1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
# Module-wide logger; no name is given, so this is the root logger and the
# messages end up in the hwsim run log together with everything else.
logger = logging.getLogger(name=None)
18 from utils import HwsimSkip, alloc_fail, fail_test
19 from wpasupplicant import WpaSupplicant
20 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations
def check_hlr_auc_gw_support():
    """Skip the current test when the hlr_auc_gw control socket is absent.

    The EAP-SIM/AKA/AKA' tests need hostapd's hlr_auc_gw helper (the
    simulated HLR/AuC) to be running; the presence of its UNIX socket at
    /tmp/hlr_auc_gw.sock is used as the readiness signal.

    Raises:
        HwsimSkip: if the socket path does not exist.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
26 def check_eap_capa(dev, method):
27 res = dev.get_capability("eap")
29 raise HwsimSkip("EAP method %s not supported in the build" % method)
def check_subject_match_support(dev):
    """Skip the current test unless the TLS backend supports subject_match.

    This test suite only exercises the subject_match server certificate
    constraint against the OpenSSL backend; any other `GET tls_library`
    answer raises HwsimSkip instead of letting the test fail.

    Args:
        dev: WpaSupplicant instance whose TLS library is queried.

    Raises:
        HwsimSkip: if the library string does not start with "OpenSSL".
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + tls_lib)
def check_altsubject_match_support(dev):
    """Skip the current test unless the TLS backend supports altsubject_match.

    The altsubject_match (subjectAltName) constraint on the server
    certificate is only tested with OpenSSL here; for every other TLS
    library reported by `GET tls_library` the test is skipped.

    Args:
        dev: WpaSupplicant instance whose TLS library is queried.

    Raises:
        HwsimSkip: if the library string does not start with "OpenSSL".
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls_lib)
def check_domain_match_full(dev):
    """Skip the current test unless domain_suffix_match does suffix matching.

    With TLS backends other than OpenSSL, domain_suffix_match only accepts a
    full match of the server certificate's domain, so tests that rely on a
    real suffix match are skipped there.

    Args:
        dev: WpaSupplicant instance whose TLS library is queried.

    Raises:
        HwsimSkip: if the library string does not start with "OpenSSL".
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls_lib)
def check_cert_probe_support(dev):
    """Skip the current test unless server certificate probing is available.

    Only the OpenSSL backend is exercised for certificate probing in this
    suite; every other `GET tls_library` answer leads to HwsimSkip.

    Args:
        dev: WpaSupplicant instance whose TLS library is queried.

    Raises:
        HwsimSkip: if the library string does not start with "OpenSSL".
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls_lib)
52 with open(fname, "r") as f:
63 return base64.b64decode(cert)
65 def eap_connect(dev, ap, method, identity,
66 sha256=False, expect_failure=False, local_error_report=False,
68 hapd = hostapd.Hostapd(ap['ifname'])
69 id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
70 eap=method, identity=identity,
71 wait_connect=False, scan_freq="2412", ieee80211w="1",
73 eap_check_auth(dev, method, True, sha256=sha256,
74 expect_failure=expect_failure,
75 local_error_report=local_error_report)
78 ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
80 raise Exception("No connection event received from hostapd")
83 def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
84 expect_failure=False, local_error_report=False):
85 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
87 raise Exception("Association and EAP start timed out")
88 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
90 raise Exception("EAP method selection timed out")
92 raise Exception("Unexpected EAP method")
94 ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
96 raise Exception("EAP failure timed out")
97 ev = dev.wait_disconnected(timeout=10)
98 if not local_error_report:
99 if "reason=23" not in ev:
100 raise Exception("Proper reason code for disconnection not reported")
102 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
104 raise Exception("EAP success timed out")
107 ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
109 ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
111 raise Exception("Association with the AP timed out")
112 status = dev.get_status()
113 if status["wpa_state"] != "COMPLETED":
114 raise Exception("Connection not completed")
116 if status["suppPortStatus"] != "Authorized":
117 raise Exception("Port not authorized")
118 if method not in status["selectedMethod"]:
119 raise Exception("Incorrect EAP method status")
121 e = "WPA2-EAP-SHA256"
123 e = "WPA2/IEEE 802.1X/EAP"
125 e = "WPA/IEEE 802.1X/EAP"
126 if status["key_mgmt"] != e:
127 raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Force an EAP reauthentication on dev and validate its outcome.

    Issues REAUTHENTICATE over the control interface and then delegates to
    eap_check_auth with initial=False, so the reauthentication is verified
    with the same event/status checks as the initial authentication.

    Args:
        dev: WpaSupplicant instance to reauthenticate.
        method: expected EAP method name (e.g. "TTLS").
        rsn: whether the association is WPA2 (RSN) rather than WPA.
        sha256: whether the SHA256-based AKM is expected.
        expect_failure: whether the reauthentication is expected to fail.

    Returns:
        Whatever eap_check_auth returns.
    """
    dev.request("REAUTHENTICATE")
    check_args = dict(rsn=rsn, sha256=sha256, expect_failure=expect_failure)
    return eap_check_auth(dev, method, False, **check_args)
135 def test_ap_wpa2_eap_sim(dev, apdev):
136 """WPA2-Enterprise connection using EAP-SIM"""
137 check_hlr_auc_gw_support()
138 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
139 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
140 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
141 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
142 hwsim_utils.test_connectivity(dev[0], hapd)
143 eap_reauth(dev[0], "SIM")
145 eap_connect(dev[1], apdev[0], "SIM", "1232010000000001",
146 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
147 eap_connect(dev[2], apdev[0], "SIM", "1232010000000002",
148 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
151 logger.info("Negative test with incorrect key")
152 dev[0].request("REMOVE_NETWORK all")
153 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
154 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
157 logger.info("Invalid GSM-Milenage key")
158 dev[0].request("REMOVE_NETWORK all")
159 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
160 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
163 logger.info("Invalid GSM-Milenage key(2)")
164 dev[0].request("REMOVE_NETWORK all")
165 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
166 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
169 logger.info("Invalid GSM-Milenage key(3)")
170 dev[0].request("REMOVE_NETWORK all")
171 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
172 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
175 logger.info("Invalid GSM-Milenage key(4)")
176 dev[0].request("REMOVE_NETWORK all")
177 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
178 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
181 logger.info("Missing key configuration")
182 dev[0].request("REMOVE_NETWORK all")
183 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
186 def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
187 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
188 check_hlr_auc_gw_support()
192 raise HwsimSkip("No sqlite3 module available")
193 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
194 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
195 params['auth_server_port'] = "1814"
196 hostapd.add_ap(apdev[0]['ifname'], params)
197 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
198 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
200 logger.info("SIM fast re-authentication")
201 eap_reauth(dev[0], "SIM")
203 logger.info("SIM full auth with pseudonym")
206 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
207 eap_reauth(dev[0], "SIM")
209 logger.info("SIM full auth with permanent identity")
212 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
213 cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
214 eap_reauth(dev[0], "SIM")
216 logger.info("SIM reauth with mismatching MK")
219 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
220 eap_reauth(dev[0], "SIM", expect_failure=True)
221 dev[0].request("REMOVE_NETWORK all")
223 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
224 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
227 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
228 eap_reauth(dev[0], "SIM")
231 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
232 logger.info("SIM reauth with mismatching counter")
233 eap_reauth(dev[0], "SIM")
234 dev[0].request("REMOVE_NETWORK all")
236 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
237 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
240 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
241 logger.info("SIM reauth with max reauth count reached")
242 eap_reauth(dev[0], "SIM")
244 def test_ap_wpa2_eap_sim_config(dev, apdev):
245 """EAP-SIM configuration options"""
246 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
247 hostapd.add_ap(apdev[0]['ifname'], params)
248 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
249 identity="1232010000000000",
250 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
251 phase1="sim_min_num_chal=1",
252 wait_connect=False, scan_freq="2412")
253 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
255 raise Exception("No EAP error message seen")
256 dev[0].request("REMOVE_NETWORK all")
258 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
259 identity="1232010000000000",
260 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
261 phase1="sim_min_num_chal=4",
262 wait_connect=False, scan_freq="2412")
263 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
265 raise Exception("No EAP error message seen (2)")
266 dev[0].request("REMOVE_NETWORK all")
268 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
269 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
270 phase1="sim_min_num_chal=2")
271 eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
272 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
273 anonymous_identity="345678")
275 def test_ap_wpa2_eap_sim_ext(dev, apdev):
276 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
278 _test_ap_wpa2_eap_sim_ext(dev, apdev)
280 dev[0].request("SET external_sim 0")
282 def _test_ap_wpa2_eap_sim_ext(dev, apdev):
283 check_hlr_auc_gw_support()
284 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
285 hostapd.add_ap(apdev[0]['ifname'], params)
286 dev[0].request("SET external_sim 1")
287 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
288 identity="1232010000000000",
289 wait_connect=False, scan_freq="2412")
290 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
292 raise Exception("Network connected timed out")
294 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
296 raise Exception("Wait for external SIM processing request timed out")
298 if p[1] != "GSM-AUTH":
299 raise Exception("Unexpected CTRL-REQ-SIM type")
300 rid = p[0].split('-')[3]
303 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
304 # This will fail during processing, but the ctrl_iface command succeeds
305 dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
306 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
308 raise Exception("EAP failure not reported")
309 dev[0].request("DISCONNECT")
310 dev[0].wait_disconnected()
313 dev[0].select_network(id, freq="2412")
314 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
316 raise Exception("Wait for external SIM processing request timed out")
318 if p[1] != "GSM-AUTH":
319 raise Exception("Unexpected CTRL-REQ-SIM type")
320 rid = p[0].split('-')[3]
321 # This will fail during GSM auth validation
322 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:q"):
323 raise Exception("CTRL-RSP-SIM failed")
324 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
326 raise Exception("EAP failure not reported")
327 dev[0].request("DISCONNECT")
328 dev[0].wait_disconnected()
331 dev[0].select_network(id, freq="2412")
332 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
334 raise Exception("Wait for external SIM processing request timed out")
336 if p[1] != "GSM-AUTH":
337 raise Exception("Unexpected CTRL-REQ-SIM type")
338 rid = p[0].split('-')[3]
339 # This will fail during GSM auth validation
340 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:34"):
341 raise Exception("CTRL-RSP-SIM failed")
342 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
344 raise Exception("EAP failure not reported")
345 dev[0].request("DISCONNECT")
346 dev[0].wait_disconnected()
349 dev[0].select_network(id, freq="2412")
350 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
352 raise Exception("Wait for external SIM processing request timed out")
354 if p[1] != "GSM-AUTH":
355 raise Exception("Unexpected CTRL-REQ-SIM type")
356 rid = p[0].split('-')[3]
357 # This will fail during GSM auth validation
358 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677"):
359 raise Exception("CTRL-RSP-SIM failed")
360 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
362 raise Exception("EAP failure not reported")
363 dev[0].request("DISCONNECT")
364 dev[0].wait_disconnected()
367 dev[0].select_network(id, freq="2412")
368 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
370 raise Exception("Wait for external SIM processing request timed out")
372 if p[1] != "GSM-AUTH":
373 raise Exception("Unexpected CTRL-REQ-SIM type")
374 rid = p[0].split('-')[3]
375 # This will fail during GSM auth validation
376 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:q"):
377 raise Exception("CTRL-RSP-SIM failed")
378 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
380 raise Exception("EAP failure not reported")
381 dev[0].request("DISCONNECT")
382 dev[0].wait_disconnected()
385 dev[0].select_network(id, freq="2412")
386 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
388 raise Exception("Wait for external SIM processing request timed out")
390 if p[1] != "GSM-AUTH":
391 raise Exception("Unexpected CTRL-REQ-SIM type")
392 rid = p[0].split('-')[3]
393 # This will fail during GSM auth validation
394 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233"):
395 raise Exception("CTRL-RSP-SIM failed")
396 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
398 raise Exception("EAP failure not reported")
399 dev[0].request("DISCONNECT")
400 dev[0].wait_disconnected()
403 dev[0].select_network(id, freq="2412")
404 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
406 raise Exception("Wait for external SIM processing request timed out")
408 if p[1] != "GSM-AUTH":
409 raise Exception("Unexpected CTRL-REQ-SIM type")
410 rid = p[0].split('-')[3]
411 # This will fail during GSM auth validation
412 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233:q"):
413 raise Exception("CTRL-RSP-SIM failed")
414 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
416 raise Exception("EAP failure not reported")
418 def test_ap_wpa2_eap_sim_oom(dev, apdev):
419 """EAP-SIM and OOM"""
420 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
421 hostapd.add_ap(apdev[0]['ifname'], params)
422 tests = [ (1, "milenage_f2345"),
423 (2, "milenage_f2345"),
424 (3, "milenage_f2345"),
425 (4, "milenage_f2345"),
426 (5, "milenage_f2345"),
427 (6, "milenage_f2345"),
428 (7, "milenage_f2345"),
429 (8, "milenage_f2345"),
430 (9, "milenage_f2345"),
431 (10, "milenage_f2345"),
432 (11, "milenage_f2345"),
433 (12, "milenage_f2345") ]
434 for count, func in tests:
435 with alloc_fail(dev[0], count, func):
436 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
437 identity="1232010000000000",
438 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
439 wait_connect=False, scan_freq="2412")
440 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
442 raise Exception("EAP method not selected")
443 dev[0].wait_disconnected()
444 dev[0].request("REMOVE_NETWORK all")
446 def test_ap_wpa2_eap_aka(dev, apdev):
447 """WPA2-Enterprise connection using EAP-AKA"""
448 check_hlr_auc_gw_support()
449 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
450 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
451 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
452 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
453 hwsim_utils.test_connectivity(dev[0], hapd)
454 eap_reauth(dev[0], "AKA")
456 logger.info("Negative test with incorrect key")
457 dev[0].request("REMOVE_NETWORK all")
458 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
459 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
462 logger.info("Invalid Milenage key")
463 dev[0].request("REMOVE_NETWORK all")
464 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
465 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
468 logger.info("Invalid Milenage key(2)")
469 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
470 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
473 logger.info("Invalid Milenage key(3)")
474 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
475 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
478 logger.info("Invalid Milenage key(4)")
479 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
480 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
483 logger.info("Invalid Milenage key(5)")
484 dev[0].request("REMOVE_NETWORK all")
485 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
486 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
489 logger.info("Invalid Milenage key(6)")
490 dev[0].request("REMOVE_NETWORK all")
491 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
492 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
495 logger.info("Missing key configuration")
496 dev[0].request("REMOVE_NETWORK all")
497 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
500 def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
501 """WPA2-Enterprise connection using EAP-AKA (SQL)"""
502 check_hlr_auc_gw_support()
506 raise HwsimSkip("No sqlite3 module available")
507 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
508 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
509 params['auth_server_port'] = "1814"
510 hostapd.add_ap(apdev[0]['ifname'], params)
511 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
512 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
514 logger.info("AKA fast re-authentication")
515 eap_reauth(dev[0], "AKA")
517 logger.info("AKA full auth with pseudonym")
520 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
521 eap_reauth(dev[0], "AKA")
523 logger.info("AKA full auth with permanent identity")
526 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
527 cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
528 eap_reauth(dev[0], "AKA")
530 logger.info("AKA reauth with mismatching MK")
533 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
534 eap_reauth(dev[0], "AKA", expect_failure=True)
535 dev[0].request("REMOVE_NETWORK all")
537 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
538 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
541 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
542 eap_reauth(dev[0], "AKA")
545 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
546 logger.info("AKA reauth with mismatching counter")
547 eap_reauth(dev[0], "AKA")
548 dev[0].request("REMOVE_NETWORK all")
550 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
551 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
554 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
555 logger.info("AKA reauth with max reauth count reached")
556 eap_reauth(dev[0], "AKA")
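def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    # A successful EAP-AKA exchange needs hostapd's hlr_auc_gw helper behind
    # the authentication server. Skip (rather than fail on the RADIUS side)
    # when it is not running, as the other EAP-AKA tests in this file do.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Same Milenage credentials (Ki:OPc:SQN) as the other EAP-AKA tests; the
    # point of this test is the anonymous_identity option (for EAP-SIM/AKA
    # wpa_supplicant keeps the pseudonym identity there) being set up front.
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                anonymous_identity="2345678")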
566 def test_ap_wpa2_eap_aka_ext(dev, apdev):
567 """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
569 _test_ap_wpa2_eap_aka_ext(dev, apdev)
571 dev[0].request("SET external_sim 0")
573 def _test_ap_wpa2_eap_aka_ext(dev, apdev):
574 check_hlr_auc_gw_support()
575 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
576 hostapd.add_ap(apdev[0]['ifname'], params)
577 dev[0].request("SET external_sim 1")
578 id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
579 identity="0232010000000000",
580 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
581 wait_connect=False, scan_freq="2412")
582 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
584 raise Exception("Network connected timed out")
586 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
588 raise Exception("Wait for external SIM processing request timed out")
590 if p[1] != "UMTS-AUTH":
591 raise Exception("Unexpected CTRL-REQ-SIM type")
592 rid = p[0].split('-')[3]
595 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
596 # This will fail during processing, but the ctrl_iface command succeeds
597 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
598 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
600 raise Exception("EAP failure not reported")
601 dev[0].request("DISCONNECT")
602 dev[0].wait_disconnected()
605 dev[0].select_network(id, freq="2412")
606 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
608 raise Exception("Wait for external SIM processing request timed out")
610 if p[1] != "UMTS-AUTH":
611 raise Exception("Unexpected CTRL-REQ-SIM type")
612 rid = p[0].split('-')[3]
613 # This will fail during UMTS auth validation
614 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
615 raise Exception("CTRL-RSP-SIM failed")
616 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
618 raise Exception("Wait for external SIM processing request timed out")
620 if p[1] != "UMTS-AUTH":
621 raise Exception("Unexpected CTRL-REQ-SIM type")
622 rid = p[0].split('-')[3]
623 # This will fail during UMTS auth validation
624 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
625 raise Exception("CTRL-RSP-SIM failed")
626 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
628 raise Exception("EAP failure not reported")
629 dev[0].request("DISCONNECT")
630 dev[0].wait_disconnected()
633 tests = [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
635 ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
636 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
637 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
638 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
639 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
641 dev[0].select_network(id, freq="2412")
642 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
644 raise Exception("Wait for external SIM processing request timed out")
646 if p[1] != "UMTS-AUTH":
647 raise Exception("Unexpected CTRL-REQ-SIM type")
648 rid = p[0].split('-')[3]
649 # This will fail during UMTS auth validation
650 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
651 raise Exception("CTRL-RSP-SIM failed")
652 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
654 raise Exception("EAP failure not reported")
655 dev[0].request("DISCONNECT")
656 dev[0].wait_disconnected()
659 def test_ap_wpa2_eap_aka_prime(dev, apdev):
660 """WPA2-Enterprise connection using EAP-AKA'"""
661 check_hlr_auc_gw_support()
662 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
663 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
664 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
665 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
666 hwsim_utils.test_connectivity(dev[0], hapd)
667 eap_reauth(dev[0], "AKA'")
669 logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
670 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
671 identity="6555444333222111@both",
672 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
673 wait_connect=False, scan_freq="2412")
674 dev[1].wait_connected(timeout=15)
676 logger.info("Negative test with incorrect key")
677 dev[0].request("REMOVE_NETWORK all")
678 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
679 password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
682 def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
683 """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
684 check_hlr_auc_gw_support()
688 raise HwsimSkip("No sqlite3 module available")
689 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
690 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
691 params['auth_server_port'] = "1814"
692 hostapd.add_ap(apdev[0]['ifname'], params)
693 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
694 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
696 logger.info("AKA' fast re-authentication")
697 eap_reauth(dev[0], "AKA'")
699 logger.info("AKA' full auth with pseudonym")
702 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
703 eap_reauth(dev[0], "AKA'")
705 logger.info("AKA' full auth with permanent identity")
708 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
709 cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
710 eap_reauth(dev[0], "AKA'")
712 logger.info("AKA' reauth with mismatching k_aut")
715 cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
716 eap_reauth(dev[0], "AKA'", expect_failure=True)
717 dev[0].request("REMOVE_NETWORK all")
719 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
720 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
723 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
724 eap_reauth(dev[0], "AKA'")
727 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
728 logger.info("AKA' reauth with mismatching counter")
729 eap_reauth(dev[0], "AKA'")
730 dev[0].request("REMOVE_NETWORK all")
732 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
733 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
736 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
737 logger.info("AKA' reauth with max reauth count reached")
738 eap_reauth(dev[0], "AKA'")
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Sanity-check the AP configuration first: WPA-EAP has to be the first
    # AKM in GET_CONFIG's key_mgmt list.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # The outer identity "ttls" hides the real username; ca_cert is the trust
    # anchor the server certificate must chain to. PAP sends the password in
    # the TLS tunnel, so the tunnel is the only protection it gets.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    # 00-0f-ac-1 is the IEEE 802.1X (EAP) AKM suite selector; both the
    # requested and the selected suite must report it.
    akm_8021x = "00-0f-ac-1"
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", akm_8021x),
                       ("dot11RSNAAuthenticationSuiteSelected", akm_8021x)])
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    # Both certificate constraints are only tested with the OpenSSL backend.
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # On top of the CA check, restrict which server certificate is accepted:
    # subject_match is matched against the certificate subject and
    # altsubject_match succeeds if one of the listed subjectAltName entries
    # is present. Both must hold for the connection below to complete.
    cert_constraints = dict(
        subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
        altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                **cert_constraints)
    eap_reauth(dev[0], "TTLS")
768 def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
769 """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
770 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
771 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
772 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
773 anonymous_identity="ttls", password="wrong",
774 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
776 eap_connect(dev[1], apdev[0], "TTLS", "user",
777 anonymous_identity="ttls", password="password",
778 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    ssid = "test-wpa2-eap"
    hapd = hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    # ca.der (presumably the DER form of the test CA) exercises the non-PEM
    # ca_cert path; the CHAP exchange itself runs inside the TLS tunnel.
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    # altsubject_match is only tested against the OpenSSL backend.
    check_altsubject_match_support(dev[0])
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    # Same CHAP setup as test_ap_wpa2_eap_ttls_chap, plus a subjectAltName
    # constraint on the server certificate. The entries are listed in a
    # different order than in the PAP variant; any one matching entry is
    # enough for the check to pass.
    san_constraint = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match=san_constraint)
    eap_reauth(dev[0], "TTLS")
802 def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
803 """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
804 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
805 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
806 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
807 anonymous_identity="ttls", password="wrong",
808 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
810 eap_connect(dev[1], apdev[0], "TTLS", "user",
811 anonymous_identity="ttls", password="password",
812 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
815 def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
816 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
817 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
818 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
819 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
820 anonymous_identity="ttls", password="password",
821 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
822 domain_suffix_match="server.w1.fi")
823 hwsim_utils.test_connectivity(dev[0], hapd)
824 eap_reauth(dev[0], "TTLS")
825 dev[0].request("REMOVE_NETWORK all")
826 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
827 anonymous_identity="ttls", password="password",
828 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
831 def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
832 """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
833 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
834 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
835 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
836 anonymous_identity="ttls", password="wrong",
837 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
839 eap_connect(dev[1], apdev[0], "TTLS", "user",
840 anonymous_identity="ttls", password="password",
841 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
843 eap_connect(dev[2], apdev[0], "TTLS", "no such user",
844 anonymous_identity="ttls", password="password",
845 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
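def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2

    Connects with a cleartext password, verifies data connectivity, forces an
    EAP reauthentication and checks that the AP-side dot1x/EAPOL counters
    reflect it, then reconnects with the password supplied in
    wpa_supplicant's "hash:" form instead of the cleartext.

    The identity contains a literal backslash ("DOMAIN\\mschapv2 user"). It
    is written with an explicit escape so the literal does not depend on the
    interpreter preserving an unknown escape sequence (Python 3 warns on
    "\\m" and rejects "\\u..." outright).
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # MSCHAPv2 only protects the password as far as the outer TLS tunnel
    # does, so besides the CA check the server name is pinned with
    # domain_suffix_match to keep a rogue AP with a same-CA certificate from
    # collecting the inner exchange.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    sta1 = hapd.get_sta(dev[0].p2p_interface_addr())
    eapol1 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(dev[0].p2p_interface_addr())
    eapol2 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    # The EAPOL-Start for the reauthentication arrives while the STA is
    # already authenticated, so this counter must be non-zero afterwards.
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # The NT password hash is password-equivalent for MSCHAPv2 (whoever
    # holds it can authenticate without the cleartext), so it needs the
    # same protection as the password. Note that this second network block
    # relies on the CA check alone; no domain_suffix_match is set here.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")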
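def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_suffix_match)

    Same as the basic MSCHAPv2 case, but domain_suffix_match is set to the
    parent domain "w1.fi" rather than the full server name, so the server
    certificate is accepted on a suffix match. check_domain_match_full()
    skips the test on TLS libraries where domain_suffix_match can only do a
    full-name comparison.

    The identity is written with an explicit backslash escape
    ("DOMAIN\\mschapv2 user") so the literal does not rely on Python keeping
    an unknown escape sequence.
    """
    check_domain_match_full(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")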
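def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)

    Uses domain_match (full-name match) rather than domain_suffix_match. The
    configured value "Server.w1.fi" differs from the server name used
    elsewhere in this file ("server.w1.fi") only in case, and the connection
    is expected to succeed, i.e. the comparison is not case-sensitive.

    The identity is written with an explicit backslash escape
    ("DOMAIN\\mschapv2 user") so the literal does not rely on Python keeping
    an unknown escape sequence.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")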
902 def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
903 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
904 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
905 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
906 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
907 anonymous_identity="ttls", password="password1",
908 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
910 eap_connect(dev[1], apdev[0], "TTLS", "user",
911 anonymous_identity="ttls", password="password",
912 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password

    Two stations authenticate to the same AP: dev[0] with a cleartext
    password containing non-ASCII characters, dev[1] with the password given
    in the pre-hashed "hash:" form. Both are expected to succeed, which
    exercises the password encoding MSCHAPv2 applies before hashing
    (the server side presumably holds the corresponding hash for
    "utf8-user-hash", judging by the identity name).
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # Outer/inner settings shared by both stations.
    common = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
                password="secret-åäö-€-password", **common)
    eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
                **common)
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC

    EAP-GTC sends the password as a plain token inside the TTLS tunnel, so
    validation of the server certificate is what keeps the password from a
    rogue AP; this test relies on ca_cert alone (no domain_suffix_match).
    After connecting, data connectivity and a reauthentication are checked.
    """
    sta = dev[0]
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
938 def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
939 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
940 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
941 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
942 eap_connect(dev[0], apdev[0], "TTLS", "user",
943 anonymous_identity="ttls", password="wrong",
944 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
947 def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
948 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
949 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
950 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
951 eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
952 anonymous_identity="ttls", password="password",
953 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
956 def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
957 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
958 params = int_eap_server_params()
959 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
960 with alloc_fail(hapd, 1, "eap_gtc_init"):
961 eap_connect(dev[0], apdev[0], "TTLS", "user",
962 anonymous_identity="ttls", password="password",
963 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
965 dev[0].request("REMOVE_NETWORK all")
967 with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
968 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
969 eap="TTLS", identity="user",
970 anonymous_identity="ttls", password="password",
971 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
972 wait_connect=False, scan_freq="2412")
973 # This would eventually time out, but we can stop after having reached
974 # the allocation failure.
977 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5

    EAP-MD5 is only usable as an inner method: it derives no keying material
    and its challenge/response is open to offline dictionary attack if seen
    in the clear, so the TTLS tunnel (validated against ca_cert) provides
    both the confidentiality and the session keys here. Connectivity and a
    reauthentication are verified after the initial connection.
    """
    sta = dev[0]
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
990 def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
991 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
992 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
993 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
994 eap_connect(dev[0], apdev[0], "TTLS", "user",
995 anonymous_identity="ttls", password="wrong",
996 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password

    The identity "user-no-passwd" is presumably configured without a
    password on the server side (judging by the name), so the inner EAP-MD5
    exchange cannot succeed whatever the client sends; eap_connect() is told
    to expect the failure.
    """
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], ap, "TTLS", "user-no-passwd",
                expect_failure=True, **inner)
1008 def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
1009 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
1010 params = int_eap_server_params()
1011 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1012 with alloc_fail(hapd, 1, "eap_md5_init"):
1013 eap_connect(dev[0], apdev[0], "TTLS", "user",
1014 anonymous_identity="ttls", password="password",
1015 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1016 expect_failure=True)
1017 dev[0].request("REMOVE_NETWORK all")
1019 with alloc_fail(hapd, 1, "eap_md5_buildReq"):
1020 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1021 eap="TTLS", identity="user",
1022 anonymous_identity="ttls", password="password",
1023 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1024 wait_connect=False, scan_freq="2412")
1025 # This would eventually time out, but we can stop after having reached
1026 # the allocation failure.
1029 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2

    EAP-MSCHAPv2 (as opposed to the plain MSCHAPv2 AVPs of the other TTLS
    tests) is run as the inner EAP method. A successful connection,
    connectivity and reauthentication are checked first; the network block
    is then replaced by one with a wrong password, which must fail.
    """
    sta = dev[0]
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect(password, **extra):
        # Everything except the password is identical for both attempts.
        eap_connect(sta, ap, "TTLS", "user",
                    anonymous_identity="ttls", password=password,
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                    **extra)

    connect("password")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    connect("password1", expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password

    Identity "user-no-passwd" is presumably one the server has no password
    for (judging by the name); the inner EAP-MSCHAPv2 authentication is
    therefore expected to fail.
    """
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
    eap_connect(dev[0], ap, "TTLS", "user-no-passwd",
                expect_failure=True, **inner)
1058 def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
1059 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
1060 params = int_eap_server_params()
1061 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1062 with alloc_fail(hapd, 1, "eap_mschapv2_init"):
1063 eap_connect(dev[0], apdev[0], "TTLS", "user",
1064 anonymous_identity="ttls", password="password",
1065 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1066 expect_failure=True)
1067 dev[0].request("REMOVE_NETWORK all")
1069 with alloc_fail(hapd, 1, "eap_mschapv2_build_challenge"):
1070 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1071 eap="TTLS", identity="user",
1072 anonymous_identity="ttls", password="password",
1073 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1074 wait_connect=False, scan_freq="2412")
1075 # This would eventually time out, but we can stop after having reached
1076 # the allocation failure.
1079 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1081 dev[0].request("REMOVE_NETWORK all")
1083 with alloc_fail(hapd, 1, "eap_mschapv2_build_success_req"):
1084 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1085 eap="TTLS", identity="user",
1086 anonymous_identity="ttls", password="password",
1087 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1088 wait_connect=False, scan_freq="2412")
1089 # This would eventually time out, but we can stop after having reached
1090 # the allocation failure.
1093 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1095 dev[0].request("REMOVE_NETWORK all")
1097 with alloc_fail(hapd, 1, "eap_mschapv2_build_failure_req"):
1098 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1099 eap="TTLS", identity="user",
1100 anonymous_identity="ttls", password="wrong",
1101 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1102 wait_connect=False, scan_freq="2412")
1103 # This would eventually time out, but we can stop after having reached
1104 # the allocation failure.
1107 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1109 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA

    EAP-AKA runs as the inner method of EAP-TTLS. The "password" is not a
    user password but the Milenage parameters of the simulated USIM in
    wpa_supplicant's Ki:OPc:SQN form, and the identity is the test IMSI with
    the AKA "0" prefix. Note that the outer identity, which is sent in the
    clear, embeds the same IMSI ("...@ttls"), so this configuration gives no
    identity privacy; it only selects the outer method on the server.
    """
    milenage = ("90dca4eda45b53cf0f12d7c9c3bc6a89"
                ":cb9cccc4b9258e6dca4760379fb82581"
                ":000000000123")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "0232010000000000",
                anonymous_identity="0232010000000000@ttls",
                password=milenage,
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA

    EAP-AKA inside a PEAP tunnel. The "password" holds the simulated USIM's
    Milenage parameters (Ki:OPc:SQN); the outer identity is sent in the
    clear and carries the IMSI here ("...@peap"), so no identity privacy is
    provided by this setup.
    """
    milenage = ("90dca4eda45b53cf0f12d7c9c3bc6a89"
                ":cb9cccc4b9258e6dca4760379fb82581"
                ":000000000123")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "PEAP", "0232010000000000",
                anonymous_identity="0232010000000000@peap",
                password=milenage,
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA

    EAP-AKA inside an EAP-FAST tunnel. fast_provisioning=2 selects
    authenticated (server-certificate based) PAC provisioning, and the PAC
    is stored in a named configuration blob rather than a file. Skipped when
    the build has no EAP-FAST support. As in the other AKA tests the outer
    identity carries the IMSI in the clear.
    """
    check_eap_capa(dev[0], "FAST")
    milenage = ("90dca4eda45b53cf0f12d7c9c3bc6a89"
                ":cb9cccc4b9258e6dca4760379fb82581"
                ":000000000123")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "FAST", "0232010000000000",
                anonymous_identity="0232010000000000@fast",
                password=milenage,
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2

    Four variants against the same AP, each in a fresh network block:
    a plain connection (with connectivity and reauthentication checks), the
    same with fragment_size=200 to force EAP fragmentation, the password
    given in "hash:" form (password-equivalent for MSCHAPv2), and finally a
    wrong password that must be rejected. The server is validated against
    ca_cert only; no name matching is configured.
    """
    sta = dev[0]
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect(**extra):
        # Outer PEAP settings and inner method shared by all variants.
        eap_connect(sta, ap, "PEAP", "user",
                    anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
                    phase2="auth=MSCHAPV2", **extra)

    connect(password="password")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "PEAP")
    sta.request("REMOVE_NETWORK all")
    connect(password="password", fragment_size="200")

    logger.info("Password as hash value")
    sta.request("REMOVE_NETWORK all")
    connect(password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    connect(password="password1", expect_failure=True)
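def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain

    The identity carries a Windows-style domain prefix ("DOMAIN\\user3").
    The backslash is written as an explicit escape: the previous literal
    started the sequence backslash-u, which Python 2 keeps verbatim but
    Python 3 treats as a truncated \\uXXXX escape and rejects at compile
    time. The runtime value is unchanged.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PEAP", "DOMAIN\\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")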
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password

    Negative case: the inner MSCHAPv2 exchange uses a wrong password and the
    authentication must fail; eap_connect() waits for that failure instead
    of a connection.
    """
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner = dict(anonymous_identity="peap", password="wrong",
                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    eap_connect(dev[0], ap, "PEAP", "user", expect_failure=True, **inner)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding

    Three stations connect with PEAPv0 and different crypto_binding
    settings: dev[0] requires cryptobinding (2), dev[1] uses it when the
    server offers it (1) and dev[2] disables it (0). Cryptobinding ties the
    inner MSCHAPv2 result to the outer TLS tunnel so that a man in the
    middle cannot relay the inner authentication through its own tunnel;
    only the crypto_binding=2 station actually enforces that, the other two
    are expected to connect regardless. No anonymous identity is used, so
    "user" is visible in the outer EAP-Response/Identity.
    """
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect(sta, binding):
        eap_connect(sta, ap, "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=%d" % binding,
                    phase2="auth=MSCHAPV2")

    connect(dev[0], 2)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    for sta, binding in ((dev[1], 1), (dev[2], 0)):
        connect(sta, binding)
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM

    The integrated EAP server is made to fail its first allocation in
    eap_mschapv2_getKey(), i.e. it cannot produce the inner-method key that
    the cryptobinding TLV is derived from. The station requires
    cryptobinding (crypto_binding=2), so the authentication must fail;
    local_error_report=True tells eap_check_auth() to expect the failure to
    be reported by the supplicant itself (presumably without a server
    EAP-Failure - see eap_check_auth()).
    """
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'], int_eap_server_params())
    with alloc_fail(hapd, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], ap, "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
1220 def test_ap_wpa2_eap_peap_params(dev, apdev):
1221 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
1222 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1223 hostapd.add_ap(apdev[0]['ifname'], params)
1224 eap_connect(dev[0], apdev[0], "PEAP", "user",
1225 anonymous_identity="peap", password="password",
1226 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1227 phase1="peapver=0 peaplabel=1",
1228 expect_failure=True)
1229 dev[0].request("REMOVE_NETWORK all")
1230 eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
1231 ca_cert="auth_serv/ca.pem",
1232 phase1="peap_outer_success=1",
1233 phase2="auth=MSCHAPV2")
1234 eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
1235 ca_cert="auth_serv/ca.pem",
1236 phase1="peap_outer_success=2",
1237 phase2="auth=MSCHAPV2")
1238 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1240 anonymous_identity="peap", password="password",
1241 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1242 phase1="peapver=1 peaplabel=1",
1243 wait_connect=False, scan_freq="2412")
1244 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
1246 raise Exception("No EAP success seen")
1247 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
1249 raise Exception("Unexpected connection")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS

    EAP-TLS as the inner (phase 2) method of PEAP: the client certificate
    and private key are supplied through the phase-2 variants
    ca_cert2/client_cert2/private_key2, while the outer PEAP tunnel only
    validates the server against ca_cert. A reauthentication follows the
    initial connection. No anonymous identity is configured, so "cert user"
    is sent in the clear as the outer identity.
    """
    outer = dict(ca_cert="auth_serv/ca.pem", phase2="auth=TLS")
    inner = dict(ca_cert2="auth_serv/ca.pem",
                 client_cert2="auth_serv/user.pem",
                 private_key2="auth_serv/user.key")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    settings = dict(outer)
    settings.update(inner)
    eap_connect(dev[0], apdev[0], "PEAP", "cert user", **settings)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS

    Mutual certificate authentication: the station presents
    auth_serv/user.pem with its key and validates the server against
    auth_serv/ca.pem. Only the CA is checked (no domain_suffix_match), and
    the identity "tls user" goes out unprotected in the outer EAP identity
    response. A reauthentication is run after the initial connection.
    """
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **creds)
    eap_reauth(dev[0], "TLS")
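def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs

    The CA certificate, client certificate and client private key are
    handed to wpa_supplicant as named configuration blobs over the control
    interface (DER, hex encoded) and referenced via blob:// URIs, so the
    supplicant reads no credential files itself. The private key therefore
    travels over the control socket, whose access control is what protects
    it in this setup.

    Fix: a failure to set the "userkey" blob was previously reported as
    "Could not set cacert blob"; the error now names the blob that failed.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # (blob name, PEM source). read_pem() returns the DER payload, which the
    # SET blob command takes as a hex string.
    blobs = [("cacert", "auth_serv/ca.pem"),
             ("usercert", "auth_serv/user.pem"),
             ("userkey", "auth_serv/user.rsa-key")]
    for name, fname in blobs:
        data = read_pem(fname)
        if "OK" not in dev[0].request("SET blob " + name + " " +
                                      data.encode("hex")):
            raise Exception("Could not set %s blob" % name)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")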
1288 def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
1289 """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
1290 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1291 hostapd.add_ap(apdev[0]['ifname'], params)
1292 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1293 private_key="auth_serv/user.pkcs12",
1294 private_key_passwd="whatever")
1295 dev[0].request("REMOVE_NETWORK all")
1296 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
1297 identity="tls user",
1298 ca_cert="auth_serv/ca.pem",
1299 private_key="auth_serv/user.pkcs12",
1300 wait_connect=False, scan_freq="2412")
1301 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
1303 raise Exception("Request for private key passphrase timed out")
1304 id = ev.split(':')[0].split('-')[-1]
1305 dev[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
1306 dev[0].wait_connected(timeout=10)
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob

    The CA certificate (DER from PEM) and the raw PKCS#12 bundle holding the
    client certificate and key are pushed to wpa_supplicant as hex-encoded
    configuration blobs and referenced via blob:// URIs. The PKCS#12 file is
    password protected; the passphrase "whatever" is given in the network
    block, so both the bundle and its passphrase cross the control
    interface.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def set_blob(name, raw):
        if "OK" not in dev[0].request("SET blob %s %s" % (name, raw.encode("hex"))):
            raise Exception("Could not set %s blob" % name)

    set_blob("cacert", read_pem("auth_serv/ca.pem"))
    # The PKCS#12 bundle is binary; it is passed through untouched.
    with open("auth_serv/user.pkcs12", "rb") as f:
        set_blob("pkcs12", f.read())
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
1322 def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
1323 """WPA2-Enterprise negative test - incorrect trust root"""
1324 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1325 hostapd.add_ap(apdev[0]['ifname'], params)
1326 cert = read_pem("auth_serv/ca-incorrect.pem")
1327 if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
1328 raise Exception("Could not set cacert blob")
1329 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1330 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1331 password="password", phase2="auth=MSCHAPV2",
1332 ca_cert="blob://cacert",
1333 wait_connect=False, scan_freq="2412")
1334 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1335 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1336 password="password", phase2="auth=MSCHAPV2",
1337 ca_cert="auth_serv/ca-incorrect.pem",
1338 wait_connect=False, scan_freq="2412")
1340 for dev in (dev[0], dev[1]):
1341 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1343 raise Exception("Association and EAP start timed out")
1345 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1347 raise Exception("EAP method selection timed out")
1348 if "TTLS" not in ev:
1349 raise Exception("Unexpected EAP method")
1351 ev = dev.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1352 "CTRL-EVENT-EAP-SUCCESS",
1353 "CTRL-EVENT-EAP-FAILURE",
1354 "CTRL-EVENT-CONNECTED",
1355 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1357 raise Exception("EAP result timed out")
1358 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1359 raise Exception("TLS certificate error not reported")
1361 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS",
1362 "CTRL-EVENT-EAP-FAILURE",
1363 "CTRL-EVENT-CONNECTED",
1364 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1366 raise Exception("EAP result(2) timed out")
1367 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1368 raise Exception("EAP failure not reported")
1370 ev = dev.wait_event(["CTRL-EVENT-CONNECTED",
1371 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1373 raise Exception("EAP result(3) timed out")
1374 if "CTRL-EVENT-DISCONNECTED" not in ev:
1375 raise Exception("Disconnection not reported")
1377 ev = dev.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1379 raise Exception("Network block disabling not reported")
1381 def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust (second network block trusts the wrong CA; reconnect must fail with reason 23)"""
1383 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1384 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1385 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1386 identity="pap user", anonymous_identity="ttls",
1387 password="password", phase2="auth=PAP",
1388 ca_cert="auth_serv/ca.pem",
1389 wait_connect=True, scan_freq="2412")
1390 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1391 identity="pap user", anonymous_identity="ttls",
1392 password="password", phase2="auth=PAP",
1393 ca_cert="auth_serv/ca-incorrect.pem",
1394 only_add_network=True, scan_freq="2412")
1396 dev[0].request("DISCONNECT")
1397 dev[0].wait_disconnected()
1398 dev[0].dump_monitor()
1399 dev[0].select_network(id, freq="2412")
1401 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1403 raise Exception("EAP-TTLS not re-started")
1405 ev = dev[0].wait_disconnected(timeout=15)
1406 if "reason=23" not in ev:
1407 raise Exception("Proper reason code for disconnection not reported")
1409 def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust (first block has no ca_cert, i.e. no server certificate validation; second block trusts the wrong CA and must fail with reason 23)"""
1411 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1412 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1413 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1414 identity="pap user", anonymous_identity="ttls",
1415 password="password", phase2="auth=PAP",
1416 wait_connect=True, scan_freq="2412")
1417 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1418 identity="pap user", anonymous_identity="ttls",
1419 password="password", phase2="auth=PAP",
1420 ca_cert="auth_serv/ca-incorrect.pem",
1421 only_add_network=True, scan_freq="2412")
1423 dev[0].request("DISCONNECT")
1424 dev[0].wait_disconnected()
1425 dev[0].dump_monitor()
1426 dev[0].select_network(id, freq="2412")
1428 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1430 raise Exception("EAP-TTLS not re-started")
1432 ev = dev[0].wait_disconnected(timeout=15)
1433 if "reason=23" not in ev:
1434 raise Exception("Proper reason code for disconnection not reported")
1436 def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust (ca_cert of the same network block switched to the wrong CA after connecting; reconnect must fail with reason 23)"""
1438 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1439 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1440 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1441 identity="pap user", anonymous_identity="ttls",
1442 password="password", phase2="auth=PAP",
1443 ca_cert="auth_serv/ca.pem",
1444 wait_connect=True, scan_freq="2412")
1445 dev[0].request("DISCONNECT")
1446 dev[0].wait_disconnected()
1447 dev[0].dump_monitor()
1448 dev[0].set_network_quoted(id, "ca_cert", "auth_serv/ca-incorrect.pem")
1449 dev[0].select_network(id, freq="2412")
1451 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1453 raise Exception("EAP-TTLS not re-started")
1455 ev = dev[0].wait_disconnected(timeout=15)
1456 if "reason=23" not in ev:
1457 raise Exception("Proper reason code for disconnection not reported")
1459 def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
1460 """WPA2-Enterprise negative test - domain suffix mismatch"""
1461 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1462 hostapd.add_ap(apdev[0]['ifname'], params)
1463 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1464 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1465 password="password", phase2="auth=MSCHAPV2",
1466 ca_cert="auth_serv/ca.pem",
1467 domain_suffix_match="incorrect.example.com",
1468 wait_connect=False, scan_freq="2412")
1470 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1472 raise Exception("Association and EAP start timed out")
1474 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1476 raise Exception("EAP method selection timed out")
1477 if "TTLS" not in ev:
1478 raise Exception("Unexpected EAP method")
1480 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1481 "CTRL-EVENT-EAP-SUCCESS",
1482 "CTRL-EVENT-EAP-FAILURE",
1483 "CTRL-EVENT-CONNECTED",
1484 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1486 raise Exception("EAP result timed out")
1487 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1488 raise Exception("TLS certificate error not reported")
1489 if "Domain suffix mismatch" not in ev:
1490 raise Exception("Domain suffix mismatch not reported")
1492 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1493 "CTRL-EVENT-EAP-FAILURE",
1494 "CTRL-EVENT-CONNECTED",
1495 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1497 raise Exception("EAP result(2) timed out")
1498 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1499 raise Exception("EAP failure not reported")
1501 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1502 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1504 raise Exception("EAP result(3) timed out")
1505 if "CTRL-EVENT-DISCONNECTED" not in ev:
1506 raise Exception("Disconnection not reported")
1508 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1510 raise Exception("Network block disabling not reported")
1512 def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
1513 """WPA2-Enterprise negative test - domain mismatch"""
1514 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1515 hostapd.add_ap(apdev[0]['ifname'], params)
1516 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1517 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1518 password="password", phase2="auth=MSCHAPV2",
1519 ca_cert="auth_serv/ca.pem",
1520 domain_match="w1.fi",
1521 wait_connect=False, scan_freq="2412")
1523 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1525 raise Exception("Association and EAP start timed out")
1527 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1529 raise Exception("EAP method selection timed out")
1530 if "TTLS" not in ev:
1531 raise Exception("Unexpected EAP method")
1533 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1534 "CTRL-EVENT-EAP-SUCCESS",
1535 "CTRL-EVENT-EAP-FAILURE",
1536 "CTRL-EVENT-CONNECTED",
1537 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1539 raise Exception("EAP result timed out")
1540 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1541 raise Exception("TLS certificate error not reported")
1542 if "Domain mismatch" not in ev:
1543 raise Exception("Domain mismatch not reported")
1545 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1546 "CTRL-EVENT-EAP-FAILURE",
1547 "CTRL-EVENT-CONNECTED",
1548 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1550 raise Exception("EAP result(2) timed out")
1551 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1552 raise Exception("EAP failure not reported")
1554 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1555 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1557 raise Exception("EAP result(3) timed out")
1558 if "CTRL-EVENT-DISCONNECTED" not in ev:
1559 raise Exception("Disconnection not reported")
1561 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1563 raise Exception("Network block disabling not reported")
# NOTE(review): this listing is missing lines (the left-hand numbers skip,
# e.g. 1576 -> 1578, 1582 -> 1584, 1588 -> 1590); the dropped lines are
# presumably the "if ev is None:" guards in front of each "raise ... timed
# out" and the early "return" after the unsupported-backend log message.
# They are not reconstructed here.
1565 def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
1566 """WPA2-Enterprise negative test - subject mismatch"""
1567 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1568 hostapd.add_ap(apdev[0]['ifname'], params)
# subject_match pins CN=example.com; the test asserts below that this does
# NOT match the certificate auth_serv presents, so the TLS handshake must be
# rejected with a certificate error rather than complete.
1569 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1570 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1571 password="password", phase2="auth=MSCHAPV2",
1572 ca_cert="auth_serv/ca.pem",
1573 subject_match="/C=FI/O=w1.fi/CN=example.com",
1574 wait_connect=False, scan_freq="2412")
1576 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1578 raise Exception("Association and EAP start timed out")
1580 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
1581 "EAP: Failed to initialize EAP method"], timeout=10)
1583 raise Exception("EAP method selection timed out")
# A TLS backend other than OpenSSL is allowed to refuse subject_match
# outright (method init fails); with OpenSSL that same failure is a bug.
1584 if "EAP: Failed to initialize EAP method" in ev:
1585 tls = dev[0].request("GET tls_library")
1586 if tls.startswith("OpenSSL"):
1587 raise Exception("Failed to select EAP method")
1588 logger.info("subject_match not supported - connection failed, so test succeeded")
1590 if "TTLS" not in ev:
1591 raise Exception("Unexpected EAP method")
# The certificate error must be reported before any success/connected
# event, and it must name the subject mismatch specifically.
1593 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1594 "CTRL-EVENT-EAP-SUCCESS",
1595 "CTRL-EVENT-EAP-FAILURE",
1596 "CTRL-EVENT-CONNECTED",
1597 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1599 raise Exception("EAP result timed out")
1600 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1601 raise Exception("TLS certificate error not reported")
1602 if "Subject mismatch" not in ev:
1603 raise Exception("Subject mismatch not reported")
1605 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1606 "CTRL-EVENT-EAP-FAILURE",
1607 "CTRL-EVENT-CONNECTED",
1608 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1610 raise Exception("EAP result(2) timed out")
1611 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1612 raise Exception("EAP failure not reported")
1614 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1615 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1617 raise Exception("EAP result(3) timed out")
1618 if "CTRL-EVENT-DISCONNECTED" not in ev:
1619 raise Exception("Disconnection not reported")
# The failed authentication must also temporarily disable the network block.
1621 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1623 raise Exception("Network block disabling not reported")
# NOTE(review): lines 1632-1634 of the original are missing from this
# listing (the remaining "tests" entries and the "for match in tests:" loop
# header that binds "match"); they are not reconstructed here.
1625 def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
1626 """WPA2-Enterprise negative test - altsubject mismatch"""
1627 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1628 hostapd.add_ap(apdev[0]['ifname'], params)
# Each entry is an altsubject_match value that must NOT match the server
# certificate; the per-value check lives in the helper below.
1630 tests = [ "incorrect.example.com",
1631 "DNS:incorrect.example.com",
1635 _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
# NOTE(review): the "if ev is None:" guards before each "raise ... timed
# out" (and the early return after the unsupported-backend log line) are
# missing from this listing, as the skipped left-hand numbers show.
1637 def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
# Helper for test_ap_wpa2_eap_tls_neg_altsubject_match: connect with one
# non-matching altsubject_match value and verify the server certificate is
# rejected with an "AltSubject mismatch" error, EAP fails, the station
# disconnects and the network block is temporarily disabled.
1638 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1639 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1640 password="password", phase2="auth=MSCHAPV2",
1641 ca_cert="auth_serv/ca.pem",
1642 altsubject_match=match,
1643 wait_connect=False, scan_freq="2412")
1645 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1647 raise Exception("Association and EAP start timed out")
1649 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
1650 "EAP: Failed to initialize EAP method"], timeout=10)
1652 raise Exception("EAP method selection timed out")
# Non-OpenSSL backends may not support altsubject_match; a method init
# failure is then an acceptable outcome, with OpenSSL it is a bug.
1653 if "EAP: Failed to initialize EAP method" in ev:
1654 tls = dev[0].request("GET tls_library")
1655 if tls.startswith("OpenSSL"):
1656 raise Exception("Failed to select EAP method")
1657 logger.info("altsubject_match not supported - connection failed, so test succeeded")
1659 if "TTLS" not in ev:
1660 raise Exception("Unexpected EAP method")
1662 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1663 "CTRL-EVENT-EAP-SUCCESS",
1664 "CTRL-EVENT-EAP-FAILURE",
1665 "CTRL-EVENT-CONNECTED",
1666 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1668 raise Exception("EAP result timed out")
1669 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1670 raise Exception("TLS certificate error not reported")
1671 if "AltSubject mismatch" not in ev:
1672 raise Exception("altsubject mismatch not reported")
1674 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1675 "CTRL-EVENT-EAP-FAILURE",
1676 "CTRL-EVENT-CONNECTED",
1677 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1679 raise Exception("EAP result(2) timed out")
1680 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1681 raise Exception("EAP failure not reported")
1683 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1684 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1686 raise Exception("EAP result(3) timed out")
1687 if "CTRL-EVENT-DISCONNECTED" not in ev:
1688 raise Exception("Disconnection not reported")
1690 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1692 raise Exception("Network block disabling not reported")
# Clean up so the next altsubject_match value starts from an empty config.
1694 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS.

    Starts an AP with the default WPA2-Enterprise parameters, connects dev[0]
    with the UNAUTH-TLS method (server certificate checked against
    auth_serv/ca.pem, no client credential configured) and then triggers a
    reauthentication to confirm the method completes a second time.
    """
    method = "UNAUTH-TLS"
    ap = apdev[0]
    sta = dev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ap['ifname'], ap_params)
    eap_connect(sta, ap, method, "unauth-tls", ca_cert="auth_serv/ca.pem")
    eap_reauth(sta, method)
# NOTE(review): the "if ev is None:" guards in front of each "raise" are
# missing from this listing (left-hand numbers 1714, 1717, 1722, 1735, 1738
# are absent); they are not reconstructed here.
1704 def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
1705 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
1706 check_cert_probe_support(dev[0])
# SHA-256 fingerprint the AP's server certificate is expected to have; the
# probe step below must report exactly this value.
1707 srv_cert_hash = "1477c9cd88391609444b83eca45c4f9f324e3051c5c31fc233ac6aede30ce7cd"
1708 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1709 hostapd.add_ap(apdev[0]['ifname'], params)
# Step 1: ca_cert="probe://" only learns the server certificate hash. The
# handshake is expected to end in a certificate error ("chain probe"),
# never in a successful connection.
1710 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1711 identity="probe", ca_cert="probe://",
1712 wait_connect=False, scan_freq="2412")
1713 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1715 raise Exception("Association and EAP start timed out")
1716 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
1718 raise Exception("No peer server certificate event seen")
1719 if "hash=" + srv_cert_hash not in ev:
1720 raise Exception("Expected server certificate hash not reported")
1721 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
1723 raise Exception("EAP result timed out")
1724 if "Server certificate chain probe" not in ev:
1725 raise Exception("Server certificate probe not reported")
1726 dev[0].wait_disconnected(timeout=10)
1727 dev[0].request("REMOVE_NETWORK all")
# Step 2: pin a hash that is NOT the server's; the supplicant must refuse
# the certificate with "Server certificate mismatch" and disconnect.
1729 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1730 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1731 password="password", phase2="auth=MSCHAPV2",
1732 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
1733 wait_connect=False, scan_freq="2412")
1734 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1736 raise Exception("Association and EAP start timed out")
1737 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
1739 raise Exception("EAP result timed out")
1740 if "Server certificate mismatch" not in ev:
1741 raise Exception("Server certificate mismatch not reported")
1742 dev[0].wait_disconnected(timeout=10)
1743 dev[0].request("REMOVE_NETWORK all")
# Step 3: pin the hash learned in step 1; this is the only variant that is
# expected to authenticate.
1745 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
1746 anonymous_identity="ttls", password="password",
1747 ca_cert="hash://server/sha256/" + srv_cert_hash,
1748 phase2="auth=MSCHAPV2")
# NOTE(review): the "if ev is None:" guards before the two "raise" lines in
# the loop (original lines 1771 and 1774) are missing from this listing.
1750 def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
1751 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
1752 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1753 hostapd.add_ap(apdev[0]['ifname'], params)
# Three malformed hash:// pins, one per station: an unsupported digest
# ("md5"), a truncated hex string, and a non-hex character at the end. None
# of them may be accepted as a valid certificate pin.
1754 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1755 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1756 password="password", phase2="auth=MSCHAPV2",
1757 ca_cert="hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
1758 wait_connect=False, scan_freq="2412")
1759 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1760 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1761 password="password", phase2="auth=MSCHAPV2",
1762 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
1763 wait_connect=False, scan_freq="2412")
1764 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1765 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1766 password="password", phase2="auth=MSCHAPV2",
1767 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
1768 wait_connect=False, scan_freq="2412")
# The invalid pin must be rejected at method initialization, i.e. before
# any TLS exchange, so the expected event is the TTLS init failure.
1769 for i in range(0, 3):
1770 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1772 raise Exception("Association and EAP start timed out")
1773 ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
1775 raise Exception("Did not report EAP method initialization failure")
# NOTE(review): original lines 1789 and 1798 are missing from this listing;
# they presumably hold the final keyword argument and closing parenthesis
# of the two long-identity eap_connect() calls (the calls as shown end with
# a trailing comma). Not reconstructed here.
1777 def test_ap_wpa2_eap_pwd(dev, apdev):
1778 """WPA2-Enterprise connection using EAP-pwd"""
1779 check_eap_capa(dev[0], "PWD")
1780 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1781 hostapd.add_ap(apdev[0]['ifname'], params)
1782 eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
1783 eap_reauth(dev[0], "PWD")
1784 dev[0].request("REMOVE_NETWORK all")
# A very long identity (>100 characters) exercises EAP-pwd with a large
# identity payload.
1786 eap_connect(dev[1], apdev[0], "PWD",
1787 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1788 password="secret password",
# Wrong password ("secret-password" vs "secret password") must fail and be
# reported locally.
1791 logger.info("Negative test with incorrect password")
1792 eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
1793 expect_failure=True, local_error_report=True)
1795 eap_connect(dev[0], apdev[0], "PWD",
1796 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1797 password="secret password",
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash.

    Three stations run EAP-pwd against the same AP: dev[0] authenticates the
    "pwd-hash" user with the plaintext password, dev[1] authenticates the
    same user with the credential given as an NT hash (password_hex), and
    dev[2] presents that NT hash for "pwd user", which is expected to fail
    and be reported as a local error.
    """
    check_eap_capa(dev[0], "PWD")
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    nthash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    # Plaintext credential for the hash-backed user.
    eap_connect(dev[0], ap, "PWD", "pwd-hash", password="secret password")
    # Same user, credential supplied as the NT hash instead.
    eap_connect(dev[1], ap, "PWD", "pwd-hash", password_hex=nthash)
    # The NT hash must not authenticate a different user.
    eap_connect(dev[2], ap, "PWD", "pwd user", password_hex=nthash,
                expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups.

    Restarts the AP once per pwd_group value (19, 20, 21, 25, 26) and checks
    that dev[0] completes EAP-pwd as "pwd user" with each group. The station
    configuration is wiped before every attempt so each group is negotiated
    from a fresh network block.
    """
    check_eap_capa(dev[0], "PWD")
    base_params = { "ssid": "test-wpa2-eap", "wpa": "2",
                    "wpa_key_mgmt": "WPA-EAP", "rsn_pairwise": "CCMP",
                    "ieee8021x": "1", "eap_server": "1",
                    "eap_user_file": "auth_serv/eap_user.conf" }
    for group in ("19", "20", "21", "25", "26"):
        ap_params = dict(base_params, pwd_group=group)
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "PWD", "pwd user",
                    password="secret password")
# NOTE(review): the "if ev is None:" guard before the "raise" (original line
# 1836) is missing from this listing.
1824 def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
1825 """WPA2-Enterprise connection using invalid EAP-pwd group"""
1826 check_eap_capa(dev[0], "PWD")
1827 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
1828 "rsn_pairwise": "CCMP", "ieee8021x": "1",
1829 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
# pwd_group 0 is not a usable group; the server-side EAP-pwd exchange must
# end in an EAP failure rather than a connection.
1830 params['pwd_group'] = "0"
1831 hostapd.add_ap(apdev[0]['ifname'], params)
1832 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
1833 identity="pwd user", password="secret password",
1834 scan_freq="2412", wait_connect=False)
# No timeout argument: relies on wait_event()'s default.
1835 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
1837 raise Exception("Timeout on EAP failure report")
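def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation.

    The AP is brought up with fragment_size=40 so that the hostapd EAP
    server has to split its EAP-pwd messages into fragments; dev[0] must
    still complete the exchange as "pwd user".
    """
    check_eap_capa(dev[0], "PWD")
    # The AP parameters are spelled out in full. The original first called
    # hostapd.wpa2_eap_params() and then discarded that result by rebinding
    # params; the dead call is dropped here so the settings in effect are
    # exactly the ones listed below.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "19", "fragment_size": "40" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")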
# NOTE(review): the "if ev is None:" guards before the two "raise ... timed
# out" lines (original lines 1862 and 1869) are missing from this listing.
1850 def test_ap_wpa2_eap_gpsk(dev, apdev):
1851 """WPA2-Enterprise connection using EAP-GPSK"""
1852 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1853 hostapd.add_ap(apdev[0]['ifname'], params)
# eap_connect() returns the network id; it is reused below to change phase1
# on the existing network block.
1854 id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
1855 password="abcdefghijklmnop0123456789abcdef")
1856 eap_reauth(dev[0], "GPSK")
# Force each supported GPSK cipher suite in turn; setting phase1 triggers a
# new authentication that must succeed and reconnect.
1858 logger.info("Test forced algorithm selection")
1859 for phase1 in [ "cipher=1", "cipher=2" ]:
1860 dev[0].set_network_quoted(id, "phase1", phase1)
1861 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
1863 raise Exception("EAP success timed out")
1864 dev[0].wait_connected(timeout=10)
# cipher=9 is not a suite the server offers, so negotiation must fail.
1866 logger.info("Test failed algorithm negotiation")
1867 dev[0].set_network_quoted(id, "phase1", "cipher=9")
1868 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
1870 raise Exception("EAP failure timed out")
# Wrong PSK (first byte differs) must be rejected.
1872 logger.info("Negative test with incorrect password")
1873 dev[0].request("REMOVE_NETWORK all")
1874 eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
1875 password="ffcdefghijklmnop0123456789abcdef",
1876 expect_failure=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE.

    Authenticates dev[0] as "sake user" with the correct 32-byte key,
    reauthenticates once, then removes the network and verifies that a key
    differing in its first byte is rejected.
    """
    sta = dev[0]
    ap = apdev[0]
    good_key = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    bad_key = "ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "SAKE", "sake user", password_hex=good_key)
    eap_reauth(sta, "SAKE")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "SAKE", "sake user", password_hex=bad_key,
                expect_failure=True)
# NOTE(review): the "if ev is None:" guards before the "raise ... timed out"
# lines (original lines 1906 and 1913) are missing from this listing.
1892 def test_ap_wpa2_eap_eke(dev, apdev):
1893 """WPA2-Enterprise connection using EAP-EKE"""
1894 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1895 hostapd.add_ap(apdev[0]['ifname'], params)
# Network id is kept so the phase1 parameter set can be changed in place.
1896 id = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
1897 eap_reauth(dev[0], "EKE")
# Force specific DH group / encryption / PRF / MAC combinations; each must
# still authenticate and reconnect.
1899 logger.info("Test forced algorithm selection")
1900 for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
1901 "dhgroup=4 encr=1 prf=2 mac=2",
1902 "dhgroup=3 encr=1 prf=2 mac=2",
1903 "dhgroup=3 encr=1 prf=1 mac=1" ]:
1904 dev[0].set_network_quoted(id, "phase1", phase1)
1905 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
1907 raise Exception("EAP success timed out")
1908 dev[0].wait_connected(timeout=10)
# All-9 selectors are not offered by the server, so negotiation must fail.
1910 logger.info("Test failed algorithm negotiation")
1911 dev[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
1912 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
1914 raise Exception("EAP failure timed out")
1916 logger.info("Negative test with incorrect password")
1917 dev[0].request("REMOVE_NETWORK all")
1918 eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
1919 expect_failure=True)
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI.

    Uses the integrated EAP server parameters with server_id set to an
    NAI-form identity ("example.server@w1.fi") and checks that dev[0] still
    completes EAP-EKE as "eke user".
    """
    ap_params = int_eap_server_params()
    ap_params.update(server_id='example.server@w1.fi')
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
# NOTE(review): several lines are missing from this listing (original
# 1964-1965, 1967, 1969, 1971, 1979-1980, 1982, 1986, 1989); judging by the
# surviving "except Exception, e:" and the "if ...startswith('0'):" checks
# they are the polling "for"/"try:" headers and the "break" statements.
# Not reconstructed here.
# NOTE(review): "except Exception, e:" is Python 2 only syntax; this block
# does not parse under Python 3 as shown.
1928 def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
1929 """WPA2-Enterprise connection using EAP-EKE with server OOM"""
1930 params = int_eap_server_params()
1931 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1932 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
# Part 1: inject the Nth allocation failure into the named hostapd EAP-EKE
# function; each injected failure must make the authentication fail
# cleanly (expect_failure=True) rather than crash or succeed.
1934 for count,func in [ (1, "eap_eke_build_commit"),
1935 (2, "eap_eke_build_commit"),
1936 (3, "eap_eke_build_commit"),
1937 (1, "eap_eke_build_confirm"),
1938 (2, "eap_eke_build_confirm"),
1939 (1, "eap_eke_process_commit"),
1940 (2, "eap_eke_process_commit"),
1941 (1, "eap_eke_process_confirm"),
1942 (1, "eap_eke_process_identity"),
1943 (2, "eap_eke_process_identity"),
1944 (3, "eap_eke_process_identity"),
1945 (4, "eap_eke_process_identity") ]:
1946 with alloc_fail(hapd, count, func):
1947 eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello",
1948 expect_failure=True)
1949 dev[0].request("REMOVE_NETWORK all")
# Part 2: failures in functions where the exchange would otherwise hang;
# the connection is not awaited, the test only waits until hostapd reports
# that the injected failure has been consumed (GET_ALLOC_FAIL starts with 0).
1951 for count,func,pw in [ (1, "eap_eke_init", "hello"),
1952 (1, "eap_eke_get_session_id", "hello"),
1953 (1, "eap_eke_getKey", "hello"),
1954 (1, "eap_eke_build_msg", "hello"),
1955 (1, "eap_eke_build_failure", "wrong"),
1956 (1, "eap_eke_build_identity", "hello"),
1957 (2, "eap_eke_build_identity", "hello") ]:
1958 with alloc_fail(hapd, count, func):
1959 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1960 eap="EKE", identity="eke user", password=pw,
1961 wait_connect=False, scan_freq="2412")
1962 # This would eventually time out, but we can stop after having
1963 # reached the allocation failure.
1966 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1968 dev[0].request("REMOVE_NETWORK all")
# Part 3: sweep allocation failures through the generic EAP server state
# machine step until alloc_fail reports that the failure point was never
# reached, i.e. every allocation on that path has been exercised. "pw" here
# is whatever value the previous loop left bound.
1970 for count in range(1, 1000):
1972 with alloc_fail(hapd, count, "eap_server_sm_step"):
1973 dev[0].connect("test-wpa2-eap",
1974 key_mgmt="WPA-EAP WPA-EAP-SHA256",
1975 eap="EKE", identity="eke user", password=pw,
1976 wait_connect=False, scan_freq="2412")
1977 # This would eventually time out, but we can stop after having
1978 # reached the allocation failure.
1981 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1983 dev[0].request("REMOVE_NETWORK all")
1984 except Exception, e:
# Only the "did not trigger" message ends the sweep; any other exception
# propagates and fails the test.
1985 if str(e) == "Allocation failure did not trigger":
1987 raise Exception("Too few allocation failures")
1988 logger.info("%d allocation failures tested" % (count - 1))
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2.

    Runs EAP-IKEv2 as "ikev2 user" three times on dev[0]: a plain
    connection followed by a reauthentication, a connection with
    peer-side fragment_size=50, and finally a connection with a wrong
    password that must fail.
    """
    sta = dev[0]
    ap = apdev[0]
    identity = "ikev2 user"
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    eap_connect(sta, ap, "IKEV2", identity, password="ike password")
    eap_reauth(sta, "IKEV2")

    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "IKEV2", identity, password="ike password",
                fragment_size="50")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "IKEV2", identity, password="ike-password",
                expect_failure=True)
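def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation.

    The AP is configured with fragment_size=50 so the hostapd EAP server
    fragments its EAP-IKEv2 messages; dev[0] must still authenticate as
    "ikev2 user" and reauthenticate afterwards.
    """
    # The AP parameters are listed explicitly. The original additionally
    # called hostapd.wpa2_eap_params() and immediately overwrote the result,
    # so that call was dead code and is dropped here.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")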
# NOTE(review): this listing is missing the middle entry of the first
# "tests" list (original line 2026), the "if ev is None:" guards, and the
# polling "for"/"break" lines around the GET_ALLOC_FAIL / GET_FAIL checks
# (original 2036, 2038-2039, 2051, 2053-2054). Not reconstructed here.
2020 def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
2021 """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
2022 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2023 hostapd.add_ap(apdev[0]['ifname'], params)
# Allocation failures injected on the supplicant side in the DH helpers;
# the method must still be selected, then the test waits until the
# injected failure has been consumed.
2025 tests = [ (1, "dh_init"),
2027 (1, "dh_derive_shared") ]
2028 for count, func in tests:
2029 with alloc_fail(dev[0], count, func):
2030 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2031 identity="ikev2 user", password="ike password",
2032 wait_connect=False, scan_freq="2412")
2033 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2035 raise Exception("EAP method not selected")
2037 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2040 dev[0].request("REMOVE_NETWORK all")
# Same pattern with a generic fail_test() hook: os_get_random() failing
# while called from dh_init must be handled (no random => no DH key).
2042 tests = [ (1, "os_get_random;dh_init") ]
2043 for count, func in tests:
2044 with fail_test(dev[0], count, func):
2045 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2046 identity="ikev2 user", password="ike password",
2047 wait_connect=False, scan_freq="2412")
2048 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2050 raise Exception("EAP method not selected")
2052 if "0:" in dev[0].request("GET_FAIL"):
2055 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX.

    Authenticates dev[0] as "pax.user@example.com" with the correct 16-byte
    key, reauthenticates, then verifies that a key with a different first
    byte is rejected.
    """
    sta = dev[0]
    ap = apdev[0]
    user = "pax.user@example.com"
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    eap_connect(sta, ap, "PAX", user,
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(sta, "PAX")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PAX", user,
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK.

    The AP advertises only WPA-EAP-SHA256 with management frame protection
    required (ieee80211w=2). dev[0] authenticates as
    "psk.user@example.com" with the SHA-256 AKM, reauthenticates, and the
    selected AKM suite (00-0f-ac-5) and BSS flags are checked. A final
    attempt with a wrong key must fail.
    """
    sta = dev[0]
    ap = apdev[0]
    user = "psk.user@example.com"
    sha256_akm = "00-0f-ac-5"

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params.update({ "wpa_key_mgmt": "WPA-EAP-SHA256", "ieee80211w": "2" })
    hostapd.add_ap(ap['ifname'], ap_params)

    eap_connect(sta, ap, "PSK", user,
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(sta, "PSK", sha256=True)
    check_mib(sta, [ ("dot11RSNAAuthenticationSuiteRequested", sha256_akm),
                     ("dot11RSNAAuthenticationSuiteSelected", sha256_akm) ])

    bss = sta.get_bss(ap['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    flags = bss['flags']
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PSK", user,
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
# NOTE(review): the "if ev is None:" guards and the polling "for"/"break"
# lines around the GET_ALLOC_FAIL check (original 2117, 2119, 2121-2122,
# 2124, 2131) are missing from this listing. Not reconstructed here.
2095 def test_ap_wpa2_eap_psk_oom(dev, apdev):
2096 """WPA2-Enterprise connection using EAP-PSK and OOM"""
2097 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2098 hostapd.add_ap(apdev[0]['ifname'], params)
# Allocation failures injected into the AES-EAX / OMAC1 helpers used by
# EAP-PSK on the supplicant. "a;b" means allocation inside a when called
# from b; "=b" means the allocation directly in b.
2099 tests = [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
2100 (1, "omac1_aes_128;aes_128_eax_encrypt"),
2101 (2, "omac1_aes_128;aes_128_eax_encrypt"),
2102 (3, "omac1_aes_128;aes_128_eax_encrypt"),
2103 (1, "=aes_128_eax_encrypt"),
2104 (1, "omac1_aes_vector"),
2105 (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt"),
2106 (1, "omac1_aes_128;aes_128_eax_decrypt"),
2107 (2, "omac1_aes_128;aes_128_eax_decrypt"),
2108 (3, "omac1_aes_128;aes_128_eax_decrypt"),
2109 (1, "=aes_128_eax_decrypt") ]
2110 for count, func in tests:
2111 with alloc_fail(dev[0], count, func):
2112 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2113 identity="psk.user@example.com",
2114 password_hex="0123456789abcdef0123456789abcdef",
2115 wait_connect=False, scan_freq="2412")
2116 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2118 raise Exception("EAP method not selected")
# Wait until the injected failure has been consumed before moving on.
2120 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2123 dev[0].request("REMOVE_NETWORK all")
# A failure in the AES block encryption itself is expected to surface as
# an explicit EAP failure rather than a hang.
2125 with alloc_fail(dev[0], 1, "aes_128_encrypt_block"):
2126 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2127 identity="psk.user@example.com",
2128 password_hex="0123456789abcdef0123456789abcdef",
2129 wait_connect=False, scan_freq="2412")
2130 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2132 raise Exception("EAP method failure not reported")
2133 dev[0].request("REMOVE_NETWORK all")
# NOTE(review): original line 2142 (the last argument of the connect() call,
# presumably scan_freq) is missing from this listing; the call as shown is
# left with a trailing comma. Not reconstructed here.
2135 def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
2136 """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
# WPA (TKIP-era, rsn=False below), not WPA2, is exercised here; the MIB
# check expects the WPA OUI suite 00-50-f2-1 rather than an RSN suite.
2137 params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
2138 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2139 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
2140 identity="user", password="password", phase2="auth=MSCHAPV2",
2141 ca_cert="auth_serv/ca.pem", wait_connect=False,
2143 eap_check_auth(dev[0], "PEAP", True, rsn=False)
2144 hwsim_utils.test_connectivity(dev[0], hapd)
2145 eap_reauth(dev[0], "PEAP", rsn=False)
2146 check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
2147 ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
# STATUS-VERBOSE must expose the 802.1X port control mode and the EAP
# session id; the "19" prefix is presumably the EAP type byte of PEAP
# (25 = 0x19) - confirm against the supplicant's session-id derivation.
2148 status = dev[0].get_status(extra="VERBOSE")
2149 if 'portControl' not in status:
2150 raise Exception("portControl missing from STATUS-VERBOSE")
2151 if status['portControl'] != 'Auto':
2152 raise Exception("Unexpected portControl value: " + status['portControl'])
2153 if 'eap_session_id' not in status:
2154 raise Exception("eap_session_id missing from STATUS-VERBOSE")
2155 if not status['eap_session_id'].startswith("19"):
2156 raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
# NOTE(review): several lines are missing from this listing: original 2166
# (the last two fields of the first "tests" tuple), 2179 (presumably the
# logger.info(desc) line), 2184 ("if req_id:"), and the "if ev is None:"
# guards 2186 and 2191. Not reconstructed here.
2158 def test_ap_wpa2_eap_interactive(dev, apdev):
2159 """WPA2-Enterprise connection using interactive identity/password entry"""
2160 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2161 hostapd.add_ap(apdev[0]['ifname'], params)
2162 hapd = hostapd.Hostapd(apdev[0]['ifname'])
# Each tuple: description, EAP method, anonymous identity, identity, phase2,
# identity to supply on CTRL-REQ-IDENTITY (None = not requested), password
# to supply on CTRL-REQ-PASSWORD/OTP. The network block is created without
# the credential so the supplicant has to ask for it over the control
# interface.
2164 tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
2165 "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
2167 ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
2168 "TTLS", "ttls", None, "auth=MSCHAPV2",
2169 "DOMAIN\mschapv2 user", "password"),
2170 ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
2171 "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
2172 ("Connection with dynamic TTLS/EAP-MD5 password entry",
2173 "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
2174 ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
2175 "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
2176 ("Connection with dynamic PEAP/EAP-GTC password entry",
2177 "PEAP", None, "user", "auth=GTC", None, "password") ]
2178 for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
2180 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
2181 anonymous_identity=anon, identity=identity,
2182 ca_cert="auth_serv/ca.pem", phase2=phase2,
2183 wait_connect=False, scan_freq="2412")
# The request event carries the network id after the last '-' of its
# first ':'-separated field; the reply must echo that id. Note that "id"
# and "type" shadow builtins here.
2185 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
2187 raise Exception("Request for identity timed out")
2188 id = ev.split(':')[0].split('-')[-1]
2189 dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
2190 ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
2192 raise Exception("Request for password timed out")
2193 id = ev.split(':')[0].split('-')[-1]
# GTC may ask for an OTP instead of a password; answer with matching type.
2194 type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
2195 dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
2196 dev[0].wait_connected(timeout=10)
2197 dev[0].request("REMOVE_NETWORK all")
# NOTE(review): original line 2206, the closing argument(s) of the last
# eap_connect() call, is missing from this listing; given the otherwise
# identical positive call just above it is presumably the negative variant
# (expect_failure=True) - confirm against the source file.
2199 def test_ap_wpa2_eap_vendor_test(dev, apdev):
2200 """WPA2-Enterprise connection using EAP vendor test"""
2201 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2202 hostapd.add_ap(apdev[0]['ifname'], params)
2203 eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
2204 eap_reauth(dev[0], "VENDOR-TEST")
2205 eap_connect(dev[1], apdev[0], "VENDOR-TEST", "vendor-test",
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning.

    dev[0] provisions a PAC in-band (fast_provisioning=1, stored in the
    blob "fast_pac") while authenticating with MSCHAPv2, checks data
    connectivity, and then reauthenticates; the second run must report a
    resumed TLS session, proving the provisioned PAC was actually used.
    """
    check_eap_capa(dev[0], "FAST")
    sta = dev[0]
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    fast_cfg = dict(anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    eap_connect(sta, ap, "FAST", "user", **fast_cfg)
    hwsim_utils.test_connectivity(sta, hapd)

    reauth = eap_reauth(sta, "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
# NOTE(review): many lines are missing from this listing: original
# 2229-2230, 2236 (the read of the PAC file into "data"), 2245-2246, 2251,
# 2257-2263 (presumably the tail of the binary-format calls and the
# cleanup "try/finally" that removes the first PAC file), 2265-2267. The
# function is reproduced as far as it survives; nothing is reconstructed.
2222 def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
2223 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
2224 check_eap_capa(dev[0], "FAST")
# Note: "params" is first the test-framework dict (logdir) and is then
# rebound to the AP parameter dict a few lines later.
2225 pac_file = os.path.join(params['logdir'], "fast.pac")
2226 pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
2227 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2228 hostapd.add_ap(apdev[0]['ifname'], params)
# Provision a PAC into a text file on disk and sanity-check its header and
# that a PAC-Key entry was written.
2231 eap_connect(dev[0], apdev[0], "FAST", "user",
2232 anonymous_identity="FAST", password="password",
2233 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2234 phase1="fast_provisioning=1", pac_file=pac_file)
2235 with open(pac_file, "r") as f:
2237 if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
2238 raise Exception("PAC file header missing")
2239 if "PAC-Key=" not in data:
2240 raise Exception("PAC-Key missing from PAC file")
2241 dev[0].request("REMOVE_NETWORK all")
# Reconnect using the PAC file that was just written.
2242 eap_connect(dev[0], apdev[0], "FAST", "user",
2243 anonymous_identity="FAST", password="password",
2244 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
# Same cycle with the binary PAC format on dev[1].
2247 eap_connect(dev[1], apdev[0], "FAST", "user",
2248 anonymous_identity="FAST", password="password",
2249 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2250 phase1="fast_provisioning=1 fast_pac_format=binary",
2252 dev[1].request("REMOVE_NETWORK all")
2253 eap_connect(dev[1], apdev[0], "FAST", "user",
2254 anonymous_identity="FAST", password="password",
2255 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2256 phase1="fast_pac_format=binary",
2264 os.remove(pac_file2)
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format.

    Provisions a PAC in binary format (fast_pac_format=binary) with the PAC
    list limited to one entry (fast_max_pac_list_len=1), stored in the blob
    "fast_pac_bin". The reauthentication afterwards must resume the TLS
    session, which shows the binary PAC was written and read back correctly.
    """
    check_eap_capa(dev[0], "FAST")
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    phase1_opts = "fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary"
    eap_connect(sta, ap, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1=phase1_opts, pac_file="blob://fast_pac_bin")

    reauth = eap_reauth(sta, "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
# NOTE(review): the "if ev is None:" guards before the two "raise" lines
# (original 2295 and 2305) are missing from this listing.
2282 def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
2283 """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
2284 check_eap_capa(dev[0], "FAST")
2285 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2286 hostapd.add_ap(apdev[0]['ifname'], params)
# Case 1: a PAC blob that has never been provisioned and no
# fast_provisioning option - EAP-FAST must fail, not silently provision.
2288 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2289 identity="user", anonymous_identity="FAST",
2290 password="password",
2291 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2292 pac_file="blob://fast_pac_not_in_use",
2293 wait_connect=False, scan_freq="2412")
2294 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2296 raise Exception("Timeout on EAP failure report")
2297 dev[0].request("REMOVE_NETWORK all")
# Case 2: no pac_file at all - must also end in EAP failure.
2299 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2300 identity="user", anonymous_identity="FAST",
2301 password="password",
2302 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2303 wait_connect=False, scan_freq="2412")
2304 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2306 raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning.

    dev[0] provisions a PAC over an authenticated TLS tunnel
    (fast_provisioning=2, server certificate validated against
    auth_serv/ca.pem) using GTC as the inner method, with the PAC kept in
    the blob "fast_pac_auth". Connectivity is verified and the following
    reauthentication must resume the TLS session via that PAC.
    """
    check_eap_capa(dev[0], "FAST")
    sta = dev[0]
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    fast_cfg = dict(anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                    phase1="fast_provisioning=2",
                    pac_file="blob://fast_pac_auth")
    eap_connect(sta, ap, "FAST", "user", **fast_cfg)
    hwsim_utils.test_connectivity(sta, hapd)

    reauth = eap_reauth(sta, "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
# NOTE(review): the "if ev is None:" guards before the two "raise" lines
# (original 2335 and 2338) are missing from this listing.
2322 def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
2323 """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
2324 check_eap_capa(dev[0], "FAST")
2325 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2326 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Provision a PAC for "user" via authenticated provisioning.
2327 id = eap_connect(dev[0], apdev[0], "FAST", "user",
2328 anonymous_identity="FAST", password="password",
2329 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
2330 phase1="fast_provisioning=2",
2331 pac_file="blob://fast_pac_auth")
# Switching the identity to "user2" on the same network block must force a
# reconnect, and the PAC issued for "user" must not authenticate "user2":
# EAP-FAST restarts but ends in EAP failure and a disconnect.
2332 dev[0].set_network_quoted(id, "identity", "user2")
2333 dev[0].wait_disconnected()
2334 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
2336 raise Exception("EAP-FAST not started")
2337 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
2339 raise Exception("EAP failure not reported")
2340 dev[0].wait_disconnected()
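def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and OOM in PRF

    Makes the second allocation inside openssl_tls_prf fail while EAP-FAST
    is deriving keys; the method must report EAP failure cleanly instead of
    crashing or completing with bad key material.

    NOTE(review): the connect() call in the listing reviewed here has no
    phase2 argument between ca_cert and phase1, unlike every other EAP-FAST
    profile in this file -- a line may have been dropped; confirm upstream.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(dev[0], 2, "openssl_tls_prf"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password", ca_cert="auth_serv/ca.pem",
                       phase1="fast_provisioning=2",
                       pac_file="blob://fast_pac_auth",
                       wait_connect=False, scan_freq="2412")
        # wait_event() returns None on timeout; the listing reviewed here had
        # this raise unconditional.
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        if ev is None:
            raise Exception("EAP failure not reported")
        dev[0].request("DISCONNECT")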
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP

    Positive case for ocsp=2, the strict setting (the ocsp=1 variant used by
    the "optional" test below tolerates a missing/unknown status). The AP's
    stapled response for the default server certificate must be accepted.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    client_cert_opts = dict(ca_cert="auth_serv/ca.pem",
                            private_key="auth_serv/user.pkcs12",
                            private_key_passwd="whatever",
                            ocsp=2)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **client_cert_opts)
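def int_eap_server_params():
    """Return hostapd parameters for a WPA2-Enterprise AP using the integrated EAP server.

    Every call builds a fresh dict, so tests may add, override or delete keys
    (server_cert, dh_file, check_crl, ocsp_stapling_response, ...) before
    handing it to hostapd.add_ap() without affecting other tests. The
    certificates and user database are the test fixtures under auth_serv/.
    """
    params = {
        "ssid": "test-wpa2-eap",
        "wpa": "2",
        "wpa_key_mgmt": "WPA-EAP",
        "rsn_pairwise": "CCMP",
        "ieee8021x": "1",
        # Authenticate with hostapd's built-in EAP server and its flat-file
        # user database instead of an external RADIUS server.
        "eap_server": "1",
        "eap_user_file": "auth_serv/eap_user.conf",
        "ca_cert": "auth_serv/ca.pem",
        "server_cert": "auth_serv/server.pem",
        "private_key": "auth_serv/server.key",
    }
    # The listing reviewed here lacked this return while every caller
    # indexes and mutates the result immediately.
    return params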
def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response

    NOTE(review): this listing has lost lines from the status loop (the
    "if ev is None" guard, the loop header, the break on the expected status
    text and the retry counter behind "Unexpected number of EAP status
    messages"); the exception texts suggest EAP-STATUS events are polled,
    with a bound, until one carries 'bad certificate status response'.
    """
    params = int_eap_server_params()
    # Serve a deliberately malformed stapled OCSP response. With ocsp=2 the
    # supplicant must treat an unparsable response as a verification
    # failure rather than silently falling back to "no status".
    params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    # NOTE(review): guard on ev missing in this listing.
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
        # NOTE(review): in the listing the expected-status branch and the
        # retry-limit raise have been collapsed together.
        raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): guard on ev missing in this listing.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked

    The stapled response is generated into the log directory by the test
    setup; skip rather than fail when it is absent. With ocsp=2 a
    "revoked" status must abort the TLS handshake and end in EAP failure.

    NOTE(review): the status loop has lost lines in this listing (guard on
    ev, loop header, break/continue on the two status texts, retry counter).
    """
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    # NOTE(review): guard on ev missing in this listing.
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    # 'bad certificate status response' is the generic OCSP alert; the
    # 'certificate revoked' text is the specific reason expected here.
    if 'certificate revoked' in ev:
        # NOTE(review): branch bodies collapsed in this listing.
        raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): guard on ev missing in this listing.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown

    (The original docstring said "revoked"; the response used here is the
    "unknown" one.) With ocsp=2 an "unknown" status is not good enough:
    the handshake must fail. Compare the ocsp=1 variant right below, which
    accepts the same response.

    NOTE(review): the status loop has lost lines in this listing (guard on
    ev, loop header, break on the expected status text, retry counter).
    """
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    # NOTE(review): guard on ev missing in this listing.
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
        # NOTE(review): expected-status branch and retry-limit raise
        # collapsed together in this listing.
        raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): guard on ev missing in this listing.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown

    Same stapled "unknown" response as the ocsp=2 test above, but the
    profile uses ocsp=1 (request stapling, do not insist on a good status).
    connect() is left to wait for the association, i.e. this variant is
    expected to succeed where the strict one fails.
    """
    response_path = os.path.join(params['logdir'],
                                 "ocsp-server-cache-unknown.der")
    if not os.path.exists(response_path):
        raise HwsimSkip("No OCSP response available")

    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = response_path
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    ttls_opts = dict(identity="pap user", ca_cert="auth_serv/ca.pem",
                     anonymous_identity="ttls", password="password",
                     phase2="auth=PAP", ocsp=1, scan_freq="2412")
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   **ttls_opts)
def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)

    The fixture certificate carries no dNSName (per its file name), so the
    domain_suffix_match comparison has to use the subject CN. Here the
    suffix is the full CN value, which must work with every TLS backend;
    the partial-suffix variant below is gated on check_domain_match_full().

    NOTE(review): the connect() call is cut short in this listing; its
    trailing arguments (presumably scan_freq="2412") are not visible.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="server3.w1.fi",
def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain match (CN)

    domain_match requires the full name to match; with a certificate that
    has no dNSName the CN server3.w1.fi is what gets compared, and an exact
    value is given here (the mismatch test further down shows that a mere
    parent domain, "w1.fi", is rejected).

    NOTE(review): the connect() call is cut short in this listing; its
    trailing arguments are not visible.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="server3.w1.fi",
def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)

    Partial suffix ("w1.fi") against CN server3.w1.fi. Only OpenSSL builds
    support a true suffix match against the CN (check_domain_match_full
    skips the test otherwise), which is why this case is separate from the
    full-value variant above. Note the test drives dev[1], not dev[0].

    NOTE(review): the connect() call is cut short in this listing; its
    trailing arguments are not visible.
    """
    check_domain_match_full(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="w1.fi",
def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)

    Two rejections against CN server3.w1.fi:
      dev[0]: an unrelated domain (example.com).
      dev[1]: "erver3.w1.fi" -- a plain string suffix of the CN, but not one
              that starts at a DNS label boundary. Requiring EAP failure here
              is the security property of domain_suffix_match: a suffix rule
              must not be satisfiable by any name that merely ends in the
              same characters.

    NOTE(review): both connect() calls are cut short in this listing
    (presumably wait_connect=False, scan_freq="2412" followed), and the
    "if ev is None" guards before the raises are missing.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="example.com",
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="erver3.w1.fi",
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report (2)")
def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)

    domain_match is an exact-name check, so against CN server3.w1.fi both
    an unrelated domain (dev[0], example.com) and the parent domain
    (dev[1], w1.fi -- which *would* pass domain_suffix_match) must end in
    EAP failure.

    NOTE(review): both connect() calls are cut short in this listing and
    the "if ev is None" guards before the raises are missing.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="example.com",
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="w1.fi",
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report (2)")
def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and expired certificate

    An expired server certificate must be reported through
    CTRL-EVENT-EAP-TLS-CERT-ERROR with reason=4 / "certificate has expired"
    and the authentication must then fail; the test checks both, so a build
    that merely logs the error but continues would be caught.

    NOTE(review): the connect() call is cut short in this listing
    (presumably wait_connect=False, scan_freq="2412" followed), and the
    "if ev is None" guards before the timeout raises are missing.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-expired.pem"
    params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
    raise Exception("Timeout on EAP certificate error report")
    if "reason=4" not in ev or "certificate has expired" not in ev:
        raise Exception("Unexpected failure reason: " + ev)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration

    Same expired server certificate as the test above, but phase1 sets
    tls_disable_time_checks=1, which turns off the validity-period check;
    the connection is then expected to go through. That option weakens
    server validation and is only appropriate for test fixtures or devices
    without a trustworthy clock.

    NOTE(review): the connect() call is cut short in this listing; its
    trailing arguments are not visible.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-expired.pem"
    params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   phase1="tls_disable_time_checks=1",
def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and long certificate duration

    Server certificate with an unusually long validity period (fixture
    server-long-duration.pem); no failure event is awaited, so the
    expectation is that the certificate is accepted as valid.

    NOTE(review): the connect() call is cut short in this listing; its
    trailing arguments are not visible.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-long-duration.pem"
    params["private_key"] = "auth_serv/server-long-duration.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client EKU

    The server presents a certificate whose Extended Key Usage only allows
    client authentication (fixture server-eku-client.pem). The supplicant
    must refuse to treat it as a server certificate, so EAP failure is the
    required outcome -- accepting it would let any client-cert holder pose
    as the authentication server.

    NOTE(review): the connect() call is cut short in this listing and the
    "if ev is None" guard before the raise is missing.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-eku-client.pem"
    params["private_key"] = "auth_serv/server-eku-client.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU

    Counterpart of the test above: an EKU listing both client and server
    authentication is acceptable for a server certificate, so no failure
    event is awaited here.

    NOTE(review): the connect() call is cut short in this listing; its
    trailing arguments are not visible.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-eku-client-server.pem"
    params["private_key"] = "auth_serv/server-eku-client-server.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file

    Drops server_cert and points private_key at a PKCS#12 bundle, so
    hostapd has to load both the certificate and the key from that one
    file. The client side is unchanged.

    NOTE(review): the connect() call is cut short in this listing; its
    trailing arguments are not visible.
    """
    params = int_eap_server_params()
    del params["server_cert"]
    params["private_key"] = "auth_serv/server.pkcs12"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params

    Station-side dh_file (compare the blob:// and server-side variants that
    follow). The CA is supplied in DER form here rather than PEM.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    ttls_opts = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                     dh_file="auth_serv/dh.conf")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", **ttls_opts)
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob

    Same as the dh_file test above, but the DH parameters are loaded into a
    named supplicant blob over the control interface and the profile refers
    to them with blob://dhparams instead of a filesystem path.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # read_pem() returns the decoded (DER) body; SET blob wants it as hex.
    dh_der = read_pem("auth_serv/dh2.conf")
    set_blob_cmd = "SET blob dhparams " + dh_der.encode("hex")
    if "OK" not in dev[0].request(set_blob_cmd):
        raise Exception("Could not set dhparams blob")

    ttls_opts = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                     dh_file="blob://dhparams")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", **ttls_opts)
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams

    Server-side override: the integrated EAP server is given dh2.conf via
    the dh_file parameter; the station uses default settings.
    """
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/dh2.conf"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    ttls_opts = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", **ttls_opts)
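def test_ap_wpa2_eap_reauth(dev, apdev):
    """WPA2-Enterprise and Authenticator forcing reauthentication

    The AP is configured to re-run EAP every 2 seconds. After the initial
    connection the test waits for a new EAP-STARTED / EAP-SUCCESS pair and
    then polls wpa_state until the supplicant is back in COMPLETED.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['eap_reauth_period'] = '2'
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    logger.info("Wait for reauthentication")
    # wait_event() returns None on timeout; the listing reviewed here had
    # both raises unconditional.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Timeout on reauthentication")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("Timeout on reauthentication")
    # Bounded poll for the state machine to settle. Without the break the
    # loop in the reviewed listing always ran 20 iterations and only the
    # last sample was checked.
    # NOTE(review): no delay between polls is visible here; the upstream
    # test presumably sleeps briefly per iteration -- confirm.
    state = None
    for _ in range(20):
        state = dev[0].get_status_field("wpa_state")
        if state == "COMPLETED":
            break
    if state != "COMPLETED":
        raise Exception("Reauthentication did not complete")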
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity

    eap_message carries a displayable text, then a literal "\\0" that
    hostapd.conf uses to mark the end of that text, followed by what looks
    like the RFC 3748 option list (networkid/nasid/portid/NAIRealms). The
    connection must succeed with the extra payload present.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['eap_message'] = ('hello\\0networkid=netw,nasid=foo,'
                                'portid=0,NAIRealms=example.com')
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication

    The server enables protected result indications; for each of SIM, AKA
    and AKA' dev[0] requests them (phase1 result_ind=1), reauthenticates,
    and dev[1] connects without requesting them, so both paths are covered
    against the same AP. Requires the hlr_auc_gw test HLR/AuC socket.
    """
    check_hlr_auc_gw_support()
    ap_params = int_eap_server_params()
    ap_params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    ap_params['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # (method, identity, password string understood by hlr_auc_gw)
    cases = [
        ("SIM", "1232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("AKA", "0232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    for idx, (method, identity, secret) in enumerate(cases):
        if idx:
            # Clear the previous method's profiles on both stations first.
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], method, identity,
                    password=secret, phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], apdev[0], method, identity, password=secret)
def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
    """WPA2-Enterprise connection resulting in too many EAP roundtrips

    The supplicant caps the number of EAP request/response exchanges per
    authentication; the test waits for the "EAP: more than" log line that
    announces the cap was hit, which stops an endlessly fragmenting peer
    from holding the state machine open.

    NOTE(review): a line is missing from the connect() call between phase2
    and the closing parenthesis (presumably the option that forces the
    exchange into many small fragments), and the "if ev is None" guard
    before the raise is absent in this listing.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="TTLS", identity="mschap user",
                   wait_connect=False, scan_freq="2412", ieee80211w="1",
                   anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    ev = dev[0].wait_event(["EAP: more than"], timeout=20)
    raise Exception("EAP roundtrip limit not reached")
def test_ap_wpa2_eap_expanded_nak(dev, apdev):
    """WPA2-Enterprise connection with EAP resulting in expanded NAK

    The "vendor-test" identity makes the server propose a vendor-specific
    (expanded) method; the station is configured for EAP-PSK only, so it
    must answer with an expanded NAK ("refuse proposed method" in the
    EAP-STATUS stream) and the exchange must end in EAP failure.

    NOTE(review): the connect() call is cut short in this listing, the
    "if ev is None" guards are missing, and the status loop's break on the
    expected text has been collapsed into the "Unexpected EAP status" raise.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="PSK", identity="vendor-test",
                   password_hex="ff23456789abcdef0123456789abcdef",
    # Up to five status events are inspected before giving up.
    for i in range(0, 5):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
        raise Exception("Association and EAP start timed out")
        if "refuse proposed method" in ev:
            raise Exception("Unexpected EAP status: " + ev)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("EAP failure timed out")
def test_ap_wpa2_eap_sql(dev, apdev, params):
    """WPA2-Enterprise connection using SQLite for user DB

    Builds a throwaway SQLite user database in the log directory and points
    hostapd's eap_user_file at it with the sqlite: prefix, then logs in as
    each of the four TTLS users it defines. All SQL below is fixed literal
    statements with no external input, so there is no injection surface in
    the test itself.

    NOTE(review): the sqlite3 import attempt, the stale-file cleanup, the
    cursor creation and the commit/close around the setup are not visible
    in this listing; as shown, `cur` is undefined and the skip is
    unconditional.
    """
    raise HwsimSkip("No sqlite3 module available")
    dbfile = os.path.join(params['logdir'], "eap-user.db")
    con = sqlite3.connect(dbfile)
    # Per-user rows: identity -> allowed phase-2 method and password
    # (phase2=1 marks them as inner-method users); the '' wildcard row in
    # `wildcards` supplies the phase-1 (tunnel) methods for everyone.
    cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
    cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
    cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
    # authlog is created so the server has somewhere to record attempts;
    # its contents are not inspected here.
    cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
    params = int_eap_server_params()
    params["eap_user_file"] = "sqlite:" + dbfile
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Each user must only succeed with the inner method its row permits.
    eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
    dev[1].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
    eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
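def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Identities containing a lone 0x80 byte (not valid UTF-8) are sent to
    the integrated EAP server. The test only checks that EAP starts and
    that a method gets selected for both stations -- i.e. the odd identity
    is handled without stalling or aborting the state machine before
    method negotiation. Whether the users can ultimately authenticate is
    not part of this test.
    """
    params = int_eap_server_params()
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="\x80", password="password", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="a\x80", password="password", wait_connect=False)
    for i in range(0, 2):
        # wait_event() returns None on timeout; the listing reviewed here
        # had both raises unconditional.
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        if ev is None:
            raise Exception("EAP method selection timed out")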
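def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Same identities as test_ap_wpa2_eap_non_ascii_identity, but against the
    default wpa2_eap_params() AP instead of the integrated EAP server, so
    the other authentication path is exercised with the malformed
    identity. Again only EAP start and method selection are required.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="\x80", password="password", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="a\x80", password="password", wait_connect=False)
    for i in range(0, 2):
        # wait_event() returns None on timeout; the listing reviewed here
        # had both raises unconditional.
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        if ev is None:
            raise Exception("EAP method selection timed out")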
def test_openssl_cipher_suite_config_wpas(dev, apdev):
    """OpenSSL cipher suite configuration on wpa_supplicant

    Station-side openssl_ciphers: an AES128 list negotiates normally, while
    a list restricted to EXPORT-grade suites must not yield a connection
    (expect_failure) -- presumably because the server offers nothing in
    common with it. Only meaningful when the supplicant is built on OpenSSL.
    """
    tls_lib = dev[0].request("GET tls_library")
    if not tls_lib.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls_lib)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)

    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", **common)
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="EXPORT", expect_failure=True, **common)
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd

    Server-side openssl_ciphers restricted to AES256. A station with default
    ciphers connects; one restricted to AES128 shares no suite with the
    server and must fail; "HIGH:!ADH" still contains AES256 and connects.
    Both sides have to be OpenSSL builds for the lists to mean anything.
    """
    sta_tls = dev[0].request("GET tls_library")
    if not sta_tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + sta_tls)

    ap_params = int_eap_server_params()
    ap_params['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    ap_tls = hapd.request("GET tls_library")
    if not ap_tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + ap_tls)

    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **common)
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", expect_failure=True, **common)
    eap_connect(dev[2], apdev[0], "TTLS", "pap user",
                openssl_ciphers="HIGH:!ADH", **common)
def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
    """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP

    Connects with EAP-TTLS/PAP, snapshots the wpa_supplicant process
    memory (read_process_memory) and checks which secrets are still
    resident at each stage: while associated, after disassociation, after
    flushing the PMKSA cache and EAP fast-reauth state, and after removing
    the network profile. After the last step nothing -- not the password,
    PMK, MSK/EMSK, KCK/KEK, TK or GTK -- may remain; verify_not_present
    dumps the offending memory context to `fname` for analysis.

    The key values to search for are recovered from the supplicant debug
    log (log0) hexdumps rather than from the control interface.

    NOTE(review): this listing has lost several lines: the initialisation
    of msk/emsk/pmk/ptk/gtk before the log scan, the GTK length guard, the
    derivation of kck/kek/tk from ptk, and the "if X not in buf" guards in
    the associated-state checks; some raises below therefore appear
    unconditional and kck/kek/tk appear undefined.
    """
    p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], p)
    # Long, random-looking password so a substring search of the process
    # image cannot match it by accident.
    password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
    pid = find_wpas_process(dev[0])
    id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
                     anonymous_identity="ttls", password=password,
                     ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Snapshot while associated, before anything gets cleared.
    buf = read_process_memory(pid, password)
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Each hexdump line is "<prefix>: <name> - hexdump(len=N): <hex bytes>";
    # field 3 after splitting on ':' is the hex payload.
    with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
        for l in f.readlines():
            if "EAP-TTLS: Derived key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                msk = binascii.unhexlify(val)
            if "EAP-TTLS: Derived EMSK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                emsk = binascii.unhexlify(val)
            if "WPA: PMK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                pmk = binascii.unhexlify(val)
            if "WPA: PTK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                ptk = binascii.unhexlify(val)
            if "WPA: Group Key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                gtk = binascii.unhexlify(val)
    if not msk or not emsk or not pmk or not ptk or not gtk:
        raise Exception("Could not find keys from debug log")
    # NOTE(review): the "if len(gtk) != 16" guard is missing in this listing.
    raise Exception("Unexpected GTK length")
    # Prefix for the memory-context dump files written by verify_not_present.
    fname = os.path.join(params['logdir'],
                         'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
    logger.info("Checking keys in memory while associated")
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    # Password/PMK absence while associated is a skip, not a failure: the
    # memory reader may simply not cover the region they live in. Missing
    # KCK/KEK is a hard failure, and TK/GTK must already be out of the
    # supplicant's memory at this point (they live in the driver).
    if password not in buf:
        raise HwsimSkip("Password not found while associated")
    # NOTE(review): guards for the next five raises are missing in this listing.
    raise HwsimSkip("PMK not found while associated")
    raise Exception("KCK not found while associated")
    raise Exception("KEK not found while associated")
    raise Exception("TK found from memory")
    raise Exception("GTK found from memory")

    logger.info("Checking keys in memory after disassociation")
    buf = read_process_memory(pid, password)

    # Note: Password is still present in network configuration
    # Note: PMK is in PMKSA cache and EAP fast re-auth data

    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    # Handshake-derived keys must be wiped as soon as the association ends.
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")

    # Flushing PMKSA and changing the identity (which drops the EAP
    # fast-reauth state) should leave no copy of the PMK behind.
    dev[0].request("PMKSA_FLUSH")
    dev[0].set_network_quoted(id, "identity", "foo")
    logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
    buf = read_process_memory(pid, password)
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, pmk, fname, "PMK")

    dev[0].request("REMOVE_NETWORK all")

    logger.info("Checking keys in memory after network profile removal")
    buf = read_process_memory(pid, password)

    # With the profile gone nothing secret may remain, including the
    # password itself and the EAP MSK/EMSK.
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, password, fname, "password")
    verify_not_present(buf, pmk, fname, "PMK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")
    verify_not_present(buf, msk, fname, "MSK")
    verify_not_present(buf, emsk, fname, "EMSK")
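def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
    """WPA2-Enterprise connection and unexpected WEP EAPOL-Key

    After a normal EAP-TTLS/PAP connection, a legacy EAPOL-Key frame is
    injected from the AP's address (hex: version 02, packet type 03 =
    EAPOL-Key, length 0x2c, descriptor type 01 = the RC4/WEP key
    descriptor, then zeros). In a WPA2 association such a frame has no
    business installing anything and the supplicant is expected to drop it.

    Note that only the acceptance of the EAPOL_RX command is asserted; the
    frame being dropped is not itself observable through an event here.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    bssid = apdev[0]['bssid']
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")

    # Send unexpected WEP EAPOL-Key; this gets dropped
    res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
    # Control-interface commands answer "OK" on success (same idiom as the
    # SET blob check elsewhere in this file); the listing reviewed here had
    # this raise unconditional.
    if "OK" not in res:
        raise Exception("EAPOL_RX to wpa_supplicant failed")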
def test_ap_wpa2_eap_in_bridge(dev, apdev):
    """WPA2-EAP and wpas interface in a bridge

    Thin wrapper: runs _test_ap_wpa2_eap_in_bridge() and then tears the
    bridge and 4addr mode down again. The cleanup uses subprocess.call with
    argument lists (no shell) and ignores return codes on purpose, so a
    partially built bridge still gets dismantled.

    NOTE(review): the lines defining br_ifname/ifname and the try/finally
    around the call are missing from this listing; the cleanup below reads
    as the finally: branch.
    """
    _test_ap_wpa2_eap_in_bridge(dev, apdev)
    subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
    subprocess.call(['brctl', 'delif', br_ifname, ifname])
    subprocess.call(['brctl', 'delbr', br_ifname])
    subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
def _test_ap_wpa2_eap_in_bridge(dev, apdev):
    """Body of test_ap_wpa2_eap_in_bridge, split out so the caller can clean up unconditionally.

    Puts a 4addr-mode station interface into a bridge, adds it to a second
    wpa_supplicant instance with br_ifname set, and checks that EAP-PAX
    authentication, two reauthentications and a disconnect/reconnect cycle
    all work with EAPOL frames travelling through the bridge port.

    NOTE(review): br_ifname and ifname are assigned in lines this listing
    dropped (between add_ap and the WpaSupplicant construction).
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
    subprocess.call(['brctl', 'addbr', br_ifname])
    # Forward delay 0 so the port is usable as soon as it is added.
    subprocess.call(['brctl', 'setfd', br_ifname, '0'])
    subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
    # 4addr (WDS) mode is what lets a station interface be bridged.
    subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
    # Only the addif step is fatal; the others are best-effort.
    subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
    wpas.interface_add(ifname, br_ifname=br_ifname)

    id = eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
                     password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(wpas, "PAX")
    # Try again as a regression test for packet socket workaround
    eap_reauth(wpas, "PAX")
    wpas.request("DISCONNECT")
    wpas.wait_disconnected()
    wpas.request("RECONNECT")
    wpas.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled

    phase1 tls_disable_session_ticket=0 explicitly allows TLS session
    tickets; the reauth afterwards exercises the resumption path. The
    GET_CONFIG check is a sanity test that the AP reports WPA-EAP as its
    first key management suite.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)

    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)

    ttls_opts = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.pem",
                     phase1="tls_disable_session_ticket=0",
                     phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_opts)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_no_workaround(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0

    Disables the supplicant's EAP interoperability workarounds
    (eap_workaround='0') and checks that connection and reauthentication
    still succeed against hostapd, which needs none of them.

    NOTE(review): the eap_connect() call is cut short in this listing --
    the phase2 argument and closing parenthesis are not visible.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Sanity check on the reported AKM list before proceeding.
    key_mgmt = hapd.get_config()['key_mgmt']
    if key_mgmt.split(' ')[0] != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
    """EAP-TLS and server checking CRL

    Three server configurations for the same EAP-TLS client:
      check_crl=1 with a CA file that carries no CRL  -> must reject
      check_crl=1 with ca-and-crl.pem                 -> accept
      check_crl=2 with ca-and-crl.pem                 -> accept
    The first case is the important one: when CRL checking is requested
    and no CRL is available the server must fail closed rather than treat
    "no CRL" as "nothing revoked".

    NOTE(review): lines around the two hapd.set() calls are missing from
    this listing (presumably the AP is disabled/re-enabled so the new
    setting takes effect); confirm the sequence upstream before relying on
    the order shown here.
    """
    params = int_eap_server_params()
    params['check_crl'] = '1'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    # check_crl=1 and no CRL available --> reject connection
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")

    # check_crl=1 and valid CRL --> accept
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    dev[0].request("REMOVE_NETWORK all")

    # check_crl=2 extends the check beyond the peer certificate (per
    # hostapd.conf, to the rest of the chain -- confirm).
    hapd.set("check_crl", "2")

    # check_crl=2 and valid CRL --> accept
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    dev[0].request("REMOVE_NETWORK all")
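def test_ap_wpa2_eap_tls_oom(dev, apdev):
    """EAP-TLS and OOM"""
    # The subject/altsubject/domain matching options are only available with
    # the OpenSSL backend; skip the test on other TLS libraries.
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    check_domain_match_full(dev[0])

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Fail the 1st, 2nd, 3rd and 4th allocation inside
    # tls_connection_set_subject_match() in turn -- presumably one allocation
    # per configured match parameter (subject, altsubject, suffix, domain).
    tests = [(count, "tls_connection_set_subject_match")
             for count in range(1, 5)]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                           identity="tls user", ca_cert="auth_serv/ca.pem",
                           client_cert="auth_serv/user.pem",
                           private_key="auth_serv/user.key",
                           subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                           altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
                           domain_suffix_match="server.w1.fi",
                           domain_match="server.w1.fi",
                           wait_connect=False, scan_freq="2412")
            # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE.
            # This is the fail-closed signal we want: an allocation failure
            # while installing the server-name constraints must abort the
            # attempt rather than continue with weaker certificate checks.
            # Only the absence of that event (timeout, wait_event returning
            # None) is a test failure; the original raised unconditionally.
            ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
            if ev is None:
                raise Exception("No passphrase request")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()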