]
1257 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1258 identity="DOMAIN\mschapv2 user",
1259 anonymous_identity="ttls", password="password",
1260 ca_cert="auth_serv/ca.pem", phase2=t,
1261 wait_connect=False, scan_freq="2412")
1262 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=10)
1263 if ev is None or "method=21" not in ev:
1264 raise Exception("EAP-TTLS not started")
1265 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method",
1266 "CTRL-EVENT-CONNECTED"], timeout=5)
1267 if ev is None or "CTRL-EVENT-CONNECTED" in ev:
1268 raise Exception("No EAP-TTLS failure reported for phase2=" + t)
1269 dev[0].request("REMOVE_NETWORK all")
1270 dev[0].wait_disconnected()
1271 dev[0].dump_monitor()
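def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and domain_suffix_match"""
    # Suffix-only matching ("w1.fi" against server.w1.fi) needs a TLS
    # library that supports it; the internal library requires a full match.
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # Backslash escaped: a bare "\m" is an invalid escape in Python 3.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")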
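def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
    check_domain_match(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # domain_match is given with mixed case ("Server.w1.fi") against the
    # server certificate's server.w1.fi, exercising case-insensitive
    # host name comparison. Backslash escaped for Python 3.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")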
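def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Unused hostapd handle dropped.
    hostapd.add_ap(apdev[0]['ifname'], params)
    ttls_mschapv2 = dict(anonymous_identity="ttls",
                         ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                         expect_failure=True)
    # Near-miss password ("password1") for the domain user; backslash
    # escaped since a bare "\m" is an invalid escape in Python 3.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                password="password1", **ttls_mschapv2)
    # Correct password for "user", presumably not enabled for MSCHAPv2 on
    # the test server (verify in auth_serv config): must also fail.
    eap_connect(dev[1], apdev[0], "TTLS", "user",
                password="password", **ttls_mschapv2)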
1315 def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
1316 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
1317 skip_with_fips(dev[0])
1318 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1319 hostapd.add_ap(apdev[0]['ifname'], params)
1320 hapd = hostapd.Hostapd(apdev[0]['ifname'])
1321 eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
1322 anonymous_identity="ttls", password="secret-åäö-€-password",
1323 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
1324 eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
1325 anonymous_identity="ttls",
1326 password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
1327 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
1328 for p in [ "80", "41c041e04141e041", 257*"41" ]:
1329 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
1330 eap="TTLS", identity="utf8-user-hash",
1331 anonymous_identity="ttls", password_hex=p,
1332 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1333 wait_connect=False, scan_freq="2412")
1334 ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=1)
1336 raise Exception("No failure reported")
1337 dev[2].request("REMOVE_NETWORK all")
1338 dev[2].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    ssid = "test-wpa2-eap"
    hapd = hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    # "autheap=GTC": the inner method is EAP-GTC (EAP inside TTLS), as
    # opposed to the non-EAP "auth=..." variants.
    gtc_opts = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    eap_connect(dev[0], apdev[0], "TTLS", "user", **gtc_opts)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
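def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Unused hostapd handle dropped.
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Wrong password over inner EAP-GTC must end in EAP failure.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                expect_failure=True)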
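def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Unused hostapd handle dropped.
    hostapd.add_ap(apdev[0]['ifname'], params)
    # "user-no-passwd" presumably has no password configured on the server
    # (verify in auth_serv config); offering one must not be accepted.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                expect_failure=True)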
1368 def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
1369 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
1370 params = int_eap_server_params()
1371 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1372 with alloc_fail(hapd, 1, "eap_gtc_init"):
1373 eap_connect(dev[0], apdev[0], "TTLS", "user",
1374 anonymous_identity="ttls", password="password",
1375 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
1376 expect_failure=True)
1377 dev[0].request("REMOVE_NETWORK all")
1379 with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
1380 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1381 eap="TTLS", identity="user",
1382 anonymous_identity="ttls", password="password",
1383 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
1384 wait_connect=False, scan_freq="2412")
1385 # This would eventually time out, but we can stop after having reached
1386 # the allocation failure.
1389 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1392 def test_ap_wpa2_eap_ttls_eap_gtc_oom(dev, apdev):
1393 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC (OOM)"""
1394 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1395 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1397 tests = [ "eap_gtc_init",
1398 "eap_msg_alloc;eap_gtc_process" ]
1400 with alloc_fail(dev[0], 1, func):
1401 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
1403 eap="TTLS", identity="user",
1404 anonymous_identity="ttls", password="password",
1405 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
1407 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
1408 dev[0].request("REMOVE_NETWORK all")
1409 dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    # EAP-MD5 is optional in the build; skip if absent.
    check_eap_capa(dev[0], "MD5")
    ssid = "test-wpa2-eap"
    hapd = hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    md5_opts = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], apdev[0], "TTLS", "user", **md5_opts)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
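def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    check_eap_capa(dev[0], "MD5")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Unused hostapd handle dropped.
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Wrong password over inner EAP-MD5 must end in EAP failure.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)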
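def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    check_eap_capa(dev[0], "MD5")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Unused hostapd handle dropped.
    hostapd.add_ap(apdev[0]['ifname'], params)
    # "user-no-passwd" presumably has no password on the server (verify in
    # auth_serv config); the offered password must not be accepted.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)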
1442 def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
1443 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
1444 check_eap_capa(dev[0], "MD5")
1445 params = int_eap_server_params()
1446 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1447 with alloc_fail(hapd, 1, "eap_md5_init"):
1448 eap_connect(dev[0], apdev[0], "TTLS", "user",
1449 anonymous_identity="ttls", password="password",
1450 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1451 expect_failure=True)
1452 dev[0].request("REMOVE_NETWORK all")
1454 with alloc_fail(hapd, 1, "eap_md5_buildReq"):
1455 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1456 eap="TTLS", identity="user",
1457 anonymous_identity="ttls", password="password",
1458 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1459 wait_connect=False, scan_freq="2412")
1460 # This would eventually time out, but we can stop after having reached
1461 # the allocation failure.
1464 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ssid = "test-wpa2-eap"
    hapd = hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    inner = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                 phase2="autheap=MSCHAPV2")

    # Positive case: EAP-MSCHAPv2 as the inner EAP method, then reauth.
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password", **inner)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # Near-miss password must be rejected.
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password1",
                expect_failure=True, **inner)
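def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Unused hostapd handle dropped.
    hostapd.add_ap(apdev[0]['ifname'], params)
    # "user-no-passwd" presumably has no password on the server (verify in
    # auth_serv config); the offered password must not be accepted.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                expect_failure=True)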
1495 def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
1496 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
1497 check_eap_capa(dev[0], "MSCHAPV2")
1498 params = int_eap_server_params()
1499 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1500 with alloc_fail(hapd, 1, "eap_mschapv2_init"):
1501 eap_connect(dev[0], apdev[0], "TTLS", "user",
1502 anonymous_identity="ttls", password="password",
1503 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1504 expect_failure=True)
1505 dev[0].request("REMOVE_NETWORK all")
1507 with alloc_fail(hapd, 1, "eap_mschapv2_build_challenge"):
1508 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1509 eap="TTLS", identity="user",
1510 anonymous_identity="ttls", password="password",
1511 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1512 wait_connect=False, scan_freq="2412")
1513 # This would eventually time out, but we can stop after having reached
1514 # the allocation failure.
1517 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1519 dev[0].request("REMOVE_NETWORK all")
1521 with alloc_fail(hapd, 1, "eap_mschapv2_build_success_req"):
1522 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1523 eap="TTLS", identity="user",
1524 anonymous_identity="ttls", password="password",
1525 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1526 wait_connect=False, scan_freq="2412")
1527 # This would eventually time out, but we can stop after having reached
1528 # the allocation failure.
1531 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1533 dev[0].request("REMOVE_NETWORK all")
1535 with alloc_fail(hapd, 1, "eap_mschapv2_build_failure_req"):
1536 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1537 eap="TTLS", identity="user",
1538 anonymous_identity="ttls", password="wrong",
1539 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1540 wait_connect=False, scan_freq="2412")
1541 # This would eventually time out, but we can stop after having reached
1542 # the allocation failure.
1545 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1547 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    # EAP-AKA tunnelled inside TTLS; the outer identity uses an "@ttls"
    # realm while the inner identity is the bare IMSI-style value.
    aka_in_ttls = dict(
        anonymous_identity="0232010000000000@ttls",
        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
        ca_cert="auth_serv/ca.pem",
        phase2="autheap=AKA",
    )
    eap_connect(dev[0], apdev[0], "TTLS", "0232010000000000", **aka_in_ttls)
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    # Same AKA credentials as the TTLS variant, but tunnelled in PEAP and
    # with an "@peap" outer realm.
    aka_in_peap = dict(
        anonymous_identity="0232010000000000@peap",
        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
        ca_cert="auth_serv/ca.pem",
        phase2="auth=AKA",
    )
    eap_connect(dev[0], apdev[0], "PEAP", "0232010000000000", **aka_in_peap)
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    check_eap_capa(dev[0], "FAST")
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    # EAP-FAST with in-band PAC provisioning (fast_provisioning=2); the
    # PAC is kept in a named blob so it persists only inside wpa_supplicant.
    aka_in_fast = dict(
        anonymous_identity="0232010000000000@fast",
        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
        phase1="fast_provisioning=2",
        pac_file="blob://fast_pac_auth_aka",
        ca_cert="auth_serv/ca.pem",
        phase2="auth=AKA",
    )
    eap_connect(dev[0], apdev[0], "FAST", "0232010000000000", **aka_in_fast)
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ssid = "test-wpa2-eap"
    hapd = hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    peap = dict(anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2")

    # 1) Normal authentication, data path check and reauth.
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password", **peap)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")
    dev[0].request("REMOVE_NETWORK all")

    # 2) Same credentials with a small EAP fragment size.
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                fragment_size="200", **peap)

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # 3) Password supplied as the NT password hash.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **peap)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # 4) Near-miss password must be rejected.
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password1",
                expect_failure=True, **peap)
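def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # The identity is "DOMAIN\user3" with a single backslash. It must be
    # written as "\\u" here: a bare "\user3" is parsed as a \uXXXX unicode
    # escape in Python 3 and is a SyntaxError (not a valid hex sequence).
    eap_connect(dev[0], apdev[0], "PEAP", "DOMAIN\\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")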
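def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Unused hostapd handle dropped.
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Wrong password over inner EAP-MSCHAPv2 must end in EAP failure.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)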
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding

    dev[0] requires crypto binding (crypto_binding=2) and is also used for
    the connectivity and reauthentication checks; dev[1] connects with
    crypto_binding=1 and dev[2] with crypto_binding=0.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect_with_binding(sta, binding):
        # Only the crypto_binding value differs between the three stations.
        eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=%d" % binding,
                    phase2="auth=MSCHAPV2")

    connect_with_binding(dev[0], 2)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    connect_with_binding(dev[1], 1)
    connect_with_binding(dev[2], 0)
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM

    The first eap_mschapv2_getKey() allocation on the server is forced to
    fail while the peer requires crypto binding; the peer must report a
    failure (expect_failure=True, local_error_report=True).
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    with alloc_fail(hapd, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
1663 def test_ap_wpa2_eap_peap_params(dev, apdev):
1664 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
# NOTE(review): this listing skips several source lines inside this function
# (the numbering jumps before each bare `raise` that follows a wait_event()
# call, inside two connect() calls, and in the first `tests` list). The code
# is kept exactly as shown rather than reconstructed.
1665 check_eap_capa(dev[0], "MSCHAPV2")
1666 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1667 hostapd.add_ap(apdev[0]['ifname'], params)
# PEAPv0 with peaplabel=1 is expected to fail (expect_failure=True).
1668 eap_connect(dev[0], apdev[0], "PEAP", "user",
1669 anonymous_identity="peap", password="password",
1670 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1671 phase1="peapver=0 peaplabel=1",
1672 expect_failure=True)
1673 dev[0].request("REMOVE_NETWORK all")
# peap_outer_success=0: EAP success is reported but, per the comment below,
# the connection itself is not expected to complete.
1674 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1676 anonymous_identity="peap", password="password",
1677 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1678 phase1="peap_outer_success=0",
1679 wait_connect=False, scan_freq="2412")
1680 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
1682 raise Exception("No EAP success seen")
1683 # This won't succeed to connect with peap_outer_success=0, so stop here.
1684 dev[0].request("REMOVE_NETWORK all")
1685 dev[0].wait_disconnected()
# peap_outer_success=1 and =2 are expected to connect normally.
1686 eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
1687 ca_cert="auth_serv/ca.pem",
1688 phase1="peap_outer_success=1",
1689 phase2="auth=MSCHAPV2")
1690 eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
1691 ca_cert="auth_serv/ca.pem",
1692 phase1="peap_outer_success=2",
1693 phase2="auth=MSCHAPV2")
# PEAPv1 with peaplabel=1: EAP success must be seen, but no connection
# may follow within one second.
1694 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1696 anonymous_identity="peap", password="password",
1697 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1698 phase1="peapver=1 peaplabel=1",
1699 wait_connect=False, scan_freq="2412")
1700 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
1702 raise Exception("No EAP success seen")
1703 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
1705 raise Exception("Unexpected connection")
# (anonymous identity, phase1) pairs whose PEAP version agrees with what
# the server side uses for that identity: these must connect.
1707 tests = [ ("peap-ver0", ""),
1709 ("peap-ver0", "peapver=0"),
1710 ("peap-ver1", "peapver=1") ]
1711 for anon,phase1 in tests:
1712 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1713 identity="user", anonymous_identity=anon,
1714 password="password", phase1=phase1,
1715 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1717 dev[0].request("REMOVE_NETWORK all")
1718 dev[0].wait_disconnected()
# Mismatched peapver for the same identities: each must end in
# CTRL-EVENT-EAP-FAILURE rather than a connection.
1720 tests = [ ("peap-ver0", "peapver=1"),
1721 ("peap-ver1", "peapver=0") ]
1722 for anon,phase1 in tests:
1723 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1724 identity="user", anonymous_identity=anon,
1725 password="password", phase1=phase1,
1726 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1727 wait_connect=False, scan_freq="2412")
1728 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
1730 raise Exception("No EAP-Failure seen")
1731 dev[0].request("REMOVE_NETWORK all")
1732 dev[0].wait_disconnected()
# Exercise the TLS tuning knobs in phase1. Note that tls_allow_md5=1 and
# tls_disable_tlsv1_0=0 / tls_disable_tlsv1_1=0 re-enable weak options;
# they are set here only to cover the parameter parsing.
1734 eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
1735 ca_cert="auth_serv/ca.pem",
1736 phase1="tls_allow_md5=1 tls_disable_session_ticket=1 tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=0 tls_ext_cert_check=0",
1737 phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS

    Phase 2 is EAP-TLS, so the inner method gets its own CA, client
    certificate and private key through the *2 parameters.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner_tls = dict(ca_cert2="auth_serv/ca.pem",
                     client_cert2="auth_serv/user.pem",
                     private_key2="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS", **inner_tls)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS

    Certificate-based client authentication followed by a reauthentication.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    eap_reauth(dev[0], "TLS")
def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key

    The private key is an encrypted PKCS #8 file, so its passphrase is
    passed alongside it (private_key_passwd).
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    key_args = dict(private_key="auth_serv/user.key.pkcs8",
                    private_key_passwd="whatever")
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem", **key_args)
def test_eap_tls_pkcs8_pkcs5_v15(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key

    Same as the DES3 variant but with a PKCS #5 v1.5 encrypted key file.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    key_args = dict(private_key="auth_serv/user.key.pkcs8.pkcs5v15",
                    private_key_passwd="whatever")
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem", **key_args)
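def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs

    The CA certificate, client certificate and private key are pushed into
    wpa_supplicant as named blobs ("SET blob <name> <hex>") and then
    referenced with blob:// URIs instead of file paths.

    Fix: the error raised when the "userkey" blob cannot be set now names
    that blob; the original reported "cacert" for it.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    def set_blob(name, path):
        # read_pem() output is hex-encoded for the control interface, as in
        # the original (assumes it returns a str with .encode("hex")).
        data = read_pem(path)
        if "OK" not in dev[0].request("SET blob " + name + " " + data.encode("hex")):
            raise Exception("Could not set %s blob" % name)

    set_blob("cacert", "auth_serv/ca.pem")
    set_blob("usercert", "auth_serv/user.pem")
    set_blob("userkey", "auth_serv/user.rsa-key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")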
def test_ap_wpa2_eap_tls_blob_missing(dev, apdev):
    """EAP-TLS and config blob missing

    All three credential references point at a blob that was never set;
    wpa_supplicant must refuse to initialize the EAP method instead of
    proceeding without certificates.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    missing = "blob://testing-blob-does-not-exist"
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert=missing, client_cert=missing, private_key=missing,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the listing omits the guard line before this raise;
    # restored as the usual None check on wait_event().
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_with_tls_len(dev, apdev):
    """EAP-TLS and TLS Message Length in unfragmented packets

    include_tls_length=1 asks the peer to include the TLS Message Length
    field even when no fragmentation takes place.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                phase1="include_tls_length=1",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
1819 def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
1820 """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
# NOTE(review): this listing skips lines inside this function (the guard
# before the passphrase-timeout raise and two lines inside the final loop,
# one of which presumably passes `pkcs12` as private_key). The code is kept
# as shown rather than reconstructed.
1821 check_pkcs12_support(dev[0])
1822 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1823 hostapd.add_ap(apdev[0]['ifname'], params)
# Client certificate and key come from one PKCS#12 bundle; no client_cert
# parameter is needed.
1824 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1825 private_key="auth_serv/user.pkcs12",
1826 private_key_passwd="whatever")
1827 dev[0].request("REMOVE_NETWORK all")
1828 dev[0].wait_disconnected()
# Second pass without private_key_passwd: wpa_supplicant must ask for the
# passphrase over the control interface (CTRL-REQ-PASSPHRASE) and accept
# the CTRL-RSP-PASSPHRASE-<id> reply.
1830 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
1831 identity="tls user",
1832 ca_cert="auth_serv/ca.pem",
1833 private_key="auth_serv/user.pkcs12",
1834 wait_connect=False, scan_freq="2412")
1835 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
1837 raise Exception("Request for private key passphrase timed out")
# The request id is the last '-'-separated token of the event prefix.
1838 id = ev.split(':')[0].split('-')[-1]
1839 dev[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
1840 dev[0].wait_connected(timeout=10)
1841 dev[0].request("REMOVE_NETWORK all")
1842 dev[0].wait_disconnected()
1844 # Run this twice to verify certificate chain handling with OpenSSL. Use two
1845 # different files to cover both cases of the extra certificate being the
1846 # one that signed the client certificate and it being unrelated to the
1847 # client certificate.
1848 for pkcs12 in "auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12":
1850 eap_connect(dev[0], apdev[0], "TLS", "tls user",
1851 ca_cert="auth_serv/ca.pem",
1853 private_key_passwd="whatever")
1854 dev[0].request("REMOVE_NETWORK all")
1855 dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob

    The CA certificate (PEM) and the PKCS#12 bundle (binary) are both
    installed as blobs and referenced via blob:// URIs.
    """
    check_pkcs12_support(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def set_blob(name, raw):
        if "OK" not in dev[0].request("SET blob " + name + " " + raw.encode("hex")):
            raise Exception("Could not set %s blob" % name)

    set_blob("cacert", read_pem("auth_serv/ca.pem"))
    # The PKCS#12 file is binary, hence the "rb" open before hex encoding.
    with open("auth_serv/user.pkcs12", "rb") as f:
        set_blob("pkcs12", f.read())
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root

    Both stations trust a CA that did not issue the server certificate:
    dev[0] through a "cacert" blob, dev[1] through a file path. Each must
    report, in order, a TLS certificate error, EAP failure, disconnection
    and temporary disabling of the network block.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    wrong_ca = read_pem("auth_serv/ca-incorrect.pem")
    if "OK" not in dev[0].request("SET blob cacert " + wrong_ca.encode("hex")):
        raise Exception("Could not set cacert blob")

    ttls = dict(key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                wait_connect=False, scan_freq="2412")
    dev[0].connect("test-wpa2-eap", ca_cert="blob://cacert", **ttls)
    dev[1].connect("test-wpa2-eap", ca_cert="auth_serv/ca-incorrect.pem",
                   **ttls)

    # NOTE(review): the listing omits the `if ev is None:` line before each
    # timeout raise; those checks are restored inside wait_for().
    def wait_for(sta, events, timeout, err):
        ev = sta.wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(err)
        return ev

    outcome = ["CTRL-EVENT-EAP-SUCCESS", "CTRL-EVENT-EAP-FAILURE",
               "CTRL-EVENT-CONNECTED", "CTRL-EVENT-DISCONNECTED"]

    for sta in (dev[0], dev[1]):
        wait_for(sta, ["CTRL-EVENT-EAP-STARTED"], 16,
                 "Association and EAP start timed out")

        ev = wait_for(sta, ["CTRL-EVENT-EAP-METHOD"], 10,
                      "EAP method selection timed out")
        if "TTLS" not in ev:
            raise Exception("Unexpected EAP method")

        ev = wait_for(sta, ["CTRL-EVENT-EAP-TLS-CERT-ERROR"] + outcome, 10,
                      "EAP result timed out")
        if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
            raise Exception("TLS certificate error not reported")

        ev = wait_for(sta, outcome, 10, "EAP result(2) timed out")
        if "CTRL-EVENT-EAP-FAILURE" not in ev:
            raise Exception("EAP failure not reported")

        ev = wait_for(sta, outcome[2:], 10, "EAP result(3) timed out")
        if "CTRL-EVENT-DISCONNECTED" not in ev:
            raise Exception("Disconnection not reported")

        wait_for(sta, ["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
                 "Network block disabling not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust

    Connect with the correct CA first, then add a second network block
    that trusts the wrong CA and select it: EAP-TTLS must be re-started
    and the station must be disconnected with reason=23 (IEEE 802.1X
    authentication failed).
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    ttls_pap = dict(key_mgmt="WPA-EAP", eap="TTLS",
                    identity="pap user", anonymous_identity="ttls",
                    password="password", phase2="auth=PAP",
                    scan_freq="2412")
    dev[0].connect("test-wpa2-eap", ca_cert="auth_serv/ca.pem",
                   wait_connect=True, **ttls_pap)
    net_id = dev[0].connect("test-wpa2-eap",
                            ca_cert="auth_serv/ca-incorrect.pem",
                            only_add_network=True, **ttls_pap)

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(net_id, freq="2412")

    # NOTE(review): the listing omits the guard before this raise; restored
    # as the usual None check on wait_event().
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"],
                           timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust

    Variant of test_ap_wpa2_eap_tls_diff_ca_trust where the first network
    block sets no ca_cert at all (so the server certificate is not
    validated for that connection); switching to the block with the wrong
    CA must still re-start EAP-TTLS and end in a reason=23 disconnection.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    ttls_pap = dict(key_mgmt="WPA-EAP", eap="TTLS",
                    identity="pap user", anonymous_identity="ttls",
                    password="password", phase2="auth=PAP",
                    scan_freq="2412")
    dev[0].connect("test-wpa2-eap", wait_connect=True, **ttls_pap)
    net_id = dev[0].connect("test-wpa2-eap",
                            ca_cert="auth_serv/ca-incorrect.pem",
                            only_add_network=True, **ttls_pap)

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(net_id, freq="2412")

    # NOTE(review): the listing omits the guard before this raise; restored
    # as the usual None check on wait_event().
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"],
                           timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust

    Single network block: connect with the correct CA, disconnect, then
    rewrite the block's ca_cert to the wrong CA in place and re-select it.
    EAP-TTLS must be re-started and the station disconnected with
    reason=23.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            ca_cert="auth_serv/ca.pem",
                            wait_connect=True, scan_freq="2412")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].set_network_quoted(net_id, "ca_cert", "auth_serv/ca-incorrect.pem")
    dev[0].select_network(net_id, freq="2412")

    # NOTE(review): the listing omits the guard before this raise; restored
    # as the usual None check on wait_event().
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"],
                           timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch

    domain_suffix_match names a suffix the server certificate does not
    carry. The expected sequence is a TLS certificate error mentioning
    "Domain suffix mismatch", then EAP failure, disconnection and
    temporary disabling of the network block.
    """
    check_domain_suffix_match(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_suffix_match="incorrect.example.com",
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the listing omits the `if ev is None:` line before each
    # timeout raise; those checks are restored inside wait_for().
    def wait_for(events, timeout, err):
        ev = dev[0].wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(err)
        return ev

    outcome = ["CTRL-EVENT-EAP-SUCCESS", "CTRL-EVENT-EAP-FAILURE",
               "CTRL-EVENT-CONNECTED", "CTRL-EVENT-DISCONNECTED"]

    wait_for(["CTRL-EVENT-EAP-STARTED"], 16,
             "Association and EAP start timed out")

    ev = wait_for(["CTRL-EVENT-EAP-METHOD"], 10,
                  "EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = wait_for(["CTRL-EVENT-EAP-TLS-CERT-ERROR"] + outcome, 10,
                  "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")

    ev = wait_for(outcome, 10, "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = wait_for(outcome[2:], 10, "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    wait_for(["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
             "Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch

    domain_match="w1.fi" requires a full-domain match that the server
    certificate does not satisfy. Expected: TLS certificate error with
    "Domain mismatch", then EAP failure, disconnection and temporary
    disabling of the network block.
    """
    check_domain_match(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_match="w1.fi",
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the listing omits the `if ev is None:` line before each
    # timeout raise; those checks are restored inside wait_for().
    def wait_for(events, timeout, err):
        ev = dev[0].wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(err)
        return ev

    outcome = ["CTRL-EVENT-EAP-SUCCESS", "CTRL-EVENT-EAP-FAILURE",
               "CTRL-EVENT-CONNECTED", "CTRL-EVENT-DISCONNECTED"]

    wait_for(["CTRL-EVENT-EAP-STARTED"], 16,
             "Association and EAP start timed out")

    ev = wait_for(["CTRL-EVENT-EAP-METHOD"], 10,
                  "EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = wait_for(["CTRL-EVENT-EAP-TLS-CERT-ERROR"] + outcome, 10,
                  "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    ev = wait_for(outcome, 10, "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = wait_for(outcome[2:], 10, "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    wait_for(["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
             "Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch

    subject_match is set to a DN the server certificate does not have.
    With OpenSSL the handshake must report "Subject mismatch" followed by
    EAP failure, disconnection and a temporarily disabled network block.
    With a TLS library that lacks subject_match support, the EAP method
    failing to initialize is also an acceptable (failed-closed) result.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   subject_match="/C=FI/O=w1.fi/CN=example.com",
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the listing omits the `if ev is None:` guards and the
    # early exit after the "not supported" log line; both are restored here.
    def wait_for(events, timeout, err):
        ev = dev[0].wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(err)
        return ev

    outcome = ["CTRL-EVENT-EAP-SUCCESS", "CTRL-EVENT-EAP-FAILURE",
               "CTRL-EVENT-CONNECTED", "CTRL-EVENT-DISCONNECTED"]

    wait_for(["CTRL-EVENT-EAP-STARTED"], 16,
             "Association and EAP start timed out")

    ev = wait_for(["CTRL-EVENT-EAP-METHOD",
                   "EAP: Failed to initialize EAP method"], 10,
                  "EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        if dev[0].request("GET tls_library").startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = wait_for(["CTRL-EVENT-EAP-TLS-CERT-ERROR"] + outcome, 10,
                  "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")

    ev = wait_for(outcome, 10, "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = wait_for(outcome[2:], 10, "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    wait_for(["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
             "Network block disabling not reported")
2178 def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
2179 """WPA2-Enterprise negative test - altsubject mismatch"""
# NOTE(review): this listing skips lines between the `tests` list and the
# helper call (further altsubject_match values and the loop header that
# binds `match`); the code is kept as shown rather than reconstructed.
2180 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2181 hostapd.add_ap(apdev[0]['ifname'], params)
# Each value is a subjectAltName pattern the server certificate must not
# satisfy; the bare form and the "DNS:" qualified form are both covered.
2183 tests = [ "incorrect.example.com",
2184 "DNS:incorrect.example.com",
2188 _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    """Run one altsubject_match negative case on dev[0].

    ``match`` is the altsubject_match value; it must not match the server
    certificate. With OpenSSL the expected sequence is a TLS certificate
    error carrying "AltSubject mismatch", then EAP failure, disconnection
    and a temporarily disabled network block. A TLS library without
    altsubject_match support may instead fail EAP method initialization,
    which is accepted. The network block is removed at the end.
    """
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   altsubject_match=match,
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the listing omits the `if ev is None:` guards and the
    # early exit after the "not supported" log line; both are restored here.
    def wait_for(events, timeout, err):
        ev = dev[0].wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(err)
        return ev

    outcome = ["CTRL-EVENT-EAP-SUCCESS", "CTRL-EVENT-EAP-FAILURE",
               "CTRL-EVENT-CONNECTED", "CTRL-EVENT-DISCONNECTED"]

    wait_for(["CTRL-EVENT-EAP-STARTED"], 16,
             "Association and EAP start timed out")

    ev = wait_for(["CTRL-EVENT-EAP-METHOD",
                   "EAP: Failed to initialize EAP method"], 10,
                  "EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        if dev[0].request("GET tls_library").startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = wait_for(["CTRL-EVENT-EAP-TLS-CERT-ERROR"] + outcome, 10,
                  "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    ev = wait_for(outcome, 10, "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = wait_for(outcome[2:], 10, "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    wait_for(["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
             "Network block disabling not reported")

    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS

    Server-only TLS authentication: the peer validates the server against
    ca_cert but presents no client certificate.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(dev[0], "UNAUTH-TLS")
def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash

    Three steps on dev[0]:
    1. probe the server certificate chain (ca_cert="probe://") and check
       that the depth=0 certificate event reports the expected hash;
    2. pin a different SHA-256 hash via hash://server/sha256/ and expect
       "Server certificate mismatch";
    3. pin the probed hash and connect normally.
    """
    check_cert_probe_support(dev[0])
    skip_with_fips(dev[0])
    srv_cert_hash = "e75bd454c7b02d312e5006d75067c28ffa5baea422effeb2bbd572179cd000ca"
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # NOTE(review): the listing omits the `if ev is None:` line before each
    # timeout raise; those checks are restored inside wait_for().
    def wait_for(events, timeout, err):
        ev = dev[0].wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(err)
        return ev

    # Step 1: certificate probe.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="probe", ca_cert="probe://",
                   wait_connect=False, scan_freq="2412")
    wait_for(["CTRL-EVENT-EAP-STARTED"], 16,
             "Association and EAP start timed out")
    ev = wait_for(["CTRL-EVENT-EAP-PEER-CERT depth=0"], 10,
                  "No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = wait_for(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], 10,
                  "EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    ttls = dict(key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2")

    # Step 2: pinned hash that does not match the server certificate.
    dev[0].connect("test-wpa2-eap",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412", **ttls)
    wait_for(["CTRL-EVENT-EAP-STARTED"], 16,
             "Association and EAP start timed out")
    ev = wait_for(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], 10,
                  "EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 3: the probed hash as the pin.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)

    Three malformed hash:// pins - an md5 algorithm, a too-short sha256
    value, and a non-hex character - are configured on dev[0..2]. Each
    must make EAP-TTLS fail at method initialization rather than be
    accepted as a (meaningless) pin.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    bad_pins = [
        "hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
    ]
    for i, pin in enumerate(bad_pins):
        dev[i].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity="DOMAIN\\mschapv2 user",
                       anonymous_identity="ttls",
                       password="password", phase2="auth=MSCHAPV2",
                       ca_cert=pin,
                       wait_connect=False, scan_freq="2412")

    # NOTE(review): the listing omits the `if ev is None:` line before each
    # raise below; restored as the usual None check on wait_event().
    for i in range(3):
        started = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
        if started is None:
            raise Exception("Association and EAP start timed out")
        failed = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
        if failed is None:
            raise Exception("Did not report EAP method initialization failure")
2331 def test_ap_wpa2_eap_pwd(dev, apdev):
2332 """WPA2-Enterprise connection using EAP-pwd"""
# NOTE(review): this listing skips the final argument line of the two
# long-identity eap_connect() calls below; the code is kept as shown
# rather than reconstructed.
2333 check_eap_capa(dev[0], "PWD")
2334 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2335 hostapd.add_ap(apdev[0]['ifname'], params)
# Basic connection and reauthentication with the shared secret.
2336 eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
2337 eap_reauth(dev[0], "PWD")
2338 dev[0].request("REMOVE_NETWORK all")
# Very long identity (NAI with a 100+ character realm) on a second station.
2340 eap_connect(dev[1], apdev[0], "PWD",
2341 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
2342 password="secret password",
# Wrong password must fail; local_error_report=True accepts a locally
# reported failure.
2345 logger.info("Negative test with incorrect password")
2346 eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
2347 expect_failure=True, local_error_report=True)
# Long identity again on dev[0] (its network block was removed above).
2349 eap_connect(dev[0], apdev[0], "PWD",
2350 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
2351 password="secret password",
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash

    dev[0] authenticates "pwd-hash" with the plaintext password and dev[1]
    with the equivalent NT hash (password_hex="hash:..."); dev[2] shows
    that the same hash does not authenticate "pwd user". Presumably the
    server-side entry for "pwd-hash" stores the NT hash (see
    auth_serv/eap_user.conf).
    """
    check_eap_capa(dev[0], "PWD")
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    nt_hash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    eap_connect(dev[0], apdev[0], "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], apdev[0], "PWD", "pwd-hash", password_hex=nt_hash)
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password_hex=nt_hash,
                expect_failure=True, local_error_report=True)
2367 def test_ap_wpa2_eap_pwd_groups(dev, apdev):
2368 """WPA2-Enterprise connection using various EAP-pwd groups"""
# NOTE(review): this listing skips the loop header that binds `i`, the
# try/except around eap_connect(), and the lines that end the except
# branch; the code is kept as shown rather than reconstructed.
2369 check_eap_capa(dev[0], "PWD")
2370 tls = dev[0].request("GET tls_library")
2371 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2372 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2373 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
# Group identifiers handed to hostapd as pwd_group; 27-30 are the
# Brainpool curves per the log message below.
2374 groups = [ 19, 20, 21, 25, 26 ]
2375 if tls.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
2376 logger.info("Add Brainpool EC groups since OpenSSL is new enough")
2377 groups += [ 27, 28, 29, 30 ]
# One AP instance per group: connect, then tear the network block down so
# the next group starts clean.
2379 logger.info("Group %d" % i)
2380 params['pwd_group'] = str(i)
2381 hostapd.add_ap(apdev[0]['ifname'], params)
2383 eap_connect(dev[0], apdev[0], "PWD", "pwd user",
2384 password="secret password")
2385 dev[0].request("REMOVE_NETWORK all")
2386 dev[0].wait_disconnected()
2387 dev[0].dump_monitor()
# A connection failure is tolerated only for group 25 with BoringSSL.
2389 if "BoringSSL" in tls and i in [ 25 ]:
2390 logger.info("Ignore connection failure with group %d with BoringSSL" % i)
2391 dev[0].request("DISCONNECT")
2393 dev[0].request("REMOVE_NETWORK all")
2394 dev[0].dump_monitor()
2398 def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
2399 """WPA2-Enterprise connection using invalid EAP-pwd group"""
# pwd_group="0" is not a usable EAP-pwd group; the station must report an
# EAP failure instead of connecting. NOTE(review): the `if ev is None:`
# guard preceding the raise is not shown in this rendering.
2400 check_eap_capa(dev[0], "PWD")
2401 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2402 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2403 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
2404 params['pwd_group'] = "0"
2405 hostapd.add_ap(apdev[0]['ifname'], params)
# wait_connect=False: the test waits for the failure event itself.
2406 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
2407 identity="pwd user", password="secret password",
2408 scan_freq="2412", wait_connect=False)
2409 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2411 raise Exception("Timeout on EAP failure report")
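def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation

    The AP's integrated EAP server is configured with a deliberately small
    ``fragment_size`` so that its EAP-pwd messages have to be fragmented;
    the station must still complete authentication.
    """
    check_eap_capa(dev[0], "PWD")
    # The AP configuration is built by hand (the wpa2_eap_params() helper
    # output was previously fetched and then discarded; that dead
    # assignment is gone) so that pwd_group and fragment_size can be set.
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
              "pwd_group": "19", "fragment_size": "40"}
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")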
2424 def test_ap_wpa2_eap_gpsk(dev, apdev):
2425 """WPA2-Enterprise connection using EAP-GPSK"""
# Connects with the 32-hex-digit PSK, reauthenticates, forces each cipher
# suite via phase1, checks an unknown cipher fails negotiation, then verifies
# a PSK with a different first byte is rejected. NOTE(review): the
# `if ev is None:` guards before the two raises are not shown in this
# rendering.
2426 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2427 hostapd.add_ap(apdev[0]['ifname'], params)
2428 id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
2429 password="abcdefghijklmnop0123456789abcdef")
2430 eap_reauth(dev[0], "GPSK")
2432 logger.info("Test forced algorithm selection")
# Changing phase1 on the live network triggers a reconnection; the test
# waits for EAP success and then for the connected state.
2433 for phase1 in [ "cipher=1", "cipher=2" ]:
2434 dev[0].set_network_quoted(id, "phase1", phase1)
2435 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
2437 raise Exception("EAP success timed out")
2438 dev[0].wait_connected(timeout=10)
2440 logger.info("Test failed algorithm negotiation")
# cipher=9 is not a defined GPSK cipher suite; negotiation must fail.
2441 dev[0].set_network_quoted(id, "phase1", "cipher=9")
2442 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2444 raise Exception("EAP failure timed out")
2446 logger.info("Negative test with incorrect password")
2447 dev[0].request("REMOVE_NETWORK all")
2448 eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
2449 password="ffcdefghijklmnop0123456789abcdef",
2450 expect_failure=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE

    Authenticates with the 64-hex-digit root secret, forces a
    reauthentication, then checks that a secret differing only in its
    first byte fails authentication.
    """
    sta, ap = dev[0], apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    good_key = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    bad_key = "ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

    eap_connect(sta, ap, "SAKE", "sake user", password_hex=good_key)
    eap_reauth(sta, "SAKE")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "SAKE", "sake user", password_hex=bad_key,
                expect_failure=True)
2466 def test_ap_wpa2_eap_eke(dev, apdev):
2467 """WPA2-Enterprise connection using EAP-EKE"""
# Connects with the shared password, reauthenticates, forces a set of
# dhgroup/encr/prf/mac combinations through phase1, checks that an
# unsupported combination fails negotiation, then checks a wrong password
# is rejected. NOTE(review): the `if ev is None:` guards before the two
# raises are not shown in this rendering.
2468 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2469 hostapd.add_ap(apdev[0]['ifname'], params)
2470 id = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
2471 eap_reauth(dev[0], "EKE")
2473 logger.info("Test forced algorithm selection")
# Each phase1 change on the live network triggers a fresh EAP exchange.
2474 for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
2475 "dhgroup=4 encr=1 prf=2 mac=2",
2476 "dhgroup=3 encr=1 prf=2 mac=2",
2477 "dhgroup=3 encr=1 prf=1 mac=1" ]:
2478 dev[0].set_network_quoted(id, "phase1", phase1)
2479 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
2481 raise Exception("EAP success timed out")
2482 dev[0].wait_connected(timeout=10)
2484 logger.info("Test failed algorithm negotiation")
# All-9 values are not defined EKE algorithm identifiers; expect failure.
2485 dev[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
2486 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2488 raise Exception("EAP failure timed out")
2490 logger.info("Negative test with incorrect password")
2491 dev[0].request("REMOVE_NETWORK all")
2492 eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
2493 expect_failure=True)
2495 def test_ap_wpa2_eap_eke_many(dev, apdev, params):
2496 """WPA2-Enterprise connection using EAP-EKE (many connections) [long]"""
# Stress test: 100 rounds of connect/disconnect per station, counting
# successes and failures. Only runs with --long. NOTE(review): the
# `success`/`fail` counter initialisation, the inner loop header over `j`,
# the `if ev is None:` guard and the counter updates are not shown in this
# rendering — consult the original file.
2497 if not params['long']:
2498 raise HwsimSkip("Skip test case with long duration due to --long not specified")
# `params` is rebound here from the test-framework dict to the AP config.
2499 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2500 hostapd.add_ap(apdev[0]['ifname'], params)
2503 for i in range(100):
2505 dev[j].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="EKE",
2506 identity="eke user", password="hello",
2507 phase1="dhgroup=3 encr=1 prf=1 mac=1",
2508 scan_freq="2412", wait_connect=False)
2510 ev = dev[j].wait_event(["CTRL-EVENT-CONNECTED",
2511 "CTRL-EVENT-DISCONNECTED"], timeout=15)
2513 raise Exception("No connected/disconnected event")
2514 if "CTRL-EVENT-DISCONNECTED" in ev:
2516 # The RADIUS server limits on active sessions can be hit when
2517 # going through this test case, so try to give some more time
2518 # for the server to remove sessions.
2519 logger.info("Failed to connect i=%d j=%d" % (i, j))
2520 dev[j].request("REMOVE_NETWORK all")
2524 dev[j].request("REMOVE_NETWORK all")
2525 dev[j].wait_disconnected()
2526 dev[j].dump_monitor()
2527 logger.info("Total success=%d failure=%d" % (success, fail))
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI

    Runs the integrated EAP server with an NAI-formatted ``server_id``
    and checks that the EAP-EKE exchange still completes.
    """
    ap_params = dict(int_eap_server_params(), server_id='example.server@w1.fi')
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
2536 def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
2537 """WPA2-Enterprise connection using EAP-EKE with server OOM"""
# Injects allocation failures into the hostapd (server-side) EAP-EKE code
# paths and verifies the authentication fails cleanly each time rather than
# crashing or succeeding. NOTE(review): this rendering dropped several lines
# (the polling loops, `break`s and the `try:` around the third loop);
# `except Exception, e:` at the end is Python 2 syntax.
2538 params = int_eap_server_params()
2539 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2540 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
# First group: failures in message build/process steps; eap_connect itself
# asserts the expected failure.
2542 for count,func in [ (1, "eap_eke_build_commit"),
2543 (2, "eap_eke_build_commit"),
2544 (3, "eap_eke_build_commit"),
2545 (1, "eap_eke_build_confirm"),
2546 (2, "eap_eke_build_confirm"),
2547 (1, "eap_eke_process_commit"),
2548 (2, "eap_eke_process_commit"),
2549 (1, "eap_eke_process_confirm"),
2550 (1, "eap_eke_process_identity"),
2551 (2, "eap_eke_process_identity"),
2552 (3, "eap_eke_process_identity"),
2553 (4, "eap_eke_process_identity") ]:
2554 with alloc_fail(hapd, count, func):
2555 eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello",
2556 expect_failure=True)
2557 dev[0].request("REMOVE_NETWORK all")
# Second group: early/late lifecycle functions. "wrong" as password for
# eap_eke_build_failure drives the server onto its failure-message path.
2559 for count,func,pw in [ (1, "eap_eke_init", "hello"),
2560 (1, "eap_eke_get_session_id", "hello"),
2561 (1, "eap_eke_getKey", "hello"),
2562 (1, "eap_eke_build_msg", "hello"),
2563 (1, "eap_eke_build_failure", "wrong"),
2564 (1, "eap_eke_build_identity", "hello"),
2565 (2, "eap_eke_build_identity", "hello") ]:
2566 with alloc_fail(hapd, count, func):
2567 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
2568 eap="EKE", identity="eke user", password=pw,
2569 wait_connect=False, scan_freq="2412")
2570 # This would eventually time out, but we can stop after having
2571 # reached the allocation failure.
# GET_ALLOC_FAIL starting with '0' is taken to mean the pending failure
# count has been consumed, i.e. the injected failure triggered.
2574 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2576 dev[0].request("REMOVE_NETWORK all")
# Third group: walk allocations inside eap_server_sm_step until the trigger
# no longer fires. `pw` here is the value left over from the previous loop
# (its last entry is "hello").
2578 for count in range(1, 1000):
2580 with alloc_fail(hapd, count, "eap_server_sm_step"):
2581 dev[0].connect("test-wpa2-eap",
2582 key_mgmt="WPA-EAP WPA-EAP-SHA256",
2583 eap="EKE", identity="eke user", password=pw,
2584 wait_connect=False, scan_freq="2412")
2585 # This would eventually time out, but we can stop after having
2586 # reached the allocation failure.
2589 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2591 dev[0].request("REMOVE_NETWORK all")
2592 except Exception, e:
# "Allocation failure did not trigger" marks the end of the reachable
# allocation sites; anything before a minimum count is treated as an error.
2593 if str(e) == "Allocation failure did not trigger":
2595 raise Exception("Too few allocation failures")
2596 logger.info("%d allocation failures tested" % (count - 1))
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2

    Runs EAP-IKEv2 on one station through several variants in sequence:
    default fragmentation plus a reauthentication, fragment_size="50",
    a wrong password that must fail, and fragment_size="0".
    """
    sta, ap = dev[0], apdev[0]
    check_eap_capa(sta, "IKEV2")
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect(password, **extra):
        # Every step uses the same identity; only password/extra options vary.
        eap_connect(sta, ap, "IKEV2", "ikev2 user", password=password, **extra)

    connect("ike password")
    eap_reauth(sta, "IKEV2")
    sta.request("REMOVE_NETWORK all")
    connect("ike password", fragment_size="50")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    connect("ike-password", expect_failure=True)
    sta.request("REMOVE_NETWORK all")

    connect("ike password", fragment_size="0")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
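def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation

    The integrated EAP server is given a small ``fragment_size`` so that
    its EAP-IKEv2 messages are fragmented; the station must authenticate
    and then reauthenticate successfully.
    """
    check_eap_capa(dev[0], "IKEV2")
    # The AP configuration is built by hand so fragment_size can be set;
    # the unused wpa2_eap_params() call that used to precede this dict
    # (its result was immediately overwritten) has been dropped.
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
              "fragment_size": "50"}
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")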
2636 def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
2637 """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
# Station-side fault injection: allocation failures in the DH helpers and a
# forced failure of os_get_random inside dh_init. Each case only needs to
# reach the injected failure; the connection is then torn down.
# NOTE(review): this rendering dropped lines (e.g. the `if ev is None:`
# guards and one entry of the first `tests` list).
2638 check_eap_capa(dev[0], "IKEV2")
2639 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2640 hostapd.add_ap(apdev[0]['ifname'], params)
2642 tests = [ (1, "dh_init"),
2644 (1, "dh_derive_shared") ]
2645 for count, func in tests:
2646 with alloc_fail(dev[0], count, func):
2647 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2648 identity="ikev2 user", password="ike password",
2649 wait_connect=False, scan_freq="2412")
# Wait until the EAP method has actually been selected so the failing
# function is reachable before checking the trigger.
2650 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2652 raise Exception("EAP method not selected")
# "0:" in the GET_ALLOC_FAIL reply presumably means the pending count has
# dropped to zero, i.e. the failure fired — TODO confirm against utils.
2654 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2657 dev[0].request("REMOVE_NETWORK all")
# fail_test uses the generic TEST_FAIL hook ("callee;caller" pattern).
2659 tests = [ (1, "os_get_random;dh_init") ]
2660 for count, func in tests:
2661 with fail_test(dev[0], count, func):
2662 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2663 identity="ikev2 user", password="ike password",
2664 wait_connect=False, scan_freq="2412")
2665 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2667 raise Exception("EAP method not selected")
2669 if "0:" in dev[0].request("GET_FAIL"):
2672 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX

    Authenticates with the 128-bit (32 hex digit) PAX key, forces a
    reauthentication, then checks that a key differing in its first byte
    fails authentication.
    """
    sta, ap = dev[0], apdev[0]
    identity = "pax.user@example.com"
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    eap_connect(sta, ap, "PAX", identity,
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(sta, "PAX")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PAX", identity,
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK

    Uses the SHA-256 AKM (WPA-EAP-SHA256) with management frame protection
    required (ieee80211w=2). After connecting and reauthenticating it
    checks the negotiated AKM via the MIB and the BSS flags, then verifies
    that a PSK with a different first byte is rejected.
    """
    sta, ap = dev[0], apdev[0]
    identity = "psk.user@example.com"
    good_psk = "0123456789abcdef0123456789abcdef"
    bad_psk = "ff23456789abcdef0123456789abcdef"

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params.update({"wpa_key_mgmt": "WPA-EAP-SHA256", "ieee80211w": "2"})
    hostapd.add_ap(ap['ifname'], params)

    eap_connect(sta, ap, "PSK", identity, password_hex=good_psk, sha256=True)
    eap_reauth(sta, "PSK", sha256=True)
    # 00-0f-ac-5 is the AKM suite selector for 802.1X with SHA-256.
    check_mib(sta, [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
                    ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5")])

    bss = sta.get_bss(ap['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    if "[WPA2-EAP-SHA256-CCMP]" not in bss['flags']:
        raise Exception("Unexpected BSS flags: " + bss['flags'])

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PSK", identity, password_hex=bad_psk, sha256=True,
                expect_failure=True)
2712 def test_ap_wpa2_eap_psk_oom(dev, apdev):
2713 """WPA2-Enterprise connection using EAP-PSK and OOM"""
# Station-side fault injection into the AES-EAX / OMAC1 / AES-CTR primitives
# used by EAP-PSK. Each case waits for the method to be selected, then for
# the injected failure to fire, then disconnects. NOTE(review): the
# `if ev is None:` guards before the raises are not shown in this rendering.
2714 skip_with_fips(dev[0])
2715 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2716 hostapd.add_ap(apdev[0]['ifname'], params)
# The leading '=' is part of the hwsim fail-trigger pattern syntax — see
# utils.alloc_fail for its exact meaning.
2717 tests = [ (1, "=aes_128_eax_encrypt"),
2718 (1, "=aes_128_eax_decrypt") ]
2719 for count, func in tests:
2720 with alloc_fail(dev[0], count, func):
2721 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2722 identity="psk.user@example.com",
2723 password_hex="0123456789abcdef0123456789abcdef",
2724 wait_connect=False, scan_freq="2412")
2725 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2727 raise Exception("EAP method not selected")
2728 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL",
2729 note="Failure not triggered: %d:%s" % (count, func))
2730 dev[0].request("REMOVE_NETWORK all")
2731 dev[0].wait_disconnected()
# Second group uses the generic TEST_FAIL hook with "callee;caller"
# patterns, e.g. omac1_aes_128 as called from aes_128_eax_encrypt.
2733 tests = [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
2734 (1, "omac1_aes_128;aes_128_eax_encrypt"),
2735 (2, "omac1_aes_128;aes_128_eax_encrypt"),
2736 (3, "omac1_aes_128;aes_128_eax_encrypt"),
2737 (1, "omac1_aes_vector"),
2738 (1, "omac1_aes_128;aes_128_eax_decrypt"),
2739 (2, "omac1_aes_128;aes_128_eax_decrypt"),
2740 (3, "omac1_aes_128;aes_128_eax_decrypt"),
2741 (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt") ]
2742 for count, func in tests:
2743 with fail_test(dev[0], count, func):
2744 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2745 identity="psk.user@example.com",
2746 password_hex="0123456789abcdef0123456789abcdef",
2747 wait_connect=False, scan_freq="2412")
2748 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2750 raise Exception("EAP method not selected")
2751 wait_fail_trigger(dev[0], "GET_FAIL",
2752 note="Failure not triggered: %d:%s" % (count, func))
2753 dev[0].request("REMOVE_NETWORK all")
2754 dev[0].wait_disconnected()
# A failing AES block encryption must surface as an explicit EAP failure.
2756 with fail_test(dev[0], 1, "aes_128_encrypt_block"):
2757 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2758 identity="psk.user@example.com",
2759 password_hex="0123456789abcdef0123456789abcdef",
2760 wait_connect=False, scan_freq="2412")
2761 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2763 raise Exception("EAP method failure not reported")
2764 dev[0].request("REMOVE_NETWORK all")
2765 dev[0].wait_disconnected()
2767 def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
2768 """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
# WPA (not WPA2) enterprise: rsn=False on the checks and the 00-50-f2-1 AKM
# selector (WPA OUI, 802.1X). Also verifies STATUS-VERBOSE exposes
# portControl and an EAP Session-Id. NOTE(review): the final argument line
# of the connect() call (originally line 2775) is not shown in this rendering.
2769 check_eap_capa(dev[0], "MSCHAPV2")
2770 params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
2771 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2772 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
2773 identity="user", password="password", phase2="auth=MSCHAPV2",
2774 ca_cert="auth_serv/ca.pem", wait_connect=False,
2776 eap_check_auth(dev[0], "PEAP", True, rsn=False)
2777 hwsim_utils.test_connectivity(dev[0], hapd)
2778 eap_reauth(dev[0], "PEAP", rsn=False)
2779 check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
2780 ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
2781 status = dev[0].get_status(extra="VERBOSE")
2782 if 'portControl' not in status:
2783 raise Exception("portControl missing from STATUS-VERBOSE")
2784 if status['portControl'] != 'Auto':
2785 raise Exception("Unexpected portControl value: " + status['portControl'])
2786 if 'eap_session_id' not in status:
2787 raise Exception("eap_session_id missing from STATUS-VERBOSE")
# The Session-Id is hex; a leading "19" (0x19 = 25) is consistent with the
# EAP-PEAP method type being its first byte.
2788 if not status['eap_session_id'].startswith("19"):
2789 raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
2791 def test_ap_wpa2_eap_interactive(dev, apdev):
2792 """WPA2-Enterprise connection using interactive identity/password entry"""
# Drives the CTRL-REQ-IDENTITY / CTRL-REQ-PASSWORD (or -OTP) request/response
# flow: for each case the network is configured without the credential,
# wpa_supplicant asks for it over the control interface, and the test answers
# with CTRL-RSP-*. NOTE(review): this rendering dropped lines (one tuple
# line in `tests`, the per-case logger.info(desc) and the `if ev is None:`
# guards).
2793 check_eap_capa(dev[0], "MSCHAPV2")
2794 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2795 hostapd.add_ap(apdev[0]['ifname'], params)
2796 hapd = hostapd.Hostapd(apdev[0]['ifname'])
# Tuple layout: (description, eap, anonymous_identity, identity, phase2,
# identity to supply on request or None, password to supply on request).
# "DOMAIN\mschapv2 user": `\m` is not a recognised escape, so Python keeps
# the backslash literally (newer Pythons warn); a raw string would be clearer.
2798 tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
2799 "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
2801 ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
2802 "TTLS", "ttls", None, "auth=MSCHAPV2",
2803 "DOMAIN\mschapv2 user", "password"),
2804 ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
2805 "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
2806 ("Connection with dynamic TTLS/EAP-MD5 password entry",
2807 "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
2808 ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
2809 "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
2810 ("Connection with dynamic PEAP/EAP-GTC password entry",
2811 "PEAP", None, "user", "auth=GTC", None, "password") ]
2812 for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
2814 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
2815 anonymous_identity=anon, identity=identity,
2816 ca_cert="auth_serv/ca.pem", phase2=phase2,
2817 wait_connect=False, scan_freq="2412")
# The identity request only arrives when identity=None above (req_id set).
2819 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
2821 raise Exception("Request for identity timed out")
# The request is "CTRL-REQ-<type>-<network id>:<text>"; extract the id.
2822 id = ev.split(':')[0].split('-')[-1]
2823 dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
2824 ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
2826 raise Exception("Request for password timed out")
2827 id = ev.split(':')[0].split('-')[-1]
# `type` shadows the builtin; a name like `req_type` would avoid that.
2828 type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
2829 dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
2830 dev[0].wait_connected(timeout=10)
2831 dev[0].request("REMOVE_NETWORK all")
2833 def test_ap_wpa2_eap_ext_enable_network_while_connected(dev, apdev):
2834 """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK"""
# Regression check: after an interactively supplied identity, enabling a
# second (unrelated, open) network must not make the station drop the
# current association and reconnect. NOTE(review): the `if ev is None:` /
# `if ev is not None:` guards before the raises are not shown in this
# rendering.
2835 check_eap_capa(dev[0], "MSCHAPV2")
2836 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2837 hostapd.add_ap(apdev[0]['ifname'], params)
2838 hapd = hostapd.Hostapd(apdev[0]['ifname'])
# Second network is added but not enabled (only_add_network=True).
2840 id_other = dev[0].connect("other", key_mgmt="NONE", scan_freq="2412",
2841 only_add_network=True)
2843 req_id = "DOMAIN\mschapv2 user"
2844 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2845 anonymous_identity="ttls", identity=None,
2846 password="password",
2847 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2848 wait_connect=False, scan_freq="2412")
2849 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
2851 raise Exception("Request for identity timed out")
2852 id = ev.split(':')[0].split('-')[-1]
2853 dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
2854 dev[0].wait_connected(timeout=10)
2856 if "OK" not in dev[0].request("ENABLE_NETWORK " + str(id_other)):
2857 raise Exception("Failed to enable network")
# A short wait: any authentication attempt here is a regression.
2858 ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=1)
2860 raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
2861 dev[0].request("REMOVE_NETWORK all")
2863 def test_ap_wpa2_eap_vendor_test(dev, apdev):
2864 """WPA2-Enterprise connection using EAP vendor test"""
# Exercises the expanded-type (vendor) EAP test method on dev[0], including
# a reauthentication, then a second station. NOTE(review): the remaining
# argument lines of the dev[1] eap_connect() call (originally 2870-2871)
# are not shown in this rendering.
2865 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2866 hostapd.add_ap(apdev[0]['ifname'], params)
2867 eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
2868 eap_reauth(dev[0], "VENDOR-TEST")
2869 eap_connect(dev[1], apdev[0], "VENDOR-TEST", "vendor-test",
2872 def test_ap_wpa2_eap_vendor_test_oom(dev, apdev):
2873 """WPA2-Enterprise connection using EAP vendor test (OOM)"""
# Station-side allocation failures in the vendor test method's init,
# process (via eap_msg_alloc) and getKey paths; each must fire and the
# station must disconnect cleanly. NOTE(review): the `for func in tests:`
# header and part of the connect() argument list are not shown in this
# rendering.
2874 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2875 hostapd.add_ap(apdev[0]['ifname'], params)
2877 tests = [ "eap_vendor_test_init",
2878 "eap_msg_alloc;eap_vendor_test_process",
2879 "eap_vendor_test_getKey" ]
2881 with alloc_fail(dev[0], 1, func):
2882 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
2884 eap="VENDOR-TEST", identity="vendor-test",
2886 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
2887 dev[0].request("REMOVE_NETWORK all")
2888 dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning

    ``fast_provisioning=1`` selects unauthenticated PAC provisioning on
    the first connection; the PAC kept in the ``fast_pac`` blob must then
    allow the reauthentication to resume the TLS session.
    """
    sta, ap = dev[0], apdev[0]
    check_eap_capa(sta, "FAST")
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    fast_cfg = dict(anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    eap_connect(sta, ap, "FAST", "user", **fast_cfg)
    hwsim_utils.test_connectivity(sta, hapd)

    # The reauthentication must be served from the PAC (TLS session
    # ticket) rather than a full handshake.
    res = eap_reauth(sta, "FAST")
    if res['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2904 def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
2905 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
# Provisions a PAC into a real file (text format for dev[0], binary for
# dev[1]) under the test logdir and reconnects using it. NOTE(review): this
# rendering dropped lines (the `data = f.read()`, the pac_file= arguments of
# several calls and the cleanup block before os.remove) — consult the
# original file before editing.
2906 check_eap_capa(dev[0], "FAST")
2907 pac_file = os.path.join(params['logdir'], "fast.pac")
2908 pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
# `params` is rebound from the framework dict to the AP configuration.
2909 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2910 hostapd.add_ap(apdev[0]['ifname'], params)
2913 eap_connect(dev[0], apdev[0], "FAST", "user",
2914 anonymous_identity="FAST", password="password",
2915 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2916 phase1="fast_provisioning=1", pac_file=pac_file)
# The text PAC file carries the PAC-Key in cleartext ("PAC-Key=" is what is
# checked for here), so in real deployments its file permissions matter.
2917 with open(pac_file, "r") as f:
2919 if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
2920 raise Exception("PAC file header missing")
2921 if "PAC-Key=" not in data:
2922 raise Exception("PAC-Key missing from PAC file")
2923 dev[0].request("REMOVE_NETWORK all")
# Reconnect without fast_provisioning: must succeed from the stored PAC.
2924 eap_connect(dev[0], apdev[0], "FAST", "user",
2925 anonymous_identity="FAST", password="password",
2926 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
# Same flow with the binary PAC format on the second station.
2929 eap_connect(dev[1], apdev[0], "FAST", "user",
2930 anonymous_identity="FAST", password="password",
2931 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2932 phase1="fast_provisioning=1 fast_pac_format=binary",
2934 dev[1].request("REMOVE_NETWORK all")
2935 eap_connect(dev[1], apdev[0], "FAST", "user",
2936 anonymous_identity="FAST", password="password",
2937 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2938 phase1="fast_pac_format=binary",
2946 os.remove(pac_file2)
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format

    Provisions a PAC in binary format (``fast_pac_format=binary``) with
    the PAC list capped at one entry, then checks the reauthentication
    resumes the TLS session from it.
    """
    sta, ap = dev[0], apdev[0]
    check_eap_capa(sta, "FAST")
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    phase1 = "fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary"
    eap_connect(sta, ap, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1=phase1, pac_file="blob://fast_pac_bin")

    reused = eap_reauth(sta, "FAST")['tls_session_reused']
    if reused != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2964 def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
2965 """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
# Two misconfigurations that must each end in an EAP failure rather than a
# connection: a pac_file blob with no PAC and no provisioning enabled, and
# no pac_file at all. NOTE(review): the `if ev is None:` guards before the
# raises are not shown in this rendering.
2966 check_eap_capa(dev[0], "FAST")
2967 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2968 hostapd.add_ap(apdev[0]['ifname'], params)
2970 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2971 identity="user", anonymous_identity="FAST",
2972 password="password",
2973 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2974 pac_file="blob://fast_pac_not_in_use",
2975 wait_connect=False, scan_freq="2412")
2976 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2978 raise Exception("Timeout on EAP failure report")
2979 dev[0].request("REMOVE_NETWORK all")
2981 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2982 identity="user", anonymous_identity="FAST",
2983 password="password",
2984 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2985 wait_connect=False, scan_freq="2412")
2986 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2988 raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning

    ``fast_provisioning=2`` selects authenticated PAC provisioning with
    EAP-GTC as the inner method; the PAC stored in the ``fast_pac_auth``
    blob must then let the reauthentication resume the TLS session.
    """
    sta, ap = dev[0], apdev[0]
    check_eap_capa(sta, "FAST")
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    fast_cfg = dict(anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                    phase1="fast_provisioning=2",
                    pac_file="blob://fast_pac_auth")
    eap_connect(sta, ap, "FAST", "user", **fast_cfg)
    hwsim_utils.test_connectivity(sta, hapd)

    res = eap_reauth(sta, "FAST")
    if res['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
3004 def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
3005 """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
# After a successful authenticated-provisioning connection the identity is
# changed on the live network; EAP-FAST must restart and then fail (the
# new identity presumably does not match the provisioned PAC / user entry).
# NOTE(review): the `if ev is None:` guards before the raises are not
# shown in this rendering.
3006 check_eap_capa(dev[0], "FAST")
3007 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3008 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3009 id = eap_connect(dev[0], apdev[0], "FAST", "user",
3010 anonymous_identity="FAST", password="password",
3011 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
3012 phase1="fast_provisioning=2",
3013 pac_file="blob://fast_pac_auth")
# Changing the identity forces a disconnect and a new EAP exchange.
3014 dev[0].set_network_quoted(id, "identity", "user2")
3015 dev[0].wait_disconnected()
3016 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
3018 raise Exception("EAP-FAST not started")
3019 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
3021 raise Exception("EAP failure not reported")
3022 dev[0].wait_disconnected()
3024 def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
3025 """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
# Injects an allocation failure into the TLS PRF used by EAP-FAST; which
# function (and which `count`) depends on the TLS library. NOTE(review):
# the `count = ...` assignments for each branch, the `else:` and the
# `if ev is None:` guard are not shown in this rendering.
3026 check_eap_capa(dev[0], "FAST")
3027 tls = dev[0].request("GET tls_library")
3028 if tls.startswith("OpenSSL"):
3029 func = "openssl_tls_prf"
3031 elif tls.startswith("internal"):
3032 func = "tls_connection_prf"
3035 raise HwsimSkip("Unsupported TLS library")
3036 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3037 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3038 with alloc_fail(dev[0], count, func):
3039 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3040 identity="user", anonymous_identity="FAST",
3041 password="password", ca_cert="auth_serv/ca.pem",
3043 phase1="fast_provisioning=2",
3044 pac_file="blob://fast_pac_auth",
3045 wait_connect=False, scan_freq="2412")
# A PRF failure must be reported as an EAP failure, not a hang or crash.
3046 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
3048 raise Exception("EAP failure not reported")
3049 dev[0].request("DISCONNECT")
3051 def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
3052 """EAP-FAST/MSCHAPv2 and server OOM"""
# Server-side allocation failure in the TLS session-ticket extension
# callback (where the PAC-Opaque is handled) must make the EAP-FAST
# exchange fail; the test then re-selects the network to confirm recovery.
# NOTE(review): the `if ev is None:` guard and the lines around the final
# select_network() (originally 3074/3076) are not shown in this rendering.
3053 check_eap_capa(dev[0], "FAST")
3055 params = int_eap_server_params()
3056 params['dh_file'] = 'auth_serv/dh.conf'
# Fixed test-only PAC-Opaque encryption key and authority ID.
3057 params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
3058 params['eap_fast_a_id'] = '1011'
3059 params['eap_fast_a_id_info'] = 'another test server'
3060 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3062 with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
3063 id = eap_connect(dev[0], apdev[0], "FAST", "user",
3064 anonymous_identity="FAST", password="password",
3065 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3066 phase1="fast_provisioning=1",
3067 pac_file="blob://fast_pac",
3068 expect_failure=True)
3069 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
3071 raise Exception("No EAP failure reported")
3072 dev[0].wait_disconnected()
3073 dev[0].request("DISCONNECT")
3075 dev[0].select_network(id, freq="2412")
3077 def test_ap_wpa2_eap_fast_cipher_suites(dev, apdev):
3078 """EAP-FAST and different TLS cipher suites"""
# Checks the cipher suite negotiated during PAC provisioning, then forces
# specific suites via openssl_ciphers on PAC-based reconnections and verifies
# the reported 'EAP TLS cipher' status field. OpenSSL-only, since the
# openssl_ciphers parameter and the cipher names are OpenSSL-specific.
# NOTE(review): this rendering dropped lines (entries of `tests` and the
# `if res != cipher:` comparison before the final raise).
3079 check_eap_capa(dev[0], "FAST")
3080 tls = dev[0].request("GET tls_library")
3081 if not tls.startswith("OpenSSL"):
3082 raise HwsimSkip("TLS library is not OpenSSL: " + tls)
3084 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3085 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Clear any PAC left in the blob from a previous run.
3087 dev[0].request("SET blob fast_pac_ciphers ")
3088 eap_connect(dev[0], apdev[0], "FAST", "user",
3089 anonymous_identity="FAST", password="password",
3090 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
3091 phase1="fast_provisioning=2",
3092 pac_file="blob://fast_pac_ciphers")
3093 res = dev[0].get_status_field('EAP TLS cipher')
3094 dev[0].request("REMOVE_NETWORK all")
3095 dev[0].wait_disconnected()
3096 if res != "DHE-RSA-AES256-SHA":
3097 raise Exception("Unexpected cipher suite for provisioning: " + res)
3099 tests = [ "DHE-RSA-AES128-SHA",
3103 "DHE-RSA-AES256-SHA" ]
3104 for cipher in tests:
3105 eap_connect(dev[0], apdev[0], "FAST", "user",
3106 openssl_ciphers=cipher,
3107 anonymous_identity="FAST", password="password",
3108 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
3109 pac_file="blob://fast_pac_ciphers")
3110 res = dev[0].get_status_field('EAP TLS cipher')
3111 dev[0].request("REMOVE_NETWORK all")
3112 dev[0].wait_disconnected()
3114 raise Exception("Unexpected TLS cipher info (configured %s): %s" % (cipher, res))
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP

    ``ocsp=2`` makes the station require a valid stapled OCSP response
    for the server certificate; the EAP-TLS connection must succeed.
    """
    sta, ap = dev[0], apdev[0]
    check_ocsp_support(sta)
    check_pkcs12_support(sta)
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    client_cred = dict(ca_cert="auth_serv/ca.pem",
                       private_key="auth_serv/user.pkcs12",
                       private_key_passwd="whatever")
    eap_connect(sta, ap, "TLS", "tls user", ocsp=2, **client_cred)
def test_ap_wpa2_eap_tls_ocsp_multi(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP-multi

    Same as the plain OCSP case but gated on OCSP-multi (status_request_v2)
    support in the station build; ``ocsp=2`` requires a valid stapled
    response.
    """
    sta, ap = dev[0], apdev[0]
    check_ocsp_multi_support(sta)
    check_pkcs12_support(sta)

    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    client_cred = dict(ca_cert="auth_serv/ca.pem",
                       private_key="auth_serv/user.pkcs12",
                       private_key_passwd="whatever")
    eap_connect(sta, ap, "TLS", "tls user", ocsp=2, **client_cred)
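def int_eap_server_params():
    """Return hostapd parameters for an AP with the integrated EAP server.

    The dictionary selects WPA2-Enterprise (WPA-EAP with CCMP), enables the
    built-in EAP server with the shared test user file, and points the TLS
    server at the test CA, server certificate, private key and DH
    parameters under ``auth_serv/``. The callers in this file
    (``params = int_eap_server_params()``) depend on the dict being
    returned; a fresh dict is built on every call so they may add or
    override keys (e.g. ``server_id``, ``ocsp_stapling_response``)
    without affecting each other.
    """
    return {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
            "rsn_pairwise": "CCMP", "ieee8021x": "1",
            "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
            "ca_cert": "auth_serv/ca.pem",
            "server_cert": "auth_serv/server.pem",
            "private_key": "auth_serv/server.key",
            "dh_file": "auth_serv/dh.conf"}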
3147 def test_ap_wpa2_eap_tls_ocsp_key_id(dev, apdev, params):
3148 """EAP-TLS and OCSP certificate signed OCSP response using key ID"""
# The AP staples a pre-generated OCSP response (from the test logdir) whose
# responder is identified by key ID; the station requires it (ocsp=2).
# Skipped when the response file is absent. NOTE(review): the trailing
# argument line of connect() (originally 3160) is not shown in this
# rendering.
3149 check_ocsp_support(dev[0])
3150 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-key-id.der")
3151 if not os.path.exists(ocsp):
3152 raise HwsimSkip("No OCSP response available")
# `params` is rebound from the framework dict to the AP configuration.
3153 params = int_eap_server_params()
3154 params["ocsp_stapling_response"] = ocsp
3155 hostapd.add_ap(apdev[0]['ifname'], params)
3156 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3157 identity="tls user", ca_cert="auth_serv/ca.pem",
3158 private_key="auth_serv/user.pkcs12",
3159 private_key_passwd="whatever", ocsp=2,
3162 def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev, apdev, params):
3163 """EAP-TLS and CA signed OCSP response (good)"""
3164 check_ocsp_support(dev[0])
3165 ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed.der")
3166 if not os.path.exists(ocsp):
3167 raise HwsimSkip("No OCSP response available")
3168 params = int_eap_server_params()
3169 params["ocsp_stapling_response"] = ocsp
3170 hostapd.add_ap(apdev[0]['ifname'], params)
3171 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3172 identity="tls user", ca_cert="auth_serv/ca.pem",
3173 private_key="auth_serv/user.pkcs12",
3174 private_key_passwd="whatever", ocsp=2,
3177 def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev, apdev, params):
3178 """EAP-TLS and CA signed OCSP response (revoked)"""
3179 check_ocsp_support(dev[0])
3180 ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-revoked.der")
3181 if not os.path.exists(ocsp):
3182 raise HwsimSkip("No OCSP response available")
3183 params = int_eap_server_params()
3184 params["ocsp_stapling_response"] = ocsp
3185 hostapd.add_ap(apdev[0]['ifname'], params)
3186 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3187 identity="tls user", ca_cert="auth_serv/ca.pem",
3188 private_key="auth_serv/user.pkcs12",
3189 private_key_passwd="whatever", ocsp=2,
3190 wait_connect=False, scan_freq="2412")
3193 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3195 raise Exception("Timeout on EAP status")
3196 if 'bad certificate status response' in ev:
3198 if 'certificate revoked' in ev:
3202 raise Exception("Unexpected number of EAP status messages")
3204 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3206 raise Exception("Timeout on EAP failure report")
3208 def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev, apdev, params):
3209 """EAP-TLS and CA signed OCSP response (unknown)"""
3210 check_ocsp_support(dev[0])
3211 ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-unknown.der")
3212 if not os.path.exists(ocsp):
3213 raise HwsimSkip("No OCSP response available")
3214 params = int_eap_server_params()
3215 params["ocsp_stapling_response"] = ocsp
3216 hostapd.add_ap(apdev[0]['ifname'], params)
3217 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3218 identity="tls user", ca_cert="auth_serv/ca.pem",
3219 private_key="auth_serv/user.pkcs12",
3220 private_key_passwd="whatever", ocsp=2,
3221 wait_connect=False, scan_freq="2412")
3224 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3226 raise Exception("Timeout on EAP status")
3227 if 'bad certificate status response' in ev:
3231 raise Exception("Unexpected number of EAP status messages")
3233 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3235 raise Exception("Timeout on EAP failure report")
3237 def test_ap_wpa2_eap_tls_ocsp_server_signed(dev, apdev, params):
3238 """EAP-TLS and server signed OCSP response"""
3239 check_ocsp_support(dev[0])
3240 ocsp = os.path.join(params['logdir'], "ocsp-resp-server-signed.der")
3241 if not os.path.exists(ocsp):
3242 raise HwsimSkip("No OCSP response available")
3243 params = int_eap_server_params()
3244 params["ocsp_stapling_response"] = ocsp
3245 hostapd.add_ap(apdev[0]['ifname'], params)
3246 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3247 identity="tls user", ca_cert="auth_serv/ca.pem",
3248 private_key="auth_serv/user.pkcs12",
3249 private_key_passwd="whatever", ocsp=2,
3250 wait_connect=False, scan_freq="2412")
3253 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3255 raise Exception("Timeout on EAP status")
3256 if 'bad certificate status response' in ev:
3260 raise Exception("Unexpected number of EAP status messages")
3262 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3264 raise Exception("Timeout on EAP failure report")
3266 def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
3267 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
3268 check_ocsp_support(dev[0])
3269 params = int_eap_server_params()
3270 params["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
3271 hostapd.add_ap(apdev[0]['ifname'], params)
3272 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3273 identity="tls user", ca_cert="auth_serv/ca.pem",
3274 private_key="auth_serv/user.pkcs12",
3275 private_key_passwd="whatever", ocsp=2,
3276 wait_connect=False, scan_freq="2412")
3279 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3281 raise Exception("Timeout on EAP status")
3282 if 'bad certificate status response' in ev:
3286 raise Exception("Unexpected number of EAP status messages")
3288 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3290 raise Exception("Timeout on EAP failure report")
3292 def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
3293 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
3294 check_ocsp_support(dev[0])
3295 params = int_eap_server_params()
3296 params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
3297 hostapd.add_ap(apdev[0]['ifname'], params)
3298 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3299 identity="tls user", ca_cert="auth_serv/ca.pem",
3300 private_key="auth_serv/user.pkcs12",
3301 private_key_passwd="whatever", ocsp=2,
3302 wait_connect=False, scan_freq="2412")
3305 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3307 raise Exception("Timeout on EAP status")
3308 if 'bad certificate status response' in ev:
3312 raise Exception("Unexpected number of EAP status messages")
3314 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3316 raise Exception("Timeout on EAP failure report")
3318 def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev, apdev):
3319 """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
3320 check_ocsp_support(dev[0])
3321 params = int_eap_server_params()
3322 params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
3323 hostapd.add_ap(apdev[0]['ifname'], params)
3324 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3325 identity="tls user", ca_cert="auth_serv/ca.pem",
3326 private_key="auth_serv/user.pkcs12",
3327 private_key_passwd="whatever", ocsp=2,
3328 wait_connect=False, scan_freq="2412")
3331 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3333 raise Exception("Timeout on EAP status")
3334 if 'bad certificate status response' in ev:
3338 raise Exception("Unexpected number of EAP status messages")
3340 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3342 raise Exception("Timeout on EAP failure report")
3344 def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
3345 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
3346 check_ocsp_support(dev[0])
3347 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
3348 if not os.path.exists(ocsp):
3349 raise HwsimSkip("No OCSP response available")
3350 params = int_eap_server_params()
3351 params["ocsp_stapling_response"] = ocsp
3352 hostapd.add_ap(apdev[0]['ifname'], params)
3353 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3354 identity="pap user", ca_cert="auth_serv/ca.pem",
3355 anonymous_identity="ttls", password="password",
3356 phase2="auth=PAP", ocsp=2,
3357 wait_connect=False, scan_freq="2412")
3360 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3362 raise Exception("Timeout on EAP status")
3363 if 'bad certificate status response' in ev:
3365 if 'certificate revoked' in ev:
3369 raise Exception("Unexpected number of EAP status messages")
3371 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3373 raise Exception("Timeout on EAP failure report")
3375 def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
3376 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
3377 check_ocsp_support(dev[0])
3378 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
3379 if not os.path.exists(ocsp):
3380 raise HwsimSkip("No OCSP response available")
3381 params = int_eap_server_params()
3382 params["ocsp_stapling_response"] = ocsp
3383 hostapd.add_ap(apdev[0]['ifname'], params)
3384 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3385 identity="pap user", ca_cert="auth_serv/ca.pem",
3386 anonymous_identity="ttls", password="password",
3387 phase2="auth=PAP", ocsp=2,
3388 wait_connect=False, scan_freq="2412")
3391 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3393 raise Exception("Timeout on EAP status")
3394 if 'bad certificate status response' in ev:
3398 raise Exception("Unexpected number of EAP status messages")
3400 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3402 raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS with optional OCSP and status unknown.

    The AP staples the pre-generated "unknown" OCSP response, but the
    station only asks for stapling (ocsp=1) instead of requiring a good
    status (ocsp=2 in the sibling tests), so the association is expected to
    complete -- connect() is called without wait_connect=False.

    Args:
        params: test-run parameters; params['logdir'] holds the
            pre-generated OCSP response files.

    Raises:
        HwsimSkip: when ocsp-server-cache-unknown.der is not available.
    """
    ocsp_resp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp_resp):
        raise HwsimSkip("No OCSP response available")

    # NOTE(review): the other *_ocsp_* tests call check_ocsp_support(dev[0])
    # before using a stapled response; this one does not, so on a TLS
    # library without OCSP support it runs instead of skipping -- confirm
    # that is intended.
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp_resp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")
3417 def test_ap_wpa2_eap_tls_intermediate_ca(dev, apdev, params):
3418 """EAP-TLS with intermediate server/user CA"""
3419 params = int_eap_server_params()
3420 params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
3421 params["server_cert"] = "auth_serv/iCA-server/server.pem"
3422 params["private_key"] = "auth_serv/iCA-server/server.key"
3423 hostapd.add_ap(apdev[0]['ifname'], params)
3424 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3425 identity="tls user",
3426 ca_cert="auth_serv/iCA-user/ca-and-root.pem",
3427 client_cert="auth_serv/iCA-user/user.pem",
3428 private_key="auth_serv/iCA-user/user.key",
3431 def root_ocsp(cert):
3432 ca = "auth_serv/ca.pem"
3434 fd2, fn2 = tempfile.mkstemp()
3437 arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-cert", cert,
3438 "-no_nonce", "-sha256", "-text" ]
3439 cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
3440 stderr=subprocess.PIPE)
3441 res = cmd.stdout.read() + "\n" + cmd.stderr.read()
3444 logger.info("OCSP request:\n" + res)
3446 fd, fn = tempfile.mkstemp()
3448 arg = [ "openssl", "ocsp", "-index", "rootCA/index.txt",
3449 "-rsigner", ca, "-rkey", "auth_serv/caa-key.pem",
3450 "-CA", ca, "-issuer", ca, "-verify_other", ca, "-trust_other",
3451 "-ndays", "7", "-reqin", fn2, "-resp_no_certs", "-respout", fn,
3453 cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
3454 stderr=subprocess.PIPE)
3455 res = cmd.stdout.read() + "\n" + cmd.stderr.read()
3458 logger.info("OCSP response:\n" + res)
3463 prefix = "auth_serv/iCA-server/"
3464 ca = prefix + "cacert.pem"
3465 cert = prefix + cert
3467 fd2, fn2 = tempfile.mkstemp()
3470 arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-cert", cert,
3471 "-no_nonce", "-sha256", "-text" ]
3472 cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
3473 stderr=subprocess.PIPE)
3474 res = cmd.stdout.read() + "\n" + cmd.stderr.read()
3477 logger.info("OCSP request:\n" + res)
3479 fd, fn = tempfile.mkstemp()
3481 arg = [ "openssl", "ocsp", "-index", prefix + "index.txt",
3482 "-rsigner", ca, "-rkey", prefix + "private/cakey.pem",
3483 "-CA", ca, "-issuer", ca, "-verify_other", ca, "-trust_other",
3484 "-ndays", "7", "-reqin", fn2, "-resp_no_certs", "-respout", fn,
3486 cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
3487 stderr=subprocess.PIPE)
3488 res = cmd.stdout.read() + "\n" + cmd.stderr.read()
3491 logger.info("OCSP response:\n" + res)
3495 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params):
3496 """EAP-TLS with intermediate server/user CA and OCSP on server certificate"""
3497 params = int_eap_server_params()
3498 params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
3499 params["server_cert"] = "auth_serv/iCA-server/server.pem"
3500 params["private_key"] = "auth_serv/iCA-server/server.key"
3501 fn = ica_ocsp("server.pem")
3502 params["ocsp_stapling_response"] = fn
3504 hostapd.add_ap(apdev[0]['ifname'], params)
3505 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3506 identity="tls user",
3507 ca_cert="auth_serv/iCA-user/ca-and-root.pem",
3508 client_cert="auth_serv/iCA-user/user.pem",
3509 private_key="auth_serv/iCA-user/user.key",
3510 scan_freq="2412", ocsp=2)
3514 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params):
3515 """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate"""
3516 params = int_eap_server_params()
3517 params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
3518 params["server_cert"] = "auth_serv/iCA-server/server-revoked.pem"
3519 params["private_key"] = "auth_serv/iCA-server/server-revoked.key"
3520 fn = ica_ocsp("server-revoked.pem")
3521 params["ocsp_stapling_response"] = fn
3523 hostapd.add_ap(apdev[0]['ifname'], params)
3524 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3525 identity="tls user",
3526 ca_cert="auth_serv/iCA-user/ca-and-root.pem",
3527 client_cert="auth_serv/iCA-user/user.pem",
3528 private_key="auth_serv/iCA-user/user.key",
3529 scan_freq="2412", ocsp=1, wait_connect=False)
3532 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
3533 "CTRL-EVENT-EAP-SUCCESS"])
3535 raise Exception("Timeout on EAP status")
3536 if "CTRL-EVENT-EAP-SUCCESS" in ev:
3537 raise Exception("Unexpected EAP-Success")
3538 if 'bad certificate status response' in ev:
3540 if 'certificate revoked' in ev:
3544 raise Exception("Unexpected number of EAP status messages")
3546 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3548 raise Exception("Timeout on EAP failure report")
3549 dev[0].request("REMOVE_NETWORK all")
3550 dev[0].wait_disconnected()
3554 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi_missing_resp(dev, apdev, params):
3555 """EAP-TLS with intermediate server/user CA and OCSP multi missing response"""
3556 check_ocsp_support(dev[0])
3557 check_ocsp_multi_support(dev[0])
3559 params = int_eap_server_params()
3560 params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
3561 params["server_cert"] = "auth_serv/iCA-server/server.pem"
3562 params["private_key"] = "auth_serv/iCA-server/server.key"
3563 fn = ica_ocsp("server.pem")
3564 params["ocsp_stapling_response"] = fn
3566 hostapd.add_ap(apdev[0]['ifname'], params)
3567 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3568 identity="tls user",
3569 ca_cert="auth_serv/iCA-user/ca-and-root.pem",
3570 client_cert="auth_serv/iCA-user/user.pem",
3571 private_key="auth_serv/iCA-user/user.key",
3572 scan_freq="2412", ocsp=3, wait_connect=False)
3575 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
3576 "CTRL-EVENT-EAP-SUCCESS"])
3578 raise Exception("Timeout on EAP status")
3579 if "CTRL-EVENT-EAP-SUCCESS" in ev:
3580 raise Exception("Unexpected EAP-Success")
3581 if 'bad certificate status response' in ev:
3583 if 'certificate revoked' in ev:
3587 raise Exception("Unexpected number of EAP status messages")
3589 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3591 raise Exception("Timeout on EAP failure report")
3592 dev[0].request("REMOVE_NETWORK all")
3593 dev[0].wait_disconnected()
3597 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi(dev, apdev, params):
3598 """EAP-TLS with intermediate server/user CA and OCSP multi OK"""
3599 check_ocsp_support(dev[0])
3600 check_ocsp_multi_support(dev[0])
3602 params = int_eap_server_params()
3603 params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
3604 params["server_cert"] = "auth_serv/iCA-server/server.pem"
3605 params["private_key"] = "auth_serv/iCA-server/server.key"
3606 fn = ica_ocsp("server.pem")
3607 fn2 = root_ocsp("auth_serv/iCA-server/cacert.pem")
3608 params["ocsp_stapling_response"] = fn
3610 with open(fn, "r") as f:
3611 resp_server = f.read()
3612 with open(fn2, "r") as f:
3615 fd3, fn3 = tempfile.mkstemp()
3617 f = os.fdopen(fd3, 'w')
3618 f.write(struct.pack(">L", len(resp_server))[1:4])
3619 f.write(resp_server)
3620 f.write(struct.pack(">L", len(resp_ica))[1:4])
3624 params["ocsp_stapling_response_multi"] = fn3
3626 hostapd.add_ap(apdev[0]['ifname'], params)
3627 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3628 identity="tls user",
3629 ca_cert="auth_serv/iCA-user/ca-and-root.pem",
3630 client_cert="auth_serv/iCA-user/user.pem",
3631 private_key="auth_serv/iCA-user/user.key",
3632 scan_freq="2412", ocsp=3, wait_connect=False)
3635 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
3636 "CTRL-EVENT-EAP-SUCCESS"])
3638 raise Exception("Timeout on EAP status")
3639 if "CTRL-EVENT-EAP-SUCCESS" in ev:
3640 raise Exception("Unexpected EAP-Success")
3641 if 'bad certificate status response' in ev:
3643 if 'certificate revoked' in ev:
3647 raise Exception("Unexpected number of EAP status messages")
3649 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3651 raise Exception("Timeout on EAP failure report")
3652 dev[0].request("REMOVE_NETWORK all")
3653 dev[0].wait_disconnected()
3659 def test_ap_wpa2_eap_tls_ocsp_multi_revoked(dev, apdev, params):
3660 """EAP-TLS and CA signed OCSP multi response (revoked)"""
3661 check_ocsp_support(dev[0])
3662 check_ocsp_multi_support(dev[0])
3664 ocsp_revoked = os.path.join(params['logdir'],
3665 "ocsp-resp-ca-signed-revoked.der")
3666 if not os.path.exists(ocsp_revoked):
3667 raise HwsimSkip("No OCSP response (revoked) available")
3668 ocsp_unknown = os.path.join(params['logdir'],
3669 "ocsp-resp-ca-signed-unknown.der")
3670 if not os.path.exists(ocsp_unknown):
3671 raise HwsimSkip("No OCSP response(unknown) available")
3673 with open(ocsp_revoked, "r") as f:
3674 resp_revoked = f.read()
3675 with open(ocsp_unknown, "r") as f:
3676 resp_unknown = f.read()
3678 fd, fn = tempfile.mkstemp()
3680 # This is not really a valid order of the OCSPResponse items in the
3681 # list, but this works for now to verify parsing and processing of
3682 # multiple responses.
3683 f = os.fdopen(fd, 'w')
3684 f.write(struct.pack(">L", len(resp_unknown))[1:4])
3685 f.write(resp_unknown)
3686 f.write(struct.pack(">L", len(resp_revoked))[1:4])
3687 f.write(resp_revoked)
3688 f.write(struct.pack(">L", 0)[1:4])
3689 f.write(struct.pack(">L", len(resp_unknown))[1:4])
3690 f.write(resp_unknown)
3693 params = int_eap_server_params()
3694 params["ocsp_stapling_response_multi"] = fn
3695 hostapd.add_ap(apdev[0]['ifname'], params)
3696 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3697 identity="tls user", ca_cert="auth_serv/ca.pem",
3698 private_key="auth_serv/user.pkcs12",
3699 private_key_passwd="whatever", ocsp=1,
3700 wait_connect=False, scan_freq="2412")
3703 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
3704 "CTRL-EVENT-EAP-SUCCESS"])
3706 raise Exception("Timeout on EAP status")
3707 if "CTRL-EVENT-EAP-SUCCESS" in ev:
3708 raise Exception("Unexpected EAP-Success")
3709 if 'bad certificate status response' in ev:
3711 if 'certificate revoked' in ev:
3715 raise Exception("Unexpected number of EAP status messages")
3719 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
3720 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
3721 check_domain_match_full(dev[0])
3722 params = int_eap_server_params()
3723 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
3724 params["private_key"] = "auth_serv/server-no-dnsname.key"
3725 hostapd.add_ap(apdev[0]['ifname'], params)
3726 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3727 identity="tls user", ca_cert="auth_serv/ca.pem",
3728 private_key="auth_serv/user.pkcs12",
3729 private_key_passwd="whatever",
3730 domain_suffix_match="server3.w1.fi",
3733 def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
3734 """WPA2-Enterprise using EAP-TLS and domainmatch (CN)"""
3735 check_domain_match(dev[0])
3736 params = int_eap_server_params()
3737 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
3738 params["private_key"] = "auth_serv/server-no-dnsname.key"
3739 hostapd.add_ap(apdev[0]['ifname'], params)
3740 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3741 identity="tls user", ca_cert="auth_serv/ca.pem",
3742 private_key="auth_serv/user.pkcs12",
3743 private_key_passwd="whatever",
3744 domain_match="server3.w1.fi",
3747 def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
3748 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
3749 check_domain_match_full(dev[0])
3750 params = int_eap_server_params()
3751 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
3752 params["private_key"] = "auth_serv/server-no-dnsname.key"
3753 hostapd.add_ap(apdev[0]['ifname'], params)
3754 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3755 identity="tls user", ca_cert="auth_serv/ca.pem",
3756 private_key="auth_serv/user.pkcs12",
3757 private_key_passwd="whatever",
3758 domain_suffix_match="w1.fi",
3761 def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
3762 """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
3763 check_domain_suffix_match(dev[0])
3764 params = int_eap_server_params()
3765 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
3766 params["private_key"] = "auth_serv/server-no-dnsname.key"
3767 hostapd.add_ap(apdev[0]['ifname'], params)
3768 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3769 identity="tls user", ca_cert="auth_serv/ca.pem",
3770 private_key="auth_serv/user.pkcs12",
3771 private_key_passwd="whatever",
3772 domain_suffix_match="example.com",
3775 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3776 identity="tls user", ca_cert="auth_serv/ca.pem",
3777 private_key="auth_serv/user.pkcs12",
3778 private_key_passwd="whatever",
3779 domain_suffix_match="erver3.w1.fi",
3782 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3784 raise Exception("Timeout on EAP failure report")
3785 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3787 raise Exception("Timeout on EAP failure report (2)")
3789 def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
3790 """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
3791 check_domain_match(dev[0])
3792 params = int_eap_server_params()
3793 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
3794 params["private_key"] = "auth_serv/server-no-dnsname.key"
3795 hostapd.add_ap(apdev[0]['ifname'], params)
3796 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3797 identity="tls user", ca_cert="auth_serv/ca.pem",
3798 private_key="auth_serv/user.pkcs12",
3799 private_key_passwd="whatever",
3800 domain_match="example.com",
3803 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3804 identity="tls user", ca_cert="auth_serv/ca.pem",
3805 private_key="auth_serv/user.pkcs12",
3806 private_key_passwd="whatever",
3807 domain_match="w1.fi",
3810 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3812 raise Exception("Timeout on EAP failure report")
3813 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3815 raise Exception("Timeout on EAP failure report (2)")
3817 def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
3818 """WPA2-Enterprise using EAP-TTLS and expired certificate"""
3819 skip_with_fips(dev[0])
3820 params = int_eap_server_params()
3821 params["server_cert"] = "auth_serv/server-expired.pem"
3822 params["private_key"] = "auth_serv/server-expired.key"
3823 hostapd.add_ap(apdev[0]['ifname'], params)
3824 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3825 identity="mschap user", password="password",
3826 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3829 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
3831 raise Exception("Timeout on EAP certificate error report")
3832 if "reason=4" not in ev or "certificate has expired" not in ev:
3833 raise Exception("Unexpected failure reason: " + ev)
3834 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3836 raise Exception("Timeout on EAP failure report")
3838 def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
3839 """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
3840 skip_with_fips(dev[0])
3841 params = int_eap_server_params()
3842 params["server_cert"] = "auth_serv/server-expired.pem"
3843 params["private_key"] = "auth_serv/server-expired.key"
3844 hostapd.add_ap(apdev[0]['ifname'], params)
3845 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3846 identity="mschap user", password="password",
3847 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3848 phase1="tls_disable_time_checks=1",
3851 def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
3852 """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
3853 skip_with_fips(dev[0])
3854 params = int_eap_server_params()
3855 params["server_cert"] = "auth_serv/server-long-duration.pem"
3856 params["private_key"] = "auth_serv/server-long-duration.key"
3857 hostapd.add_ap(apdev[0]['ifname'], params)
3858 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3859 identity="mschap user", password="password",
3860 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3863 def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
3864 """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
3865 skip_with_fips(dev[0])
3866 params = int_eap_server_params()
3867 params["server_cert"] = "auth_serv/server-eku-client.pem"
3868 params["private_key"] = "auth_serv/server-eku-client.key"
3869 hostapd.add_ap(apdev[0]['ifname'], params)
3870 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3871 identity="mschap user", password="password",
3872 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3875 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3877 raise Exception("Timeout on EAP failure report")
3879 def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
3880 """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
3881 skip_with_fips(dev[0])
3882 params = int_eap_server_params()
3883 params["server_cert"] = "auth_serv/server-eku-client-server.pem"
3884 params["private_key"] = "auth_serv/server-eku-client-server.key"
3885 hostapd.add_ap(apdev[0]['ifname'], params)
3886 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3887 identity="mschap user", password="password",
3888 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3891 def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
3892 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
3893 skip_with_fips(dev[0])
3894 params = int_eap_server_params()
3895 del params["server_cert"]
3896 params["private_key"] = "auth_serv/server.pkcs12"
3897 hostapd.add_ap(apdev[0]['ifname'], params)
3898 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3899 identity="mschap user", password="password",
3900 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP with an explicit dh_file on the station.

    The station points dh_file at auth_serv/dh.conf and trusts the DER form
    of the CA certificate (auth_serv/ca.der); phase2 is PAP, not CHAP.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    station_cfg = {
        "anonymous_identity": "ttls",
        "password": "password",
        "ca_cert": "auth_serv/ca.der",
        "phase2": "auth=PAP",
        "dh_file": "auth_serv/dh.conf",
    }
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **station_cfg)
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and DSA-style DH params on the station.

    Identical to test_ap_wpa2_eap_ttls_dh_params except that dh_file is
    auth_serv/dsaparam.pem and the build is first probed with
    check_dh_dsa_support().

    Raises:
        HwsimSkip (via check_dh_dsa_support): when the station build cannot
            use DSA parameters for DH.
    """
    check_dh_dsa_support(dev[0])

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    station_cfg = {
        "anonymous_identity": "ttls",
        "password": "password",
        "ca_cert": "auth_serv/ca.der",
        "phase2": "auth=PAP",
        "dh_file": "auth_serv/dsaparam.pem",
    }
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **station_cfg)
3922 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
3923 """EAP-TTLS and DH params file not found"""
3924 skip_with_fips(dev[0])
3925 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3926 hostapd.add_ap(apdev[0]['ifname'], params)
3927 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3928 identity="mschap user", password="password",
3929 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3930 dh_file="auth_serv/dh-no-such-file.conf",
3931 scan_freq="2412", wait_connect=False)
3932 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3934 raise Exception("EAP failure timed out")
3935 dev[0].request("REMOVE_NETWORK all")
3936 dev[0].wait_disconnected()
3938 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
3939 """EAP-TTLS and invalid DH params file"""
3940 skip_with_fips(dev[0])
3941 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3942 hostapd.add_ap(apdev[0]['ifname'], params)
3943 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3944 identity="mschap user", password="password",
3945 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3946 dh_file="auth_serv/ca.pem",
3947 scan_freq="2412", wait_connect=False)
3948 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3950 raise Exception("EAP failure timed out")
3951 dev[0].request("REMOVE_NETWORK all")
3952 dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP with DH params supplied as a blob.

    Instead of a dh_file path, the DH parameters (auth_serv/dh2.conf, read
    with read_pem) are pushed into wpa_supplicant as the named blob
    "dhparams" via "SET blob", and the network then refers to it as
    blob://dhparams.

    Raises:
        Exception: when the control interface does not acknowledge the
            SET blob command with OK.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    dh_params = read_pem("auth_serv/dh2.conf")
    # The blob is transported hex-encoded over the control interface;
    # .encode("hex") is the Python 2 str codec used throughout this file.
    set_blob = "SET blob dhparams " + dh_params.encode("hex")
    if "OK" not in dev[0].request(set_blob):
        raise Exception("Could not set dhparams blob")

    station_cfg = {
        "anonymous_identity": "ttls",
        "password": "password",
        "ca_cert": "auth_serv/ca.der",
        "phase2": "auth=PAP",
        "dh_file": "blob://dhparams",
    }
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **station_cfg)
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS/PAP with alternative DH params on the server side.

    The integrated EAP server is configured with auth_serv/dh2.conf in
    place of the default dh_file from int_eap_server_params(); the station
    uses no dh_file of its own.
    """
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/dh2.conf"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    station_cfg = {
        "anonymous_identity": "ttls",
        "password": "password",
        "ca_cert": "auth_serv/ca.der",
        "phase2": "auth=PAP",
    }
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **station_cfg)
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS/PAP with DSA-style DH params on the server side.

    Same as test_ap_wpa2_eap_ttls_dh_params_server with the server's
    dh_file replaced by auth_serv/dsaparam.pem. Note that, unlike the
    station-side DSA variant, no check_dh_dsa_support() probe is made here.
    """
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/dsaparam.pem"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    station_cfg = {
        "anonymous_identity": "ttls",
        "password": "password",
        "ca_cert": "auth_serv/ca.der",
        "phase2": "auth=PAP",
    }
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **station_cfg)
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """Integrated EAP server with a non-existent dh_file: ENABLE must be rejected.

    The AP is added with no_enable=True so the configuration is only
    validated when ENABLE is sent explicitly; hostapd is expected to answer
    FAIL rather than come up without usable DH parameters.

    Raises:
        Exception: when hostapd accepts the configuration.
    """
    # NOTE(review): a test with this exact name is defined earlier in this
    # file (the station-side dh_file variant). Python binds the module
    # attribute to the last definition, so this one shadows the earlier
    # test and, with name-based test collection, the earlier one never
    # runs. One of the two should be renamed.
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/dh-no-such-file.conf"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params, no_enable=True)

    reply = hapd.request("ENABLE")
    if "FAIL" not in reply:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """Integrated EAP server with an invalid dh_file: ENABLE must be rejected.

    auth_serv/ca.pem is a certificate, not DH parameters, so hostapd is
    expected to refuse the explicit ENABLE (the AP is added with
    no_enable=True) with FAIL.

    Raises:
        Exception: when hostapd accepts the configuration.
    """
    # NOTE(review): a test with this exact name is defined earlier in this
    # file (the station-side dh_file variant). Python binds the module
    # attribute to the last definition, so this one shadows the earlier
    # test and, with name-based test collection, the earlier one never
    # runs. One of the two should be renamed.
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/ca.pem"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params, no_enable=True)

    reply = hapd.request("ENABLE")
    if "FAIL" not in reply:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_reauth(dev, apdev):
    """WPA2-Enterprise and Authenticator forcing reauthentication"""
    # A short eap_reauth_period makes the Authenticator start a new EAP
    # exchange soon after the initial EAP-PAX connection; the supplicant must
    # complete it and return to COMPLETED state.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['eap_reauth_period'] = '2'
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    logger.info("Wait for reauthentication")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    # NOTE(review): the guard line for this raise (presumably the ev-is-None
    # timeout check) is missing from this listing - confirm upstream.
    raise Exception("Timeout on reauthentication")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): same missing guard as above.
    raise Exception("Timeout on reauthentication")
    # Poll the supplicant state; the loop's exit path once COMPLETED is seen
    # and the polling delay are not present in this listing.
    for i in range(0, 20):
        state = dev[0].get_status_field("wpa_state")
        if state == "COMPLETED":
    if state != "COMPLETED":
        raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity"""
    # eap_message puts a displayable text followed by network/NAS hints into
    # the EAP Request-Identity; the client must accept it and still complete
    # EAP-PAX normally.
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_cfg['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    pax_key = "0123456789abcdef0123456789abcdef"
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex=pax_key)
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
    # The SIM/AKA authentication vectors come from the external hlr_auc_gw
    # helper, reached by the integrated EAP server over a UNIX socket.
    check_hlr_auc_gw_support()
    ap_cfg = int_eap_server_params()
    ap_cfg['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    ap_cfg['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], ap_cfg)

    sim_secret = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    aka_secret = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    aka_prime_secret = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"

    # For each method, dev[0] opts in to protected result indication
    # (phase1 result_ind=1) and is re-authenticated, while dev[1] connects
    # with the default phase1, so both client behaviours are exercised
    # against a server with result indication enabled. Profiles are removed
    # between methods exactly as in the sequential form of this test.
    cases = [("SIM", "1232010000000000", sim_secret),
             ("AKA", "0232010000000000", aka_secret),
             ("AKA'", "6555444333222111", aka_prime_secret)]
    for idx, (method, identity, secret) in enumerate(cases):
        if idx > 0:
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], method, identity, password=secret,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], apdev[0], method, identity, password=secret)
def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
    """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
    # Robustness check: the supplicant must abandon an EAP exchange that
    # exceeds its roundtrip limit (the "EAP: more than" message) instead of
    # continuing indefinitely.
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="TTLS", identity="mschap user",
                   wait_connect=False, scan_freq="2412", ieee80211w="1",
                   anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    # NOTE(review): the closing argument line of this connect() call is
    # missing from this listing - confirm upstream.
    ev = dev[0].wait_event(["EAP: more than"], timeout=20)
    # NOTE(review): the guard line for this raise (presumably the ev-is-None
    # timeout check) is missing from this listing.
    raise Exception("EAP roundtrip limit not reached")
def test_ap_wpa2_eap_expanded_nak(dev, apdev):
    """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
    # The client proposes EAP-PSK for an identity the server answers with a
    # refusal of the proposed method; the exchange must end in a clean EAP
    # failure rather than a hang.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="PSK", identity="vendor-test",
                   password_hex="ff23456789abcdef0123456789abcdef",
    # NOTE(review): the remaining connect() arguments are missing from this
    # listing - confirm upstream.
    # Poll EAP status events until the refusal is seen; the loop's exit paths
    # are not present in this listing.
    for i in range(0, 5):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=16)
        # NOTE(review): guard line missing (presumably the ev-is-None check).
        raise Exception("Association and EAP start timed out")
        if "refuse proposed method" in ev:
        raise Exception("Unexpected EAP status: " + ev)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): guard line missing (presumably the ev-is-None check).
    raise Exception("EAP failure timed out")
def test_ap_wpa2_eap_sql(dev, apdev, params):
    """WPA2-Enterprise connection using SQLite for user DB"""
    # The integrated EAP server reads its users from a SQLite database built
    # here under the log directory (eap_user_file=sqlite:<path>). Every SQL
    # statement below is a literal; no test-controlled value is spliced in.
    # 'params' starts as the test fixture (provides logdir) and is rebound to
    # the AP configuration further down.
    skip_with_fips(dev[0])
    # NOTE(review): the sqlite3 import attempt that guards this skip is
    # missing from this listing - confirm upstream.
    raise HwsimSkip("No sqlite3 module available")
    dbfile = os.path.join(params['logdir'], "eap-user.db")
    # NOTE(review): the lines between dbfile and connect(), and the cursor
    # creation before the first execute(), are missing from this listing.
    con = sqlite3.connect(dbfile)
    # Passwords are stored in clear text in this test-only database.
    cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
    cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
    # Empty-identity wildcard row; presumably matches any outer identity for
    # the TTLS/TLS phase 1 - confirm against the server's user-file rules.
    cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
    cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
    params = int_eap_server_params()
    params["eap_user_file"] = "sqlite:" + dbfile
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Each user row is bound to one inner method; connect with the matching
    # phase2 for every row.
    eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
    dev[1].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
    eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity"""
    # Input-handling check against the integrated EAP server: identities that
    # are not valid ASCII/UTF-8 ("\x80" alone and "a\x80") must still get as
    # far as EAP start and method selection without tripping either side.
    params = int_eap_server_params()
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="\x80", password="password", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="a\x80", password="password", wait_connect=False)
    for i in range(0, 2):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
        # NOTE(review): the guard lines for the two raises below (presumably
        # ev-is-None timeout checks) are missing from this listing.
        raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        raise Exception("EAP method selection timed out")
def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity"""
    # Same non-ASCII identity check as test_ap_wpa2_eap_non_ascii_identity,
    # but against the default wpa2_eap_params AP configuration (external
    # authentication server path) instead of the integrated EAP server.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="\x80", password="password", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="a\x80", password="password", wait_connect=False)
    for i in range(0, 2):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
        # NOTE(review): the guard lines for the two raises below (presumably
        # ev-is-None timeout checks) are missing from this listing.
        raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        raise Exception("EAP method selection timed out")
def test_openssl_cipher_suite_config_wpas(dev, apdev):
    """OpenSSL cipher suite configuration on wpa_supplicant"""
    # Exercises the per-profile openssl_ciphers string on the client side:
    # a usable restriction (AES128) connects, a deliberately weak list
    # (EXPORT) is expected to fail, and an unparsable string (FOO) must be
    # surfaced as an EAP failure rather than silently ignored.
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls)
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="AES128",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # EXPORT suites are not offered by a current server; the failure may be
    # reported locally by the client (maybe_local_error) or by the AP.
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="EXPORT",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                expect_failure=True, maybe_local_error=True)
    dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password",
                   openssl_ciphers="FOO",
                   ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
    # NOTE(review): the closing argument line of this connect() call is
    # missing from this listing - confirm upstream.
    ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    # NOTE(review): the guard line for this raise (presumably the ev-is-None
    # timeout check) is missing from this listing.
    raise Exception("EAP failure after invalid openssl_ciphers not reported")
    dev[2].request("DISCONNECT")
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd"""
    # openssl_ciphers is only meaningful when both ends are built on
    # OpenSSL, so skip unless the supplicant and the AP both report it.
    wpas_tls = dev[0].request("GET tls_library")
    if not wpas_tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + wpas_tls)
    ap_cfg = int_eap_server_params()
    ap_cfg['openssl_ciphers'] = "AES256"
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    ap_tls = ap.request("GET tls_library")
    if not ap_tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + ap_tls)

    ttls_args = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Default client cipher list overlaps with the server's AES256-only list.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_args)
    # A client limited to AES128 shares no suite with an AES256-only server,
    # so this connection is expected to fail.
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", expect_failure=True, **ttls_args)
    # HIGH:!ADH still contains AES256 suites, so this client connects.
    eap_connect(dev[2], apdev[0], "TTLS", "pap user",
                openssl_ciphers="HIGH:!ADH", **ttls_args)

    # An unparsable cipher string must be rejected when the AP is enabled,
    # not silently replaced by a default list.
    ap_cfg['openssl_ciphers'] = "FOO"
    ap2 = hostapd.add_ap(apdev[1]['ifname'], ap_cfg, no_enable=True)
    if "FAIL" not in ap2.request("ENABLE"):
        raise Exception("Invalid openssl_ciphers value accepted")
def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
    """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
    # Memory-hygiene test. After an EAP-TTLS/PAP association the secrets the
    # supplicant derived (PMK, MSK/EMSK, the PTK-derived KCK/KEK/TK and the
    # GTK) are recovered from the debug log and searched for in the live
    # wpa_supplicant process memory at several points of the connection
    # lifecycle; material that has no further use must have been cleared.
    p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], p)
    # Long, unique password so that the memory search cannot match by chance.
    password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
    pid = find_wpas_process(dev[0])
    id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
                     anonymous_identity="ttls", password=password,
                     ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
    # event has been delivered, so verify that wpa_supplicant has returned to
    # eloop before reading process memory.
    # NOTE(review): the wait implementing the comment above is missing from
    # this listing - confirm upstream.
    buf = read_process_memory(pid, password)
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Recover each derived key from the hexdump lines of the supplicant's
    # debug log. NOTE(review): the initialisation of msk/emsk/pmk/ptk/gtk
    # before this loop is missing from this listing.
    with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
        for l in f.readlines():
            if "EAP-TTLS: Derived key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                msk = binascii.unhexlify(val)
            if "EAP-TTLS: Derived EMSK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                emsk = binascii.unhexlify(val)
            if "WPA: PMK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                pmk = binascii.unhexlify(val)
            if "WPA: PTK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                ptk = binascii.unhexlify(val)
            if "WPA: Group Key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                gtk = binascii.unhexlify(val)
    if not msk or not emsk or not pmk or not ptk or not gtk:
        raise Exception("Could not find keys from debug log")
    # NOTE(review): the GTK length check guarding this raise, and the split
    # of ptk into kck/kek/tk used below, are missing from this listing.
    raise Exception("Unexpected GTK length")
    # Prefix for the memory-context dumps written when a key is found where
    # it should not be.
    fname = os.path.join(params['logdir'],
                         'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
    logger.info("Checking keys in memory while associated")
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    # While associated the password, PMK, KCK and KEK are expected to be
    # live; TK and GTK are expected to be gone already (raises below).
    if password not in buf:
        raise HwsimSkip("Password not found while associated")
    # NOTE(review): the membership conditions guarding each of the following
    # five raises are missing from this listing - confirm upstream.
    raise HwsimSkip("PMK not found while associated")
    raise Exception("KCK not found while associated")
    raise Exception("KEK not found while associated")
    raise Exception("TK found from memory")
    get_key_locations(buf, gtk, "GTK")
    raise Exception("GTK found from memory")
    logger.info("Checking keys in memory after disassociation")
    buf = read_process_memory(pid, password)
    # Note: Password is still present in network configuration
    # Note: PMK is in PMKSA cache and EAP fast re-auth data
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    # Per-association keys must not survive the disconnect.
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")
    # Flushing the PMKSA cache and editing the profile (see the log message
    # below for what that is meant to discard) should leave no copy of PMK.
    dev[0].request("PMKSA_FLUSH")
    dev[0].set_network_quoted(id, "identity", "foo")
    logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
    buf = read_process_memory(pid, password)
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, pmk, fname, "PMK")
    # Once the profile is removed nothing, not even the password, may remain.
    dev[0].request("REMOVE_NETWORK all")
    logger.info("Checking keys in memory after network profile removal")
    buf = read_process_memory(pid, password)
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, password, fname, "password")
    verify_not_present(buf, pmk, fname, "PMK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")
    verify_not_present(buf, msk, fname, "MSK")
    verify_not_present(buf, emsk, fname, "EMSK")
def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
    """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
    # Protocol-robustness check: a legacy (RC4/WEP descriptor) EAPOL-Key
    # frame injected into an RSN association must be discarded without
    # affecting the connection.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    bssid = apdev[0]['bssid']
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Send unexpected WEP EAPOL-Key; this gets dropped
    # Frame bytes: EAPOL version 2, packet type 3 (EAPOL-Key), body length
    # 0x2c, descriptor type 1 (RC4 key descriptor), rest zeroed.
    res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
    # NOTE(review): the condition on 'res' guarding this raise is missing
    # from this listing - confirm upstream.
    raise Exception("EAPOL_RX to wpa_supplicant failed")
def test_ap_wpa2_eap_in_bridge(dev, apdev):
    """WPA2-EAP and wpas interface in a bridge"""
    # Wrapper that runs the real test and then tears the bridge down again.
    # NOTE(review): the definitions of br_ifname/ifname and the try/finally
    # structure around the call and the cleanup are missing from this
    # listing - confirm upstream.
    _test_ap_wpa2_eap_in_bridge(dev, apdev)
    # Best-effort cleanup: return codes are deliberately ignored so that one
    # failed step does not stop the remaining teardown. Arguments are passed
    # as a list (no shell), so interface names are not shell-interpreted.
    subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
    subprocess.call(['brctl', 'delif', br_ifname, ifname])
    subprocess.call(['brctl', 'delbr', br_ifname])
    subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
def _test_ap_wpa2_eap_in_bridge(dev, apdev):
    # Puts a 4-address (WDS) station interface into a Linux bridge, attaches a
    # separate wpa_supplicant instance to it via br_ifname and checks that
    # EAP-PAX authentication, re-authentication and reconnection all work
    # through the bridged interface.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the definitions of br_ifname and ifname are missing from
    # this listing - confirm upstream.
    wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
    subprocess.call(['brctl', 'addbr', br_ifname])
    subprocess.call(['brctl', 'setfd', br_ifname, '0'])
    subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
    subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
    # Only the addif step is fatal on failure; the others are best effort.
    subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
    wpas.interface_add(ifname, br_ifname=br_ifname)
    id = eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
                     password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(wpas, "PAX")
    # Try again as a regression test for packet socket workaround
    eap_reauth(wpas, "PAX")
    wpas.request("DISCONNECT")
    wpas.wait_disconnected()
    wpas.request("RECONNECT")
    wpas.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled"""
    # Confirm the AP reports WPA-EAP as its first key_mgmt entry, then run
    # an EAP-TTLS/PAP connection with TLS session tickets left enabled on
    # the client (tls_disable_session_ticket=0) followed by a
    # reauthentication.
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    akm_list = ap.get_config()['key_mgmt']
    first_akm = akm_list.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + akm_list)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_no_workaround(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
    # Same flow as the session ticket test, but with the client's EAP
    # interoperability workarounds disabled (eap_workaround='0').
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    key_mgmt = hapd.get_config()['key_mgmt']
    if key_mgmt.split(' ')[0] != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
    # NOTE(review): the closing argument line of this eap_connect() call is
    # missing from this listing - confirm upstream.
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
    """EAP-TLS and server checking CRL"""
    # Server-side revocation checking: with check_crl enabled the EAP server
    # must fail closed (reject the client certificate) when no CRL is
    # available, and accept once the CA bundle that carries the CRL is used.
    params = int_eap_server_params()
    params['check_crl'] = '1'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # check_crl=1 and no CRL available --> reject connection
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    # NOTE(review): the AP disable/enable lines around each hapd.set() below
    # are missing from this listing - confirm upstream.
    hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")
    # check_crl=1 and valid CRL --> accept
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    dev[0].request("REMOVE_NETWORK all")
    hapd.set("check_crl", "2")
    # check_crl=2 and valid CRL --> accept
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_tls_oom(dev, apdev):
    """EAP-TLS and OOM"""
    # Allocation-failure injection while the TLS certificate matching
    # parameters are being applied; the supplicant must fail the profile
    # cleanly (it falls back to asking for a passphrase) rather than crash or
    # proceed without the configured server identity checks.
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    check_domain_match(dev[0])
    check_domain_match_full(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # (count, function): fail the count-th allocation inside function.
    tests = [ (1, "tls_connection_set_subject_match"),
              (2, "tls_connection_set_subject_match"),
              (3, "tls_connection_set_subject_match"),
              (4, "tls_connection_set_subject_match") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                           identity="tls user", ca_cert="auth_serv/ca.pem",
                           client_cert="auth_serv/user.pem",
                           private_key="auth_serv/user.key",
                           subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                           altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
                           domain_suffix_match="server.w1.fi",
                           domain_match="server.w1.fi",
                           wait_connect=False, scan_freq="2412")
            # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
            ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
            # NOTE(review): the guard line for this raise (presumably the
            # ev-is-None timeout check) is missing from this listing.
            raise Exception("No passphrase request")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL"""
    # AP runs with macaddr_acl mode 2; an EAP-TLS client (dev[1]) must still
    # be able to authenticate with the test client certificate.
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_cfg["macaddr_acl"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    tls_creds = dict(ca_cert="auth_serv/ca.pem",
                     client_cert="auth_serv/user.pem",
                     private_key="auth_serv/user.key")
    eap_connect(dev[1], apdev[0], "TLS", "tls user", **tls_creds)
def test_ap_wpa2_eap_oom(dev, apdev):
    """EAP server and OOM"""
    # Allocation failure injected into the AP's EAPOL authenticator setup;
    # the station's own retry must let the connection complete afterwards.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
    with alloc_fail(hapd, 1, "eapol_auth_alloc"):
        # The first attempt fails, but STA will send EAPOL-Start to retry and
        # NOTE(review): the rest of the comment above and the closing
        # argument line of this connect() call are missing from this listing.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
def check_tls_ver(dev, ap, phase1, expected):
    # Connect with EAP-TLS using the given phase1 string and verify that the
    # negotiated TLS version reported in eap_tls_version matches 'expected'.
    # NOTE(review): the closing argument line of the eap_connect() call
    # (where phase1 would be passed) and the comparison guarding the raise
    # are missing from this listing - confirm upstream.
    eap_connect(dev, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key",
    ver = dev.get_status_field("eap_tls_version")
    raise Exception("Unexpected TLS version (expected %s): %s" % (expected, ver))
def test_ap_wpa2_eap_tls_versions(dev, apdev):
    """EAP-TLS and TLS version configuration"""
    # Verifies that the tls_disable_tlsv1_* phase1 flags really pin the
    # negotiated protocol version; which cases run depends on the client's
    # TLS library.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    tls = dev[0].request("GET tls_library")
    if tls.startswith("OpenSSL"):
        # Only exercised when both build- and run-time OpenSSL are 1.0.2.
        if "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
            check_tls_ver(dev[0], apdev[0],
                          "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
            # NOTE(review): the expected-version argument closing this call
            # is missing from this listing - confirm upstream.
    elif tls.startswith("internal"):
        # The internal TLS implementation lets each of TLS 1.0/1.1/1.2 be
        # forced by disabling the other two.
        check_tls_ver(dev[0], apdev[0],
                      "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2")
        check_tls_ver(dev[1], apdev[0],
                      "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
        check_tls_ver(dev[2], apdev[0],
                      "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
def test_rsn_ie_proto_eap_sta(dev, apdev):
    """RSN element protocol testing for EAP cases on STA side"""
    # Parser-robustness check: the AP advertises progressively truncated RSN
    # elements and the station must still parse them and connect, i.e. the
    # optional trailing fields have to be handled as absent, not as garbage.
    bssid = apdev[0]['bssid']
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # This is the RSN element used normally by hostapd
    # Bytes: element id 0x30, length 0x14, version 1, group cipher
    # 00-0f-ac:4 (CCMP), one pairwise suite (CCMP), one AKM 00-0f-ac:1
    # (802.1X), RSN capabilities 0x0c00.
    params['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
                        identity="gpsk user",
                        password="abcdefghijklmnop0123456789abcdef",
    # NOTE(review): the closing argument line of this connect() call is
    # missing from this listing - confirm upstream.
    # (description, RSN element hex) - each drops one more trailing field.
    tests = [ ('No RSN Capabilities field',
               '30120100000fac040100000fac040100000fac01'),
              ('No AKM Suite fields',
               '300c0100000fac040100000fac04'),
              ('No Pairwise Cipher Suite fields',
               '30060100000fac04'),
              ('No Group Data Cipher Suite field',
    # NOTE(review): the element value for the last case and the list's
    # closing bracket are missing from this listing.
    for txt,ie in tests:
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        # NOTE(review): the lines between wait_disconnected() and set()
        # (presumably a log line and AP disable) and after set() (AP enable)
        # are missing from this listing.
        hapd.set('own_ie_override', ie)
        # Flush cached scan results so the new element is actually parsed.
        dev[0].request("BSS_FLUSH 0")
        dev[0].scan_for_bss(bssid, 2412, force_scan=True, only_new=True)
        dev[0].select_network(id, freq=2412)
        dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].flush_scan_cache()
def check_tls_session_resumption_capa(dev, hapd):
    # Skip the calling test unless both the AP and the station are built on
    # OpenSSL; TLS session resumption is only exercised with that library.
    ap_tls = hapd.request("GET tls_library")
    if not ap_tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + ap_tls)
    sta_tls = dev.request("GET tls_library")
    if not sta_tls.startswith("OpenSSL"):
        raise HwsimSkip("Session resumption not supported with this TLS library: " + sta_tls)
def test_eap_ttls_pap_session_resumption(dev, apdev):
    """EAP-TTLS/PAP session resumption"""
    # The server keeps TLS sessions for 60 s so that the REAUTHENTICATE
    # below can resume the first session instead of a full handshake.
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
    # NOTE(review): the closing argument line of this eap_connect() call is
    # missing from this listing - confirm upstream.
    # First connection: a fresh session, nothing to resume yet.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): the guard lines for the two raises below (presumably
    # ev-is-None timeout checks) are missing from this listing.
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Key handshake with the AP timed out")
    # Second connection must report a resumed (abbreviated) TLS handshake.
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_chap_session_resumption(dev, apdev):
    """EAP-TTLS/CHAP session resumption"""
    # Same resumption flow as the PAP variant with CHAP as the inner method
    # and the DER-encoded CA certificate on the client.
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    # First connection: a fresh session, nothing to resume yet.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): the guard lines for the two raises below (presumably
    # ev-is-None timeout checks) are missing from this listing.
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Key handshake with the AP timed out")
    # Second connection must report a resumed (abbreviated) TLS handshake.
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_mschap_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAP session resumption"""
    # Resumption flow with MSCHAP as the inner method; the client also pins
    # the server certificate via domain_suffix_match, so that library
    # support is checked first.
    check_domain_suffix_match(dev[0])
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                domain_suffix_match="server.w1.fi")
    # First connection: a fresh session, nothing to resume yet.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): the guard lines for the two raises below (presumably
    # ev-is-None timeout checks) are missing from this listing.
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Key handshake with the AP timed out")
    # Second connection must report a resumed (abbreviated) TLS handshake.
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_mschapv2_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAPv2 session resumption"""
    # Resumption flow with MSCHAPv2 as the inner method and a domain-qualified
    # inner identity; requires MSCHAPV2 support in the client build and
    # domain_suffix_match support in its TLS library.
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    # First connection: a fresh session, nothing to resume yet.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): the guard lines for the two raises below (presumably
    # ev-is-None timeout checks) are missing from this listing.
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Key handshake with the AP timed out")
    # Second connection must report a resumed (abbreviated) TLS handshake.
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_eap_gtc_session_resumption(dev, apdev):
    """EAP-TTLS/EAP-GTC session resumption"""
    # Resumption flow with a tunnelled EAP method (autheap=GTC) rather than a
    # legacy inner authentication.
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    # First connection: a fresh session, nothing to resume yet.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): the guard lines for the two raises below (presumably
    # ev-is-None timeout checks) are missing from this listing.
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Key handshake with the AP timed out")
    # Second connection must report a resumed (abbreviated) TLS handshake.
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_no_session_resumption(dev, apdev):
    """EAP-TTLS session resumption disabled on server"""
    # Negative counterpart of the resumption tests: with
    # tls_session_lifetime=0 the server must not let the second connection
    # resume, so both handshakes have to be full ones.
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '0'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
    # NOTE(review): the closing argument line of this eap_connect() call is
    # missing from this listing - confirm upstream.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): the guard lines for the two raises below (presumably
    # ev-is-None timeout checks) are missing from this listing.
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_peap_session_resumption(dev, apdev):
    """EAP-PEAP session resumption"""
    # Same resumption flow as the EAP-TTLS tests, using PEAP with MSCHAPv2
    # as the inner method.
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    # First connection: a fresh session, nothing to resume yet.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): the guard lines for the two raises below (presumably
    # ev-is-None timeout checks) are missing from this listing.
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Key handshake with the AP timed out")
    # Second connection must report a resumed (abbreviated) TLS handshake.
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_peap_session_resumption_crypto_binding(dev, apdev):
    """EAP-PEAP session resumption with crypto binding"""
    # PEAPv0 with crypto binding required (crypto_binding=2): resumption must
    # still work when the inner/outer binding check is mandatory.
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                phase1="peapver=0 crypto_binding=2",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    # First connection: a fresh session, nothing to resume yet.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): the guard lines for the two raises below (presumably
    # ev-is-None timeout checks) are missing from this listing.
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Key handshake with the AP timed out")
    # Second connection must report a resumed (abbreviated) TLS handshake.
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_peap_no_session_resumption(dev, apdev):
    """EAP-PEAP session resumption disabled on server

    int_eap_server_params() is used without tls_session_lifetime, i.e. the
    server caches nothing; both the initial connection and the
    REAUTHENTICATE must therefore be full TLS handshakes.
    """
    hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    for event, error in (("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out"),
                         ("WPA: Key negotiation completed",
                          "Key handshake with the AP timed out")):
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(error)
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_tls_session_resumption(dev, apdev):
    """EAP-TLS session resumption

    One full handshake followed by two reauthentications; both of the
    latter must be resumed, which also shows that a cached session survives
    being used once.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    for ordinal in ("second", "third"):
        dev[0].request("REAUTHENTICATE")
        if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if dev[0].wait_event(["WPA: Key negotiation completed"],
                             timeout=10) is None:
            raise Exception("Key handshake with the AP timed out")
        if dev[0].get_status_field("tls_session_reused") != '1':
            raise Exception("Session resumption not used on the %s connection"
                            % ordinal)
def test_eap_tls_session_resumption_expiration(dev, apdev):
    """EAP-TLS session resumption after the cache lifetime has expired

    The server caches TLS sessions for only one second. A resumed handshake
    does not repeat the certificate exchange, so the server has to honor
    that lifetime and fall back to a full handshake once it has passed.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '1'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Allow multiple attempts since OpenSSL may not expire the cached entry
    # Each attempt is a REAUTHENTICATE; the attempts stop as soon as one of
    # them reports a full (non-resumed) handshake.
        dev[0].request("REAUTHENTICATE")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
            raise Exception("EAP success timed out")
        ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
            raise Exception("Key handshake with the AP timed out")
        if dev[0].get_status_field("tls_session_reused") == '0':
    # Final verdict: the last reauthentication must not have been resumed.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Session resumption used after lifetime expiration")
def test_eap_tls_no_session_resumption(dev, apdev):
    """EAP-TLS session resumption disabled on server

    No tls_session_lifetime is configured, so the server keeps no session
    cache and the REAUTHENTICATE has to be a full handshake again.
    """
    hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    for event, error in (("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out"),
                         ("WPA: Key negotiation completed",
                          "Key handshake with the AP timed out")):
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(error)
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_tls_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption (RADIUS)

    Split setup: apdev[1] runs hostapd's RADIUS server with the EAP-TLS
    credentials and a 60 s TLS session cache, apdev[0] is a plain
    authenticator pointed at that server on port 18128. The session cache
    therefore lives on the RADIUS server rather than on the AP.
    """
    as_params = { "ssid": "as", "beacon_int": "2000",
                  "radius_server_clients": "auth_serv/radius_clients.conf",
                  "radius_server_auth_port": '18128',
                  "eap_user_file": "auth_serv/eap_user.conf",
                  "ca_cert": "auth_serv/ca.pem",
                  "server_cert": "auth_serv/server.pem",
                  "private_key": "auth_serv/server.key",
                  "tls_session_lifetime": "60" }
    authsrv = hostapd.add_ap(apdev[1]['ifname'], as_params)
    check_tls_session_resumption_capa(dev[0], authsrv)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "18128"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    for event, error in (("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out"),
                         ("WPA: Key negotiation completed",
                          "Key handshake with the AP timed out")):
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(error)
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_tls_no_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption disabled (RADIUS)

    Same split setup as the resumption variant (RADIUS server on apdev[1],
    authenticator on apdev[0], port 18128), but the server is configured
    with tls_session_lifetime=0, i.e. caching explicitly disabled, so the
    REAUTHENTICATE must be a full handshake.
    """
    as_params = { "ssid": "as", "beacon_int": "2000",
                  "radius_server_clients": "auth_serv/radius_clients.conf",
                  "radius_server_auth_port": '18128',
                  "eap_user_file": "auth_serv/eap_user.conf",
                  "ca_cert": "auth_serv/ca.pem",
                  "server_cert": "auth_serv/server.pem",
                  "private_key": "auth_serv/server.key",
                  "tls_session_lifetime": "0" }
    hostapd.add_ap(apdev[1]['ifname'], as_params)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "18128"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    for event, error in (("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out"),
                         ("WPA: Key negotiation completed",
                          "Key handshake with the AP timed out")):
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(error)
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
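def test_eap_mschapv2_errors(dev, apdev):
    """EAP-MSCHAPv2 error cases

    Injects failures (fail_test) and allocation failures (alloc_fail) at
    named points of the peer's MSCHAPv2 implementation and checks that each
    trigger is reached, after which the network is removed and the peer
    must disconnect cleanly. Covers the password path, the NT-hash path,
    the failure-message path and MSCHAPv2 as the EAP-FAST inner method.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    check_eap_capa(dev[0], "FAST")

    params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    def run_cases(tests, injector, trigger, **net):
        # One connection attempt per (count, func) pair: the injected
        # failure is awaited via trigger, then the network is removed so the
        # next case starts from a disconnected state.
        for count, func in tests:
            with injector(dev[0], count, func):
                dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP",
                               wait_connect=False, scan_freq="2412", **net)
                wait_fail_trigger(dev[0], trigger)
                dev[0].request("REMOVE_NETWORK all")
                dev[0].wait_disconnected()

    # Sanity check before any fault injection: the plain password path
    # must connect.
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                   identity="phase1-user", password="password",
                   scan_freq="2412")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # Response derivation from the cleartext password. The
    # "nt_password_hash;=mschapv2_derive_response" entry is listed twice;
    # the second run adds no coverage and is kept only for parity with the
    # original vector list.
    password_cases = [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
                       (1, "nt_password_hash;mschapv2_derive_response"),
                       (1, "nt_password_hash;=mschapv2_derive_response"),
                       (1, "generate_nt_response;mschapv2_derive_response"),
                       (1, "generate_authenticator_response;mschapv2_derive_response"),
                       (1, "nt_password_hash;=mschapv2_derive_response"),
                       (1, "get_master_key;mschapv2_derive_response"),
                       (1, "os_get_random;eap_mschapv2_challenge_reply") ]
    run_cases(password_cases, fail_test, "GET_FAIL", eap="MSCHAPV2",
              identity="phase1-user", password="password")

    # Same derivation but starting from the stored NT hash
    # (password_hex="hash:<16-byte NT hash>", the hash of "password"),
    # which goes through the *_pwhash variants.
    pwhash_cases = [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
                     (1, "hash_nt_password_hash;=mschapv2_derive_response"),
                     (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
                     (1, "generate_authenticator_response_pwhash;mschapv2_derive_response") ]
    run_cases(pwhash_cases, fail_test, "GET_FAIL", eap="MSCHAPV2",
              identity="phase1-user",
              password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c")

    alloc_cases = [ (1, "eap_mschapv2_init"),
                    (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
                    (1, "eap_msg_alloc;eap_mschapv2_success"),
                    (1, "eap_mschapv2_getKey") ]
    run_cases(alloc_cases, alloc_fail, "GET_ALLOC_FAIL", eap="MSCHAPV2",
              identity="phase1-user", password="password")

    # eap_mschapv2_failure is only reached when the server rejects the
    # credentials, hence the deliberately wrong password.
    run_cases([ (1, "eap_msg_alloc;eap_mschapv2_failure") ], alloc_fail,
              "GET_ALLOC_FAIL", eap="MSCHAPV2", identity="phase1-user",
              password="wrong password")

    # MSCHAPv2 as the EAP-FAST phase 2 method; allocation counts 2 and 3
    # target later eap_mschapv2_init invocations (presumably the tunneled
    # instance rather than the one counted above).
    run_cases([ (2, "eap_mschapv2_init"), (3, "eap_mschapv2_init") ],
              alloc_fail, "GET_ALLOC_FAIL", eap="FAST",
              anonymous_identity="FAST", identity="user", password="password",
              ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
              phase1="fast_provisioning=1", pac_file="blob://fast_pac")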
def test_eap_gpsk_errors(dev, apdev):
    """EAP-GPSK error cases

    Fault injection into the peer-side EAP-GPSK implementation: first
    fail_test at the random-number, key-derivation and MIC computation
    points (each vector also carries a phase1 string so that the cipher
    selection varies), then alloc_fail across init, message building, key
    derivation and the MSK/EMSK/session-id getters.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Sanity connection before injecting faults. The password is the
    # 32-character pre-shared key used by the "gpsk user" entry.
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                   identity="gpsk user",
                   password="abcdefghijklmnop0123456789abcdef",
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # (count, function, phase1) vectors; phase1 is passed through to the
    # network so that a vector can pin the GPSK cipher suite it targets
    # (e.g. the AES-based MIC versus the HMAC-SHA256 one below).
    tests = [ (1, "os_get_random;eap_gpsk_send_gpsk_2", None),
              (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
              (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
              (1, "eap_gpsk_derive_keys_helper", None),
              (2, "eap_gpsk_derive_keys_helper", None),
              (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
              (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
              (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
              (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
              (1, "eap_gpsk_derive_mid_helper", None) ]
    for count, func, phase1 in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                           identity="gpsk user",
                           password="abcdefghijklmnop0123456789abcdef",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # Allocation failures. ERP is enabled on the network (erp="1") and the
    # ERP state flushed before every attempt, presumably so that the EMSK
    # and session-id getters at the end of the list are actually invoked.
    tests = [ (1, "eap_gpsk_init"),
              (2, "eap_gpsk_init"),
              (3, "eap_gpsk_init"),
              (1, "eap_gpsk_process_id_server"),
              (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
              (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
              (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
              (1, "eap_gpsk_derive_keys"),
              (1, "eap_gpsk_derive_keys_helper"),
              (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
              (1, "eap_gpsk_getKey"),
              (1, "eap_gpsk_get_emsk"),
              (1, "eap_gpsk_get_session_id") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].request("ERP_FLUSH")
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                           identity="gpsk user", erp="1",
                           password="abcdefghijklmnop0123456789abcdef",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
def test_ap_wpa2_eap_sim_db(dev, apdev, params):
    """EAP-SIM DB error cases

    Points hostapd's eap_sim_db at a Unix datagram socket owned by this
    test instead of a real hlr_auc_gw, and exercises the response handling
    in three stages: nobody listening, malformed/unknown replies followed
    by a request timeout, and finally a genuine reply produced by running
    the hlr_auc_gw binary on the received request.
    """
    # Private socket path so that a real hlr_auc_gw on
    # /tmp/hlr_auc_gw.sock is never involved.
    sockpath = '/tmp/hlr_auc_gw.sock-test'
    hparams = int_eap_server_params()
    hparams['eap_sim_db'] = 'unix:' + sockpath
    hapd = hostapd.add_ap(apdev[0]['ifname'], hparams)

    # Initial test with hlr_auc_gw socket not available
    # The password carries the SIM secrets for the simulated card
    # (presumably Ki:OPc for the Milenage test database used below --
    # confirm against auth_serv). With nothing behind the socket the
    # server cannot obtain triplets and must reject rather than hang.
    # NOTE(review): `id` shadows the builtin of the same name.
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                        eap="SIM", identity="1232010000000000",
                        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                        scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        raise Exception("EAP-Failure not reported")
    dev[0].wait_disconnected()
    dev[0].request("DISCONNECT")

    # Test with invalid responses and response timeout
    # Handler that answers one request with three bogus replies; each
    # comment gives the server-side log line the reply is meant to trigger.
    # Afterwards the server is left waiting so that its pending-request
    # timeout path runs as well.
    class test_handler(SocketServer.DatagramRequestHandler):
            data = self.request[0].strip()
            # NOTE(review): the local name `socket` shadows the stdlib
            # module inside this handler.
            socket = self.request[1]
            logger.debug("Received hlr_auc_gw request: " + data)
            # EAP-SIM DB: Failed to parse response string
            socket.sendto("FOO", self.client_address)
            # EAP-SIM DB: Failed to parse response string
            socket.sendto("FOO 1", self.client_address)
            # EAP-SIM DB: Unknown external response
            socket.sendto("FOO 1 2", self.client_address)
            logger.info("No proper response - wait for pending eap_sim_db request timeout")

    server = SocketServer.UnixDatagramServer(sockpath, test_handler)

    # handle_request() serves exactly one datagram per call.
    dev[0].select_network(id)
    server.handle_request()
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        raise Exception("EAP-Failure not reported")
    dev[0].wait_disconnected()
    dev[0].request("DISCONNECT")

    # Test with a valid response
    # Handler that forwards the request to the real hlr_auc_gw binary and
    # relays its answer. The request text comes straight from the hostapd
    # socket and is handed to Popen as an argument-list element (no shell),
    # so it cannot inject commands.
    # NOTE(review): no wait()/communicate() on cmd is visible here, so each
    # served request leaves a zombie child until the test process exits.
    class test_handler2(SocketServer.DatagramRequestHandler):
            data = self.request[0].strip()
            socket = self.request[1]
            logger.debug("Received hlr_auc_gw request: " + data)
            fname = os.path.join(params['logdir'],
                                 'hlr_auc_gw.milenage_db')
            cmd = subprocess.Popen(['../../hostapd/hlr_auc_gw',
                                   stdout=subprocess.PIPE)
            res = cmd.stdout.read().strip()
            logger.debug("hlr_auc_gw response: " + res)
            socket.sendto(res, self.client_address)

    # Reuse the bound server, only swap the handler class.
    server.RequestHandlerClass = test_handler2
    dev[0].select_network(id)
    server.handle_request()
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
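def test_eap_tls_sha512(dev, apdev, params):
    """EAP-TLS with SHA512 signature

    The server uses the sha512-* certificate set (by file name: a SHA-512
    signed server certificate under auth_serv/sha512-ca.pem). Two stations
    connect against it, dev[0] with the sha512-user and dev[1] with the
    sha384-user client certificate, so that SHA-2 signature algorithms
    beyond SHA-256 are exercised on both sides of the handshake.
    """
    # `params` is the hwsim test fixture; the AP configuration gets its own
    # name so that the fixture argument is not shadowed.
    hparams = int_eap_server_params()
    hparams["ca_cert"] = "auth_serv/sha512-ca.pem"
    hparams["server_cert"] = "auth_serv/sha512-server.pem"
    hparams["private_key"] = "auth_serv/sha512-server.key"
    hostapd.add_ap(apdev[0]['ifname'], hparams)

    for sta, user in ((dev[0], "sha512"), (dev[1], "sha384")):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                    identity="tls user sha512",
                    ca_cert="auth_serv/sha512-ca.pem",
                    client_cert="auth_serv/%s-user.pem" % user,
                    private_key="auth_serv/%s-user.key" % user,
                    scan_freq="2412")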
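def test_eap_tls_sha384(dev, apdev, params):
    """EAP-TLS with SHA384 signature

    Same setup as test_eap_tls_sha512 but with the sha384-server
    certificate (still issued under auth_serv/sha512-ca.pem). dev[0]
    connects with the sha512-user and dev[1] with the sha384-user client
    certificate.
    """
    # `params` is the hwsim test fixture; the AP configuration gets its own
    # name so that the fixture argument is not shadowed.
    hparams = int_eap_server_params()
    hparams["ca_cert"] = "auth_serv/sha512-ca.pem"
    hparams["server_cert"] = "auth_serv/sha384-server.pem"
    hparams["private_key"] = "auth_serv/sha384-server.key"
    hostapd.add_ap(apdev[0]['ifname'], hparams)

    for sta, user in ((dev[0], "sha512"), (dev[1], "sha384")):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                    identity="tls user sha512",
                    ca_cert="auth_serv/sha512-ca.pem",
                    client_cert="auth_serv/%s-user.pem" % user,
                    private_key="auth_serv/%s-user.key" % user,
                    scan_freq="2412")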
def test_ap_wpa2_eap_assoc_rsn(dev, apdev):
    """WPA2-Enterprise AP and association request RSN IE differences

    Overrides the RSN IE that wpa_supplicant puts into its association
    request (set_test_assoc_ie) and checks how hostapd treats the
    variants: truncated-but-valid IEs must still associate, while bad
    cipher selections and PMF policy mismatches must be rejected with the
    expected 802.11 status code.

    Layout of the reference IE used below (see the case titles):
      30 14          element ID 0x30 (RSN), length
      01 00          version 1
      00 0f ac 04    group cipher suite
      01 00  00 0f ac 04   one pairwise cipher suite
      01 00  00 0f ac 01   one AKM suite (802.1X)
      00 00          RSN capabilities
    followed optionally by a PMKID count, a group management cipher suite
    (00 0f ac 06 in the "Extra Group Management Cipher Suite" case) and
    unknown trailing bytes.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Second AP with PMF required (ieee80211w=2) for the PMF-related cases.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap-11w")
    params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[1]['ifname'], params)

    # Success cases with optional RSN IE fields removed one by one
    tests = [ ("Normal wpa_supplicant assoc req RSN IE",
               "30140100000fac040100000fac040100000fac010000"),
              ("Extra PMKIDCount field in RSN IE",
               "30160100000fac040100000fac040100000fac0100000000"),
              ("Extra Group Management Cipher Suite in RSN IE",
               "301a0100000fac040100000fac040100000fac0100000000000fac06"),
              ("Extra undefined extension field in RSN IE",
               "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
              ("RSN IE without RSN Capabilities",
               "30120100000fac040100000fac040100000fac01"),
              ("RSN IE without AKM", "300c0100000fac040100000fac04"),
              ("RSN IE without pairwise", "30060100000fac04"),
              ("RSN IE without group", "30020100") ]
    for title, ie in tests:
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
                       identity="gpsk user",
                       password="abcdefghijklmnop0123456789abcdef",
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # PMF-capable station (ieee80211w=1) against the PMF-required AP. The
    # capability bytes are cc 00 here instead of 00 00, i.e. the MFP
    # capability bits are set.
    tests = [ ("Normal wpa_supplicant assoc req RSN IE",
               "30140100000fac040100000fac040100000fac01cc00"),
              ("Group management cipher included in assoc req RSN IE",
               "301a0100000fac040100000fac040100000fac01cc000000000fac06") ]
    for title, ie in tests:
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
                       eap="GPSK", identity="gpsk user",
                       password="abcdefghijklmnop0123456789abcdef",
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Rejection cases: suite type 02 instead of 04 as group / pairwise
    # cipher. The AP must not accept the selection but answer the
    # association with status 41 (invalid group cipher) resp. 42 (invalid
    # pairwise cipher).
    tests = [ ("Invalid group cipher", "30060100000fac02", 41),
              ("Invalid pairwise cipher", "300c0100000fac040100000fac02", 42) ]
    for title, ie, status in tests:
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
                       identity="gpsk user",
                       password="abcdefghijklmnop0123456789abcdef",
                       scan_freq="2412", wait_connect=False)
        ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
            raise Exception("Association rejection not reported")
        if "status_code=" + str(status) not in ev:
            raise Exception("Unexpected status code: " + ev)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].dump_monitor()

    # PMF policy violations against the PMF-required AP, both rejected
    # with status 31: a station that does not advertise MFP at all
    # (capabilities 00 00) and one that asks for an unsupported group
    # management cipher (00 0f ac 0b).
    tests = [ ("Management frame protection not enabled",
               "30140100000fac040100000fac040100000fac010000", 31),
              ("Unsupported management group cipher",
               "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 31) ]
    for title, ie, status in tests:
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
                       eap="GPSK", identity="gpsk user",
                       password="abcdefghijklmnop0123456789abcdef",
                       scan_freq="2412", wait_connect=False)
        ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
            raise Exception("Association rejection not reported")
        if "status_code=" + str(status) not in ev:
            raise Exception("Unexpected status code: " + ev)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].dump_monitor()
def test_eap_tls_ext_cert_check(dev, apdev):
    """EAP-TLS and external server certification validation"""
    # With internal server certificate chain validation: ca_cert is set, so
    # the external verdict requested via tls_ext_cert_check=1 comes on top
    # of wpa_supplicant's own chain check. The network is only added here;
    # run_ext_cert_check() brings the AP up and selects it.
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                            identity="tls user",
                            ca_cert="auth_serv/ca.pem",
                            client_cert="auth_serv/user.pem",
                            private_key="auth_serv/user.key",
                            phase1="tls_ext_cert_check=1", scan_freq="2412",
                            only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_ttls_ext_cert_check(dev, apdev):
    """EAP-TTLS and external server certification validation"""
    # Without internal server certificate chain validation: no ca_cert is
    # configured, so the external check requested via tls_ext_cert_check=1
    # is the only thing standing between the PAP password and a rogue
    # server. The network is only added here; run_ext_cert_check() brings
    # the AP up and selects it.
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            phase1="tls_ext_cert_check=1", scan_freq="2412",
                            only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_peap_ext_cert_check(dev, apdev):
    """EAP-PEAP and external server certification validation"""
    # With internal server certificate chain validation (ca_cert set); the
    # external verdict is requested in addition via tls_ext_cert_check=1.
    # The network is only added here; run_ext_cert_check() brings the AP up
    # and selects it.
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                            identity="user", anonymous_identity="peap",
                            ca_cert="auth_serv/ca.pem",
                            password="password", phase2="auth=MSCHAPV2",
                            phase1="tls_ext_cert_check=1", scan_freq="2412",
                            only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_fast_ext_cert_check(dev, apdev):
    """EAP-FAST and external server certification validation"""
    check_eap_capa(dev[0], "FAST")
    # With internal server certificate chain validation (ca_cert set). The
    # PAC blob is cleared first so that the connection starts with
    # provisioning (fast_provisioning=2) and the server certificate is
    # actually presented for the external check. The network is only added
    # here; run_ext_cert_check() brings the AP up and selects it.
    dev[0].request("SET blob fast_pac_auth_ext ")
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                            identity="user", anonymous_identity="FAST",
                            ca_cert="auth_serv/ca.pem",
                            password="password", phase2="auth=GTC",
                            phase1="tls_ext_cert_check=1 fast_provisioning=2",
                            pac_file="blob://fast_pac_auth_ext",
                            scan_freq="2412",
                            only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)
def run_ext_cert_check(dev, apdev, net_id):
    """Drive the tls_ext_cert_check=1 flow for the already-added network.

    Collects the server certificate chain that wpa_supplicant reports via
    CTRL-EVENT-EAP-PEER-CERT (one event per depth, DER in hex), answers the
    CTRL-REQ-EXT_CERT_CHECK request with "good" after checking the leaf and
    issuer subject CNs, and verifies that EAP-Success is withheld until
    that answer arrives. A second connection (PMKSA cache flushed so that a
    full EAP exchange happens again) is then answered with "bad" and must
    end in EAP-Failure.

    dev/apdev: hwsim fixtures; net_id: id returned by dev[0].connect(...,
    only_add_network=True). Raises HwsimSkip when the build or the Python
    OpenSSL binding lacks support.
    """
    check_ext_cert_check_support(dev[0])
    if not openssl_imported:
        raise HwsimSkip("OpenSSL python method not available")

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    dev[0].select_network(net_id)
        # Wait for the next certificate / check-request / success event;
        # EAP-Success before the check request is a failure of the
        # tls_ext_cert_check gate.
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
                                "CTRL-REQ-EXT_CERT_CHECK",
                                "CTRL-EVENT-EAP-SUCCESS"], timeout=10)
            raise Exception("No peer server certificate event seen")
        if "CTRL-EVENT-EAP-PEER-CERT" in ev:
            # Event fields are space separated "key=value" pairs; depth=0
            # is the server certificate, higher depths the issuers.
            vals = ev.split(' ')
                if v.startswith("depth="):
                    depth = int(v.split('=')[1])
                elif v.startswith("cert="):
                    cert = v.split('=')[1]
            if depth is not None and cert:
                certs[depth] = binascii.unhexlify(cert)
        elif "CTRL-EVENT-EAP-SUCCESS" in ev:
            raise Exception("Unexpected EAP-Success")
        elif "CTRL-REQ-EXT_CERT_CHECK" in ev:
            # The request id is the trailing number of the "CTRL-REQ-..."
            # token and must be echoed in the CTRL-RSP below.
            # NOTE(review): `id` shadows the builtin of the same name.
            id = ev.split(':')[0].split('-')[-1]
            raise Exception("Server certificate not received")
            raise Exception("Server certificate issuer not received")

    # Parse the DER blobs with pyOpenSSL and compare subject CNs.
    # NOTE(review): the verdict given below rests on the subject CN of the
    # leaf and of its issuer only; this is adequate for the test but is not
    # a model for a production external checker, which has to validate the
    # chain rather than names.
    cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
    cn = cert.get_subject().commonName
    logger.info("Server certificate CN=" + cn)

    issuer = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
    icn = issuer.get_subject().commonName
    logger.info("Issuer certificate CN=" + icn)

    if cn != "server.w1.fi":
        raise Exception("Unexpected server certificate CN: " + cn)
    if icn != "Root CA":
        raise Exception("Unexpected server certificate issuer CN: " + icn)

    # EAP must still be blocked while the external check is pending.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=0.1)
        raise Exception("Unexpected EAP-Success before external check result indication")

    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":good")
    dev[0].wait_connected()

    # Negative case: flush the PMKSA cache (and the FAST PAC blob) so that
    # the reconnect cannot skip EAP, then reject the certificate.
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    if "FAIL" in dev[0].request("PMKSA_FLUSH"):
        raise Exception("PMKSA_FLUSH failed")
    dev[0].request("SET blob fast_pac_auth_ext ")
    dev[0].request("RECONNECT")

    ev = dev[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout=10)
        raise Exception("No peer server certificate event seen (2)")
    id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":bad")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
        raise Exception("EAP-Failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_eap_tls_errors(dev, apdev):
    """EAP-TLS error cases

    Allocation-failure injection (alloc_fail) into the peer-side EAP-TLS,
    UNAUTH-TLS and WFA-UNAUTH-TLS code paths. Every case starts a
    connection attempt with wait_connect=False, waits until the
    instrumented allocation has been hit and then removes the network; the
    expectation is a clean failure of the attempt, not a connection.
    """
    params = int_eap_server_params()
    # Small EAP fragment size on the server so that the peer has to
    # reassemble fragments, which is the first injection point below.
    params['fragment_size'] = '100'
    hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(dev[0], 1,
                    "eap_peer_tls_reassemble_fragment"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    with alloc_fail(dev[0], 1, "eap_tls_init"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # After the injected failure in eap_peer_tls_ssl_init the peer is
    # expected to ask for a PIN (CTRL-REQ-PIN); presumably one of the
    # network options of this connect() call makes the key PIN-protected --
    # confirm against the full call.
    with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        ev = dev[0].wait_event(["CTRL-REQ-PIN"], timeout=5)
            raise Exception("No CTRL-REQ-PIN seen")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Key/session-id derivation after a successful handshake.
    tests = [ "eap_peer_tls_derive_key;eap_tls_success",
              "eap_peer_tls_derive_session_id;eap_tls_success",
              "eap_tls_get_session_id" ]
        with alloc_fail(dev[0], 1, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                           identity="tls user", ca_cert="auth_serv/ca.pem",
                           client_cert="auth_serv/user.pem",
                           private_key="auth_serv/user.key",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # UNAUTH-TLS: server-authenticated only, no client certificate.
    with alloc_fail(dev[0], 1, "eap_unauth_tls_init"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="UNAUTH-TLS",
                       identity="unauth-tls", ca_cert="auth_serv/ca.pem",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init;eap_unauth_tls_init"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="UNAUTH-TLS",
                       identity="unauth-tls", ca_cert="auth_serv/ca.pem",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # WFA-UNAUTH-TLS: the Wi-Fi Alliance variant (the identity suggests the
    # Hotspot 2.0 OSEN use case).
    with alloc_fail(dev[0], 1, "eap_wfa_unauth_tls_init"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="WFA-UNAUTH-TLS",
                       identity="osen@example.com", ca_cert="auth_serv/ca.pem",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init;eap_wfa_unauth_tls_init"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="WFA-UNAUTH-TLS",
                       identity="osen@example.com", ca_cert="auth_serv/ca.pem",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()