1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
# Module-wide logger; the tests below use it to label the negative cases they
# run (the root logger is used, so the harness's handlers apply).
13 logger = logging.getLogger()
18 from utils import HwsimSkip, alloc_fail, fail_test, skip_with_fips
19 from wpasupplicant import WpaSupplicant
20 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations
def check_hlr_auc_gw_support():
    """Skip the calling test when the hlr_auc_gw control socket is absent.

    The EAP-SIM/AKA/AKA' tests in this file call this first: they need the
    hlr_auc_gw helper, whose presence is detected by its UNIX socket path.

    Raises:
        HwsimSkip: if /tmp/hlr_auc_gw.sock does not exist.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
# Skip the calling test unless wpa_supplicant was built with EAP `method`.
# `res` is the reply to the "eap" capability query; the method name is looked
# up in it.
# NOTE(review): the guard between the capability lookup and the raise is not
# present in this listing; only the lookup and the skip are visible.
26 def check_eap_capa(dev, method):
27 res = dev.get_capability("eap")
29 raise HwsimSkip("EAP method %s not supported in the build" % method)
def check_subject_match_support(dev):
    """Skip the calling test unless the TLS library supports subject_match.

    Only the OpenSSL backend is accepted; any other "GET tls_library" reply
    results in a skip rather than a failure.

    Raises:
        HwsimSkip: when the TLS library name does not start with "OpenSSL".
    """
    lib = dev.request("GET tls_library")
    if lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + lib)
def check_altsubject_match_support(dev):
    """Skip the calling test unless the TLS library supports altsubject_match.

    Mirrors check_subject_match_support: only an OpenSSL-backed build passes.

    Raises:
        HwsimSkip: when the TLS library name does not start with "OpenSSL".
    """
    lib = dev.request("GET tls_library")
    if lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("altsubject_match not supported with this TLS library: " + lib)
def check_domain_match_full(dev):
    """Skip the calling test unless domain_suffix_match is a true suffix match.

    With TLS libraries other than OpenSSL the build treats domain_suffix_match
    as requiring a full name match, so tests that rely on suffix semantics are
    skipped there.

    Raises:
        HwsimSkip: when the TLS library name does not start with "OpenSSL".
    """
    lib = dev.request("GET tls_library")
    if lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + lib)
def check_cert_probe_support(dev):
    """Skip the calling test unless certificate probing is available.

    Certificate probing is only offered by the OpenSSL backend in this build.

    Raises:
        HwsimSkip: when the TLS library name does not start with "OpenSSL".
    """
    lib = dev.request("GET tls_library")
    if lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + lib)
52 with open(fname, "r") as f:
63 return base64.b64decode(cert)
# Associate `dev` to AP `ap` using EAP `method` and verify the outcome.
#
# Adds a WPA2-Enterprise network offering both the WPA-EAP and WPA-EAP-SHA256
# AKMs with PMF set to optional (ieee80211w="1"); the remaining keyword
# arguments are presumably passed through to dev.connect as network
# parameters (password, ca_cert, phase2 and so on). The initial
# authentication is then checked with eap_check_auth, and finally hostapd's
# own AP-STA-CONNECTED event is awaited so the authenticator side agrees.
#
# sha256 / expect_failure / local_error_report / maybe_local_error are
# forwarded to eap_check_auth unchanged; see that function for their meaning.
#
# NOTE(review): this listing omits a few lines of the original (the closing
# of the dev.connect call and the guard before the final raise), so the
# behaviour around the final wait is only partly visible.
65 def eap_connect(dev, ap, method, identity,
66 sha256=False, expect_failure=False, local_error_report=False,
67 maybe_local_error=False, **kwargs):
68 hapd = hostapd.Hostapd(ap['ifname'])
69 id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
70 eap=method, identity=identity,
71 wait_connect=False, scan_freq="2412", ieee80211w="1",
# Supplicant-side verification of the first (initial=True) authentication.
73 eap_check_auth(dev, method, True, sha256=sha256,
74 expect_failure=expect_failure,
75 local_error_report=local_error_report,
76 maybe_local_error=maybe_local_error)
# Cross-check from the authenticator side with a short (5 s) timeout.
79 ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
81 raise Exception("No connection event received from hostapd")
# Verify one EAP authentication round on `dev` (initial association when
# `initial` is True, a re-authentication otherwise).
#
# The EAP start and method-selection events are awaited and the selected
# method is compared with `method`. After that two outcomes are checked:
#  * expect_failure: an EAP-FAILURE and a disconnection are required, and
#    unless local_error_report is set the disconnection must carry reason=23
#    (IEEE 802.11 reason code "IEEE 802.1X authentication failed"), i.e. the
#    AP must have deauthenticated the station for the failed authentication.
#    With maybe_local_error a supplicant-generated disconnection appears to
#    bypass that reason check (the line following it is not in this listing).
#  * success: EAP-SUCCESS, then the connection/key-negotiation event, then a
#    STATUS check that wpa_state is COMPLETED, the 802.1X port is Authorized,
#    the method is reported as selected, and key_mgmt matches sha256/rsn.
#
# NOTE(review): the listing omits several lines of this function (the
# `if ev is None`-style guards before the raises, the branch keywords and
# the lines that choose between the three key_mgmt strings); comments
# describe only what is visible.
84 def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
85 expect_failure=False, local_error_report=False,
86 maybe_local_error=False):
87 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
89 raise Exception("Association and EAP start timed out")
90 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
92 raise Exception("EAP method selection timed out")
# The negotiated method must be the one the test configured.
94 raise Exception("Unexpected EAP method")
# Failure path. Note this wait uses the default timeout rather than 10 s.
96 ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
98 raise Exception("EAP failure timed out")
99 ev = dev.wait_disconnected(timeout=10)
# A supplicant-initiated disconnect is tolerated only when the caller said
# one might occur.
100 if maybe_local_error and "locally_generated=1" in ev:
102 if not local_error_report:
103 if "reason=23" not in ev:
104 raise Exception("Proper reason code for disconnection not reported")
# Success path.
106 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
108 raise Exception("EAP success timed out")
111 ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
113 ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
115 raise Exception("Association with the AP timed out")
116 status = dev.get_status()
117 if status["wpa_state"] != "COMPLETED":
118 raise Exception("Connection not completed")
# EAP-SUCCESS alone is not enough: the controlled port must actually be open.
120 if status["suppPortStatus"] != "Authorized":
121 raise Exception("Port not authorized")
122 if method not in status["selectedMethod"]:
123 raise Exception("Incorrect EAP method status")
# Expected key_mgmt string: SHA256 AKM, RSN (WPA2) 802.1X, or WPA 802.1X.
125 e = "WPA2-EAP-SHA256"
127 e = "WPA2/IEEE 802.1X/EAP"
129 e = "WPA/IEEE 802.1X/EAP"
130 if status["key_mgmt"] != e:
131 raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger an EAP re-authentication on *dev* and verify its outcome.

    Sends the REAUTHENTICATE control command and then runs eap_check_auth
    with initial=False, so the checks apply to a re-authentication of an
    already associated station rather than to the first association.

    Returns:
        Whatever eap_check_auth returns.
    """
    dev.request("REAUTHENTICATE")
    return eap_check_auth(
        dev,
        method,
        False,
        rsn=rsn,
        sha256=sha256,
        expect_failure=expect_failure,
    )
# EAP-SIM against hlr_auc_gw: one good connection with connectivity and
# re-authentication, two more subscribers, then a series of negative cases.
# The password is two 32-hex-digit halves separated by ':' (the locally
# simulated GSM-Milenage key material; presumably Ki and OPc). The negative
# cases cover a wrong key, a truncated key, non-hex characters in either half,
# a missing ':' separator, and no key at all.
# NOTE(review): the closing argument line of several eap_connect calls (the
# one after each `password=` line) is not present in this listing.
139 def test_ap_wpa2_eap_sim(dev, apdev):
140 """WPA2-Enterprise connection using EAP-SIM"""
141 check_hlr_auc_gw_support()
142 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
143 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
144 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
145 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
146 hwsim_utils.test_connectivity(dev[0], hapd)
147 eap_reauth(dev[0], "SIM")
149 eap_connect(dev[1], apdev[0], "SIM", "1232010000000001",
150 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
151 eap_connect(dev[2], apdev[0], "SIM", "1232010000000002",
152 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
# Wrong key (first byte changed): the authentication must be rejected.
155 logger.info("Negative test with incorrect key")
156 dev[0].request("REMOVE_NETWORK all")
157 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
158 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
# Malformed keys: too short, non-hex digit in either half, missing separator.
161 logger.info("Invalid GSM-Milenage key")
162 dev[0].request("REMOVE_NETWORK all")
163 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
164 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
167 logger.info("Invalid GSM-Milenage key(2)")
168 dev[0].request("REMOVE_NETWORK all")
169 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
170 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
173 logger.info("Invalid GSM-Milenage key(3)")
174 dev[0].request("REMOVE_NETWORK all")
175 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
176 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
179 logger.info("Invalid GSM-Milenage key(4)")
180 dev[0].request("REMOVE_NETWORK all")
181 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
182 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
# No password at all: the method must fail cleanly rather than proceed.
185 logger.info("Missing key configuration")
186 dev[0].request("REMOVE_NETWORK all")
187 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
# EAP-SIM with the authentication server keeping its state in SQLite.
# The test edits the server's reauth/pseudonyms tables directly between
# re-authentications to force each path: fast re-auth, full auth with a
# pseudonym, full auth with the permanent identity, a master-key (mk)
# mismatch that must make the re-authentication fail, and counter handling
# (mismatching counter and the maximum re-auth count).
# The SQL statements are built from string literals only, so string
# concatenation is acceptable here; anything derived from input would need
# parameter binding instead.
# NOTE(review): `params` is first the harness dict (params['logdir']) and is
# then rebound to the hostapd configuration, which is easy to misread. The
# sqlite3 import/guard and the `cur = con.cursor()` lines are not present in
# this listing.
190 def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
191 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
192 check_hlr_auc_gw_support()
196 raise HwsimSkip("No sqlite3 module available")
197 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
198 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
# Port 1814 selects the SQL-backed authentication server instance.
199 params['auth_server_port'] = "1814"
200 hostapd.add_ap(apdev[0]['ifname'], params)
201 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
202 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
204 logger.info("SIM fast re-authentication")
205 eap_reauth(dev[0], "SIM")
# Dropping the reauth row forces a full authentication; the pseudonym row
# is still present, so it is used as the identity.
207 logger.info("SIM full auth with pseudonym")
210 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
211 eap_reauth(dev[0], "SIM")
# With both rows gone the permanent identity has to be used again.
213 logger.info("SIM full auth with permanent identity")
216 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
217 cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
218 eap_reauth(dev[0], "SIM")
# A server-side MK that no longer matches the peer's must be rejected.
220 logger.info("SIM reauth with mismatching MK")
223 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
224 eap_reauth(dev[0], "SIM", expect_failure=True)
225 dev[0].request("REMOVE_NETWORK all")
227 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
228 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
# Counter manipulation: the re-authentication is still expected to succeed
# (no expect_failure), presumably by falling back to a full authentication.
231 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
232 eap_reauth(dev[0], "SIM")
235 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
236 logger.info("SIM reauth with mismatching counter")
237 eap_reauth(dev[0], "SIM")
238 dev[0].request("REMOVE_NETWORK all")
240 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
241 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
244 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
245 logger.info("SIM reauth with max reauth count reached")
246 eap_reauth(dev[0], "SIM")
# EAP-SIM phase1 configuration: sim_min_num_chal=1 and =4 must be refused at
# method initialisation (the method can only require 2 or 3 GSM challenges;
# accepting a lower minimum would weaken the exchange), while =2 is accepted.
# A second station exercises anonymous_identity with the same subscriber.
# NOTE(review): the `if ev is None` guards before the two raises are not
# present in this listing.
248 def test_ap_wpa2_eap_sim_config(dev, apdev):
249 """EAP-SIM configuration options"""
250 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
251 hostapd.add_ap(apdev[0]['ifname'], params)
252 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
253 identity="1232010000000000",
254 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
255 phase1="sim_min_num_chal=1",
256 wait_connect=False, scan_freq="2412")
# Method 18 is EAP-SIM; the init error must be reported rather than the
# value being silently clamped.
257 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
259 raise Exception("No EAP error message seen")
260 dev[0].request("REMOVE_NETWORK all")
262 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
263 identity="1232010000000000",
264 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
265 phase1="sim_min_num_chal=4",
266 wait_connect=False, scan_freq="2412")
267 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
269 raise Exception("No EAP error message seen (2)")
270 dev[0].request("REMOVE_NETWORK all")
# Valid minimum: the connection must complete.
272 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
273 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
274 phase1="sim_min_num_chal=2")
275 eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
276 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
277 anonymous_identity="345678")
# Wrapper around _test_ap_wpa2_eap_sim_ext whose only job is to restore
# `external_sim 0` afterwards, so a failing run does not leave dev[0] in
# external-SIM mode for the tests that follow.
# NOTE(review): the try/finally keywords around the two calls are not present
# in this listing.
279 def test_ap_wpa2_eap_sim_ext(dev, apdev):
280 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
282 _test_ap_wpa2_eap_sim_ext(dev, apdev)
284 dev[0].request("SET external_sim 0")
286 def _test_ap_wpa2_eap_sim_ext(dev, apdev):
287 check_hlr_auc_gw_support()
288 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
289 hostapd.add_ap(apdev[0]['ifname'], params)
290 dev[0].request("SET external_sim 1")
291 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
292 identity="1232010000000000",
293 wait_connect=False, scan_freq="2412")
294 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
296 raise Exception("Network connected timed out")
298 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
300 raise Exception("Wait for external SIM processing request timed out")
302 if p[1] != "GSM-AUTH":
303 raise Exception("Unexpected CTRL-REQ-SIM type")
304 rid = p[0].split('-')[3]
307 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
308 # This will fail during processing, but the ctrl_iface command succeeds
309 dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
310 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
312 raise Exception("EAP failure not reported")
313 dev[0].request("DISCONNECT")
314 dev[0].wait_disconnected()
317 dev[0].select_network(id, freq="2412")
318 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
320 raise Exception("Wait for external SIM processing request timed out")
322 if p[1] != "GSM-AUTH":
323 raise Exception("Unexpected CTRL-REQ-SIM type")
324 rid = p[0].split('-')[3]
325 # This will fail during GSM auth validation
326 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:q"):
327 raise Exception("CTRL-RSP-SIM failed")
328 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
330 raise Exception("EAP failure not reported")
331 dev[0].request("DISCONNECT")
332 dev[0].wait_disconnected()
335 dev[0].select_network(id, freq="2412")
336 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
338 raise Exception("Wait for external SIM processing request timed out")
340 if p[1] != "GSM-AUTH":
341 raise Exception("Unexpected CTRL-REQ-SIM type")
342 rid = p[0].split('-')[3]
343 # This will fail during GSM auth validation
344 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:34"):
345 raise Exception("CTRL-RSP-SIM failed")
346 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
348 raise Exception("EAP failure not reported")
349 dev[0].request("DISCONNECT")
350 dev[0].wait_disconnected()
353 dev[0].select_network(id, freq="2412")
354 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
356 raise Exception("Wait for external SIM processing request timed out")
358 if p[1] != "GSM-AUTH":
359 raise Exception("Unexpected CTRL-REQ-SIM type")
360 rid = p[0].split('-')[3]
361 # This will fail during GSM auth validation
362 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677"):
363 raise Exception("CTRL-RSP-SIM failed")
364 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
366 raise Exception("EAP failure not reported")
367 dev[0].request("DISCONNECT")
368 dev[0].wait_disconnected()
371 dev[0].select_network(id, freq="2412")
372 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
374 raise Exception("Wait for external SIM processing request timed out")
376 if p[1] != "GSM-AUTH":
377 raise Exception("Unexpected CTRL-REQ-SIM type")
378 rid = p[0].split('-')[3]
379 # This will fail during GSM auth validation
380 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:q"):
381 raise Exception("CTRL-RSP-SIM failed")
382 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
384 raise Exception("EAP failure not reported")
385 dev[0].request("DISCONNECT")
386 dev[0].wait_disconnected()
389 dev[0].select_network(id, freq="2412")
390 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
392 raise Exception("Wait for external SIM processing request timed out")
394 if p[1] != "GSM-AUTH":
395 raise Exception("Unexpected CTRL-REQ-SIM type")
396 rid = p[0].split('-')[3]
397 # This will fail during GSM auth validation
398 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233"):
399 raise Exception("CTRL-RSP-SIM failed")
400 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
402 raise Exception("EAP failure not reported")
403 dev[0].request("DISCONNECT")
404 dev[0].wait_disconnected()
407 dev[0].select_network(id, freq="2412")
408 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
410 raise Exception("Wait for external SIM processing request timed out")
412 if p[1] != "GSM-AUTH":
413 raise Exception("Unexpected CTRL-REQ-SIM type")
414 rid = p[0].split('-')[3]
415 # This will fail during GSM auth validation
416 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233:q"):
417 raise Exception("CTRL-RSP-SIM failed")
418 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
420 raise Exception("EAP failure not reported")
# Allocation-failure injection into EAP-SIM: for each (count, func) pair the
# count-th allocation inside milenage_f2345 is made to fail. The test only
# requires that the method still gets selected and that the station
# disconnects cleanly, i.e. no crash or hang on the OOM path.
# NOTE(review): the `if ev is None` guard before the raise is not present in
# this listing. The table could be written as
# [(i, "milenage_f2345") for i in range(1, 13)].
422 def test_ap_wpa2_eap_sim_oom(dev, apdev):
423 """EAP-SIM and OOM"""
424 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
425 hostapd.add_ap(apdev[0]['ifname'], params)
426 tests = [ (1, "milenage_f2345"),
427 (2, "milenage_f2345"),
428 (3, "milenage_f2345"),
429 (4, "milenage_f2345"),
430 (5, "milenage_f2345"),
431 (6, "milenage_f2345"),
432 (7, "milenage_f2345"),
433 (8, "milenage_f2345"),
434 (9, "milenage_f2345"),
435 (10, "milenage_f2345"),
436 (11, "milenage_f2345"),
437 (12, "milenage_f2345") ]
438 for count, func in tests:
439 with alloc_fail(dev[0], count, func):
440 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
441 identity="1232010000000000",
442 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
443 wait_connect=False, scan_freq="2412")
444 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
446 raise Exception("EAP method not selected")
# The injected failure must end in a disconnection, not a stuck state.
447 dev[0].wait_disconnected()
448 dev[0].request("REMOVE_NETWORK all")
450 def test_ap_wpa2_eap_aka(dev, apdev):
451 """WPA2-Enterprise connection using EAP-AKA"""
452 check_hlr_auc_gw_support()
453 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
454 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
455 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
456 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
457 hwsim_utils.test_connectivity(dev[0], hapd)
458 eap_reauth(dev[0], "AKA")
460 logger.info("Negative test with incorrect key")
461 dev[0].request("REMOVE_NETWORK all")
462 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
463 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
466 logger.info("Invalid Milenage key")
467 dev[0].request("REMOVE_NETWORK all")
468 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
469 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
472 logger.info("Invalid Milenage key(2)")
473 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
474 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
477 logger.info("Invalid Milenage key(3)")
478 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
479 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
482 logger.info("Invalid Milenage key(4)")
483 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
484 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
487 logger.info("Invalid Milenage key(5)")
488 dev[0].request("REMOVE_NETWORK all")
489 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
490 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
493 logger.info("Invalid Milenage key(6)")
494 dev[0].request("REMOVE_NETWORK all")
495 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
496 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
499 logger.info("Missing key configuration")
500 dev[0].request("REMOVE_NETWORK all")
501 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
504 def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
505 """WPA2-Enterprise connection using EAP-AKA (SQL)"""
506 check_hlr_auc_gw_support()
510 raise HwsimSkip("No sqlite3 module available")
511 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
512 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
513 params['auth_server_port'] = "1814"
514 hostapd.add_ap(apdev[0]['ifname'], params)
515 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
516 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
518 logger.info("AKA fast re-authentication")
519 eap_reauth(dev[0], "AKA")
521 logger.info("AKA full auth with pseudonym")
524 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
525 eap_reauth(dev[0], "AKA")
527 logger.info("AKA full auth with permanent identity")
530 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
531 cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
532 eap_reauth(dev[0], "AKA")
534 logger.info("AKA reauth with mismatching MK")
537 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
538 eap_reauth(dev[0], "AKA", expect_failure=True)
539 dev[0].request("REMOVE_NETWORK all")
541 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
542 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
545 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
546 eap_reauth(dev[0], "AKA")
549 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
550 logger.info("AKA reauth with mismatching counter")
551 eap_reauth(dev[0], "AKA")
552 dev[0].request("REMOVE_NETWORK all")
554 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
555 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
558 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
559 logger.info("AKA reauth with max reauth count reached")
560 eap_reauth(dev[0], "AKA")
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Exercises the anonymous_identity option next to the permanent identity;
    # the password carries the simulated UMTS key material (three
    # ':'-separated hex fields).
    aka_password = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(
        dev[0],
        apdev[0],
        "AKA",
        "0232010000000000",
        password=aka_password,
        anonymous_identity="2345678",
    )
# Wrapper around _test_ap_wpa2_eap_aka_ext that restores `external_sim 0`
# afterwards, so a failing run does not leave dev[0] in external-SIM mode.
# NOTE(review): the try/finally keywords around the two calls are not present
# in this listing.
570 def test_ap_wpa2_eap_aka_ext(dev, apdev):
571 """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
573 _test_ap_wpa2_eap_aka_ext(dev, apdev)
575 dev[0].request("SET external_sim 0")
577 def _test_ap_wpa2_eap_aka_ext(dev, apdev):
578 check_hlr_auc_gw_support()
579 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
580 hostapd.add_ap(apdev[0]['ifname'], params)
581 dev[0].request("SET external_sim 1")
582 id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
583 identity="0232010000000000",
584 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
585 wait_connect=False, scan_freq="2412")
586 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
588 raise Exception("Network connected timed out")
590 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
592 raise Exception("Wait for external SIM processing request timed out")
594 if p[1] != "UMTS-AUTH":
595 raise Exception("Unexpected CTRL-REQ-SIM type")
596 rid = p[0].split('-')[3]
599 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
600 # This will fail during processing, but the ctrl_iface command succeeds
601 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
602 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
604 raise Exception("EAP failure not reported")
605 dev[0].request("DISCONNECT")
606 dev[0].wait_disconnected()
609 dev[0].select_network(id, freq="2412")
610 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
612 raise Exception("Wait for external SIM processing request timed out")
614 if p[1] != "UMTS-AUTH":
615 raise Exception("Unexpected CTRL-REQ-SIM type")
616 rid = p[0].split('-')[3]
617 # This will fail during UMTS auth validation
618 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
619 raise Exception("CTRL-RSP-SIM failed")
620 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
622 raise Exception("Wait for external SIM processing request timed out")
624 if p[1] != "UMTS-AUTH":
625 raise Exception("Unexpected CTRL-REQ-SIM type")
626 rid = p[0].split('-')[3]
627 # This will fail during UMTS auth validation
628 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
629 raise Exception("CTRL-RSP-SIM failed")
630 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
632 raise Exception("EAP failure not reported")
633 dev[0].request("DISCONNECT")
634 dev[0].wait_disconnected()
637 tests = [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
639 ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
640 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
641 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
642 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
643 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
645 dev[0].select_network(id, freq="2412")
646 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
648 raise Exception("Wait for external SIM processing request timed out")
650 if p[1] != "UMTS-AUTH":
651 raise Exception("Unexpected CTRL-REQ-SIM type")
652 rid = p[0].split('-')[3]
653 # This will fail during UMTS auth validation
654 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
655 raise Exception("CTRL-RSP-SIM failed")
656 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
658 raise Exception("EAP failure not reported")
659 dev[0].request("DISCONNECT")
660 dev[0].wait_disconnected()
# EAP-AKA' (AKA with key derivation bound to the network name): a good
# connection with connectivity and re-authentication, a bidding-protection
# check, and a wrong-key negative case.
# NOTE(review): the closing argument line of the last eap_connect call is not
# present in this listing.
663 def test_ap_wpa2_eap_aka_prime(dev, apdev):
664 """WPA2-Enterprise connection using EAP-AKA'"""
665 check_hlr_auc_gw_support()
666 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
667 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
668 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
669 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
670 hwsim_utils.test_connectivity(dev[0], hapd)
671 eap_reauth(dev[0], "AKA'")
# Bidding-down protection: with both AKA' and AKA enabled on the peer, the
# connection must still complete, i.e. the server's preference for AKA' is
# honoured and not downgraded to plain AKA.
673 logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
674 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
675 identity="6555444333222111@both",
676 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
677 wait_connect=False, scan_freq="2412")
678 dev[1].wait_connected(timeout=15)
# Wrong key (first byte changed): the authentication must be rejected.
680 logger.info("Negative test with incorrect key")
681 dev[0].request("REMOVE_NETWORK all")
682 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
683 password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
686 def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
687 """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
688 check_hlr_auc_gw_support()
692 raise HwsimSkip("No sqlite3 module available")
693 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
694 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
695 params['auth_server_port'] = "1814"
696 hostapd.add_ap(apdev[0]['ifname'], params)
697 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
698 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
700 logger.info("AKA' fast re-authentication")
701 eap_reauth(dev[0], "AKA'")
703 logger.info("AKA' full auth with pseudonym")
706 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
707 eap_reauth(dev[0], "AKA'")
709 logger.info("AKA' full auth with permanent identity")
712 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
713 cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
714 eap_reauth(dev[0], "AKA'")
716 logger.info("AKA' reauth with mismatching k_aut")
719 cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
720 eap_reauth(dev[0], "AKA'", expect_failure=True)
721 dev[0].request("REMOVE_NETWORK all")
723 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
724 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
727 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
728 eap_reauth(dev[0], "AKA'")
731 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
732 logger.info("AKA' reauth with mismatching counter")
733 eap_reauth(dev[0], "AKA'")
734 dev[0].request("REMOVE_NETWORK all")
736 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
737 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
740 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
741 logger.info("AKA' reauth with max reauth count reached")
742 eap_reauth(dev[0], "AKA'")
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # The AP must advertise WPA-EAP as its first AKM; anything else means the
    # parameter helper produced an unexpected configuration.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm, _, _ = key_mgmt.partition(' ')
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)

    # PAP inside the TTLS tunnel: the password travels only inside TLS, so the
    # server certificate chain is validated against auth_serv/ca.pem.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")

    # 00-0f-ac-1 is the IEEE 802.1X AKM suite selector; both the requested
    # and the selected suite must report it.
    akm_8021x = "00-0f-ac-1"
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", akm_8021x),
                       ("dot11RSNAAuthenticationSuiteSelected", akm_8021x)])
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    # Both matchers are OpenSSL-only in this build; skip elsewhere.
    for support_check in (check_subject_match_support,
                          check_altsubject_match_support):
        support_check(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # On top of chain validation against ca_cert, the server certificate's
    # subject DN and its subjectAltName entries are constrained too, so a
    # different certificate from the same CA would not be accepted.
    server_subject = "/C=FI/O=w1.fi/CN=server.w1.fi"
    server_altnames = "EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/"
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                subject_match=server_subject,
                altsubject_match=server_altnames)
    eap_reauth(dev[0], "TTLS")
# EAP-TTLS/PAP negative cases: a wrong password for "pap user" and a second
# station using the identity "user" with the default password.
# NOTE(review): the closing argument line of both eap_connect calls
# (presumably expect_failure=True) is not present in this listing, so the
# expected outcome is inferred from the docstring rather than visible.
772 def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
773 """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
774 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
775 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
776 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
777 anonymous_identity="ttls", password="wrong",
778 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
780 eap_connect(dev[1], apdev[0], "TTLS", "user",
781 anonymous_identity="ttls", password="password",
782 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    # CHAP's response is an MD5 digest, which FIPS builds do not provide.
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # DER-encoded CA certificate here (the PAP variant uses the PEM file).
    ttls_chap = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", **ttls_chap)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    # CHAP's response is an MD5 digest, which FIPS builds do not provide;
    # altsubject_match additionally needs the OpenSSL backend.
    skip_with_fips(dev[0])
    check_altsubject_match_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Same SAN entries as the PAP variant, listed in a different order, so
    # the match must not depend on entry ordering.
    server_altnames = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match=server_altnames)
    eap_reauth(dev[0], "TTLS")
# EAP-TTLS/CHAP negative cases, mirroring the PAP variant: a wrong password
# for "chap user" and a second station using the identity "user".
# NOTE(review): the closing argument line of both eap_connect calls
# (presumably expect_failure=True) is not present in this listing.
808 def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
809 """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
810 skip_with_fips(dev[0])
811 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
812 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
813 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
814 anonymous_identity="ttls", password="wrong",
815 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
817 eap_connect(dev[1], apdev[0], "TTLS", "user",
818 anonymous_identity="ttls", password="password",
819 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
# EAP-TTLS/MSCHAP (v1): a connection with domain_suffix_match pinning the
# server certificate's name to server.w1.fi, connectivity and a
# re-authentication, followed by a second connection without the suffix
# match whose remaining parameters are not in this listing.
# NOTE(review): the closing argument line(s) of the second eap_connect call
# are not present here.
822 def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
823 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
# MSCHAP relies on DES/MD4 primitives that FIPS builds do not provide.
824 skip_with_fips(dev[0])
825 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
826 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
827 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
828 anonymous_identity="ttls", password="password",
829 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
830 domain_suffix_match="server.w1.fi")
831 hwsim_utils.test_connectivity(dev[0], hapd)
832 eap_reauth(dev[0], "TTLS")
833 dev[0].request("REMOVE_NETWORK all")
834 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
835 anonymous_identity="ttls", password="password",
836 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
# EAP-TTLS/MSCHAP negative cases: a wrong password for "mschap user", the
# identity "user" with the default password, and an identity the server
# does not know at all. The unknown-user case matters because the failure
# must look the same to the peer as a wrong password.
# NOTE(review): the closing argument line of each eap_connect call
# (presumably expect_failure=True) is not present in this listing.
839 def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
840 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
841 skip_with_fips(dev[0])
842 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
843 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
844 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
845 anonymous_identity="ttls", password="wrong",
846 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
848 eap_connect(dev[1], apdev[0], "TTLS", "user",
849 anonymous_identity="ttls", password="password",
850 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
852 eap_connect(dev[2], apdev[0], "TTLS", "no such user",
853 anonymous_identity="ttls", password="password",
854 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2

    dev[0] authenticates with MSCHAPv2 as the TTLS inner method, pinning the
    server certificate with ca_cert plus domain_suffix_match.  After a data
    connectivity check an EAP re-authentication is forced and the AP-side
    802.1X/EAPOL MIB counters are compared before and after it.  Finally the
    same account is authenticated again with the password supplied as an NT
    hash (password_hex="hash:...") instead of plaintext.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    ap = hostapd.Hostapd(ifname)
    sta = dev[0]

    # The inner MSCHAPv2 exchange is protected only by the outer TLS tunnel,
    # so the server identity is pinned (CA + expected name suffix) here.
    eap_connect(sta, apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(sta, ap)

    def mib_snapshot():
        # (station MIB, EAPOL MIB) for dev[0] as the AP currently reports them
        sta_mib = ap.get_sta(sta.p2p_interface_addr())
        eapol_mib = ap.get_sta(sta.p2p_interface_addr(), info="eapol")
        return sta_mib, eapol_mib

    sta_before, eapol_before = mib_snapshot()
    eap_reauth(sta, "TTLS")
    sta_after, eapol_after = mib_snapshot()

    # The re-auth must be visible in each counter: new EAPOL frames received,
    # an EAP-Start while already authenticated, and another backend success.
    rx_after = int(sta_after['dot1xAuthEapolFramesRx'])
    if rx_after <= int(sta_before['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol_after['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    succ_after = int(eapol_after['backendAuthSuccesses'])
    if succ_after <= int(eapol_before['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    sta.request("REMOVE_NETWORK all")
    # NT-hash form of the same password.  For MSCHAPv2 a stored NT hash is a
    # password-equivalent credential, so it deserves the same handling as the
    # plaintext would.
    eap_connect(sta, apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and domain_suffix_match

    Same flow as the plain TTLS/MSCHAPv2 case, but the server certificate is
    accepted through a suffix match on "w1.fi" rather than the full host name.
    """
    # Suffix (non-full) matching is a TLS-library capability; skip where the
    # library can only do a full-name match.
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    ifname = apdev[0]['ifname']
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ifname, ap_params)
    ap = hostapd.Hostapd(ifname)
    sta = dev[0]
    eap_connect(sta, apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)

    Pins the server certificate with domain_match, i.e. the full expected
    domain name rather than a suffix.  The mixed-case value presumably checks
    that the comparison is case-insensitive -- confirm against the matcher.
    """
    skip_with_fips(dev[0])
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    ap = hostapd.Hostapd(ifname)
    sta = dev[0]
    eap_connect(sta, apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "TTLS")
# Negative test: a wrong inner MSCHAPv2 password ("password1") on dev[0] must
# be rejected, while dev[1] with the correct password must still connect.  The
# argument closing each eap_connect() call (source lines 922 and 926) is not
# in this listing; by the sibling tests it is presumably expect_failure=True
# for dev[0] -- confirm in the file.
914 def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
915 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
916 skip_with_fips(dev[0])
917 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
918 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
919 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
920 anonymous_identity="ttls", password="password1",
921 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
# Control case with valid credentials on a second station.
923 eap_connect(dev[1], apdev[0], "TTLS", "user",
924 anonymous_identity="ttls", password="password",
925 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password

    dev[0] authenticates with a non-ASCII plaintext password and dev[1] with
    the NT-hash form of a UTF-8 password, so both the plaintext and the
    pre-hashed credential paths see non-ASCII input (the hash is presumably
    computed over the UTF-16LE form of the password -- confirm in the
    MSCHAPv2 implementation).
    """
    skip_with_fips(dev[0])
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    ap = hostapd.Hostapd(ifname)  # handle is created but not used further
    common = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
                password="secret-åäö-€-password", **common)
    eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf", **common)
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC

    Uses EAP-GTC as a tunnelled EAP method (phase2="autheap=GTC", as opposed
    to a legacy "auth=" inner protocol), then checks connectivity and a
    re-authentication.
    """
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    # GTC carries the password as a cleartext token; only the TLS tunnel with
    # a validated server certificate (ca_cert) protects it.
    eap_connect(sta, apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "TTLS")
# Negative test: a wrong password for the tunnelled EAP-GTC method must be
# rejected.  The argument closing the eap_connect() call (source line 959) is
# not in this listing; by the sibling tests it is presumably
# expect_failure=True -- confirm in the file.
952 def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
953 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
954 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
955 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
956 eap_connect(dev[0], apdev[0], "TTLS", "user",
957 anonymous_identity="ttls", password="wrong",
958 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
# Negative test: "user-no-passwd" names an account that (by its name) has no
# password configured on the test server; supplying one must not authenticate.
# The argument closing the eap_connect() call (source line 968) is not in this
# listing; by the sibling tests it is presumably expect_failure=True.
961 def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
962 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
963 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
964 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
965 eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
966 anonymous_identity="ttls", password="password",
967 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
# Server-side out-of-memory robustness for EAP-GTC inside TTLS: an allocation
# failure injected into the hostapd EAP server (alloc_fail) must make the
# authentication fail cleanly instead of crashing or hanging the server.
# Source lines 978, 989-990 and 992 are not in this listing (the argument
# closing the first eap_connect(), two lines after the second connect, and the
# body of the final GET_ALLOC_FAIL check) -- confirm them in the file.
970 def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
971 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
# int_eap_server_params() presumably configures hostapd's integrated EAP
# server, which is where alloc_fail() targets the named functions.
972 params = int_eap_server_params()
973 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Failure point 1: initialising the server-side GTC method.
974 with alloc_fail(hapd, 1, "eap_gtc_init"):
975 eap_connect(dev[0], apdev[0], "TTLS", "user",
976 anonymous_identity="ttls", password="password",
977 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
979 dev[0].request("REMOVE_NETWORK all")
# Failure point 2: building the GTC request.  wait_connect=False because the
# exchange is abandoned once the failure has been triggered.
981 with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
982 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
983 eap="TTLS", identity="user",
984 anonymous_identity="ttls", password="password",
985 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
986 wait_connect=False, scan_freq="2412")
987 # This would eventually time out, but we can stop after having reached
988 # the allocation failure.
# GET_ALLOC_FAIL presumably reports the remaining failure count first; a
# leading '0' means the injected failure was consumed.  The branch body is on
# source line 992, not shown here.
991 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5

    EAP-MD5 as the tunnelled EAP method (phase2="autheap=MD5"), followed by a
    connectivity check and a re-authentication.
    """
    check_eap_capa(dev[0], "MD5")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    # EAP-MD5 provides no server authentication and no key derivation of its
    # own; it is only acceptable here because it runs inside the TTLS tunnel
    # with the server pinned by ca_cert.
    eap_connect(sta, apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password

    Negative case: a wrong password for the tunnelled EAP-MD5 method must end
    in an EAP failure (expect_failure=True), not a connection.
    """
    check_eap_capa(dev[0], "MD5")
    ifname = apdev[0]['ifname']
    ap = hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password

    Negative case: "user-no-passwd" names an account that (by its name) has no
    password on the test server; offering one must still be rejected.
    """
    check_eap_capa(dev[0], "MD5")
    ifname = apdev[0]['ifname']
    ap = hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
# Server-side out-of-memory robustness for EAP-MD5 inside TTLS: allocation
# failures injected into the hostapd EAP server (alloc_fail) must make the
# authentication fail cleanly instead of crashing or hanging the server.
# Source lines 1045-1046 and 1048 are not in this listing (two lines after the
# second connect and the body of the final GET_ALLOC_FAIL check).
1025 def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
1026 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
1027 check_eap_capa(dev[0], "MD5")
# int_eap_server_params() presumably configures hostapd's integrated EAP
# server, which is where alloc_fail() targets the named functions.
1028 params = int_eap_server_params()
1029 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Failure point 1: initialising the server-side MD5 method.
1030 with alloc_fail(hapd, 1, "eap_md5_init"):
1031 eap_connect(dev[0], apdev[0], "TTLS", "user",
1032 anonymous_identity="ttls", password="password",
1033 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1034 expect_failure=True)
1035 dev[0].request("REMOVE_NETWORK all")
# Failure point 2: building the MD5 request.  wait_connect=False because the
# exchange is abandoned once the failure has been triggered.
1037 with alloc_fail(hapd, 1, "eap_md5_buildReq"):
1038 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1039 eap="TTLS", identity="user",
1040 anonymous_identity="ttls", password="password",
1041 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1042 wait_connect=False, scan_freq="2412")
1043 # This would eventually time out, but we can stop after having reached
1044 # the allocation failure.
# GET_ALLOC_FAIL presumably reports the remaining failure count first; a
# leading '0' means the injected failure was consumed.  The branch body is on
# source line 1048, not shown here.
1047 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2

    Positive case with EAP-MSCHAPv2 as the tunnelled EAP method
    (phase2="autheap=MSCHAPV2"), including connectivity and re-auth checks,
    followed by a negative case with a wrong password on the same station.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                 phase2="autheap=MSCHAPV2")
    eap_connect(sta, apdev[0], "TTLS", "user", password="password", **inner)
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "TTLS")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    # "password1" must be rejected; expect_failure=True flags that this
    # attempt is supposed to end in an EAP failure.
    eap_connect(sta, apdev[0], "TTLS", "user", password="password1",
                expect_failure=True, **inner)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password

    Negative case: "user-no-passwd" names an account that (by its name) has no
    password on the test server; offering one must still be rejected.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ifname = apdev[0]['ifname']
    ap = hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                expect_failure=True)
# Server-side out-of-memory robustness for EAP-MSCHAPv2 inside TTLS: an
# allocation failure is injected (alloc_fail) at four points of the hostapd
# EAP server -- method init, challenge build, success-request build and
# failure-request build -- and each must end cleanly rather than crash the
# server.  Source lines 1098-1099, 1101, 1112-1113, 1115, 1126-1127 and 1129
# (the lines after each connect and the bodies of the GET_ALLOC_FAIL checks)
# are not in this listing -- confirm them in the file.
1078 def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
1079 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
1080 check_eap_capa(dev[0], "MSCHAPV2")
# int_eap_server_params() presumably configures hostapd's integrated EAP
# server, which is where alloc_fail() targets the named functions.
1081 params = int_eap_server_params()
1082 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Failure point 1: initialising the server-side MSCHAPv2 method.
1083 with alloc_fail(hapd, 1, "eap_mschapv2_init"):
1084 eap_connect(dev[0], apdev[0], "TTLS", "user",
1085 anonymous_identity="ttls", password="password",
1086 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1087 expect_failure=True)
1088 dev[0].request("REMOVE_NETWORK all")
# Failure point 2: building the MSCHAPv2 challenge.  wait_connect=False
# because the exchange is abandoned once the failure has been triggered.
1090 with alloc_fail(hapd, 1, "eap_mschapv2_build_challenge"):
1091 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1092 eap="TTLS", identity="user",
1093 anonymous_identity="ttls", password="password",
1094 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1095 wait_connect=False, scan_freq="2412")
1096 # This would eventually time out, but we can stop after having reached
1097 # the allocation failure.
# GET_ALLOC_FAIL presumably reports the remaining failure count first; a
# leading '0' means the injected failure was consumed.
1100 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1102 dev[0].request("REMOVE_NETWORK all")
# Failure point 3: building the success request (valid credentials).
1104 with alloc_fail(hapd, 1, "eap_mschapv2_build_success_req"):
1105 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1106 eap="TTLS", identity="user",
1107 anonymous_identity="ttls", password="password",
1108 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1109 wait_connect=False, scan_freq="2412")
1110 # This would eventually time out, but we can stop after having reached
1111 # the allocation failure.
1114 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1116 dev[0].request("REMOVE_NETWORK all")
# Failure point 4: building the failure request -- reached only because the
# password is wrong, which sends the server down its failure path.
1118 with alloc_fail(hapd, 1, "eap_mschapv2_build_failure_req"):
1119 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1120 eap="TTLS", identity="user",
1121 anonymous_identity="ttls", password="wrong",
1122 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1123 wait_connect=False, scan_freq="2412")
1124 # This would eventually time out, but we can stop after having reached
1125 # the allocation failure.
1128 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1130 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA

    EAP-AKA as the tunnelled EAP method; the identity is an IMSI-style
    permanent identity and the password carries the software-USIM parameters
    (presumably Ki:OPc:SQN -- confirm against the supplicant configuration
    documentation).
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Test-only USIM secrets shipped with the hwsim setup.
    aka_password = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "TTLS", "0232010000000000",
                anonymous_identity="0232010000000000@ttls",
                password=aka_password,
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA

    Same AKA credentials as the TTLS variant, carried inside PEAP
    (phase2="auth=AKA") with a PEAP-specific anonymous outer identity.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Test-only USIM secrets shipped with the hwsim setup (presumably Ki:OPc:SQN).
    aka_password = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "PEAP", "0232010000000000",
                anonymous_identity="0232010000000000@peap",
                password=aka_password,
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA

    EAP-AKA inside EAP-FAST.  phase1 selects authenticated PAC provisioning
    (fast_provisioning=2) and the PAC is kept in a configuration blob rather
    than a file.
    """
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Test-only USIM secrets shipped with the hwsim setup (presumably Ki:OPc:SQN).
    aka_password = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "FAST", "0232010000000000",
                anonymous_identity="0232010000000000@fast",
                password=aka_password,
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2

    Four authentications of the same account on dev[0]:
      1. plaintext password, with a connectivity check and re-auth;
      2. the same with a small EAP fragment_size to force fragmentation;
      3. the password given as an NT hash (password_hex="hash:...");
      4. a wrong password, which must end in an EAP failure.
    The network block is dropped between the steps.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner = dict(anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
                 phase2="auth=MSCHAPV2")

    eap_connect(sta, apdev[0], "PEAP", "user", password="password", **inner)
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "PEAP")

    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                fragment_size="200", **inner)

    logger.info("Password as hash value")
    sta.request("REMOVE_NETWORK all")
    # The NT hash is a password-equivalent credential for MSCHAPv2.
    eap_connect(sta, apdev[0], "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **inner)

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "PEAP", "user", password="password1",
                expect_failure=True, **inner)
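def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain

    The inner identity carries a Windows-style DOMAIN-backslash-user prefix.
    The backslash is now written escaped ("DOMAIN\\\\user3" in the source):
    the original literal relied on the Python 2 byte-string rule that leaves
    unknown escapes untouched, but a backslash followed by "u" starts a
    Unicode escape in Python 3 and turns the literal into a SyntaxError.  The
    runtime value is unchanged.

    Args:
        dev: station fixtures (wpa_supplicant control objects); dev[0] is used.
        apdev: AP interface descriptors; apdev[0]['ifname'] hosts the AP.
    Raises:
        HwsimSkip: when the build has no MSCHAPV2 support (check_eap_capa).
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PEAP", "DOMAIN\\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")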
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password

    Negative case: a wrong inner password must end in an EAP failure
    (expect_failure=True) rather than a connection.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ifname = apdev[0]['ifname']
    ap = hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding

    Three stations, one per crypto_binding policy: dev[0] requires it (2),
    dev[1] treats it as optional (1) and dev[2] disables it (0).  Only dev[0]
    additionally gets a connectivity check and a re-authentication.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect(sta, binding):
        # Cryptobinding ties the inner MSCHAPv2 result to the outer TLS
        # tunnel; "2" rejects a server that cannot provide it.
        eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=" + binding,
                    phase2="auth=MSCHAPV2")

    connect(dev[0], "2")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")

    connect(dev[1], "1")
    connect(dev[2], "0")
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM

    With crypto binding required (crypto_binding=2), an allocation failure
    injected into the server's eap_mschapv2_getKey() deprives it of the key
    material the binding needs; the supplicant is expected to fail, reporting
    the error locally (local_error_report=True).
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    # int_eap_server_params() presumably enables hostapd's integrated EAP
    # server, the target of alloc_fail().
    ap = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    with alloc_fail(ap, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
# EAP-PEAPv0/v1 parameter variants on the phase1 string.  Not in this listing:
# source line 1266 (an argument of the last dev[0].connect(), between
# eap="PEAP" and anonymous_identity) and lines 1272 and 1275 (the conditions
# that precede the two raise statements -- presumably checks on ev, confirm in
# the file).
1246 def test_ap_wpa2_eap_peap_params(dev, apdev):
1247 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
1248 check_eap_capa(dev[0], "MSCHAPV2")
1249 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1250 hostapd.add_ap(apdev[0]['ifname'], params)
# PEAPv0 with peaplabel=1 is expected to fail (presumably the key-derivation
# label no longer matches the server's); the test pins that the mismatch is
# detected instead of silently producing a connection.
1251 eap_connect(dev[0], apdev[0], "PEAP", "user",
1252 anonymous_identity="peap", password="password",
1253 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1254 phase1="peapver=0 peaplabel=1",
1255 expect_failure=True)
1256 dev[0].request("REMOVE_NETWORK all")
# peap_outer_success=1 and =2 select how the outer EAP-Success is handled
# after the tunnel completes (wpa_supplicant.conf phase1 option); both are
# expected to connect.
1257 eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
1258 ca_cert="auth_serv/ca.pem",
1259 phase1="peap_outer_success=1",
1260 phase2="auth=MSCHAPV2")
1261 eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
1262 ca_cert="auth_serv/ca.pem",
1263 phase1="peap_outer_success=2",
1264 phase2="auth=MSCHAPV2")
# PEAPv1 with peaplabel=1: EAP itself must succeed (CTRL-EVENT-EAP-SUCCESS),
# yet no CTRL-EVENT-CONNECTED may follow within one second -- presumably the
# derived keys differ so the 4-way handshake cannot complete; confirm.
1265 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1267 anonymous_identity="peap", password="password",
1268 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1269 phase1="peapver=1 peaplabel=1",
1270 wait_connect=False, scan_freq="2412")
1271 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
1273 raise Exception("No EAP success seen")
1274 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
1276 raise Exception("Unexpected connection")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS

    EAP-TLS as the PEAP inner method.  The outer tunnel validates the server
    with ca_cert; the inner EAP-TLS uses the phase-2 variants (ca_cert2,
    client_cert2, private_key2) for its own certificate exchange.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    inner_tls = dict(ca_cert2="auth_serv/ca.pem",
                     client_cert2="auth_serv/user.pem",
                     private_key2="auth_serv/user.key")
    eap_connect(sta, apdev[0], "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS", **inner_tls)
    eap_reauth(sta, "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS

    Certificate-based mutual authentication: the station presents the test
    client certificate and key, and validates the server against ca_cert.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    eap_connect(sta, apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    eap_reauth(sta, "TLS")
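def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs

    Loads the CA certificate, client certificate and client key into
    wpa_supplicant configuration blobs ("SET blob <name> <hex>") and then
    references them as blob://<name> from the network block, so no file path
    is used at connection time.

    Fix: the error raised when the userkey blob could not be set said
    "cacert blob" (copy/paste), misattributing the failure; it now names the
    userkey blob.  The three SET blob steps share one helper.

    Args:
        dev: station fixtures (wpa_supplicant control objects); dev[0] is used.
        apdev: AP interface descriptors; apdev[0]['ifname'] hosts the AP.
    Raises:
        Exception: when the control interface does not answer "OK" to a
            SET blob command.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    def set_blob(name, path):
        # read_pem() presumably yields the decoded (DER) bytes; the control
        # interface takes them hex-encoded (Python 2 str.encode("hex")).
        data = read_pem(path)
        if "OK" not in dev[0].request("SET blob " + name + " " + data.encode("hex")):
            raise Exception("Could not set " + name + " blob")

    set_blob("cacert", "auth_serv/ca.pem")
    set_blob("usercert", "auth_serv/user.pem")
    # Test-only private key from the repository; in a deployment a blob holds
    # the key in the supplicant's memory/config, so it needs the same
    # protection as a key file would.
    set_blob("userkey", "auth_serv/user.rsa-key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")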
# EAP-TLS with the client certificate and key in a PKCS#12 bundle, three ways:
# passphrase given in the network block, passphrase supplied interactively via
# the CTRL-REQ-PASSPHRASE / CTRL-RSP-PASSPHRASE exchange, and a second bundle
# (user2.pkcs12).  Source line 1331 (the condition before the "timed out"
# raise, presumably a check on ev) is not in this listing.
1315 def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
1316 """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
1317 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1318 hostapd.add_ap(apdev[0]['ifname'], params)
# 1) passphrase configured up front (private_key_passwd)
1319 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1320 private_key="auth_serv/user.pkcs12",
1321 private_key_passwd="whatever")
1322 dev[0].request("REMOVE_NETWORK all")
1323 dev[0].wait_disconnected()
# 2) no passphrase configured: the supplicant must ask for it instead of
#    failing or trying an empty one.
1325 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
1326 identity="tls user",
1327 ca_cert="auth_serv/ca.pem",
1328 private_key="auth_serv/user.pkcs12",
1329 wait_connect=False, scan_freq="2412")
1330 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
1332 raise Exception("Request for private key passphrase timed out")
# The network id is taken from the request line (text before the first ':',
# last '-'-separated field) and echoed back in the response command.
1333 id = ev.split(':')[0].split('-')[-1]
1334 dev[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
1335 dev[0].wait_connected(timeout=10)
1336 dev[0].request("REMOVE_NETWORK all")
1337 dev[0].wait_disconnected()
# 3) a second PKCS#12 bundle with the same passphrase
1339 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1340 private_key="auth_serv/user2.pkcs12",
1341 private_key_passwd="whatever")
1342 dev[0].request("REMOVE_NETWORK all")
1343 dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob

    The CA certificate and a PKCS#12 bundle are stored as configuration blobs
    and referenced as blob://cacert and blob://pkcs12; the bundle passphrase
    is given through private_key_passwd.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]

    ca_data = read_pem("auth_serv/ca.pem")
    if "OK" not in sta.request("SET blob cacert " + ca_data.encode("hex")):
        raise Exception("Could not set cacert blob")

    # The PKCS#12 bundle is raw binary: read it as-is and hex-encode it for
    # the control interface (Python 2 str.encode("hex")).
    with open("auth_serv/user.pkcs12", "rb") as f:
        p12_data = f.read()
    if "OK" not in sta.request("SET blob pkcs12 " + p12_data.encode("hex")):
        raise Exception("Could not set pkcs12 blob")

    eap_connect(sta, apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
# Negative test: with a CA that did not issue the server certificate (from a
# blob on dev[0], from a file on dev[1]) the supplicant must report a TLS
# certificate error, fail EAP, disconnect and temporarily disable the network
# block.  Checking the cert error before the EAP failure is what shows the
# inner MSCHAPv2 credentials were not released to an unverified server (by
# design of the event ordering; the test inspects events, not phase-2
# traffic).  The one-line conditions preceding each "timed out" raise (source
# lines 1380, 1384, 1394, 1403, 1410, 1416) are not in this listing --
# presumably checks on ev, confirm in the file.
1359 def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
1360 """WPA2-Enterprise negative test - incorrect trust root"""
1361 check_eap_capa(dev[0], "MSCHAPV2")
1362 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1363 hostapd.add_ap(apdev[0]['ifname'], params)
1364 cert = read_pem("auth_serv/ca-incorrect.pem")
1365 if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
1366 raise Exception("Could not set cacert blob")
1367 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1368 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1369 password="password", phase2="auth=MSCHAPV2",
1370 ca_cert="blob://cacert",
1371 wait_connect=False, scan_freq="2412")
1372 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1373 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1374 password="password", phase2="auth=MSCHAPV2",
1375 ca_cert="auth_serv/ca-incorrect.pem",
1376 wait_connect=False, scan_freq="2412")
# NOTE: the loop variable rebinds the 'dev' fixture name; the tuple is built
# before the first iteration, so it works, but the shadowing is easy to
# misread.
1378 for dev in (dev[0], dev[1]):
1379 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1381 raise Exception("Association and EAP start timed out")
1383 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1385 raise Exception("EAP method selection timed out")
1386 if "TTLS" not in ev:
1387 raise Exception("Unexpected EAP method")
# Expected sequence: certificate error, then EAP failure, then disconnect.
# Any success/connect event arriving first is a test failure.
1389 ev = dev.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1390 "CTRL-EVENT-EAP-SUCCESS",
1391 "CTRL-EVENT-EAP-FAILURE",
1392 "CTRL-EVENT-CONNECTED",
1393 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1395 raise Exception("EAP result timed out")
1396 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1397 raise Exception("TLS certificate error not reported")
1399 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS",
1400 "CTRL-EVENT-EAP-FAILURE",
1401 "CTRL-EVENT-CONNECTED",
1402 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1404 raise Exception("EAP result(2) timed out")
1405 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1406 raise Exception("EAP failure not reported")
1408 ev = dev.wait_event(["CTRL-EVENT-CONNECTED",
1409 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1411 raise Exception("EAP result(3) timed out")
1412 if "CTRL-EVENT-DISCONNECTED" not in ev:
1413 raise Exception("Disconnection not reported")
# The block must be temporarily disabled so the supplicant does not keep
# retrying against a server it cannot verify.
1415 ev = dev.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1417 raise Exception("Network block disabling not reported")
# Per-network CA trust must be honoured even right after a trusted connection
# to the same server: connect with the correct CA, add a second network block
# for the same SSID that trusts a wrong CA, switch to it, and require that
# EAP-TTLS is restarted and then fails.  This presumably guards against a
# cached TLS session or an earlier server-certificate decision carrying over
# to the new block -- confirm.  Source line 1440 (the condition before the
# "not re-started" raise, presumably a check on ev) is not in this listing.
1419 def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
1420 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1421 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1422 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Block 1: correct CA, connected synchronously.
1423 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1424 identity="pap user", anonymous_identity="ttls",
1425 password="password", phase2="auth=PAP",
1426 ca_cert="auth_serv/ca.pem",
1427 wait_connect=True, scan_freq="2412")
# Block 2: same SSID and credentials, wrong CA; only added, not selected yet.
1428 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1429 identity="pap user", anonymous_identity="ttls",
1430 password="password", phase2="auth=PAP",
1431 ca_cert="auth_serv/ca-incorrect.pem",
1432 only_add_network=True, scan_freq="2412")
1434 dev[0].request("DISCONNECT")
1435 dev[0].wait_disconnected()
1436 dev[0].dump_monitor()
1437 dev[0].select_network(id, freq="2412")
# method=21 is the EAP type number of EAP-TTLS: a fresh EAP run must start.
1439 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1441 raise Exception("EAP-TTLS not re-started")
# Reason code 23 is "IEEE 802.1X authentication failed", i.e. the wrong-CA
# block must be rejected through EAP, not some other disconnect path.
1443 ev = dev[0].wait_disconnected(timeout=15)
1444 if "reason=23" not in ev:
1445 raise Exception("Proper reason code for disconnection not reported")
# Variant of test_ap_wpa2_eap_tls_diff_ca_trust: the first network block has
# no ca_cert at all, so that connection performs no server-certificate
# validation (this is the test's deliberate contrast, not a configuration to
# copy -- PAP sends the password in the tunnel, so an unverified server could
# read it).  The second block with the wrong CA must still trigger an EAP
# restart and a reason-23 disconnect.  Source line 1467 (the condition before
# the "not re-started" raise, presumably a check on ev) is not in this listing.
1447 def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
1448 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1449 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1450 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Block 1: no ca_cert -> server not validated on this connection.
1451 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1452 identity="pap user", anonymous_identity="ttls",
1453 password="password", phase2="auth=PAP",
1454 wait_connect=True, scan_freq="2412")
# Block 2: wrong CA; only added, selected below.
1455 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1456 identity="pap user", anonymous_identity="ttls",
1457 password="password", phase2="auth=PAP",
1458 ca_cert="auth_serv/ca-incorrect.pem",
1459 only_add_network=True, scan_freq="2412")
1461 dev[0].request("DISCONNECT")
1462 dev[0].wait_disconnected()
1463 dev[0].dump_monitor()
1464 dev[0].select_network(id, freq="2412")
# method=21 is the EAP type number of EAP-TTLS: a fresh EAP run must start.
1466 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1468 raise Exception("EAP-TTLS not re-started")
# Reason code 23 is "IEEE 802.1X authentication failed".
1470 ev = dev[0].wait_disconnected(timeout=15)
1471 if "reason=23" not in ev:
1472 raise Exception("Proper reason code for disconnection not reported")
# Variant of test_ap_wpa2_eap_tls_diff_ca_trust that edits the ca_cert of the
# existing network block in place (set_network_quoted) instead of adding a
# second block: the changed trust root must take effect on the next EAP run.
# Source line 1490 (the condition before the "not re-started" raise,
# presumably a check on ev) is not in this listing.
1474 def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
1475 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1476 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1477 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1478 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1479 identity="pap user", anonymous_identity="ttls",
1480 password="password", phase2="auth=PAP",
1481 ca_cert="auth_serv/ca.pem",
1482 wait_connect=True, scan_freq="2412")
1483 dev[0].request("DISCONNECT")
1484 dev[0].wait_disconnected()
1485 dev[0].dump_monitor()
# Swap the trust root of the same block to a CA that did not issue the
# server certificate, then reconnect with it.
1486 dev[0].set_network_quoted(id, "ca_cert", "auth_serv/ca-incorrect.pem")
1487 dev[0].select_network(id, freq="2412")
# method=21 is the EAP type number of EAP-TTLS: a fresh EAP run must start.
1489 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1491 raise Exception("EAP-TTLS not re-started")
# Reason code 23 is "IEEE 802.1X authentication failed".
1493 ev = dev[0].wait_disconnected(timeout=15)
1494 if "reason=23" not in ev:
1495 raise Exception("Proper reason code for disconnection not reported")
# Negative test: the CA is correct but domain_suffix_match names a domain the
# server certificate does not carry.  The supplicant must report a certificate
# error that mentions the suffix mismatch, fail EAP, disconnect and temporarily
# disable the network block -- the name check has to be enforced even when the
# chain itself validates.  The one-line conditions preceding each "timed out"
# raise (source lines 1509, 1513, 1523, 1534, 1541, 1547) are not in this
# listing -- presumably checks on ev, confirm in the file.
1497 def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
1498 """WPA2-Enterprise negative test - domain suffix mismatch"""
1499 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1500 hostapd.add_ap(apdev[0]['ifname'], params)
1501 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1502 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1503 password="password", phase2="auth=MSCHAPV2",
1504 ca_cert="auth_serv/ca.pem",
1505 domain_suffix_match="incorrect.example.com",
1506 wait_connect=False, scan_freq="2412")
1508 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1510 raise Exception("Association and EAP start timed out")
1512 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1514 raise Exception("EAP method selection timed out")
1515 if "TTLS" not in ev:
1516 raise Exception("Unexpected EAP method")
# Expected sequence: certificate error (with the mismatch reason), then EAP
# failure, then disconnect.  Any success/connect event first is a failure.
1518 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1519 "CTRL-EVENT-EAP-SUCCESS",
1520 "CTRL-EVENT-EAP-FAILURE",
1521 "CTRL-EVENT-CONNECTED",
1522 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1524 raise Exception("EAP result timed out")
1525 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1526 raise Exception("TLS certificate error not reported")
1527 if "Domain suffix mismatch" not in ev:
1528 raise Exception("Domain suffix mismatch not reported")
1530 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1531 "CTRL-EVENT-EAP-FAILURE",
1532 "CTRL-EVENT-CONNECTED",
1533 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1535 raise Exception("EAP result(2) timed out")
1536 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1537 raise Exception("EAP failure not reported")
1539 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1540 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1542 raise Exception("EAP result(3) timed out")
1543 if "CTRL-EVENT-DISCONNECTED" not in ev:
1544 raise Exception("Disconnection not reported")
# The block must be temporarily disabled rather than retried in a loop.
1546 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1548 raise Exception("Network block disabling not reported")
# Negative test: domain_match="w1.fi" requires the full domain name, so the
# server certificate (issued for a host under w1.fi, per the positive tests'
# domain_suffix_match="server.w1.fi") must be rejected with a "Domain mismatch"
# certificate error, followed by EAP failure, disconnect and a temporarily
# disabled network block.  The one-line conditions preceding each "timed out"
# raise (source lines 1562, 1566, 1576, 1587, 1594, 1600) are not in this
# listing -- presumably checks on ev, confirm in the file.
1550 def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
1551 """WPA2-Enterprise negative test - domain mismatch"""
1552 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1553 hostapd.add_ap(apdev[0]['ifname'], params)
1554 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1555 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1556 password="password", phase2="auth=MSCHAPV2",
1557 ca_cert="auth_serv/ca.pem",
1558 domain_match="w1.fi",
1559 wait_connect=False, scan_freq="2412")
1561 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1563 raise Exception("Association and EAP start timed out")
1565 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1567 raise Exception("EAP method selection timed out")
1568 if "TTLS" not in ev:
1569 raise Exception("Unexpected EAP method")
# Expected sequence: certificate error (with the mismatch reason), then EAP
# failure, then disconnect.  Any success/connect event first is a failure.
1571 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1572 "CTRL-EVENT-EAP-SUCCESS",
1573 "CTRL-EVENT-EAP-FAILURE",
1574 "CTRL-EVENT-CONNECTED",
1575 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1577 raise Exception("EAP result timed out")
1578 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1579 raise Exception("TLS certificate error not reported")
1580 if "Domain mismatch" not in ev:
1581 raise Exception("Domain mismatch not reported")
1583 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1584 "CTRL-EVENT-EAP-FAILURE",
1585 "CTRL-EVENT-CONNECTED",
1586 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1588 raise Exception("EAP result(2) timed out")
1589 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1590 raise Exception("EAP failure not reported")
1592 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1593 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1595 raise Exception("EAP result(3) timed out")
1596 if "CTRL-EVENT-DISCONNECTED" not in ev:
1597 raise Exception("Disconnection not reported")
# The block must be temporarily disabled rather than retried in a loop.
1599 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1601 raise Exception("Network block disabling not reported")
1603 def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
1604 """WPA2-Enterprise negative test - subject mismatch"""
# Same shape as the domain-mismatch test, but the constraint is a full
# subject_match DN that the server certificate is expected not to carry.
# Expected outcome: TLS certificate error with "Subject mismatch", EAP
# failure, disconnection, temporary disabling of the network block.
1605 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1606 hostapd.add_ap(apdev[0]['ifname'], params)
1607 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1608 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1609 password="password", phase2="auth=MSCHAPV2",
1610 ca_cert="auth_serv/ca.pem",
# CN=example.com is the deliberately wrong part of the expected DN.
1611 subject_match="/C=FI/O=w1.fi/CN=example.com",
1612 wait_connect=False, scan_freq="2412")
1614 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1616 raise Exception("Association and EAP start timed out")
# TLS libraries other than OpenSSL may not support subject_match at all; in
# that case the method fails to initialise, which is still a safe (closed)
# outcome and the test ends there.  With OpenSSL the same event is a bug.
1618 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
1619 "EAP: Failed to initialize EAP method"], timeout=10)
1621 raise Exception("EAP method selection timed out")
1622 if "EAP: Failed to initialize EAP method" in ev:
1623 tls = dev[0].request("GET tls_library")
1624 if tls.startswith("OpenSSL"):
1625 raise Exception("Failed to select EAP method")
# Presumably followed by an early return (not shown in this listing).
1626 logger.info("subject_match not supported - connection failed, so test succeeded")
1628 if "TTLS" not in ev:
1629 raise Exception("Unexpected EAP method")
1631 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1632 "CTRL-EVENT-EAP-SUCCESS",
1633 "CTRL-EVENT-EAP-FAILURE",
1634 "CTRL-EVENT-CONNECTED",
1635 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1637 raise Exception("EAP result timed out")
1638 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1639 raise Exception("TLS certificate error not reported")
1640 if "Subject mismatch" not in ev:
1641 raise Exception("Subject mismatch not reported")
1643 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1644 "CTRL-EVENT-EAP-FAILURE",
1645 "CTRL-EVENT-CONNECTED",
1646 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1648 raise Exception("EAP result(2) timed out")
1649 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1650 raise Exception("EAP failure not reported")
1652 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1653 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1655 raise Exception("EAP result(3) timed out")
1656 if "CTRL-EVENT-DISCONNECTED" not in ev:
1657 raise Exception("Disconnection not reported")
1659 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1661 raise Exception("Network block disabling not reported")
1663 def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
1664 """WPA2-Enterprise negative test - altsubject mismatch"""
# Driver: one AP, then the per-value negative check is run for each
# altsubject_match form in `tests` (a bare name and a DNS:-prefixed name are
# visible here; the list continues with further entries not shown in this
# listing).
1665 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1666 hostapd.add_ap(apdev[0]['ifname'], params)
1668 tests = [ "incorrect.example.com",
1669 "DNS:incorrect.example.com",
# Loop header over `tests` (presumably `for match in tests:`) precedes this call.
1673 _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
# Run one altsubject_match negative case against the already-configured AP.
#
# match: the altsubject_match value to configure on the network block; it is
#        expected not to match any subjectAltName of the server certificate.
# Raises Exception if the supplicant does not report the TLS certificate
# error ("AltSubject mismatch"), EAP failure, disconnection and temporary
# disabling of the network block, in that order.  The network block is
# removed at the end so the caller can run the next value.
1675 def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
1676 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1677 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1678 password="password", phase2="auth=MSCHAPV2",
1679 ca_cert="auth_serv/ca.pem",
1680 altsubject_match=match,
1681 wait_connect=False, scan_freq="2412")
1683 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1685 raise Exception("Association and EAP start timed out")
# As in the subject_match test: a non-OpenSSL build may not support the
# option; failing to initialise the method is accepted there, but is a bug
# with OpenSSL.
1687 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
1688 "EAP: Failed to initialize EAP method"], timeout=10)
1690 raise Exception("EAP method selection timed out")
1691 if "EAP: Failed to initialize EAP method" in ev:
1692 tls = dev[0].request("GET tls_library")
1693 if tls.startswith("OpenSSL"):
1694 raise Exception("Failed to select EAP method")
1695 logger.info("altsubject_match not supported - connection failed, so test succeeded")
1697 if "TTLS" not in ev:
1698 raise Exception("Unexpected EAP method")
1700 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1701 "CTRL-EVENT-EAP-SUCCESS",
1702 "CTRL-EVENT-EAP-FAILURE",
1703 "CTRL-EVENT-CONNECTED",
1704 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1706 raise Exception("EAP result timed out")
1707 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1708 raise Exception("TLS certificate error not reported")
1709 if "AltSubject mismatch" not in ev:
1710 raise Exception("altsubject mismatch not reported")
1712 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1713 "CTRL-EVENT-EAP-FAILURE",
1714 "CTRL-EVENT-CONNECTED",
1715 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1717 raise Exception("EAP result(2) timed out")
1718 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1719 raise Exception("EAP failure not reported")
1721 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1722 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1724 raise Exception("EAP result(3) timed out")
1725 if "CTRL-EVENT-DISCONNECTED" not in ev:
1726 raise Exception("Disconnection not reported")
1728 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1730 raise Exception("Network block disabling not reported")
# Clean up so the next `match` value starts from an empty configuration.
1732 dev[0].request("REMOVE_NETWORK all")
1734 def test_ap_wpa2_eap_unauth_tls(dev, apdev):
1735 """WPA2-Enterprise connection using UNAUTH-TLS"""
# Positive test: the UNAUTH-TLS method (server-only certificate
# authentication, no client certificate) connects with the test CA, and a
# forced re-authentication also succeeds.
1736 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1737 hostapd.add_ap(apdev[0]['ifname'], params)
1738 eap_connect(dev[0], apdev[0], "UNAUTH-TLS", "unauth-tls",
1739 ca_cert="auth_serv/ca.pem")
1740 eap_reauth(dev[0], "UNAUTH-TLS")
1742 def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
1743 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
# Exercises certificate pinning by hash instead of CA validation, in three
# steps: (1) probe mode discovers the server certificate's hash without
# completing authentication, (2) a wrong pinned hash is rejected with
# "Server certificate mismatch", (3) the correct pinned hash connects.
# Pinning replaces chain validation entirely, so a wrong hash must fail
# closed and the probe must never complete the EAP exchange.
1744 check_cert_probe_support(dev[0])
1745 skip_with_fips(dev[0])
# Expected SHA-256 fingerprint of the test AP's server certificate; it is
# compared against the hash= field of the depth=0 peer-certificate event.
1746 srv_cert_hash = "1477c9cd88391609444b83eca45c4f9f324e3051c5c31fc233ac6aede30ce7cd"
1747 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1748 hostapd.add_ap(apdev[0]['ifname'], params)
# Step 1: ca_cert="probe://" only reports the certificate chain; no password
# is configured, so nothing sensitive can be sent during the probe.
1749 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1750 identity="probe", ca_cert="probe://",
1751 wait_connect=False, scan_freq="2412")
1752 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1754 raise Exception("Association and EAP start timed out")
1755 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
1757 raise Exception("No peer server certificate event seen")
1758 if "hash=" + srv_cert_hash not in ev:
1759 raise Exception("Expected server certificate hash not reported")
# The probe is expected to terminate with a certificate error, not a success.
1760 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
1762 raise Exception("EAP result timed out")
1763 if "Server certificate chain probe" not in ev:
1764 raise Exception("Server certificate probe not reported")
1765 dev[0].wait_disconnected(timeout=10)
1766 dev[0].request("REMOVE_NETWORK all")
# Step 2: a syntactically valid but wrong SHA-256 pin must be rejected.
1768 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1769 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1770 password="password", phase2="auth=MSCHAPV2",
1771 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
1772 wait_connect=False, scan_freq="2412")
1773 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1775 raise Exception("Association and EAP start timed out")
1776 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
1778 raise Exception("EAP result timed out")
1779 if "Server certificate mismatch" not in ev:
1780 raise Exception("Server certificate mismatch not reported")
1781 dev[0].wait_disconnected(timeout=10)
1782 dev[0].request("REMOVE_NETWORK all")
# Step 3: the pin discovered in step 1 authenticates the server and the
# connection completes.
1784 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
1785 anonymous_identity="ttls", password="password",
1786 ca_cert="hash://server/sha256/" + srv_cert_hash,
1787 phase2="auth=MSCHAPV2")
1789 def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
1790 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
# Three malformed hash:// pins are configured on three stations.  Each must
# make EAP-TTLS fail to initialise rather than silently fall back to no
# server verification: an unsupported hash algorithm (md5), a SHA-256 value
# that is too short (62 hex digits), and a value containing a non-hex
# character ('Q').
1791 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1792 hostapd.add_ap(apdev[0]['ifname'], params)
# dev[0]: md5 is not an accepted pin algorithm.
1793 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1794 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1795 password="password", phase2="auth=MSCHAPV2",
1796 ca_cert="hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
1797 wait_connect=False, scan_freq="2412")
# dev[1]: truncated SHA-256 value.
1798 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1799 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1800 password="password", phase2="auth=MSCHAPV2",
1801 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
1802 wait_connect=False, scan_freq="2412")
# dev[2]: correct length but not valid hex.
1803 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1804 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1805 password="password", phase2="auth=MSCHAPV2",
1806 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
1807 wait_connect=False, scan_freq="2412")
# All three stations must report the method initialisation failure (EAP type
# 21 is TTLS) after EAP has started.
1808 for i in range(0, 3):
1809 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1811 raise Exception("Association and EAP start timed out")
1812 ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
1814 raise Exception("Did not report EAP method initialization failure")
1816 def test_ap_wpa2_eap_pwd(dev, apdev):
1817 """WPA2-Enterprise connection using EAP-pwd"""
# Positive EAP-pwd connection and re-authentication, a connection with an
# overlong identity (the trailing keyword arguments of those calls are not
# shown in this listing), and a negative case with a wrong password that
# must end in a locally reported failure.
1818 check_eap_capa(dev[0], "PWD")
1819 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1820 hostapd.add_ap(apdev[0]['ifname'], params)
1821 eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
1822 eap_reauth(dev[0], "PWD")
1823 dev[0].request("REMOVE_NETWORK all")
# Long identity: exercises identity handling beyond a single small frame.
1825 eap_connect(dev[1], apdev[0], "PWD",
1826 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1827 password="secret password",
# Wrong password ("secret-password" vs "secret password") must fail; the
# password-authenticated key exchange must not leak which side was wrong.
1830 logger.info("Negative test with incorrect password")
1831 eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
1832 expect_failure=True, local_error_report=True)
1834 eap_connect(dev[0], apdev[0], "PWD",
1835 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1836 password="secret password",
1839 def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
1840 """WPA2-Enterprise connection using EAP-pwd and NTHash"""
# The "pwd-hash" user is provisioned on the server with a password hash.
# dev[0] authenticates with the plaintext password, dev[1] with the
# equivalent NT hash given as password_hex="hash:...".  Note that the hash
# is a password-equivalent credential: anyone holding it can authenticate,
# so it must be protected like the password itself.  dev[2] shows the hash
# does not work for a different user ("pwd user") and must fail.
1841 check_eap_capa(dev[0], "PWD")
1842 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1843 hostapd.add_ap(apdev[0]['ifname'], params)
1844 eap_connect(dev[0], apdev[0], "PWD", "pwd-hash", password="secret password")
1845 eap_connect(dev[1], apdev[0], "PWD", "pwd-hash",
1846 password_hex="hash:e3718ece8ab74792cbbfffd316d2d19a")
1847 eap_connect(dev[2], apdev[0], "PWD", "pwd user",
1848 password_hex="hash:e3718ece8ab74792cbbfffd316d2d19a",
1849 expect_failure=True, local_error_report=True)
1851 def test_ap_wpa2_eap_pwd_groups(dev, apdev):
1852 """WPA2-Enterprise connection using various EAP-pwd groups"""
# Reconfigures the AP once per finite-cyclic group and checks EAP-pwd
# connects with each.  The numbers are IANA IKE group identifiers: 19, 20, 21
# are the NIST P-256/P-384/P-521 curves; 25 and 26 are the 192- and 224-bit
# random ECP groups, which offer less than 128-bit security and are tested
# for interoperability rather than recommended for deployment.
1853 check_eap_capa(dev[0], "PWD")
1854 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
1855 "rsn_pairwise": "CCMP", "ieee8021x": "1",
1856 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
1857 for i in [ 19, 20, 21, 25, 26 ]:
1858 params['pwd_group'] = str(i)
1859 hostapd.add_ap(apdev[0]['ifname'], params)
# Drop the previous iteration's network block so each group is negotiated
# from a fresh configuration.
1860 dev[0].request("REMOVE_NETWORK all")
1861 eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
1863 def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
1864 """WPA2-Enterprise connection using invalid EAP-pwd group"""
# Server configured with pwd_group "0", which is not a valid group: the
# exchange must end in an EAP failure rather than a connection.
1865 check_eap_capa(dev[0], "PWD")
1866 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
1867 "rsn_pairwise": "CCMP", "ieee8021x": "1",
1868 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
1869 params['pwd_group'] = "0"
1870 hostapd.add_ap(apdev[0]['ifname'], params)
1871 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
1872 identity="pwd user", password="secret password",
1873 scan_freq="2412", wait_connect=False)
# No explicit timeout here: wait_event()'s default applies (value not visible
# in this file).
1874 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
1876 raise Exception("Timeout on EAP failure report")
1878 def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
1879 """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
# Server-side fragmentation: fragment_size "40" forces the hostapd EAP
# server to split EAP-pwd messages into small fragments, which the client
# must reassemble before the exchange can complete.
1880 check_eap_capa(dev[0], "PWD")
# NOTE(review): this wpa2_eap_params() result is overwritten on the next
# line; the assignment is dead.
1881 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1882 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
1883 "rsn_pairwise": "CCMP", "ieee8021x": "1",
1884 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
1885 "pwd_group": "19", "fragment_size": "40" }
1886 hostapd.add_ap(apdev[0]['ifname'], params)
1887 eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
1889 def test_ap_wpa2_eap_gpsk(dev, apdev):
1890 """WPA2-Enterprise connection using EAP-GPSK"""
# EAP-GPSK with a 32-character pre-shared key: default negotiation, forced
# cipher suite selection via phase1 (RFC 5433 suite 1 = AES based, 2 =
# SHA-256 based), a rejected unknown suite, and a wrong-key negative case.
1891 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1892 hostapd.add_ap(apdev[0]['ifname'], params)
1893 id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
1894 password="abcdefghijklmnop0123456789abcdef")
1895 eap_reauth(dev[0], "GPSK")
# Changing phase1 on the live network block is expected to trigger a new EAP
# exchange; each forced suite must authenticate and reconnect.
1897 logger.info("Test forced algorithm selection")
1898 for phase1 in [ "cipher=1", "cipher=2" ]:
1899 dev[0].set_network_quoted(id, "phase1", phase1)
1900 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
1902 raise Exception("EAP success timed out")
1903 dev[0].wait_connected(timeout=10)
# cipher=9 is not an assigned suite; negotiation must fail, not fall back.
1905 logger.info("Test failed algorithm negotiation")
1906 dev[0].set_network_quoted(id, "phase1", "cipher=9")
1907 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
1909 raise Exception("EAP failure timed out")
# Key differing only in its first byte ("ff" vs "ab") must be rejected.
1911 logger.info("Negative test with incorrect password")
1912 dev[0].request("REMOVE_NETWORK all")
1913 eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
1914 password="ffcdefghijklmnop0123456789abcdef",
1915 expect_failure=True)
1917 def test_ap_wpa2_eap_sake(dev, apdev):
1918 """WPA2-Enterprise connection using EAP-SAKE"""
# EAP-SAKE with a 32-byte hex root secret: connection, re-authentication,
# and a negative case whose secret differs in the first byte only.
1919 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1920 hostapd.add_ap(apdev[0]['ifname'], params)
1921 eap_connect(dev[0], apdev[0], "SAKE", "sake user",
1922 password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
1923 eap_reauth(dev[0], "SAKE")
1925 logger.info("Negative test with incorrect password")
1926 dev[0].request("REMOVE_NETWORK all")
1927 eap_connect(dev[0], apdev[0], "SAKE", "sake user",
1928 password_hex="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
1929 expect_failure=True)
1931 def test_ap_wpa2_eap_eke(dev, apdev):
1932 """WPA2-Enterprise connection using EAP-EKE"""
# EAP-EKE (password-authenticated key exchange): default negotiation, a set
# of forced dhgroup/encr/prf/mac proposals the server is expected to accept,
# one proposal with unassigned values that must be rejected, and a wrong
# password negative case.
1933 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1934 hostapd.add_ap(apdev[0]['ifname'], params)
1935 id = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
1936 eap_reauth(dev[0], "EKE")
# Updating phase1 on the live network block is expected to start a new EAP
# exchange with the forced proposal.
1938 logger.info("Test forced algorithm selection")
1939 for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
1940 "dhgroup=4 encr=1 prf=2 mac=2",
1941 "dhgroup=3 encr=1 prf=2 mac=2",
1942 "dhgroup=3 encr=1 prf=1 mac=1" ]:
1943 dev[0].set_network_quoted(id, "phase1", phase1)
1944 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
1946 raise Exception("EAP success timed out")
1947 dev[0].wait_connected(timeout=10)
# Value 9 is not assigned for any of the four parameters; the server must
# refuse rather than pick something else.
1949 logger.info("Test failed algorithm negotiation")
1950 dev[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
1951 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
1953 raise Exception("EAP failure timed out")
1955 logger.info("Negative test with incorrect password")
1956 dev[0].request("REMOVE_NETWORK all")
1957 eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
1958 expect_failure=True)
1960 def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
1961 """WPA2-Enterprise connection using EAP-EKE with serverid NAI"""
# Server identity given in NAI form (user@realm) rather than a bare name;
# the client must still complete EAP-EKE against it.
1962 params = int_eap_server_params()
1963 params['server_id'] = 'example.server@w1.fi'
1964 hostapd.add_ap(apdev[0]['ifname'], params)
1965 eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
1967 def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
1968 """WPA2-Enterprise connection using EAP-EKE with server OOM"""
# Fault injection on the hostapd side: the alloc_fail() context makes the
# N-th allocation inside the named function fail.  The test checks that a
# memory failure in each EAP-EKE server step leads to an orderly EAP failure
# (never a crash or an accidental success) and that every injected failure
# point was actually reached.
1969 params = int_eap_server_params()
1970 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1971 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
# First group: failures in the message build/process steps; each attempt must
# end with an EAP failure on the client.
1973 for count,func in [ (1, "eap_eke_build_commit"),
1974 (2, "eap_eke_build_commit"),
1975 (3, "eap_eke_build_commit"),
1976 (1, "eap_eke_build_confirm"),
1977 (2, "eap_eke_build_confirm"),
1978 (1, "eap_eke_process_commit"),
1979 (2, "eap_eke_process_commit"),
1980 (1, "eap_eke_process_confirm"),
1981 (1, "eap_eke_process_identity"),
1982 (2, "eap_eke_process_identity"),
1983 (3, "eap_eke_process_identity"),
1984 (4, "eap_eke_process_identity") ]:
1985 with alloc_fail(hapd, count, func):
1986 eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello",
1987 expect_failure=True)
1988 dev[0].request("REMOVE_NETWORK all")
# Second group: failures in setup, key derivation and message framing.  The
# "wrong" password for eap_eke_build_failure steers the server onto the
# failure-message path so that function is actually executed.
1990 for count,func,pw in [ (1, "eap_eke_init", "hello"),
1991 (1, "eap_eke_get_session_id", "hello"),
1992 (1, "eap_eke_getKey", "hello"),
1993 (1, "eap_eke_build_msg", "hello"),
1994 (1, "eap_eke_build_failure", "wrong"),
1995 (1, "eap_eke_build_identity", "hello"),
1996 (2, "eap_eke_build_identity", "hello") ]:
1997 with alloc_fail(hapd, count, func):
1998 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1999 eap="EKE", identity="eke user", password=pw,
2000 wait_connect=False, scan_freq="2412")
2001 # This would eventually time out, but we can stop after having
2002 # reached the allocation failure.
# Polling loop (header not shown in this listing): GET_ALLOC_FAIL starting
# with '0' means the pending failure count has dropped to zero, i.e. the
# injected failure fired.
2005 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2007 dev[0].request("REMOVE_NETWORK all")
# Third group: walk the generic server state machine step, failing the
# count-th allocation for increasing count until alloc_fail reports that the
# failure no longer triggers (no more allocations on that path).
2009 for count in range(1, 1000):
2011 with alloc_fail(hapd, count, "eap_server_sm_step"):
2012 dev[0].connect("test-wpa2-eap",
2013 key_mgmt="WPA-EAP WPA-EAP-SHA256",
2014 eap="EKE", identity="eke user", password=pw,
2015 wait_connect=False, scan_freq="2412")
2016 # This would eventually time out, but we can stop after having
2017 # reached the allocation failure.
2020 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2022 dev[0].request("REMOVE_NETWORK all")
# NOTE: `except Exception, e:` is Python 2 only syntax (Python 3 requires
# `except Exception as e:`).
2023 except Exception, e:
# Once the injection point is beyond the last allocation the loop is done;
# a guard on `count` (line not shown in this listing) presumably ensures a
# minimum number of failure points were exercised first.
2024 if str(e) == "Allocation failure did not trigger":
2026 raise Exception("Too few allocation failures")
2027 logger.info("%d allocation failures tested" % (count - 1))
2031 def test_ap_wpa2_eap_ikev2(dev, apdev):
2032 """WPA2-Enterprise connection using EAP-IKEv2"""
# EAP-IKEv2 with a shared password: connection and re-authentication, the
# same with client-side fragmentation (fragment_size="50"), and a wrong
# password negative case.
2033 check_eap_capa(dev[0], "IKEV2")
2034 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2035 hostapd.add_ap(apdev[0]['ifname'], params)
2036 eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
2037 password="ike password")
2038 eap_reauth(dev[0], "IKEV2")
2039 dev[0].request("REMOVE_NETWORK all")
2040 eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
2041 password="ike password", fragment_size="50")
2043 logger.info("Negative test with incorrect password")
2044 dev[0].request("REMOVE_NETWORK all")
2045 eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
2046 password="ike-password", expect_failure=True)
2048 def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
2049 """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation"""
# Server-side fragmentation: hostapd splits EAP-IKEv2 messages at
# fragment_size 50; the client must reassemble them and still re-authenticate.
2050 check_eap_capa(dev[0], "IKEV2")
# NOTE(review): the wpa2_eap_params() result is overwritten on the next line;
# this assignment is dead.
2051 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2052 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2053 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2054 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
2055 "fragment_size": "50" }
2056 hostapd.add_ap(apdev[0]['ifname'], params)
2057 eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
2058 password="ike password")
2059 eap_reauth(dev[0], "IKEV2")
2061 def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
2062 """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
# Client-side fault injection in the Diffie-Hellman code used by EAP-IKEv2:
# allocation failures (alloc_fail) and a simulated random-number failure
# (fail_test).  Each case only verifies that the method was selected and the
# injected failure point was reached; the resulting EAP outcome is not
# asserted here.
2063 check_eap_capa(dev[0], "IKEV2")
2064 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2065 hostapd.add_ap(apdev[0]['ifname'], params)
# `tests` continues with at least one more entry not shown in this listing.
2067 tests = [ (1, "dh_init"),
2069 (1, "dh_derive_shared") ]
2070 for count, func in tests:
2071 with alloc_fail(dev[0], count, func):
2072 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2073 identity="ikev2 user", password="ike password",
2074 wait_connect=False, scan_freq="2412")
2075 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2077 raise Exception("EAP method not selected")
# Polling loop (header not shown): "0:" in GET_ALLOC_FAIL means the pending
# failure count reached zero, i.e. the injected allocation failure fired.
2079 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2082 dev[0].request("REMOVE_NETWORK all")
# RNG failure inside dh_init: a DH exchange must not proceed with missing
# randomness, so the code path after a failed os_get_random() is exercised.
2084 tests = [ (1, "os_get_random;dh_init") ]
2085 for count, func in tests:
2086 with fail_test(dev[0], count, func):
2087 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2088 identity="ikev2 user", password="ike password",
2089 wait_connect=False, scan_freq="2412")
2090 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2092 raise Exception("EAP method not selected")
# Same polling idea as above, on the GET_FAIL counter.
2094 if "0:" in dev[0].request("GET_FAIL"):
2097 dev[0].request("REMOVE_NETWORK all")
2099 def test_ap_wpa2_eap_pax(dev, apdev):
2100 """WPA2-Enterprise connection using EAP-PAX"""
# EAP-PAX with a 16-byte hex key: connection, re-authentication, and a
# negative case whose key differs in the first byte only.
2101 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2102 hostapd.add_ap(apdev[0]['ifname'], params)
2103 eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
2104 password_hex="0123456789abcdef0123456789abcdef")
2105 eap_reauth(dev[0], "PAX")
2107 logger.info("Negative test with incorrect password")
2108 dev[0].request("REMOVE_NETWORK all")
2109 eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
2110 password_hex="ff23456789abcdef0123456789abcdef",
2111 expect_failure=True)
2113 def test_ap_wpa2_eap_psk(dev, apdev):
2114 """WPA2-Enterprise connection using EAP-PSK"""
# EAP-PSK on an AP that only offers the SHA-256 802.1X AKM and requires
# management frame protection (ieee80211w=2).  Checks the negotiated AKM via
# the MIB and the advertised BSS flags, then a wrong-key negative case.
2115 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2116 params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
2117 params["ieee80211w"] = "2"
2118 hostapd.add_ap(apdev[0]['ifname'], params)
2119 eap_connect(dev[0], apdev[0], "PSK", "psk.user@example.com",
2120 password_hex="0123456789abcdef0123456789abcdef", sha256=True)
2121 eap_reauth(dev[0], "PSK", sha256=True)
# 00-0f-ac-5 is the IEEE 802.1X-with-SHA-256 AKM suite selector; both the
# requested and the selected suite must be that one.
2122 check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
2123 ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5") ])
2125 bss = dev[0].get_bss(apdev[0]['bssid'])
2126 if 'flags' not in bss:
2127 raise Exception("Could not get BSS flags from BSS table")
2128 if "[WPA2-EAP-SHA256-CCMP]" not in bss['flags']:
2129 raise Exception("Unexpected BSS flags: " + bss['flags'])
2131 logger.info("Negative test with incorrect password")
2132 dev[0].request("REMOVE_NETWORK all")
2133 eap_connect(dev[0], apdev[0], "PSK", "psk.user@example.com",
2134 password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
2135 expect_failure=True)
2137 def test_ap_wpa2_eap_psk_oom(dev, apdev):
2138 """WPA2-Enterprise connection using EAP-PSK and OOM"""
# Client-side allocation failures inside the AES-EAX / OMAC1 primitives that
# EAP-PSK relies on.  The "a;b" form targets function a when called from b,
# and the "=f" form targets f itself.  For the listed points only reaching
# the failure is checked; the final aes_128_encrypt_block case additionally
# requires the method to report an EAP failure, i.e. a crypto primitive
# failing must abort authentication rather than continue.
2139 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2140 hostapd.add_ap(apdev[0]['ifname'], params)
2141 tests = [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
2142 (1, "omac1_aes_128;aes_128_eax_encrypt"),
2143 (2, "omac1_aes_128;aes_128_eax_encrypt"),
2144 (3, "omac1_aes_128;aes_128_eax_encrypt"),
2145 (1, "=aes_128_eax_encrypt"),
2146 (1, "omac1_aes_vector"),
2147 (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt"),
2148 (1, "omac1_aes_128;aes_128_eax_decrypt"),
2149 (2, "omac1_aes_128;aes_128_eax_decrypt"),
2150 (3, "omac1_aes_128;aes_128_eax_decrypt"),
2151 (1, "=aes_128_eax_decrypt") ]
2152 for count, func in tests:
2153 with alloc_fail(dev[0], count, func):
2154 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2155 identity="psk.user@example.com",
2156 password_hex="0123456789abcdef0123456789abcdef",
2157 wait_connect=False, scan_freq="2412")
2158 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2160 raise Exception("EAP method not selected")
# Polling loop (header not shown): "0:" in GET_ALLOC_FAIL means the injected
# failure has fired.
2162 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2165 dev[0].request("REMOVE_NETWORK all")
# Block-cipher failure must surface as an EAP failure.
2167 with alloc_fail(dev[0], 1, "aes_128_encrypt_block"):
2168 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2169 identity="psk.user@example.com",
2170 password_hex="0123456789abcdef0123456789abcdef",
2171 wait_connect=False, scan_freq="2412")
2172 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2174 raise Exception("EAP method failure not reported")
2175 dev[0].request("REMOVE_NETWORK all")
2177 def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
2178 """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
# Legacy WPA (not WPA2/RSN) with PEAP/MSCHAPv2: connectivity, re-auth, the
# WPA-vendor AKM selector in the MIB, and a few STATUS-VERBOSE fields.
2179 check_eap_capa(dev[0], "MSCHAPV2")
2180 params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
2181 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# The trailing keyword argument(s) of this connect() call are not shown in
# this listing.
2182 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
2183 identity="user", password="password", phase2="auth=MSCHAPV2",
2184 ca_cert="auth_serv/ca.pem", wait_connect=False,
2186 eap_check_auth(dev[0], "PEAP", True, rsn=False)
2187 hwsim_utils.test_connectivity(dev[0], hapd)
2188 eap_reauth(dev[0], "PEAP", rsn=False)
# 00-50-f2-1 is the WPA (Microsoft OUI) 802.1X AKM selector, as opposed to
# the 00-0f-ac RSN selectors used by the WPA2 tests.
2189 check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
2190 ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
2191 status = dev[0].get_status(extra="VERBOSE")
2192 if 'portControl' not in status:
2193 raise Exception("portControl missing from STATUS-VERBOSE")
2194 if status['portControl'] != 'Auto':
2195 raise Exception("Unexpected portControl value: " + status['portControl'])
2196 if 'eap_session_id' not in status:
2197 raise Exception("eap_session_id missing from STATUS-VERBOSE")
# The Session-Id is expected to start with byte 0x19 (= 25, the EAP-PEAP
# method type), presumably because the method type code prefixes it.
2198 if not status['eap_session_id'].startswith("19"):
2199 raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
2201 def test_ap_wpa2_eap_interactive(dev, apdev):
2202 """WPA2-Enterprise connection using interactive identity/password entry"""
# Credentials left out of the network block are requested by wpa_supplicant
# over the control interface (CTRL-REQ-IDENTITY / CTRL-REQ-PASSWORD /
# CTRL-REQ-OTP) and answered with the matching CTRL-RSP-* command.  Each
# tuple is (description, eap, anonymous_identity, identity, phase2,
# identity-to-supply, password-to-supply); None means "not requested" /
# "not configured".
2203 check_eap_capa(dev[0], "MSCHAPV2")
2204 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2205 hostapd.add_ap(apdev[0]['ifname'], params)
2206 hapd = hostapd.Hostapd(apdev[0]['ifname'])
# The first tuple's trailing two elements are not shown in this listing.
2208 tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
2209 "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
2211 ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
2212 "TTLS", "ttls", None, "auth=MSCHAPV2",
2213 "DOMAIN\mschapv2 user", "password"),
2214 ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
2215 "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
2216 ("Connection with dynamic TTLS/EAP-MD5 password entry",
2217 "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
2218 ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
2219 "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
2220 ("Connection with dynamic PEAP/EAP-GTC password entry",
2221 "PEAP", None, "user", "auth=GTC", None, "password") ]
2222 for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
2224 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
2225 anonymous_identity=anon, identity=identity,
2226 ca_cert="auth_serv/ca.pem", phase2=phase2,
2227 wait_connect=False, scan_freq="2412")
# Identity request: presumably only entered when req_id is set (the guard
# line is not shown), since "..." + None would raise TypeError.  The
# request id is the last '-'-separated token before the ':' in the event.
2229 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
2231 raise Exception("Request for identity timed out")
# NOTE: `id` and, below, `type` shadow Python builtins.
2232 id = ev.split(':')[0].split('-')[-1]
2233 dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
# The password may be requested as PASSWORD or as OTP (GTC case); the
# response command must use the same keyword.
2234 ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
2236 raise Exception("Request for password timed out")
2237 id = ev.split(':')[0].split('-')[-1]
2238 type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
2239 dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
2240 dev[0].wait_connected(timeout=10)
2241 dev[0].request("REMOVE_NETWORK all")
2243 def test_ap_wpa2_eap_vendor_test(dev, apdev):
2244 """WPA2-Enterprise connection using EAP vendor test"""
# The VENDOR-TEST method is a hwsim-only vendor-specific EAP method used to
# exercise the expanded-type code paths; the second call's trailing keyword
# argument(s) are not shown in this listing.
2245 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2246 hostapd.add_ap(apdev[0]['ifname'], params)
2247 eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
2248 eap_reauth(dev[0], "VENDOR-TEST")
2249 eap_connect(dev[1], apdev[0], "VENDOR-TEST", "vendor-test",
2252 def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
2253 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
# EAP-FAST with fast_provisioning=1 (unauthenticated, anonymous-DH PAC
# provisioning): the first connection obtains a PAC into the "fast_pac"
# blob, and the re-authentication must resume the TLS session from that PAC
# (tls_session_reused == '1').  Unauthenticated provisioning does not verify
# the server during the provisioning exchange, which is why the positive
# check here is specifically that the PAC is then used.
2254 check_eap_capa(dev[0], "FAST")
2255 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2256 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2257 eap_connect(dev[0], apdev[0], "FAST", "user",
2258 anonymous_identity="FAST", password="password",
2259 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2260 phase1="fast_provisioning=1", pac_file="blob://fast_pac")
2261 hwsim_utils.test_connectivity(dev[0], hapd)
2262 res = eap_reauth(dev[0], "FAST")
2263 if res['tls_session_reused'] != '1':
2264 raise Exception("EAP-FAST could not use PAC session ticket")
2266 def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
2267 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
# EAP-FAST with the PAC stored in files under the test log directory, in the
# default text format (dev[0]) and in binary format (dev[1]).  After
# provisioning, the text file must carry the version-1 header and a PAC-Key
# entry; a second connection then uses the stored PAC.  The PAC-Key is the
# secret that authenticates later sessions, so a PAC file is credential
# material and should be protected accordingly.
2268 check_eap_capa(dev[0], "FAST")
# `params` here is the hwsim test parameter dict (logdir); it is rebound to
# the AP parameters two lines later, which is a little confusing.
2269 pac_file = os.path.join(params['logdir'], "fast.pac")
2270 pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
2271 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2272 hostapd.add_ap(apdev[0]['ifname'], params)
# Provisioning run (text format) - presumably inside a try/finally whose
# opening lines are not shown in this listing.
2275 eap_connect(dev[0], apdev[0], "FAST", "user",
2276 anonymous_identity="FAST", password="password",
2277 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2278 phase1="fast_provisioning=1", pac_file=pac_file)
# The file read into `data` (line not shown) is checked for the header and
# the PAC-Key field.
2279 with open(pac_file, "r") as f:
2281 if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
2282 raise Exception("PAC file header missing")
2283 if "PAC-Key=" not in data:
2284 raise Exception("PAC-Key missing from PAC file")
2285 dev[0].request("REMOVE_NETWORK all")
# Second connection without provisioning: the stored PAC must be used.
2286 eap_connect(dev[0], apdev[0], "FAST", "user",
2287 anonymous_identity="FAST", password="password",
2288 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
# Same sequence with the binary PAC format on dev[1].
2291 eap_connect(dev[1], apdev[0], "FAST", "user",
2292 anonymous_identity="FAST", password="password",
2293 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2294 phase1="fast_provisioning=1 fast_pac_format=binary",
2296 dev[1].request("REMOVE_NETWORK all")
2297 eap_connect(dev[1], apdev[0], "FAST", "user",
2298 anonymous_identity="FAST", password="password",
2299 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2300 phase1="fast_pac_format=binary",
# Cleanup of the on-disk PAC files (only the second removal is visible in
# this listing); removing them matters because they hold live credentials.
2308 os.remove(pac_file2)
2312 def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
"""WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
2326 def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
2327 """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
2328 check_eap_capa(dev[0], "FAST")
2329 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2330 hostapd.add_ap(apdev[0]['ifname'], params)
2332 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2333 identity="user", anonymous_identity="FAST",
2334 password="password",
2335 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2336 pac_file="blob://fast_pac_not_in_use",
2337 wait_connect=False, scan_freq="2412")
2338 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2340 raise Exception("Timeout on EAP failure report")
2341 dev[0].request("REMOVE_NETWORK all")
2343 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2344 identity="user", anonymous_identity="FAST",
2345 password="password",
2346 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2347 wait_connect=False, scan_freq="2412")
2348 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2350 raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    # fast_provisioning=2 selects authenticated provisioning; GTC is the
    # inner method and the resulting PAC lives in the named blob.
    fast_opts = dict(anonymous_identity="FAST", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                     phase1="fast_provisioning=2",
                     pac_file="blob://fast_pac_auth")
    eap_connect(dev[0], apdev[0], "FAST", "user", **fast_opts)
    # Data path must work after the provisioning round.
    hwsim_utils.test_connectivity(dev[0], hapd)
    # Reauthentication is expected to resume the TLS session via the PAC.
    reused = eap_reauth(dev[0], "FAST")['tls_session_reused']
    if reused != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2366 def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
2367 """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
2368 check_eap_capa(dev[0], "FAST")
2369 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2370 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2371 id = eap_connect(dev[0], apdev[0], "FAST", "user",
2372 anonymous_identity="FAST", password="password",
2373 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
2374 phase1="fast_provisioning=2",
2375 pac_file="blob://fast_pac_auth")
2376 dev[0].set_network_quoted(id, "identity", "user2")
2377 dev[0].wait_disconnected()
2378 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
2380 raise Exception("EAP-FAST not started")
2381 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
2383 raise Exception("EAP failure not reported")
2384 dev[0].wait_disconnected()
2386 def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
2387 """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
2388 check_eap_capa(dev[0], "FAST")
2389 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2390 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2391 with alloc_fail(dev[0], 2, "openssl_tls_prf"):
2392 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2393 identity="user", anonymous_identity="FAST",
2394 password="password", ca_cert="auth_serv/ca.pem",
2396 phase1="fast_provisioning=2",
2397 pac_file="blob://fast_pac_auth",
2398 wait_connect=False, scan_freq="2412")
2399 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
2401 raise Exception("EAP failure not reported")
2402 dev[0].request("DISCONNECT")
2404 def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
2405 """EAP-FAST/MSCHAPv2 and server OOM"""
2406 check_eap_capa(dev[0], "FAST")
2408 params = int_eap_server_params()
2409 params['dh_file'] = 'auth_serv/dh.conf'
2410 params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
2411 params['eap_fast_a_id'] = '1011'
2412 params['eap_fast_a_id_info'] = 'another test server'
2413 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2415 with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
2416 id = eap_connect(dev[0], apdev[0], "FAST", "user",
2417 anonymous_identity="FAST", password="password",
2418 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2419 phase1="fast_provisioning=1",
2420 pac_file="blob://fast_pac",
2421 expect_failure=True)
2422 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2424 raise Exception("No EAP failure reported")
2425 dev[0].wait_disconnected()
2426 dev[0].request("DISCONNECT")
2428 dev[0].select_network(id, freq="2412")
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # ocsp=2 makes a valid stapled OCSP response mandatory, so the connection
    # only completes when the server certificate status can be verified.
    client_cert = dict(ca_cert="auth_serv/ca.pem",
                       private_key="auth_serv/user.pkcs12",
                       private_key_passwd="whatever")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ocsp=2, **client_cert)
2438 def int_eap_server_params():
2439 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2440 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2441 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
2442 "ca_cert": "auth_serv/ca.pem",
2443 "server_cert": "auth_serv/server.pem",
2444 "private_key": "auth_serv/server.key" }
2447 def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
2448 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
2449 params = int_eap_server_params()
2450 params["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
2451 hostapd.add_ap(apdev[0]['ifname'], params)
2452 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2453 identity="tls user", ca_cert="auth_serv/ca.pem",
2454 private_key="auth_serv/user.pkcs12",
2455 private_key_passwd="whatever", ocsp=2,
2456 wait_connect=False, scan_freq="2412")
2459 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2461 raise Exception("Timeout on EAP status")
2462 if 'bad certificate status response' in ev:
2466 raise Exception("Unexpected number of EAP status messages")
2468 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2470 raise Exception("Timeout on EAP failure report")
2472 def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
2473 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
2474 params = int_eap_server_params()
2475 params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
2476 hostapd.add_ap(apdev[0]['ifname'], params)
2477 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2478 identity="tls user", ca_cert="auth_serv/ca.pem",
2479 private_key="auth_serv/user.pkcs12",
2480 private_key_passwd="whatever", ocsp=2,
2481 wait_connect=False, scan_freq="2412")
2484 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2486 raise Exception("Timeout on EAP status")
2487 if 'bad certificate status response' in ev:
2491 raise Exception("Unexpected number of EAP status messages")
2493 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2495 raise Exception("Timeout on EAP failure report")
2497 def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev, apdev):
2498 """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
2499 params = int_eap_server_params()
2500 params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
2501 hostapd.add_ap(apdev[0]['ifname'], params)
2502 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2503 identity="tls user", ca_cert="auth_serv/ca.pem",
2504 private_key="auth_serv/user.pkcs12",
2505 private_key_passwd="whatever", ocsp=2,
2506 wait_connect=False, scan_freq="2412")
2509 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2511 raise Exception("Timeout on EAP status")
2512 if 'bad certificate status response' in ev:
2516 raise Exception("Unexpected number of EAP status messages")
2518 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2520 raise Exception("Timeout on EAP failure report")
2522 def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
2523 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
2524 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
2525 if not os.path.exists(ocsp):
2526 raise HwsimSkip("No OCSP response available")
2527 params = int_eap_server_params()
2528 params["ocsp_stapling_response"] = ocsp
2529 hostapd.add_ap(apdev[0]['ifname'], params)
2530 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2531 identity="pap user", ca_cert="auth_serv/ca.pem",
2532 anonymous_identity="ttls", password="password",
2533 phase2="auth=PAP", ocsp=2,
2534 wait_connect=False, scan_freq="2412")
2537 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2539 raise Exception("Timeout on EAP status")
2540 if 'bad certificate status response' in ev:
2542 if 'certificate revoked' in ev:
2546 raise Exception("Unexpected number of EAP status messages")
2548 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2550 raise Exception("Timeout on EAP failure report")
2552 def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
2553 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
2554 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
2555 if not os.path.exists(ocsp):
2556 raise HwsimSkip("No OCSP response available")
2557 params = int_eap_server_params()
2558 params["ocsp_stapling_response"] = ocsp
2559 hostapd.add_ap(apdev[0]['ifname'], params)
2560 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2561 identity="pap user", ca_cert="auth_serv/ca.pem",
2562 anonymous_identity="ttls", password="password",
2563 phase2="auth=PAP", ocsp=2,
2564 wait_connect=False, scan_freq="2412")
2567 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2569 raise Exception("Timeout on EAP status")
2570 if 'bad certificate status response' in ev:
2574 raise Exception("Unexpected number of EAP status messages")
2576 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2578 raise Exception("Timeout on EAP failure report")
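def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown

    params is the test-runner dictionary (provides 'logdir'); the hostapd
    configuration is kept under a separate name so the two are not confused.
    Skipped when the pre-generated OCSP response is not available.
    """
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # ocsp=1 only requests stapling (ocsp=2 would require a good response), so
    # an "unknown" certificate status must not prevent the connection; connect()
    # waits for completion here, unlike the wait_connect=False failure cases.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")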
2593 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
2594 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
2595 params = int_eap_server_params()
2596 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2597 params["private_key"] = "auth_serv/server-no-dnsname.key"
2598 hostapd.add_ap(apdev[0]['ifname'], params)
2599 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2600 identity="tls user", ca_cert="auth_serv/ca.pem",
2601 private_key="auth_serv/user.pkcs12",
2602 private_key_passwd="whatever",
2603 domain_suffix_match="server3.w1.fi",
2606 def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
2607 """WPA2-Enterprise using EAP-TLS and domainmatch (CN)"""
2608 params = int_eap_server_params()
2609 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2610 params["private_key"] = "auth_serv/server-no-dnsname.key"
2611 hostapd.add_ap(apdev[0]['ifname'], params)
2612 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2613 identity="tls user", ca_cert="auth_serv/ca.pem",
2614 private_key="auth_serv/user.pkcs12",
2615 private_key_passwd="whatever",
2616 domain_match="server3.w1.fi",
2619 def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
2620 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
2621 check_domain_match_full(dev[0])
2622 params = int_eap_server_params()
2623 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2624 params["private_key"] = "auth_serv/server-no-dnsname.key"
2625 hostapd.add_ap(apdev[0]['ifname'], params)
2626 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2627 identity="tls user", ca_cert="auth_serv/ca.pem",
2628 private_key="auth_serv/user.pkcs12",
2629 private_key_passwd="whatever",
2630 domain_suffix_match="w1.fi",
2633 def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
2634 """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
2635 params = int_eap_server_params()
2636 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2637 params["private_key"] = "auth_serv/server-no-dnsname.key"
2638 hostapd.add_ap(apdev[0]['ifname'], params)
2639 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2640 identity="tls user", ca_cert="auth_serv/ca.pem",
2641 private_key="auth_serv/user.pkcs12",
2642 private_key_passwd="whatever",
2643 domain_suffix_match="example.com",
2646 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2647 identity="tls user", ca_cert="auth_serv/ca.pem",
2648 private_key="auth_serv/user.pkcs12",
2649 private_key_passwd="whatever",
2650 domain_suffix_match="erver3.w1.fi",
2653 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2655 raise Exception("Timeout on EAP failure report")
2656 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2658 raise Exception("Timeout on EAP failure report (2)")
2660 def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
2661 """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
2662 params = int_eap_server_params()
2663 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2664 params["private_key"] = "auth_serv/server-no-dnsname.key"
2665 hostapd.add_ap(apdev[0]['ifname'], params)
2666 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2667 identity="tls user", ca_cert="auth_serv/ca.pem",
2668 private_key="auth_serv/user.pkcs12",
2669 private_key_passwd="whatever",
2670 domain_match="example.com",
2673 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2674 identity="tls user", ca_cert="auth_serv/ca.pem",
2675 private_key="auth_serv/user.pkcs12",
2676 private_key_passwd="whatever",
2677 domain_match="w1.fi",
2680 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2682 raise Exception("Timeout on EAP failure report")
2683 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2685 raise Exception("Timeout on EAP failure report (2)")
2687 def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
2688 """WPA2-Enterprise using EAP-TTLS and expired certificate"""
2689 skip_with_fips(dev[0])
2690 params = int_eap_server_params()
2691 params["server_cert"] = "auth_serv/server-expired.pem"
2692 params["private_key"] = "auth_serv/server-expired.key"
2693 hostapd.add_ap(apdev[0]['ifname'], params)
2694 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2695 identity="mschap user", password="password",
2696 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2699 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
2701 raise Exception("Timeout on EAP certificate error report")
2702 if "reason=4" not in ev or "certificate has expired" not in ev:
2703 raise Exception("Unexpected failure reason: " + ev)
2704 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2706 raise Exception("Timeout on EAP failure report")
2708 def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
2709 """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
2710 skip_with_fips(dev[0])
2711 params = int_eap_server_params()
2712 params["server_cert"] = "auth_serv/server-expired.pem"
2713 params["private_key"] = "auth_serv/server-expired.key"
2714 hostapd.add_ap(apdev[0]['ifname'], params)
2715 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2716 identity="mschap user", password="password",
2717 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2718 phase1="tls_disable_time_checks=1",
2721 def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
2722 """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
2723 skip_with_fips(dev[0])
2724 params = int_eap_server_params()
2725 params["server_cert"] = "auth_serv/server-long-duration.pem"
2726 params["private_key"] = "auth_serv/server-long-duration.key"
2727 hostapd.add_ap(apdev[0]['ifname'], params)
2728 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2729 identity="mschap user", password="password",
2730 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2733 def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
2734 """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
2735 skip_with_fips(dev[0])
2736 params = int_eap_server_params()
2737 params["server_cert"] = "auth_serv/server-eku-client.pem"
2738 params["private_key"] = "auth_serv/server-eku-client.key"
2739 hostapd.add_ap(apdev[0]['ifname'], params)
2740 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2741 identity="mschap user", password="password",
2742 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2745 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2747 raise Exception("Timeout on EAP failure report")
2749 def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
2750 """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
2751 skip_with_fips(dev[0])
2752 params = int_eap_server_params()
2753 params["server_cert"] = "auth_serv/server-eku-client-server.pem"
2754 params["private_key"] = "auth_serv/server-eku-client-server.key"
2755 hostapd.add_ap(apdev[0]['ifname'], params)
2756 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2757 identity="mschap user", password="password",
2758 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2761 def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
2762 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
2763 skip_with_fips(dev[0])
2764 params = int_eap_server_params()
2765 del params["server_cert"]
2766 params["private_key"] = "auth_serv/server.pkcs12"
2767 hostapd.add_ap(apdev[0]['ifname'], params)
2768 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2769 identity="mschap user", password="password",
2770 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
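def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params

    The inner method is PAP (phase2="auth=PAP"); the previous docstring said
    CHAP, which did not match the configuration used.
    """
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    # dh_file hands wpa_supplicant an explicit DH parameter file for the TLS
    # handshake; the CA certificate is supplied in DER form here.
    ttls_pap = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                    dh_file="auth_serv/dh.conf")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_pap)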
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same TTLS/PAP setup as the plain dh_params test, but the client-side
    # dh_file carries DSA parameters (dsaparam.pem).
    ttls_pap = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                dh_file="auth_serv/dsaparam.pem", **ttls_pap)
2791 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
2792 """EAP-TTLS and DH params file not found"""
2793 skip_with_fips(dev[0])
2794 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2795 hostapd.add_ap(apdev[0]['ifname'], params)
2796 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2797 identity="mschap user", password="password",
2798 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2799 dh_file="auth_serv/dh-no-such-file.conf",
2800 scan_freq="2412", wait_connect=False)
2801 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2803 raise Exception("EAP failure timed out")
2804 dev[0].request("REMOVE_NETWORK all")
2805 dev[0].wait_disconnected()
2807 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
2808 """EAP-TTLS and invalid DH params file"""
2809 skip_with_fips(dev[0])
2810 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2811 hostapd.add_ap(apdev[0]['ifname'], params)
2812 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2813 identity="mschap user", password="password",
2814 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2815 dh_file="auth_serv/ca.pem",
2816 scan_freq="2412", wait_connect=False)
2817 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2819 raise Exception("EAP failure timed out")
2820 dev[0].request("REMOVE_NETWORK all")
2821 dev[0].wait_disconnected()
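def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params from blob

    The inner method is PAP (phase2="auth=PAP"); the previous docstring said
    CHAP. The DH parameters are pushed into wpa_supplicant as a named blob
    instead of being read from a file on disk.
    """
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    # read_pem() yields the decoded DER bytes; SET blob takes a hex string.
    # binascii.hexlify() works on both Python 2 and 3, unlike the
    # Python 2-only str.encode("hex") idiom used before.
    dh = read_pem("auth_serv/dh2.conf")
    dh_hex = binascii.hexlify(dh).decode()
    if "OK" not in dev[0].request("SET blob dhparams " + dh_hex):
        raise Exception("Could not set dhparams blob")
    # dh_file accepts a blob:// reference in place of a filesystem path.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="blob://dhparams")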
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams"""
    # Point hostapd's integrated EAP server at a non-default DH parameter file.
    ap_cfg = dict(int_eap_server_params(), dh_file="auth_serv/dh2.conf")
    hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    ttls_pap = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_pap)
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)"""
    # Server-side counterpart of the DSA dh_params test: hostapd's EAP server
    # is given DSA parameters (dsaparam.pem) as its dh_file.
    ap_cfg = dict(int_eap_server_params(), dh_file="auth_serv/dsaparam.pem")
    hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    ttls_pap = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_pap)
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP server (hostapd) TLS setup and dhparams file not found"""
    # NOTE(review): a test with this exact name is defined earlier in this
    # file (wpa_supplicant-side dh_file not found). Python keeps only the
    # later definition, so that earlier test body is never collected or run;
    # one of the two should be renamed.
    ap_cfg = dict(int_eap_server_params(),
                  dh_file="auth_serv/dh-no-such-file.conf")
    # no_enable=True so ENABLE can be issued explicitly and its result checked.
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_cfg, no_enable=True)
    res = hapd.request("ENABLE")
    if "FAIL" not in res:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP server (hostapd) TLS setup and invalid dhparams file"""
    # NOTE(review): a test with this exact name is defined earlier in this
    # file (wpa_supplicant-side invalid dh_file). Python keeps only the later
    # definition, so that earlier test body is never collected or run; one of
    # the two should be renamed.
    # A CA certificate is deliberately supplied where DH parameters are
    # expected; hostapd must reject the configuration at ENABLE time.
    ap_cfg = dict(int_eap_server_params(), dh_file="auth_serv/ca.pem")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_cfg, no_enable=True)
    res = hapd.request("ENABLE")
    if "FAIL" not in res:
        raise Exception("Invalid configuration accepted")
2869 def test_ap_wpa2_eap_reauth(dev, apdev):
2870 """WPA2-Enterprise and Authenticator forcing reauthentication"""
2871 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2872 params['eap_reauth_period'] = '2'
2873 hostapd.add_ap(apdev[0]['ifname'], params)
2874 eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
2875 password_hex="0123456789abcdef0123456789abcdef")
2876 logger.info("Wait for reauthentication")
2877 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
2879 raise Exception("Timeout on reauthentication")
2880 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
2882 raise Exception("Timeout on reauthentication")
2883 for i in range(0, 20):
2884 state = dev[0].get_status_field("wpa_state")
2885 if state == "COMPLETED":
2888 if state != "COMPLETED":
2889 raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity"""
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # eap_message: displayable text plus an attribute list for the
    # EAP-Request/Identity. The literal "\\0" in the config value is
    # presumably turned into the NUL separator by hostapd's parser; the test
    # only checks that authentication still completes with it present.
    ap_cfg['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    pax_opts = dict(password_hex="0123456789abcdef0123456789abcdef")
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com", **pax_opts)
2899 def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
2900 """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
2901 check_hlr_auc_gw_support()
2902 params = int_eap_server_params()
2903 params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
2904 params['eap_sim_aka_result_ind'] = "1"
2905 hostapd.add_ap(apdev[0]['ifname'], params)
2907 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
2908 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
2909 phase1="result_ind=1")
2910 eap_reauth(dev[0], "SIM")
2911 eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
2912 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
2914 dev[0].request("REMOVE_NETWORK all")
2915 dev[1].request("REMOVE_NETWORK all")
2917 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
2918 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
2919 phase1="result_ind=1")
2920 eap_reauth(dev[0], "AKA")
2921 eap_connect(dev[1], apdev[0], "AKA", "0232010000000000",
2922 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
2924 dev[0].request("REMOVE_NETWORK all")
2925 dev[1].request("REMOVE_NETWORK all")
2927 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
2928 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
2929 phase1="result_ind=1")
2930 eap_reauth(dev[0], "AKA'")
2931 eap_connect(dev[1], apdev[0], "AKA'", "6555444333222111",
2932 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
2934 def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
2935 """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
2936 skip_with_fips(dev[0])
2937 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2938 hostapd.add_ap(apdev[0]['ifname'], params)
2939 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
2940 eap="TTLS", identity="mschap user",
2941 wait_connect=False, scan_freq="2412", ieee80211w="1",
2942 anonymous_identity="ttls", password="password",
2943 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2945 ev = dev[0].wait_event(["EAP: more than"], timeout=20)
2947 raise Exception("EAP roundtrip limit not reached")
2949 def test_ap_wpa2_eap_expanded_nak(dev, apdev):
2950 """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
2951 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2952 hostapd.add_ap(apdev[0]['ifname'], params)
2953 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
2954 eap="PSK", identity="vendor-test",
2955 password_hex="ff23456789abcdef0123456789abcdef",
2959 for i in range(0, 5):
2960 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
2962 raise Exception("Association and EAP start timed out")
2963 if "refuse proposed method" in ev:
2967 raise Exception("Unexpected EAP status: " + ev)
2969 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2971 raise Exception("EAP failure timed out")
2973 def test_ap_wpa2_eap_sql(dev, apdev, params):
2974 """WPA2-Enterprise connection using SQLite for user DB"""
2975 skip_with_fips(dev[0])
2979 raise HwsimSkip("No sqlite3 module available")
2980 dbfile = os.path.join(params['logdir'], "eap-user.db")
2985 con = sqlite3.connect(dbfile)
2988 cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
2989 cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
2990 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
2991 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
2992 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
2993 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
2994 cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
2995 cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
2998 params = int_eap_server_params()
2999 params["eap_user_file"] = "sqlite:" + dbfile
3000 hostapd.add_ap(apdev[0]['ifname'], params)
3001 eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
3002 anonymous_identity="ttls", password="password",
3003 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
3004 dev[0].request("REMOVE_NETWORK all")
3005 eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
3006 anonymous_identity="ttls", password="password",
3007 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
3008 dev[1].request("REMOVE_NETWORK all")
3009 eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
3010 anonymous_identity="ttls", password="password",
3011 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
3012 eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
3013 anonymous_identity="ttls", password="password",
3014 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3018 def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
3019 """WPA2-Enterprise connection attempt using non-ASCII identity"""
3020 params = int_eap_server_params()
3021 hostapd.add_ap(apdev[0]['ifname'], params)
3022 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3023 identity="\x80", password="password", wait_connect=False)
3024 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3025 identity="a\x80", password="password", wait_connect=False)
3026 for i in range(0, 2):
3027 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
3029 raise Exception("Association and EAP start timed out")
3030 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
3032 raise Exception("EAP method selection timed out")
3034 def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
3035 """WPA2-Enterprise connection attempt using non-ASCII identity"""
3036 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3037 hostapd.add_ap(apdev[0]['ifname'], params)
3038 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3039 identity="\x80", password="password", wait_connect=False)
3040 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3041 identity="a\x80", password="password", wait_connect=False)
3042 for i in range(0, 2):
3043 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
3045 raise Exception("Association and EAP start timed out")
3046 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
3048 raise Exception("EAP method selection timed out")
3050 def test_openssl_cipher_suite_config_wpas(dev, apdev):
3051 """OpenSSL cipher suite configuration on wpa_supplicant"""
3052 tls = dev[0].request("GET tls_library")
3053 if not tls.startswith("OpenSSL"):
3054 raise HwsimSkip("TLS library is not OpenSSL: " + tls)
3055 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3056 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3057 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3058 anonymous_identity="ttls", password="password",
3059 openssl_ciphers="AES128",
3060 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3061 eap_connect(dev[1], apdev[0], "TTLS", "pap user",
3062 anonymous_identity="ttls", password="password",
3063 openssl_ciphers="EXPORT",
3064 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
3065 expect_failure=True, maybe_local_error=True)
3066 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3067 identity="pap user", anonymous_identity="ttls",
3068 password="password",
3069 openssl_ciphers="FOO",
3070 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
3072 ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
3074 raise Exception("EAP failure after invalid openssl_ciphers not reported")
3075 dev[2].request("DISCONNECT")
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd

    The AP's internal EAP server is restricted to AES256 suites via
    openssl_ciphers. A station with the default cipher list and one limited
    to HIGH:!ADH must both connect; a station limited to AES128 shares no
    suite with the server and must fail. Finally, an unparseable cipher
    string must make ENABLE fail on a second AP.

    Raises:
        HwsimSkip: when either side is not built against OpenSSL.
        Exception: when the bogus cipher string is accepted.
    """
    sta_tls = dev[0].request("GET tls_library")
    if not sta_tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + sta_tls)

    params = int_eap_server_params()
    params['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # The AP's TLS library can only be queried once it is running.
    ap_tls = hapd.request("GET tls_library")
    if not ap_tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + ap_tls)

    def ttls_pap(sta, **extra):
        # Common EAP-TTLS/PAP profile; `extra` carries the per-station
        # cipher restriction and the expected outcome.
        eap_connect(sta, apdev[0], "TTLS", "pap user",
                    anonymous_identity="ttls", password="password",
                    **extra)

    # Default client cipher list overlaps with the server's AES256 set.
    ttls_pap(dev[0], ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # No suite in common between an AES128-only client and an AES256-only
    # server, so the TLS handshake must not complete.
    ttls_pap(dev[1], openssl_ciphers="AES128",
             ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
             expect_failure=True)
    # HIGH:!ADH is expected to still overlap with the server's list.
    ttls_pap(dev[2], openssl_ciphers="HIGH:!ADH",
             ca_cert="auth_serv/ca.pem", phase2="auth=PAP")

    # A bogus cipher string must stop the AP from coming up at all rather
    # than being ignored in favour of some default list.
    params['openssl_ciphers'] = "FOO"
    hapd2 = hostapd.add_ap(apdev[1]['ifname'], params, no_enable=True)
    if "FAIL" not in hapd2.request("ENABLE"):
        raise Exception("Invalid openssl_ciphers value accepted")
def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
    """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP

    Checks how long each secret stays in wpa_supplicant's process memory.
    Snapshots are taken while associated, after disassociation, after
    flushing the PMKSA cache and EAP fast re-auth state, and after removing
    the network profile; the expectation gets stricter at each stage, and
    after profile removal no password, PMK, MSK, EMSK, PTK part or GTK may
    remain anywhere in the process.

    The key values searched for are parsed from the hexdump lines in
    wpa_supplicant's debug log (params['logdir']/log0), so the test depends
    on that log being written at a verbosity that includes key hexdumps.

    NOTE(review): a number of source lines are missing from this listing
    (the gutter numbering skips), among them the derivation of kck/kek/tk
    from ptk, the GTK length check and several `if ... in buf` conditions;
    read this alongside the original file.
    """
    p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], p)
    password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
    # Memory snapshots are taken by PID, so resolve the process first.
    pid = find_wpas_process(dev[0])
    id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
                     anonymous_identity="ttls", password=password,
                     ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Snapshot #1: while associated.
    buf = read_process_memory(pid, password)
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Recover the derived keys from the debug log. On each hexdump line the
    # key bytes follow the third ':' with a space between octets.
    with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
        for l in f.readlines():
            if "EAP-TTLS: Derived key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                msk = binascii.unhexlify(val)
            if "EAP-TTLS: Derived EMSK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                emsk = binascii.unhexlify(val)
            if "WPA: PMK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                pmk = binascii.unhexlify(val)
            if "WPA: PTK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                ptk = binascii.unhexlify(val)
            if "WPA: Group Key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                gtk = binascii.unhexlify(val)
    # NOTE(review): msk/emsk/pmk/ptk/gtk are only bound inside the loop in
    # what is visible here; a missing log line would raise NameError instead
    # of the intended Exception unless they are initialised earlier — the
    # original presumably does that among the missing lines.
    if not msk or not emsk or not pmk or not ptk or not gtk:
        raise Exception("Could not find keys from debug log")
    # NOTE(review): the GTK length check and the slicing of ptk into
    # kck/kek/tk that belong here are missing from the listing.
        raise Exception("Unexpected GTK length")
    # Prefix for the diagnostic dumps verify_not_present() (imported from
    # test_ap_psk) presumably writes when a key is found unexpectedly.
    fname = os.path.join(params['logdir'],
                         'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')

    logger.info("Checking keys in memory while associated")
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    # Skip rather than fail: if even the password cannot be seen in the
    # snapshot, the memory read is not usable for negative assertions.
    if password not in buf:
        raise HwsimSkip("Password not found while associated")
    # NOTE(review): the conditions for the next five raises are missing from
    # the listing; the messages show the intent — while associated the PMK,
    # KCK and KEK are expected in memory, whereas the TK and GTK must not be
    # (presumably because they live in the kernel once installed).
        raise HwsimSkip("PMK not found while associated")
        raise Exception("KCK not found while associated")
        raise Exception("KEK not found while associated")
        raise Exception("TK found from memory")
        raise Exception("GTK found from memory")

    logger.info("Checking keys in memory after disassociation")
    # Snapshot #2: after disassociation.
    buf = read_process_memory(pid, password)

    # Note: Password is still present in network configuration
    # Note: PMK is in PMKSA cache and EAP fast re-auth data

    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    # The per-association PTK parts and the GTK must be gone once the
    # association is over.
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")

    # Flush the PMKSA cache and change the identity; per the log message
    # below this is what drops the EAP fast re-auth data, the last
    # legitimate holder of the PMK.
    dev[0].request("PMKSA_FLUSH")
    dev[0].set_network_quoted(id, "identity", "foo")
    logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
    # Snapshot #3: the PMK must now be gone as well.
    buf = read_process_memory(pid, password)
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, pmk, fname, "PMK")

    # Removing the network profile must also clear the stored password and
    # the EAP-derived MSK/EMSK.
    dev[0].request("REMOVE_NETWORK all")

    logger.info("Checking keys in memory after network profile removal")
    # Snapshot #4: nothing secret may remain.
    buf = read_process_memory(pid, password)

    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, password, fname, "password")
    verify_not_present(buf, pmk, fname, "PMK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")
    verify_not_present(buf, msk, fname, "MSK")
    verify_not_present(buf, emsk, fname, "EMSK")
def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
    """WPA2-Enterprise connection and unexpected WEP EAPOL-Key

    After a normal EAP-TTLS/PAP association, a hand-crafted legacy (WEP
    style) EAPOL-Key frame is injected through the EAPOL_RX control
    interface command. The supplicant must accept the frame for processing
    and then drop it: a WPA2 association must never act on such a key
    message.

    NOTE(review): the condition that tests `res` before the raise is
    missing from this listing.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    bssid = apdev[0]['bssid']
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")

    # Send unexpected WEP EAPOL-Key; this gets dropped
    # The hex blob appears to be a minimal EAPOL frame (version 2, type 3 =
    # EAPOL-Key, length 0x2c, descriptor type 1) with a zero-filled body;
    # only the injection/drop path is being exercised.
    res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
    # NOTE(review): the check on `res` is missing from the listing.
        raise Exception("EAPOL_RX to wpa_supplicant failed")
def test_ap_wpa2_eap_in_bridge(dev, apdev):
    """WPA2-EAP and wpas interface in a bridge

    Wrapper around _test_ap_wpa2_eap_in_bridge() that tears down the bridge
    and 4addr mode afterwards so the host's network configuration is not
    left altered for later tests.

    NOTE(review): the lines defining br_ifname/ifname and the try/finally
    framing that presumably surrounds the helper call are missing from this
    listing.
    """
    _test_ap_wpa2_eap_in_bridge(dev, apdev)
    # Cleanup is best-effort: subprocess.call() (not check_call) so every
    # step runs even if an earlier one fails.
    subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
    subprocess.call(['brctl', 'delif', br_ifname, ifname])
    subprocess.call(['brctl', 'delbr', br_ifname])
    subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
def _test_ap_wpa2_eap_in_bridge(dev, apdev):
    """Body of test_ap_wpa2_eap_in_bridge().

    Puts a station interface into a Linux bridge with 4addr mode enabled,
    then runs EAP-PAX through it, including reauthentication and a
    disconnect/reconnect cycle.

    NOTE(review): the assignments of br_ifname and ifname (the lines between
    add_ap() and the WpaSupplicant construction) are missing from this
    listing.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
    subprocess.call(['brctl', 'addbr', br_ifname])
    # Forward delay 0 so the bridge port forwards immediately.
    subprocess.call(['brctl', 'setfd', br_ifname, '0'])
    subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
    subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
    # Only this step is fatal (check_call): without the interface actually
    # in the bridge the rest of the test would be meaningless.
    subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
    wpas.interface_add(ifname, br_ifname=br_ifname)

    # EAP-PAX with a hex-encoded pre-shared key, then two reauthentications.
    id = eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
                     password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(wpas, "PAX")
    # Try again as a regression test for packet socket workaround
    eap_reauth(wpas, "PAX")
    # Explicit disconnect/reconnect cycle on the bridged interface.
    wpas.request("DISCONNECT")
    wpas.wait_disconnected()
    wpas.request("RECONNECT")
    wpas.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled

    Brings up a WPA2-EAP AP, confirms via GET_CONFIG that its first AKM is
    WPA-EAP, connects with EAP-TTLS/PAP while explicitly re-enabling TLS
    session tickets in phase1, and then reauthenticates.

    Raises:
        Exception: when the AP does not report WPA-EAP as its first key_mgmt.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Sanity-check that the AP really came up in EAP mode.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm, _, _ = key_mgmt.partition(' ')
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # tls_disable_session_ticket=0 leaves session tickets available for the
    # reauthentication below; whether resumption actually occurs is not
    # asserted here.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_no_workaround(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0

    NOTE(review): the final line of the eap_connect() argument list is
    missing from this listing.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Sanity-check that the AP really came up in EAP mode.
    key_mgmt = hapd.get_config()['key_mgmt']
    if key_mgmt.split(' ')[0] != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # eap_workaround='0' turns off the supplicant's interoperability
    # workarounds for non-conforming EAP servers; the connection and the
    # reauthentication must still succeed against the test server.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
    # NOTE(review): the remaining arguments of this call are missing from
    # the listing.
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
    """EAP-TLS and server checking CRL

    Exercises hostapd's check_crl setting with the internal EAP server:
    with check_crl=1 and a CA file carrying no CRL the client must be
    rejected (fail closed rather than skip the revocation check); once the
    CA file bundles a CRL, both check_crl=1 and check_crl=2 must accept the
    non-revoked client certificate.

    NOTE(review): several lines are missing from this listing (the gutter
    numbering skips around each hapd.set() call); presumably the AP is
    disabled and re-enabled around the configuration changes.
    """
    params = int_eap_server_params()
    params['check_crl'] = '1'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    # check_crl=1 and no CRL available --> reject connection
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key", expect_failure=True)
    # Drop the failed profile so the next eap_connect() starts clean.
    dev[0].request("REMOVE_NETWORK all")

    # Switch the server's CA file to one that bundles a CRL.
    hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")
    # NOTE(review): lines missing from the listing here.

    # check_crl=1 and valid CRL --> accept
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    dev[0].request("REMOVE_NETWORK all")

    # Stricter mode (per hostapd.conf, 2 extends the CRL check to the whole
    # certificate chain).
    hapd.set("check_crl", "2")
    # NOTE(review): lines missing from the listing here.

    # check_crl=2 and valid CRL --> accept
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_tls_oom(dev, apdev):
    """EAP-TLS and OOM

    Forces allocation failures inside tls_connection_set_subject_match()
    (the 1st through 4th allocation in turn) while an EAP-TLS profile with
    subject/altsubject/domain matching is being applied, and checks that the
    failure is reported as a CTRL-REQ-PASSPHRASE request. The point is
    presumably that an allocation failure must not let the association
    proceed with a matching constraint silently dropped.

    NOTE(review): the condition guarding the "No passphrase request" raise
    is missing from this listing.
    """
    # All three matching options are configured below, so each must be
    # supported by the TLS library in use.
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    check_domain_match_full(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # (allocation ordinal, function) pairs handed to alloc_fail().
    tests = [ (1, "tls_connection_set_subject_match"),
              (2, "tls_connection_set_subject_match"),
              (3, "tls_connection_set_subject_match"),
              (4, "tls_connection_set_subject_match") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                           identity="tls user", ca_cert="auth_serv/ca.pem",
                           client_cert="auth_serv/user.pem",
                           private_key="auth_serv/user.key",
                           subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                           altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
                           domain_suffix_match="server.w1.fi",
                           domain_match="server.w1.fi",
                           wait_connect=False, scan_freq="2412")
            # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
            ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
            # NOTE(review): the condition guarding this raise is missing
            # from the listing.
                raise Exception("No passphrase request")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL

    Enables hostapd's MAC address ACL (macaddr_acl=2) on a WPA2-EAP AP and
    checks that a station can still complete EAP-TLS with client
    certificate authentication.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params.update(macaddr_acl="2")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Certificate-based credentials for the "tls user" test identity.
    tls_creds = dict(ca_cert="auth_serv/ca.pem",
                     client_cert="auth_serv/user.pem",
                     private_key="auth_serv/user.key")
    eap_connect(dev[1], apdev[0], "TLS", "tls user", **tls_creds)
def test_ap_wpa2_eap_oom(dev, apdev):
    """EAP server and OOM

    Makes the AP's first eapol_auth_alloc() call fail while a station
    attempts an EAP-TLS connection.

    NOTE(review): the second line of the comment inside the with-block and
    the closing line of the connect() argument list are missing from this
    listing.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Pre-scan so the connect below does not spend its time on discovery.
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
    # Allocation failure is injected on the AP side, not the station.
    with alloc_fail(hapd, 1, "eapol_auth_alloc"):
        # The first attempt fails, but STA will send EAPOL-Start to retry and
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
        # NOTE(review): the closing arguments of this call are missing from
        # the listing.
def check_tls_ver(dev, ap, phase1, expected):
    """Connect with EAP-TLS and check the negotiated TLS version.

    Args:
        dev: station to connect.
        ap: AP descriptor handed to eap_connect().
        phase1: phase1 parameter string (tls_disable_tlsv1_x settings);
            presumably passed through to eap_connect() on the line that is
            missing from this listing.
        expected: the eap_tls_version status value that must result.

    Raises:
        Exception: when the reported version differs from `expected`.

    NOTE(review): the last argument line of the eap_connect() call and the
    comparison guarding the raise are missing from this listing.
    """
    eap_connect(dev, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key",
    # NOTE(review): the remaining arguments of this call are missing from
    # the listing.
    ver = dev.get_status_field("eap_tls_version")
    # NOTE(review): the comparison guarding this raise is missing from the
    # listing.
        raise Exception("Unexpected TLS version (expected %s): %s" % (expected, ver))
3389 def test_ap_wpa2_eap_tls_versions(dev, apdev):
3390 """EAP-TLS and TLS version configuration"""
3391 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3392 hostapd.add_ap(apdev[0]['ifname'], params)
3394 tls = dev[0].request("GET tls_library")
3395 if tls.startswith("OpenSSL"):
3396 if "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
3397 check_tls_ver(dev[0], apdev[0],
3398 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
3400 check_tls_ver(dev[1], apdev[0],
3401 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
3402 check_tls_ver(dev[2], apdev[0],
3403 "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")