1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
13 logger = logging.getLogger()
18 from utils import HwsimSkip, alloc_fail, fail_test
19 from wpasupplicant import WpaSupplicant
20 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations
def check_hlr_auc_gw_support():
    """Skip the test unless the hlr_auc_gw control socket is present.

    Only the existence of the socket path is checked; nothing here
    verifies that the process listening on it is the expected one.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
26 def check_eap_capa(dev, method):
27 res = dev.get_capability("eap")
29 raise HwsimSkip("EAP method %s not supported in the build" % method)
def check_subject_match_support(dev):
    """Skip the test unless *dev* reports an OpenSSL TLS library.

    The skip decision is made purely on the "GET tls_library" response
    prefix; any backend not starting with "OpenSSL" is treated as
    lacking subject_match support.
    """
    tls_library = dev.request("GET tls_library")
    is_openssl = tls_library.startswith("OpenSSL")
    if not is_openssl:
        raise HwsimSkip("subject_match not supported with this TLS library: " + tls_library)
def check_altsubject_match_support(dev):
    """Skip the test unless *dev* reports an OpenSSL TLS library.

    altsubject_match is only exercised against the OpenSSL backend; the
    decision is based solely on the "GET tls_library" response prefix.
    """
    tls_library = dev.request("GET tls_library")
    is_openssl = tls_library.startswith("OpenSSL")
    if not is_openssl:
        raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls_library)
def check_domain_match_full(dev):
    """Skip the test unless *dev* reports an OpenSSL TLS library.

    Used by tests that rely on domain_suffix_match accepting a suffix
    rather than requiring a full host name match; only the OpenSSL
    backend (by "GET tls_library" prefix) is allowed through.
    """
    tls_library = dev.request("GET tls_library")
    is_openssl = tls_library.startswith("OpenSSL")
    if not is_openssl:
        raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls_library)
def check_cert_probe_support(dev):
    """Skip the test unless *dev* reports an OpenSSL TLS library.

    Certificate probing is only run against the OpenSSL backend; the
    decision is based on the "GET tls_library" response prefix.
    """
    tls_library = dev.request("GET tls_library")
    is_openssl = tls_library.startswith("OpenSSL")
    if not is_openssl:
        raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls_library)
52 with open(fname, "r") as f:
63 return base64.b64decode(cert)
65 def eap_connect(dev, ap, method, identity,
66 sha256=False, expect_failure=False, local_error_report=False,
68 hapd = hostapd.Hostapd(ap['ifname'])
69 id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
70 eap=method, identity=identity,
71 wait_connect=False, scan_freq="2412", ieee80211w="1",
73 eap_check_auth(dev, method, True, sha256=sha256,
74 expect_failure=expect_failure,
75 local_error_report=local_error_report)
78 ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
80 raise Exception("No connection event received from hostapd")
83 def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
84 expect_failure=False, local_error_report=False):
85 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
87 raise Exception("Association and EAP start timed out")
88 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
90 raise Exception("EAP method selection timed out")
92 raise Exception("Unexpected EAP method")
94 ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
96 raise Exception("EAP failure timed out")
97 ev = dev.wait_disconnected(timeout=10)
98 if not local_error_report:
99 if "reason=23" not in ev:
100 raise Exception("Proper reason code for disconnection not reported")
102 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
104 raise Exception("EAP success timed out")
107 ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
109 ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
111 raise Exception("Association with the AP timed out")
112 status = dev.get_status()
113 if status["wpa_state"] != "COMPLETED":
114 raise Exception("Connection not completed")
116 if status["suppPortStatus"] != "Authorized":
117 raise Exception("Port not authorized")
118 if method not in status["selectedMethod"]:
119 raise Exception("Incorrect EAP method status")
121 e = "WPA2-EAP-SHA256"
123 e = "WPA2/IEEE 802.1X/EAP"
125 e = "WPA/IEEE 802.1X/EAP"
126 if status["key_mgmt"] != e:
127 raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger EAP re-authentication on *dev* and validate the result.

    Sends REAUTHENTICATE over the control interface and then runs the
    same event/status checks as the initial connection through
    eap_check_auth() with initial=False, passing its return value back.
    """
    dev.request("REAUTHENTICATE")
    auth_opts = {
        "rsn": rsn,
        "sha256": sha256,
        "expect_failure": expect_failure,
    }
    return eap_check_auth(dev, method, False, **auth_opts)
135 def test_ap_wpa2_eap_sim(dev, apdev):
136 """WPA2-Enterprise connection using EAP-SIM"""
137 check_hlr_auc_gw_support()
138 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
139 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
140 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
141 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
142 hwsim_utils.test_connectivity(dev[0], hapd)
143 eap_reauth(dev[0], "SIM")
145 eap_connect(dev[1], apdev[0], "SIM", "1232010000000001",
146 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
147 eap_connect(dev[2], apdev[0], "SIM", "1232010000000002",
148 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
151 logger.info("Negative test with incorrect key")
152 dev[0].request("REMOVE_NETWORK all")
153 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
154 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
157 logger.info("Invalid GSM-Milenage key")
158 dev[0].request("REMOVE_NETWORK all")
159 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
160 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
163 logger.info("Invalid GSM-Milenage key(2)")
164 dev[0].request("REMOVE_NETWORK all")
165 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
166 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
169 logger.info("Invalid GSM-Milenage key(3)")
170 dev[0].request("REMOVE_NETWORK all")
171 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
172 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
175 logger.info("Invalid GSM-Milenage key(4)")
176 dev[0].request("REMOVE_NETWORK all")
177 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
178 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
181 logger.info("Missing key configuration")
182 dev[0].request("REMOVE_NETWORK all")
183 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
186 def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
187 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
188 check_hlr_auc_gw_support()
192 raise HwsimSkip("No sqlite3 module available")
193 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
194 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
195 params['auth_server_port'] = "1814"
196 hostapd.add_ap(apdev[0]['ifname'], params)
197 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
198 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
200 logger.info("SIM fast re-authentication")
201 eap_reauth(dev[0], "SIM")
203 logger.info("SIM full auth with pseudonym")
206 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
207 eap_reauth(dev[0], "SIM")
209 logger.info("SIM full auth with permanent identity")
212 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
213 cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
214 eap_reauth(dev[0], "SIM")
216 logger.info("SIM reauth with mismatching MK")
219 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
220 eap_reauth(dev[0], "SIM", expect_failure=True)
221 dev[0].request("REMOVE_NETWORK all")
223 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
224 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
227 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
228 eap_reauth(dev[0], "SIM")
231 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
232 logger.info("SIM reauth with mismatching counter")
233 eap_reauth(dev[0], "SIM")
234 dev[0].request("REMOVE_NETWORK all")
236 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
237 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
240 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
241 logger.info("SIM reauth with max reauth count reached")
242 eap_reauth(dev[0], "SIM")
244 def test_ap_wpa2_eap_sim_config(dev, apdev):
245 """EAP-SIM configuration options"""
246 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
247 hostapd.add_ap(apdev[0]['ifname'], params)
248 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
249 identity="1232010000000000",
250 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
251 phase1="sim_min_num_chal=1",
252 wait_connect=False, scan_freq="2412")
253 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
255 raise Exception("No EAP error message seen")
256 dev[0].request("REMOVE_NETWORK all")
258 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
259 identity="1232010000000000",
260 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
261 phase1="sim_min_num_chal=4",
262 wait_connect=False, scan_freq="2412")
263 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
265 raise Exception("No EAP error message seen (2)")
266 dev[0].request("REMOVE_NETWORK all")
268 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
269 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
270 phase1="sim_min_num_chal=2")
271 eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
272 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
273 anonymous_identity="345678")
275 def test_ap_wpa2_eap_sim_ext(dev, apdev):
276 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
278 _test_ap_wpa2_eap_sim_ext(dev, apdev)
280 dev[0].request("SET external_sim 0")
282 def _test_ap_wpa2_eap_sim_ext(dev, apdev):
283 check_hlr_auc_gw_support()
284 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
285 hostapd.add_ap(apdev[0]['ifname'], params)
286 dev[0].request("SET external_sim 1")
287 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
288 identity="1232010000000000",
289 wait_connect=False, scan_freq="2412")
290 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
292 raise Exception("Network connected timed out")
294 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
296 raise Exception("Wait for external SIM processing request timed out")
298 if p[1] != "GSM-AUTH":
299 raise Exception("Unexpected CTRL-REQ-SIM type")
300 rid = p[0].split('-')[3]
303 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
304 # This will fail during processing, but the ctrl_iface command succeeds
305 dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
306 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
308 raise Exception("EAP failure not reported")
309 dev[0].request("DISCONNECT")
310 dev[0].wait_disconnected()
313 dev[0].select_network(id, freq="2412")
314 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
316 raise Exception("Wait for external SIM processing request timed out")
318 if p[1] != "GSM-AUTH":
319 raise Exception("Unexpected CTRL-REQ-SIM type")
320 rid = p[0].split('-')[3]
321 # This will fail during GSM auth validation
322 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:q"):
323 raise Exception("CTRL-RSP-SIM failed")
324 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
326 raise Exception("EAP failure not reported")
327 dev[0].request("DISCONNECT")
328 dev[0].wait_disconnected()
331 dev[0].select_network(id, freq="2412")
332 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
334 raise Exception("Wait for external SIM processing request timed out")
336 if p[1] != "GSM-AUTH":
337 raise Exception("Unexpected CTRL-REQ-SIM type")
338 rid = p[0].split('-')[3]
339 # This will fail during GSM auth validation
340 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:34"):
341 raise Exception("CTRL-RSP-SIM failed")
342 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
344 raise Exception("EAP failure not reported")
345 dev[0].request("DISCONNECT")
346 dev[0].wait_disconnected()
349 dev[0].select_network(id, freq="2412")
350 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
352 raise Exception("Wait for external SIM processing request timed out")
354 if p[1] != "GSM-AUTH":
355 raise Exception("Unexpected CTRL-REQ-SIM type")
356 rid = p[0].split('-')[3]
357 # This will fail during GSM auth validation
358 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677"):
359 raise Exception("CTRL-RSP-SIM failed")
360 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
362 raise Exception("EAP failure not reported")
363 dev[0].request("DISCONNECT")
364 dev[0].wait_disconnected()
367 dev[0].select_network(id, freq="2412")
368 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
370 raise Exception("Wait for external SIM processing request timed out")
372 if p[1] != "GSM-AUTH":
373 raise Exception("Unexpected CTRL-REQ-SIM type")
374 rid = p[0].split('-')[3]
375 # This will fail during GSM auth validation
376 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:q"):
377 raise Exception("CTRL-RSP-SIM failed")
378 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
380 raise Exception("EAP failure not reported")
381 dev[0].request("DISCONNECT")
382 dev[0].wait_disconnected()
385 dev[0].select_network(id, freq="2412")
386 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
388 raise Exception("Wait for external SIM processing request timed out")
390 if p[1] != "GSM-AUTH":
391 raise Exception("Unexpected CTRL-REQ-SIM type")
392 rid = p[0].split('-')[3]
393 # This will fail during GSM auth validation
394 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233"):
395 raise Exception("CTRL-RSP-SIM failed")
396 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
398 raise Exception("EAP failure not reported")
399 dev[0].request("DISCONNECT")
400 dev[0].wait_disconnected()
403 dev[0].select_network(id, freq="2412")
404 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
406 raise Exception("Wait for external SIM processing request timed out")
408 if p[1] != "GSM-AUTH":
409 raise Exception("Unexpected CTRL-REQ-SIM type")
410 rid = p[0].split('-')[3]
411 # This will fail during GSM auth validation
412 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233:q"):
413 raise Exception("CTRL-RSP-SIM failed")
414 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
416 raise Exception("EAP failure not reported")
418 def test_ap_wpa2_eap_sim_oom(dev, apdev):
419 """EAP-SIM and OOM"""
420 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
421 hostapd.add_ap(apdev[0]['ifname'], params)
422 tests = [ (1, "milenage_f2345"),
423 (2, "milenage_f2345"),
424 (3, "milenage_f2345"),
425 (4, "milenage_f2345"),
426 (5, "milenage_f2345"),
427 (6, "milenage_f2345"),
428 (7, "milenage_f2345"),
429 (8, "milenage_f2345"),
430 (9, "milenage_f2345"),
431 (10, "milenage_f2345"),
432 (11, "milenage_f2345"),
433 (12, "milenage_f2345") ]
434 for count, func in tests:
435 with alloc_fail(dev[0], count, func):
436 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
437 identity="1232010000000000",
438 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
439 wait_connect=False, scan_freq="2412")
440 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
442 raise Exception("EAP method not selected")
443 dev[0].wait_disconnected()
444 dev[0].request("REMOVE_NETWORK all")
446 def test_ap_wpa2_eap_aka(dev, apdev):
447 """WPA2-Enterprise connection using EAP-AKA"""
448 check_hlr_auc_gw_support()
449 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
450 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
451 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
452 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
453 hwsim_utils.test_connectivity(dev[0], hapd)
454 eap_reauth(dev[0], "AKA")
456 logger.info("Negative test with incorrect key")
457 dev[0].request("REMOVE_NETWORK all")
458 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
459 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
462 logger.info("Invalid Milenage key")
463 dev[0].request("REMOVE_NETWORK all")
464 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
465 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
468 logger.info("Invalid Milenage key(2)")
469 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
470 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
473 logger.info("Invalid Milenage key(3)")
474 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
475 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
478 logger.info("Invalid Milenage key(4)")
479 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
480 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
483 logger.info("Invalid Milenage key(5)")
484 dev[0].request("REMOVE_NETWORK all")
485 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
486 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
489 logger.info("Invalid Milenage key(6)")
490 dev[0].request("REMOVE_NETWORK all")
491 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
492 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
495 logger.info("Missing key configuration")
496 dev[0].request("REMOVE_NETWORK all")
497 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
500 def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
501 """WPA2-Enterprise connection using EAP-AKA (SQL)"""
502 check_hlr_auc_gw_support()
506 raise HwsimSkip("No sqlite3 module available")
507 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
508 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
509 params['auth_server_port'] = "1814"
510 hostapd.add_ap(apdev[0]['ifname'], params)
511 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
512 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
514 logger.info("AKA fast re-authentication")
515 eap_reauth(dev[0], "AKA")
517 logger.info("AKA full auth with pseudonym")
520 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
521 eap_reauth(dev[0], "AKA")
523 logger.info("AKA full auth with permanent identity")
526 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
527 cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
528 eap_reauth(dev[0], "AKA")
530 logger.info("AKA reauth with mismatching MK")
533 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
534 eap_reauth(dev[0], "AKA", expect_failure=True)
535 dev[0].request("REMOVE_NETWORK all")
537 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
538 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
541 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
542 eap_reauth(dev[0], "AKA")
545 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
546 logger.info("AKA reauth with mismatching counter")
547 eap_reauth(dev[0], "AKA")
548 dev[0].request("REMOVE_NETWORK all")
550 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
551 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
554 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
555 logger.info("AKA reauth with max reauth count reached")
556 eap_reauth(dev[0], "AKA")
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options (anonymous_identity)"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Same Milenage test credentials as the other AKA tests, plus an
    # anonymous_identity in the network block.
    creds = {
        "password": "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
        "anonymous_identity": "2345678",
    }
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000", **creds)
566 def test_ap_wpa2_eap_aka_ext(dev, apdev):
567 """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
569 _test_ap_wpa2_eap_aka_ext(dev, apdev)
571 dev[0].request("SET external_sim 0")
573 def _test_ap_wpa2_eap_aka_ext(dev, apdev):
574 check_hlr_auc_gw_support()
575 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
576 hostapd.add_ap(apdev[0]['ifname'], params)
577 dev[0].request("SET external_sim 1")
578 id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
579 identity="0232010000000000",
580 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
581 wait_connect=False, scan_freq="2412")
582 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
584 raise Exception("Network connected timed out")
586 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
588 raise Exception("Wait for external SIM processing request timed out")
590 if p[1] != "UMTS-AUTH":
591 raise Exception("Unexpected CTRL-REQ-SIM type")
592 rid = p[0].split('-')[3]
595 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
596 # This will fail during processing, but the ctrl_iface command succeeds
597 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
598 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
600 raise Exception("EAP failure not reported")
601 dev[0].request("DISCONNECT")
602 dev[0].wait_disconnected()
605 dev[0].select_network(id, freq="2412")
606 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
608 raise Exception("Wait for external SIM processing request timed out")
610 if p[1] != "UMTS-AUTH":
611 raise Exception("Unexpected CTRL-REQ-SIM type")
612 rid = p[0].split('-')[3]
613 # This will fail during UMTS auth validation
614 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
615 raise Exception("CTRL-RSP-SIM failed")
616 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
618 raise Exception("Wait for external SIM processing request timed out")
620 if p[1] != "UMTS-AUTH":
621 raise Exception("Unexpected CTRL-REQ-SIM type")
622 rid = p[0].split('-')[3]
623 # This will fail during UMTS auth validation
624 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
625 raise Exception("CTRL-RSP-SIM failed")
626 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
628 raise Exception("EAP failure not reported")
629 dev[0].request("DISCONNECT")
630 dev[0].wait_disconnected()
633 tests = [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
635 ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
636 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
637 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
638 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
639 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
641 dev[0].select_network(id, freq="2412")
642 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
644 raise Exception("Wait for external SIM processing request timed out")
646 if p[1] != "UMTS-AUTH":
647 raise Exception("Unexpected CTRL-REQ-SIM type")
648 rid = p[0].split('-')[3]
649 # This will fail during UMTS auth validation
650 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
651 raise Exception("CTRL-RSP-SIM failed")
652 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
654 raise Exception("EAP failure not reported")
655 dev[0].request("DISCONNECT")
656 dev[0].wait_disconnected()
659 def test_ap_wpa2_eap_aka_prime(dev, apdev):
660 """WPA2-Enterprise connection using EAP-AKA'"""
661 check_hlr_auc_gw_support()
662 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
663 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
664 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
665 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
666 hwsim_utils.test_connectivity(dev[0], hapd)
667 eap_reauth(dev[0], "AKA'")
669 logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
670 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
671 identity="6555444333222111@both",
672 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
673 wait_connect=False, scan_freq="2412")
674 dev[1].wait_connected(timeout=15)
676 logger.info("Negative test with incorrect key")
677 dev[0].request("REMOVE_NETWORK all")
678 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
679 password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
682 def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
683 """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
684 check_hlr_auc_gw_support()
688 raise HwsimSkip("No sqlite3 module available")
689 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
690 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
691 params['auth_server_port'] = "1814"
692 hostapd.add_ap(apdev[0]['ifname'], params)
693 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
694 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
696 logger.info("AKA' fast re-authentication")
697 eap_reauth(dev[0], "AKA'")
699 logger.info("AKA' full auth with pseudonym")
702 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
703 eap_reauth(dev[0], "AKA'")
705 logger.info("AKA' full auth with permanent identity")
708 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
709 cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
710 eap_reauth(dev[0], "AKA'")
712 logger.info("AKA' reauth with mismatching k_aut")
715 cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
716 eap_reauth(dev[0], "AKA'", expect_failure=True)
717 dev[0].request("REMOVE_NETWORK all")
719 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
720 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
723 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
724 eap_reauth(dev[0], "AKA'")
727 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
728 logger.info("AKA' reauth with mismatching counter")
729 eap_reauth(dev[0], "AKA'")
730 dev[0].request("REMOVE_NETWORK all")
732 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
733 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
736 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
737 logger.info("AKA' reauth with max reauth count reached")
738 eap_reauth(dev[0], "AKA'")
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Sanity-check GET_CONFIG: the first listed AKM must be WPA-EAP.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm, _sep, _rest = key_mgmt.partition(' ')
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # PAP carries the inner password without protection of its own, so
    # the TLS tunnel validated against ca_cert is what keeps it private.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    # 00-0f-ac-1 is the IEEE 802.1X AKM suite selector; both the
    # requested and the selected suite must report it.
    akm_suite = "00-0f-ac-1"
    mib_names = ["dot11RSNAAuthenticationSuiteRequested",
                 "dot11RSNAAuthenticationSuiteSelected"]
    check_mib(dev[0], [(name, akm_suite) for name in mib_names])
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    # Both matchers are only checked on OpenSSL builds; skip otherwise.
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Presumably these values describe the auth_serv test certificate;
    # the connection is expected to succeed with them in place.
    cert_constraints = {
        "subject_match": "/C=FI/O=w1.fi/CN=server.w1.fi",
        "altsubject_match": "EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
    }
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                **cert_constraints)
    eap_reauth(dev[0], "TTLS")
768 def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
769 """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
770 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
771 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
772 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
773 anonymous_identity="ttls", password="wrong",
774 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
776 eap_connect(dev[1], apdev[0], "TTLS", "user",
777 anonymous_identity="ttls", password="password",
778 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # DER-encoded CA certificate this time (the PAP test uses the PEM form).
    inner = {
        "anonymous_identity": "ttls",
        "password": "password",
        "ca_cert": "auth_serv/ca.der",
        "phase2": "auth=CHAP",
    }
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", **inner)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and altsubject_match"""
    check_altsubject_match_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Same SAN entries as the PAP variant, listed in a different order,
    # so ordering in altsubject_match is not expected to matter.
    san_match = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match=san_match)
    eap_reauth(dev[0], "TTLS")
802 def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
803 """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
804 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
805 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
806 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
807 anonymous_identity="ttls", password="wrong",
808 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
810 eap_connect(dev[1], apdev[0], "TTLS", "user",
811 anonymous_identity="ttls", password="password",
812 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
815 def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
816 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
817 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
818 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
819 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
820 anonymous_identity="ttls", password="password",
821 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
822 domain_suffix_match="server.w1.fi")
823 hwsim_utils.test_connectivity(dev[0], hapd)
824 eap_reauth(dev[0], "TTLS")
825 dev[0].request("REMOVE_NETWORK all")
826 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
827 anonymous_identity="ttls", password="password",
828 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
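def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
    # Docstring fixed: the original said CHAP although every attempt below
    # uses the MSCHAP inner method. All three attempts must be rejected.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Wrong password for a valid MSCHAP user.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                expect_failure=True)  # NOTE(review): reconstructed - line missing from this copy
    # Valid password, identity not expected to be usable with TTLS/MSCHAP.
    eap_connect(dev[1], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                expect_failure=True)  # NOTE(review): reconstructed - line missing from this copy
    # Unknown identity.
    eap_connect(dev[2], apdev[0], "TTLS", "no such user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                expect_failure=True)  # NOTE(review): reconstructed - line missing from this copy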
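def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # Raw string: "\m" is not a Python escape, so the value is unchanged, but
    # a plain literal raises an invalid-escape warning on newer interpreters.
    eap_connect(dev[0], apdev[0], "TTLS", r"DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)

    # Snapshot the AP-side 802.1X MIB counters for this station, force a
    # reauthentication, and check the counters reflect a second EAP exchange.
    addr = dev[0].p2p_interface_addr()
    sta1 = hapd.get_sta(addr)
    eapol1 = hapd.get_sta(addr, info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(addr)
    eapol2 = hapd.get_sta(addr, info="eapol")
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    # Same user, but the credential is supplied in its stored-hash form
    # (password_hex="hash:...") instead of the cleartext password.
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", r"DOMAIN\mschapv2 user",
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")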
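def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_suffix_match)"""
    # "w1.fi" is a proper suffix of the server name, so this needs real suffix
    # semantics; the helper skips TLS libraries where only a full match works.
    check_domain_match_full(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # Raw string keeps the literal backslash without an invalid-escape warning.
    eap_connect(dev[0], apdev[0], "TTLS", r"DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")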
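def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # domain_match requires the full server name; the mixed-case value
    # presumably checks that the comparison is case-insensitive - confirm.
    # Raw string keeps the literal backslash without an invalid-escape warning.
    eap_connect(dev[0], apdev[0], "TTLS", r"DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")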
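def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Near-miss password for the MSCHAPv2 user: must be rejected.
    # Raw string keeps the literal backslash without an invalid-escape warning.
    eap_connect(dev[0], apdev[0], "TTLS", r"DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)  # NOTE(review): reconstructed - line missing from this copy
    # Valid password, identity not expected to be usable with TTLS/MSCHAPv2.
    eap_connect(dev[1], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)  # NOTE(review): reconstructed - line missing from this copy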
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
    # Two stations, same inner method: one sends the non-ASCII password as
    # written, the other the pre-computed hash form (password_hex="hash:...").
    # The source file's utf-8 coding header is what makes the literal valid.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    hostapd.Hostapd(apdev[0]['ifname'])
    tunnel = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
                password="secret-åäö-€-password", **tunnel)
    eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf", **tunnel)
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    # GTC is an inner EAP method here ("autheap=" rather than "auth=").
    # It carries the password in the clear inside the tunnel, so the outer
    # TLS server validation (ca_cert) is the only thing protecting it.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    eap_connect(dev[0], apdev[0], "TTLS", "user", **inner)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
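def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
    # Negative test: the inner GTC exchange must fail and eap_connect() must
    # see that failure rather than a connection.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                expect_failure=True)  # NOTE(review): reconstructed - line missing from this copy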
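def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
    # The identity is one the server has no password for; supplying one from
    # the client side must not be enough to get through.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                expect_failure=True)  # NOTE(review): reconstructed - line missing from this copy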
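def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
    import time
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Allocation failure in the inner method's init: the exchange has to fail
    # cleanly (no server crash, client sees EAP failure).
    with alloc_fail(hapd, 1, "eap_gtc_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                    expect_failure=True)  # NOTE(review): reconstructed - line missing from this copy
    dev[0].request("REMOVE_NETWORK all")

    # Allocation failure while the server builds the inner GTC request.
    with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure. A GET_ALLOC_FAIL reply starting with '0'
        # presumably means the armed failure count has been consumed.
        # NOTE(review): polling loop reconstructed around the surviving
        # GET_ALLOC_FAIL check - confirm against upstream.
        for _ in range(20):
            time.sleep(0.1)
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                break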
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    # EAP-MD5 as the tunnelled inner method; it provides no key material of
    # its own, so the TTLS outer tunnel supplies the session keys.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], apdev[0], "TTLS", "user", **inner)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
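def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    # Negative test: the inner MD5 challenge must fail and eap_connect() must
    # see that failure rather than a connection.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)  # NOTE(review): reconstructed - line missing from this copy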
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    # Identity without a server-side password: the client-supplied password
    # must not get it through. expect_failure makes eap_connect() require
    # an EAP failure instead of a connection.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                expect_failure=True, **inner)
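def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
    import time
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Allocation failure in the inner method's init: the exchange has to fail
    # cleanly (no server crash, client sees EAP failure).
    with alloc_fail(hapd, 1, "eap_md5_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    # Allocation failure while the server builds the inner MD5 request.
    with alloc_fail(hapd, 1, "eap_md5_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure. A GET_ALLOC_FAIL reply starting with '0'
        # presumably means the armed failure count has been consumed.
        # NOTE(review): polling loop reconstructed around the surviving
        # GET_ALLOC_FAIL check - confirm against upstream.
        for _ in range(20):
            time.sleep(0.1)
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                break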
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    tunnel = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="autheap=MSCHAPV2")

    # Positive case: connect, pass traffic, reauthenticate.
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password",
                **tunnel)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")

    logger.info("Negative test with incorrect password")
    # Near-miss password must be rejected by the inner MSCHAPv2 exchange.
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password1",
                expect_failure=True, **tunnel)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    # Identity without a server-side password: the client-supplied password
    # must not get it through.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                expect_failure=True, **inner)
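def _ttls_eap_mschapv2_attempt_with_alloc_fail(dev, hapd, func, password):
    """Run one EAP-TTLS/EAP-MSCHAPv2 attempt while the server's *func* is armed
    to fail its allocation, then remove the network block again.

    The attempt is started without waiting for a connection; it is polled
    until hostapd reports the armed failure as consumed (GET_ALLOC_FAIL reply
    starting with '0'), after which alloc_fail's exit presumably verifies the
    failure was actually hit.
    """
    import time
    with alloc_fail(hapd, 1, func):
        dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                    eap="TTLS", identity="user",
                    anonymous_identity="ttls", password=password,
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                    wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        # NOTE(review): polling loop reconstructed around the surviving
        # GET_ALLOC_FAIL check - confirm against upstream.
        for _ in range(20):
            time.sleep(0.1)
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                break
    dev.request("REMOVE_NETWORK all")

def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Allocation failure in the inner method's init: the exchange has to fail
    # cleanly (no server crash, client sees EAP failure).
    with alloc_fail(hapd, 1, "eap_mschapv2_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    # Same attempt with the failure moved to each later server-side step of
    # the inner exchange; the last one uses a wrong password so the server
    # actually reaches the failure-request path.
    _ttls_eap_mschapv2_attempt_with_alloc_fail(
        dev[0], hapd, "eap_mschapv2_build_challenge", "password")
    _ttls_eap_mschapv2_attempt_with_alloc_fail(
        dev[0], hapd, "eap_mschapv2_build_success_req", "password")
    _ttls_eap_mschapv2_attempt_with_alloc_fail(
        dev[0], hapd, "eap_mschapv2_build_failure_req", "wrong")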
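def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    # Skip explicitly when the HLR/AuC gateway socket is absent (same check
    # the file's helper provides) instead of failing on an EAP timeout.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # The password carries the simulated USIM parameters (looks like
    # Ki:OPc:SQN - confirm against the test server's configuration).
    eap_connect(dev[0], apdev[0], "TTLS", "0232010000000000",
                anonymous_identity="0232010000000000@ttls",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")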
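def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    # Skip explicitly when the HLR/AuC gateway socket is absent (same check
    # the file's helper provides) instead of failing on an EAP timeout.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # The password carries the simulated USIM parameters (looks like
    # Ki:OPc:SQN - confirm against the test server's configuration).
    eap_connect(dev[0], apdev[0], "PEAP", "0232010000000000",
                anonymous_identity="0232010000000000@peap",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")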
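def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    check_eap_capa(dev[0], "FAST")
    # Skip explicitly when the HLR/AuC gateway socket is absent (same check
    # the file's helper provides) instead of failing on an EAP timeout.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # fast_provisioning=2 allows only authenticated PAC provisioning (the
    # server certificate is validated against ca_cert before a PAC is
    # accepted); the PAC is stored in a config blob rather than a file.
    # The password carries the simulated USIM parameters (looks like
    # Ki:OPc:SQN - confirm against the test server's configuration).
    eap_connect(dev[0], apdev[0], "FAST", "0232010000000000",
                anonymous_identity="0232010000000000@fast",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")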
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    tunnel = dict(anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")

    def reconnect(**extra):
        # Drop the current profile and authenticate again with a variation.
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "PEAP", "user", **dict(tunnel, **extra))

    # Baseline: connect, pass traffic, reauthenticate.
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                **tunnel)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")

    # Small EAP fragments to exercise TLS record reassembly.
    reconnect(password="password", fragment_size="200")

    logger.info("Password as hash value")
    # Credential supplied in its stored-hash form instead of cleartext.
    reconnect(password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c")

    logger.info("Negative test with incorrect password")
    # Near-miss password must be rejected by the inner MSCHAPv2 exchange.
    reconnect(password="password1", expect_failure=True)
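def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Raw string is required here: in a plain literal "\u" starts a Unicode
    # escape, which is a syntax error on Python 3 ("\user3" is truncated).
    eap_connect(dev[0], apdev[0], "PEAP", r"DOMAIN\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")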
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    # Negative test: the inner MSCHAPv2 exchange must fail and eap_connect()
    # must see that failure rather than a connection.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    inner = dict(anonymous_identity="peap", password="wrong",
                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "PEAP", "user", expect_failure=True,
                **inner)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    # PEAPv0 on three stations with crypto binding required (2), optional (1)
    # and disabled (0). Binding ties the inner MSCHAPv2 result to the outer
    # TLS tunnel; all three modes must still authenticate against this server.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)

    def connect(sta, binding):
        eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=%d" % binding,
                    phase2="auth=MSCHAPV2")

    connect(dev[0], 2)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")

    connect(dev[1], 1)
    connect(dev[2], 0)
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    # With crypto binding required, the server failing to derive the inner
    # method key (eap_mschapv2_getKey) must end in an authentication failure
    # that the client reports locally (local_error_report) - not a connection.
    ap = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    with alloc_fail(ap, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
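def test_ap_wpa2_eap_peap_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # PEAPv0 with the alternative key-derivation label (peaplabel=1) is
    # expected to fail against this server; presumably it derives keys with
    # the default label, so the two sides disagree on the session key.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="peapver=0 peaplabel=1",
                expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    # Both peap_outer_success modes must still authenticate.
    eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=1",
                phase2="auth=MSCHAPV2")
    eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=2",
                phase2="auth=MSCHAPV2")
    # PEAPv1 with peaplabel=1: EAP itself reports success, but no connection
    # may follow within a second (the key handshake is expected not to
    # complete). Checked without wait_connect so the absence can be observed.
    # NOTE(review): identity argument and the two 'ev' guards below were
    # missing from this copy of the file and have been restored - confirm.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user",
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peapver=1 peaplabel=1",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
    if ev is None:
        raise Exception("No EAP success seen")
    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
    if ev is not None:
        raise Exception("Unexpected connection")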
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    # EAP-TLS as the inner method: the tunnel uses ca_cert, while the inner
    # client authentication uses the separate phase-2 credentials
    # (ca_cert2 / client_cert2 / private_key2).
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    inner_tls = dict(ca_cert2="auth_serv/ca.pem",
                     client_cert2="auth_serv/user.pem",
                     private_key2="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS", **inner_tls)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    # Mutual certificate authentication: CA for the server, client
    # certificate plus private key for the station.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **creds)
    eap_reauth(dev[0], "TLS")
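def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    import binascii
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    def set_blob(name, path):
        # Blobs are pushed over the control interface hex-encoded.
        # binascii.hexlify() works on both Python 2 and 3, unlike the
        # str.encode("hex") it replaces (Python 2 only).
        data = binascii.hexlify(read_pem(path)).decode("ascii")
        if "OK" not in dev[0].request("SET blob %s %s" % (name, data)):
            raise Exception("Could not set %s blob" % name)

    set_blob("cacert", "auth_serv/ca.pem")
    set_blob("usercert", "auth_serv/user.pem")
    # The original reported a failure here as "cacert blob"; the message now
    # names the blob that actually failed.
    set_blob("userkey", "auth_serv/user.rsa-key")
    # All three credentials referenced through blob:// rather than files.
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")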
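def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # 1) PKCS#12 container with the passphrase given in the configuration.
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # 2) No passphrase configured: wpa_supplicant has to request it over the
    #    control interface and continue once it is supplied.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
    if ev is None:  # NOTE(review): guard reconstructed - line missing from this copy
        raise Exception("Request for private key passphrase timed out")
    # The request is of the form "CTRL-REQ-PASSPHRASE-<id>:..."; the id is
    # echoed back in the response. (Renamed from 'id', which shadowed the
    # builtin.)
    req_id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-PASSPHRASE-" + req_id + ":whatever")
    dev[0].wait_connected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # 3) A second container (user2.pkcs12) with the passphrase configured.
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user2.pkcs12",
                private_key_passwd="whatever")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()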
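def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    import binascii
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Blobs are pushed over the control interface hex-encoded.
    # binascii.hexlify() works on both Python 2 and 3, unlike the
    # str.encode("hex") it replaces (Python 2 only).
    cert = binascii.hexlify(read_pem("auth_serv/ca.pem")).decode("ascii")
    if "OK" not in dev[0].request("SET blob cacert " + cert):
        raise Exception("Could not set cacert blob")
    # The PKCS#12 container is binary, so it is read as bytes and hex-encoded
    # directly rather than going through read_pem().
    with open("auth_serv/user.pkcs12", "rb") as f:
        p12 = binascii.hexlify(f.read()).decode("ascii")
    if "OK" not in dev[0].request("SET blob pkcs12 " + p12):
        raise Exception("Could not set pkcs12 blob")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")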
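def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root"""
    import binascii
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Both stations trust a CA that did not issue the server certificate -
    # dev[0] via a configuration blob, dev[1] via a file path. Neither may
    # get past TLS server validation, let alone send the inner credentials.
    # hexlify() replaces the Python 2-only str.encode("hex").
    cert = binascii.hexlify(read_pem("auth_serv/ca-incorrect.pem")).decode("ascii")
    if "OK" not in dev[0].request("SET blob cacert " + cert):
        raise Exception("Could not set cacert blob")
    # Raw strings keep the literal backslash without an invalid-escape warning.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity=r"DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="blob://cacert",
                   wait_connect=False, scan_freq="2412")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity=r"DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca-incorrect.pem",
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the 'if ev is None' guards were missing from this copy of
    # the file and have been restored from the paired timeout messages.
    # Loop variable renamed: the original rebound the 'dev' fixture itself.
    for sta in (dev[0], dev[1]):
        ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")

        ev = sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        if ev is None:
            raise Exception("EAP method selection timed out")
        if "TTLS" not in ev:
            raise Exception("Unexpected EAP method")

        # Required sequence: TLS certificate error first (before any success
        # or connection event), then EAP failure, then disconnection, and
        # finally the network block is temporarily disabled.
        ev = sta.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                             "CTRL-EVENT-EAP-SUCCESS",
                             "CTRL-EVENT-EAP-FAILURE",
                             "CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result timed out")
        if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
            raise Exception("TLS certificate error not reported")

        ev = sta.wait_event(["CTRL-EVENT-EAP-SUCCESS",
                             "CTRL-EVENT-EAP-FAILURE",
                             "CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result(2) timed out")
        if "CTRL-EVENT-EAP-FAILURE" not in ev:
            raise Exception("EAP failure not reported")

        ev = sta.wait_event(["CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result(3) timed out")
        if "CTRL-EVENT-DISCONNECTED" not in ev:
            raise Exception("Disconnection not reported")

        ev = sta.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
        if ev is None:
            raise Exception("Network block disabling not reported")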
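def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # First profile trusts the correct CA and connects; the second is the
    # same credential set with an incorrect trust root, only added for now.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password", phase2="auth=PAP",
                   ca_cert="auth_serv/ca.pem",
                   wait_connect=True, scan_freq="2412")
    # Renamed from 'id' (shadowed the builtin).
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            ca_cert="auth_serv/ca-incorrect.pem",
                            only_add_network=True, scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(net_id, freq="2412")

    # Switching to the profile with the other trust root must start a fresh
    # EAP-TTLS negotiation (EAP type 21) - i.e. the earlier successful TLS
    # state may not be reused - and that negotiation must then fail, ending
    # in a disconnection with reason 23 (IEEE 802.1X authentication failed).
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:  # NOTE(review): guard reconstructed - line missing from this copy
        raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")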
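def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Variant of diff_ca_trust: the first profile has NO ca_cert at all, so
    # the initial connection is made without validating the server
    # certificate (an insecure client configuration, used here on purpose to
    # get an authenticated session). The second profile then introduces an
    # incorrect trust root.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password", phase2="auth=PAP",
                   wait_connect=True, scan_freq="2412")
    # Renamed from 'id' (shadowed the builtin).
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            ca_cert="auth_serv/ca-incorrect.pem",
                            only_add_network=True, scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(net_id, freq="2412")

    # A fresh EAP-TTLS negotiation (EAP type 21) must start and then fail,
    # ending in a disconnection with reason 23 (IEEE 802.1X auth failed).
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:  # NOTE(review): guard reconstructed - line missing from this copy
        raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")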
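def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Variant of diff_ca_trust using a single profile: connect with the
    # correct CA, then change ca_cert on that same profile to an incorrect
    # trust root before reselecting it.
    # Renamed from 'id' (shadowed the builtin).
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            ca_cert="auth_serv/ca.pem",
                            wait_connect=True, scan_freq="2412")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].set_network_quoted(net_id, "ca_cert", "auth_serv/ca-incorrect.pem")
    dev[0].select_network(net_id, freq="2412")

    # Changing the trust root must invalidate the earlier TLS state: a fresh
    # EAP-TTLS negotiation (EAP type 21) must start and then fail, ending in
    # a disconnection with reason 23 (IEEE 802.1X authentication failed).
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:  # NOTE(review): guard reconstructed - line missing from this copy
        raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")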
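def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # The CA is correct; only the configured domain suffix does not match the
    # server certificate. The pin alone must be enough to abort TLS before
    # the inner credentials are sent.
    # Raw string keeps the literal backslash without an invalid-escape warning.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity=r"DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_suffix_match="incorrect.example.com",
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the 'if ev is None' guards were missing from this copy of
    # the file and have been restored from the paired timeout messages.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # Required sequence: certificate error naming the suffix mismatch, then
    # EAP failure, then disconnection, then the network block is temporarily
    # disabled. A success or connection event at any point is a failure.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")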
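def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # The CA is correct and "w1.fi" would pass as a *suffix*, but domain_match
    # requires the full server name, so this must be rejected. The pin alone
    # must be enough to abort TLS before the inner credentials are sent.
    # Raw string keeps the literal backslash without an invalid-escape warning.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity=r"DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_match="w1.fi",
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the 'if ev is None' guards were missing from this copy of
    # the file and have been restored from the paired timeout messages.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # Required sequence: certificate error naming the domain mismatch, then
    # EAP failure, then disconnection, then the network block is temporarily
    # disabled. A success or connection event at any point is a failure.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")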
def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch

    Configures EAP-TTLS with a subject_match value whose CN (example.com)
    does not belong to the test server certificate and expects the
    supplicant to reject the server: a CTRL-EVENT-EAP-TLS-CERT-ERROR
    carrying "Subject mismatch", then EAP failure, disconnection and the
    network block being temporarily disabled.

    NOTE(review): this listing has dropped the conditional guard lines
    that precede each timeout ``raise`` below (gutter 1587, 1592, 1608,
    1619, 1626, 1632) and one line after the logger.info() call (gutter
    1599); the raises read as unconditional here only because of that.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   subject_match="/C=FI/O=w1.fi/CN=example.com",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    # NOTE(review): guard line missing from the listing (gutter 1587).
    raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    # NOTE(review): guard line missing from the listing (gutter 1592).
    raise Exception("EAP method selection timed out")
    # A build whose TLS library cannot evaluate subject_match refuses to
    # start the method at all; that is only an error when OpenSSL (which
    # does support it) is in use.
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        # NOTE(review): one line missing from the listing here (gutter 1599).

    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # NOTE(review): guard line missing from the listing (gutter 1608).
    raise Exception("EAP result timed out")
    # The first result must be the certificate error, not a success or a
    # plain failure, and it must name the subject check as the reason.
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # NOTE(review): guard line missing from the listing (gutter 1619).
    raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # NOTE(review): guard line missing from the listing (gutter 1626).
    raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    # A rejected server must also take the network block out of use so
    # the supplicant does not keep retrying against it.
    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    # NOTE(review): guard line missing from the listing (gutter 1632).
    raise Exception("Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
    """WPA2-Enterprise negative test - altsubject mismatch

    Brings the AP up once and runs the per-value helper for each
    altsubject_match value in ``tests``; each value is one the server
    certificate's subjectAltName must not satisfy.

    NOTE(review): this listing has dropped the tail of the ``tests``
    literal and the loop header that binds ``match`` (gutter 1642-1644),
    so only the first two values are visible here.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Both a bare host name and the explicit DNS: form are exercised.
    tests = [ "incorrect.example.com",
              "DNS:incorrect.example.com",
    # NOTE(review): remaining entries, closing bracket and loop header
    # missing from the listing (gutter 1642-1644).
    _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    """Run one altsubject_match rejection case against the already-started AP.

    Args:
        dev: station list; only dev[0] is used.
        apdev: AP device list (passed through, the AP itself is not touched).
        match: the altsubject_match value to configure.

    Expects CTRL-EVENT-EAP-TLS-CERT-ERROR with "AltSubject mismatch",
    EAP failure, disconnection and temporary disabling of the network
    block, then removes the network so the caller can run the next value.

    NOTE(review): this listing has dropped the conditional guard lines
    that precede each timeout ``raise`` below (gutter 1656, 1661, 1677,
    1688, 1695, 1701) and one line after the logger.info() call (gutter
    1668); the raises read as unconditional here only because of that.
    """
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   altsubject_match=match,
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    # NOTE(review): guard line missing from the listing (gutter 1656).
    raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    # NOTE(review): guard line missing from the listing (gutter 1661).
    raise Exception("EAP method selection timed out")
    # A TLS library without altsubject_match support refuses to start the
    # method; only OpenSSL is required to support it.
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        # NOTE(review): one line missing from the listing here (gutter 1668).

    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # NOTE(review): guard line missing from the listing (gutter 1677).
    raise Exception("EAP result timed out")
    # The certificate error must come first and must name the
    # subjectAltName check as the reason.
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # NOTE(review): guard line missing from the listing (gutter 1688).
    raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # NOTE(review): guard line missing from the listing (gutter 1695).
    raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    # NOTE(review): guard line missing from the listing (gutter 1701).
    raise Exception("Network block disabling not reported")

    # Clean up so the caller can configure the next altsubject_match value.
    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS

    Starts an AP with the default WPA2-EAP parameters, connects dev[0]
    with the UNAUTH-TLS method (the server certificate is validated
    against auth_serv/ca.pem; the call configures no client credential)
    and then runs eap_reauth() with the same method.
    """
    ap_ifname = apdev[0]['ifname']
    hostapd.add_ap(ap_ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    sta = dev[0]
    eap_connect(sta, apdev[0], "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(sta, "UNAUTH-TLS")
def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash

    Three phases, all against the same AP:
      1. ca_cert="probe://" - learn the server certificate hash from the
         CTRL-EVENT-EAP-PEER-CERT depth=0 event and expect the probe to
         abort with a "Server certificate chain probe" certificate error.
      2. ca_cert="hash://server/sha256/<other>" - a pinned hash that does
         not match the server must produce "Server certificate mismatch".
      3. ca_cert="hash://server/sha256/<srv_cert_hash>" - pinning the hash
         seen in phase 1 must allow the connection.

    NOTE(review): this listing has dropped the conditional guard lines
    that precede the timeout raises below (gutter 1724, 1727, 1732, 1745,
    1748); the raises read as unconditional here only because of that.
    """
    check_cert_probe_support(dev[0])
    # SHA-256 hash of the test server certificate; phase 1 verifies the
    # supplicant reports exactly this value for the depth=0 certificate.
    srv_cert_hash = "1477c9cd88391609444b83eca45c4f9f324e3051c5c31fc233ac6aede30ce7cd"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Phase 1: certificate probe.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="probe", ca_cert="probe://",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    # NOTE(review): guard line missing from the listing (gutter 1724).
    raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
    # NOTE(review): guard line missing from the listing (gutter 1727).
    raise Exception("No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    # NOTE(review): guard line missing from the listing (gutter 1732).
    raise Exception("EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Phase 2: a pinned hash that is not the server's must be rejected.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    # NOTE(review): guard line missing from the listing (gutter 1745).
    raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    # NOTE(review): guard line missing from the listing (gutter 1748).
    raise Exception("EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Phase 3: pinning the probed hash lets the connection succeed.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)

    Three malformed hash:// pins are configured on three stations and
    each is expected to make the TTLS method fail to initialize rather
    than be silently accepted:
      dev[0]: unsupported digest name (md5 instead of sha256)
      dev[1]: sha256 value two hex digits short of 64
      dev[2]: sha256 value containing a non-hex character ('Q')

    NOTE(review): this listing has dropped the conditional guard lines
    that precede the two raises in the loop (gutter 1781, 1784); the
    raises read as unconditional here only because of that.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
                   wait_connect=False, scan_freq="2412")
    dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
                   wait_connect=False, scan_freq="2412")
    for i in range(0, 3):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        # NOTE(review): guard line missing from the listing (gutter 1781).
        raise Exception("Association and EAP start timed out")
        # Method 21 is EAP-TTLS; the init failure is what rejects the
        # unusable ca_cert value before any TLS exchange starts.
        ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
        # NOTE(review): guard line missing from the listing (gutter 1784).
        raise Exception("Did not report EAP method initialization failure")
def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd

    Covers: a plain EAP-pwd connection plus reauthentication on dev[0],
    a very long NAI identity on dev[1], a wrong-password negative case
    on dev[2], and the long identity again on dev[0].

    NOTE(review): this listing has dropped the continuation lines of the
    two long-identity eap_connect() calls (gutter 1799-1800, 1808-1809),
    so their trailing keyword arguments are not visible here.
    """
    check_eap_capa(dev[0], "PWD")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
    eap_reauth(dev[0], "PWD")
    dev[0].request("REMOVE_NETWORK all")

    # Long identity: the NAI realm pushes the Identity exchange well past
    # a short single-frame payload.
    eap_connect(dev[1], apdev[0], "PWD",
                "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
                password="secret password",
    # NOTE(review): rest of this call missing from the listing (gutter 1799-1800).

    logger.info("Negative test with incorrect password")
    # "secret-password" differs from the provisioned "secret password";
    # local_error_report=True expects the peer itself to report the failure.
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
                expect_failure=True, local_error_report=True)

    eap_connect(dev[0], apdev[0], "PWD",
                "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
                password="secret password",
    # NOTE(review): rest of this call missing from the listing (gutter 1808-1809).
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash

    Three stations against one AP:
      dev[0]: identity "pwd-hash" with the plaintext password
      dev[1]: the same identity, but the credential supplied as an NT hash
              via password_hex="hash:..."
      dev[2]: that NT hash used for identity "pwd user", which must fail
              (expect_failure=True, local_error_report=True)
    """
    check_eap_capa(dev[0], "PWD")
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    nt_hash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    eap_connect(dev[0], ap, "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], ap, "PWD", "pwd-hash", password_hex=nt_hash)
    # The hash belongs to "pwd-hash"; presenting it for "pwd user" must
    # be rejected by the server.
    eap_connect(dev[2], ap, "PWD", "pwd user", password_hex=nt_hash,
                expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups

    Re-creates the AP once per pwd_group value in (19, 20, 21, 25, 26)
    and connects dev[0] with EAP-pwd each time. The station's network
    block is removed before every reconnect so each run starts fresh.
    """
    check_eap_capa(dev[0], "PWD")
    ap_ifname = apdev[0]['ifname']
    base_params = {
        "ssid": "test-wpa2-eap",
        "wpa": "2",
        "wpa_key_mgmt": "WPA-EAP",
        "rsn_pairwise": "CCMP",
        "ieee8021x": "1",
        "eap_server": "1",
        "eap_user_file": "auth_serv/eap_user.conf",
    }
    for group in (19, 20, 21, 25, 26):
        # hostapd takes the group as a string configuration value.
        base_params['pwd_group'] = str(group)
        hostapd.add_ap(ap_ifname, base_params)
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "PWD", "pwd user",
                    password="secret password")
def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group

    pwd_group=0 is not a usable group; the station is expected to see
    CTRL-EVENT-EAP-FAILURE instead of completing the method.

    NOTE(review): this listing has dropped the conditional guard line
    that precedes the final ``raise`` (gutter 1846).
    """
    check_eap_capa(dev[0], "PWD")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    params['pwd_group'] = "0"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                   identity="pwd user", password="secret password",
                   scan_freq="2412", wait_connect=False)
    # No explicit timeout here: the wait_event default applies.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): guard line missing from the listing (gutter 1846).
    raise Exception("Timeout on EAP failure report")
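def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation

    The AP is configured with a deliberately small fragment_size (40) so
    the server side has to fragment its EAP-pwd messages; dev[0] must
    still complete the connection.

    The original first built a default parameter set with
    hostapd.wpa2_eap_params() and immediately overwrote it; that dead
    assignment is removed and the explicit dictionary used directly.
    """
    check_eap_capa(dev[0], "PWD")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               # group 19 with a 40-byte fragment limit forces fragmentation
               # of the server's EAP-pwd frames
               "pwd_group": "19", "fragment_size": "40" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")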
def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK

    Connects with EAP-GPSK, reauthenticates, then forces each supported
    cipher suite via phase1 (cipher=1, cipher=2), checks that an
    unsupported cipher (cipher=9) fails the negotiation and finally
    checks that a wrong password is rejected.

    NOTE(review): this listing has dropped the conditional guard lines
    that precede the two timeout raises (gutter 1872, 1879) and one line
    after the last wait_event (gutter 1881).
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # ``id`` shadows the builtin; it holds the network id returned by
    # eap_connect() and is used for the set_network_quoted() calls below.
    id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                     password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(dev[0], "GPSK")

    logger.info("Test forced algorithm selection")
    for phase1 in [ "cipher=1", "cipher=2" ]:
        # Changing phase1 on the live network triggers a new EAP exchange.
        dev[0].set_network_quoted(id, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        # NOTE(review): guard line missing from the listing (gutter 1872).
        raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(id, "phase1", "cipher=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    # NOTE(review): guard line missing from the listing (gutter 1879).
    raise Exception("EAP failure timed out")
    # NOTE(review): one line missing from the listing here (gutter 1881).

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # First byte of the password differs ("ff" instead of "ab").
    eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE

    Connects dev[0] with EAP-SAKE using a 32-byte hex key, runs
    eap_reauth(), then removes the network and verifies that a key whose
    first byte differs ("ff" instead of "01") is rejected.
    """
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    good_key = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    bad_key = "ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

    eap_connect(dev[0], ap, "SAKE", "sake user", password_hex=good_key)
    eap_reauth(dev[0], "SAKE")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "SAKE", "sake user", password_hex=bad_key,
                expect_failure=True)
def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE

    Connects with EAP-EKE, reauthenticates, forces several
    dhgroup/encr/prf/mac combinations through phase1 and expects each to
    succeed, checks that an all-unknown combination (9/9/9/9) fails, and
    finally checks that a wrong password ("hello1") is rejected.

    NOTE(review): this listing has dropped the conditional guard lines
    that precede the two timeout raises (gutter 1916, 1923).
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # ``id`` shadows the builtin; it is the network id used by the
    # set_network_quoted() calls below.
    id = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
    eap_reauth(dev[0], "EKE")

    logger.info("Test forced algorithm selection")
    for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
                    "dhgroup=4 encr=1 prf=2 mac=2",
                    "dhgroup=3 encr=1 prf=2 mac=2",
                    "dhgroup=3 encr=1 prf=1 mac=1" ]:
        # Updating phase1 on the live network restarts the EAP exchange.
        dev[0].set_network_quoted(id, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        # NOTE(review): guard line missing from the listing (gutter 1916).
        raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    # NOTE(review): guard line missing from the listing (gutter 1923).
    raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
                expect_failure=True)
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI

    Uses the internal EAP server parameters with server_id set to an
    NAI-form identity and checks that dev[0] can still complete EAP-EKE.
    """
    ap = apdev[0]
    server_params = int_eap_server_params()
    # NAI form (user@realm) rather than a bare host name.
    server_params['server_id'] = 'example.server@w1.fi'
    hostapd.add_ap(ap['ifname'], server_params)
    eap_connect(dev[0], ap, "EKE", "eke user", password="hello")
def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with server OOM

    Injects allocation failures into the hostapd EAP-EKE server at named
    functions (via alloc_fail) and checks that each one makes the
    authentication fail cleanly. The last loop walks eap_server_sm_step
    allocation counts upward until the failure no longer triggers.

    NOTE(review): this listing has dropped several lines inside the
    second and third loops (gutter 1974-1975, 1977, 1979, 1981,
    1989-1990, 1992, 1996, 1999-2001); the control flow around the
    GET_ALLOC_FAIL checks and the try/except is therefore only partially
    visible here.
    """
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)

    # Failures in the server's message build/process steps: the peer is
    # expected to see an EAP failure rather than a hang or a success.
    for count,func in [ (1, "eap_eke_build_commit"),
                        (2, "eap_eke_build_commit"),
                        (3, "eap_eke_build_commit"),
                        (1, "eap_eke_build_confirm"),
                        (2, "eap_eke_build_confirm"),
                        (1, "eap_eke_process_commit"),
                        (2, "eap_eke_process_commit"),
                        (1, "eap_eke_process_confirm"),
                        (1, "eap_eke_process_identity"),
                        (2, "eap_eke_process_identity"),
                        (3, "eap_eke_process_identity"),
                        (4, "eap_eke_process_identity") ]:
        with alloc_fail(hapd, count, func):
            eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello",
                        expect_failure=True)
            dev[0].request("REMOVE_NETWORK all")

    # Failures earlier in the method lifecycle; "wrong" is used for the
    # build_failure case so that the failure message path is reached.
    for count,func,pw in [ (1, "eap_eke_init", "hello"),
                           (1, "eap_eke_get_session_id", "hello"),
                           (1, "eap_eke_getKey", "hello"),
                           (1, "eap_eke_build_msg", "hello"),
                           (1, "eap_eke_build_failure", "wrong"),
                           (1, "eap_eke_build_identity", "hello"),
                           (2, "eap_eke_build_identity", "hello") ]:
        with alloc_fail(hapd, count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="EKE", identity="eke user", password=pw,
                           wait_connect=False, scan_freq="2412")
            # This would eventually time out, but we can stop after having
            # reached the allocation failure.
            # NOTE(review): lines missing from the listing (gutter 1974-1975).
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                # NOTE(review): body line missing from the listing (gutter 1977).
            dev[0].request("REMOVE_NETWORK all")

    for count in range(1, 1000):
        # NOTE(review): line missing from the listing (gutter 1981);
        # the ``except`` below implies a try block opened here.
        with alloc_fail(hapd, count, "eap_server_sm_step"):
            dev[0].connect("test-wpa2-eap",
                           key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="EKE", identity="eke user", password=pw,
                           wait_connect=False, scan_freq="2412")
            # This would eventually time out, but we can stop after having
            # reached the allocation failure.
            # NOTE(review): lines missing from the listing (gutter 1989-1990).
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                # NOTE(review): body line missing from the listing (gutter 1992).
            dev[0].request("REMOVE_NETWORK all")
        # Python 2 except syntax.
        except Exception, e:
            # alloc_fail raises this once the count is past the last
            # allocation in the function; anything else propagates.
            if str(e) == "Allocation failure did not trigger":
                # NOTE(review): body line missing from the listing (gutter 1996).
            raise Exception("Too few allocation failures")
    logger.info("%d allocation failures tested" % (count - 1))
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2

    Connects dev[0] with EAP-IKEv2, reauthenticates, reconnects with a
    small peer-side fragment_size ("50"), and finally checks that a wrong
    password ("ike-password") is rejected.
    """
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    eap_connect(sta, ap, "IKEV2", "ikev2 user", password="ike password")
    eap_reauth(sta, "IKEV2")

    # Same credentials, but force the peer to fragment its messages.
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "IKEV2", "ikev2 user", password="ike password",
                fragment_size="50")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "IKEV2", "ikev2 user", password="ike-password",
                expect_failure=True)
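def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation

    The AP is configured with fragment_size 50 so the server side has to
    fragment its EAP-IKEv2 messages; dev[0] must still connect and
    reauthenticate.

    The original first built a default parameter set with
    hostapd.wpa2_eap_params() and immediately overwrote it; that dead
    assignment is removed and the explicit dictionary used directly.
    """
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               # small limit forces fragmentation of the server's frames
               "fragment_size": "50" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")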
def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 and OOM

    Injects allocation failures (alloc_fail) and a forced failure
    (fail_test) into the peer's Diffie-Hellman code while EAP-IKEv2 is
    being negotiated and checks that the method is still selected and
    the injected failure point is actually reached.

    NOTE(review): this listing has dropped one ``tests`` entry (gutter
    2036), the conditional guard lines before both raises (gutter 2044,
    2059) and the lines around the GET_ALLOC_FAIL / GET_FAIL checks
    (gutter 2046, 2048-2049, 2061, 2063-2064).
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    tests = [ (1, "dh_init"),
    # NOTE(review): one entry missing from the listing (gutter 2036).
              (1, "dh_derive_shared") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
                           identity="ikev2 user", password="ike password",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # NOTE(review): guard line missing from the listing (gutter 2044).
            raise Exception("EAP method not selected")
            # NOTE(review): line missing from the listing (gutter 2046).
            # A leading "0:" in GET_ALLOC_FAIL means the pending failure
            # count has been consumed, i.e. the injected point was hit.
            if "0:" in dev[0].request("GET_ALLOC_FAIL"):
                # NOTE(review): lines missing from the listing (gutter 2048-2049).
            dev[0].request("REMOVE_NETWORK all")

    # Same check using the generic failure hook instead of allocation
    # failure: the random-number fetch inside dh_init.
    tests = [ (1, "os_get_random;dh_init") ]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
                           identity="ikev2 user", password="ike password",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # NOTE(review): guard line missing from the listing (gutter 2059).
            raise Exception("EAP method not selected")
            # NOTE(review): line missing from the listing (gutter 2061).
            if "0:" in dev[0].request("GET_FAIL"):
                # NOTE(review): lines missing from the listing (gutter 2063-2064).
            dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX

    Connects dev[0] with EAP-PAX using a 16-byte hex key, runs
    eap_reauth(), then removes the network and verifies that a key whose
    first byte differs ("ff" instead of "01") is rejected.
    """
    ap = apdev[0]
    sta = dev[0]
    identity = "pax.user@example.com"
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    eap_connect(sta, ap, "PAX", identity,
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(sta, "PAX")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PAX", identity,
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK

    The AP is restricted to the WPA-EAP-SHA256 AKM with management frame
    protection required (ieee80211w=2). dev[0] connects with EAP-PSK and
    sha256=True, reauthenticates, and the MIB is checked for the SHA-256
    AKM suite selector 00-0f-ac-5 on both the requested and selected
    side. The BSS table entry must advertise [WPA2-EAP-SHA256-CCMP].
    Finally a key with a wrong first byte is rejected.
    """
    ap = apdev[0]
    sta = dev[0]
    identity = "psk.user@example.com"

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params.update({"wpa_key_mgmt": "WPA-EAP-SHA256", "ieee80211w": "2"})
    hostapd.add_ap(ap['ifname'], ap_params)

    eap_connect(sta, ap, "PSK", identity,
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(sta, "PSK", sha256=True)
    # 00-0f-ac-5 is the AKM suite selector for 802.1X with SHA-256.
    check_mib(sta, [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
                     ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5") ])

    bss = sta.get_bss(ap['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    flags = bss['flags']
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PSK", identity,
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
def test_ap_wpa2_eap_psk_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK and OOM

    Injects allocation failures into the peer's AES-EAX / OMAC1 code
    paths used by EAP-PSK and checks that the method is still selected
    and the injected point is reached; a final case fails the AES block
    encrypt and expects a reported EAP failure.

    NOTE(review): this listing has dropped the conditional guard lines
    before both raises (gutter 2127, 2141) and the lines around the
    GET_ALLOC_FAIL check (gutter 2129, 2131-2132).
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # "a;b" targets a call to a reached through b; "=b" targets b itself.
    tests = [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
              (1, "omac1_aes_128;aes_128_eax_encrypt"),
              (2, "omac1_aes_128;aes_128_eax_encrypt"),
              (3, "omac1_aes_128;aes_128_eax_encrypt"),
              (1, "=aes_128_eax_encrypt"),
              (1, "omac1_aes_vector"),
              (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt"),
              (1, "omac1_aes_128;aes_128_eax_decrypt"),
              (2, "omac1_aes_128;aes_128_eax_decrypt"),
              (3, "omac1_aes_128;aes_128_eax_decrypt"),
              (1, "=aes_128_eax_decrypt") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                           identity="psk.user@example.com",
                           password_hex="0123456789abcdef0123456789abcdef",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # NOTE(review): guard line missing from the listing (gutter 2127).
            raise Exception("EAP method not selected")
            # NOTE(review): line missing from the listing (gutter 2129).
            # A leading "0:" in GET_ALLOC_FAIL means the injected
            # allocation failure has been consumed.
            if "0:" in dev[0].request("GET_ALLOC_FAIL"):
                # NOTE(review): lines missing from the listing (gutter 2131-2132).
            dev[0].request("REMOVE_NETWORK all")

    # Failing the underlying block cipher must surface as an EAP failure.
    with alloc_fail(dev[0], 1, "aes_128_encrypt_block"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                       identity="psk.user@example.com",
                       password_hex="0123456789abcdef0123456789abcdef",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        # NOTE(review): guard line missing from the listing (gutter 2141).
        raise Exception("EAP method failure not reported")
        dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2

    WPA (not WPA2) variant: the AP uses hostapd.wpa_eap_params() and the
    checks pass rsn=False. After the PEAP/MSCHAPv2 connection the MIB
    must show the WPA AKM selector 00-50-f2-1 and STATUS-VERBOSE must
    report portControl=Auto and an eap_session_id starting with "19"
    (0x19 is the PEAP method type byte).

    NOTE(review): this listing has dropped the last continuation line of
    the dev[0].connect() call (gutter 2152).
    """
    params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem", wait_connect=False,
    # NOTE(review): rest of this call missing from the listing (gutter 2152).
    eap_check_auth(dev[0], "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP", rsn=False)
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
                        ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
    status = dev[0].get_status(extra="VERBOSE")
    if 'portControl' not in status:
        raise Exception("portControl missing from STATUS-VERBOSE")
    if status['portControl'] != 'Auto':
        raise Exception("Unexpected portControl value: " + status['portControl'])
    if 'eap_session_id' not in status:
        raise Exception("eap_session_id missing from STATUS-VERBOSE")
    if not status['eap_session_id'].startswith("19"):
        raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry

    Each ``tests`` entry is (description, eap, anonymous_identity,
    identity, phase2, identity to answer CTRL-REQ-IDENTITY with, password
    to answer CTRL-REQ-PASSWORD/OTP with). The network is started without
    the credential, the control-interface request is answered through
    CTRL-RSP-<type>-<id>, and the station must then connect.

    NOTE(review): this listing has dropped one ``tests`` continuation
    line (gutter 2176) and several loop-body lines (gutter 2189, 2194,
    2196, 2201), including the conditional guards before both raises.
    ``hapd`` is assigned but not used in the visible code.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])

    tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
               "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
    # NOTE(review): continuation line missing from the listing (gutter 2176).
              ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
               "TTLS", "ttls", None, "auth=MSCHAPV2",
               "DOMAIN\mschapv2 user", "password"),
              ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
               "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
              ("Connection with dynamic TTLS/EAP-MD5 password entry",
               "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
              ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
               "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
              ("Connection with dynamic PEAP/EAP-GTC password entry",
               "PEAP", None, "user", "auth=GTC", None, "password") ]
    for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
        # NOTE(review): line missing from the listing (gutter 2189).
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")
        # NOTE(review): line missing from the listing (gutter 2194).
        ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
        # NOTE(review): guard line missing from the listing (gutter 2196).
        raise Exception("Request for identity timed out")
        # The request id is the trailing token of "CTRL-REQ-IDENTITY-<id>:".
        # ``id`` and ``type`` below shadow builtins.
        id = ev.split(':')[0].split('-')[-1]
        dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
        # NOTE(review): guard line missing from the listing (gutter 2201).
        raise Exception("Request for password timed out")
        id = ev.split(':')[0].split('-')[-1]
        # GTC prompts arrive as an OTP request; answer with the matching type.
        type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
        dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
        dev[0].wait_connected(timeout=10)
        dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_vendor_test(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test

    Connects dev[0] with the VENDOR-TEST method, reauthenticates, then
    runs a second VENDOR-TEST connection on dev[1].

    NOTE(review): this listing has dropped the continuation of the
    dev[1] eap_connect() call (gutter 2216), so its remaining arguments
    are not visible here.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
    eap_reauth(dev[0], "VENDOR-TEST")
    eap_connect(dev[1], apdev[0], "VENDOR-TEST", "vendor-test",
    # NOTE(review): rest of this call missing from the listing (gutter 2216).
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning

    phase1="fast_provisioning=1" lets the peer obtain a PAC through
    unauthenticated (anonymous DH) provisioning and store it in the
    "fast_pac" blob. After the first connection and a connectivity check,
    a reauthentication must report tls_session_reused=1, i.e. the PAC
    was actually used as the session ticket.
    """
    check_eap_capa(dev[0], "FAST")
    ap = apdev[0]
    sta = dev[0]
    hapd = hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    eap_connect(sta, ap, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(sta, hapd)

    reauth = eap_reauth(sta, "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file

    Provisions a PAC into a file under the test log directory, checks the
    file carries the text-format header and a PAC-Key entry, then reuses
    it for a second connection; the same is repeated on dev[1] with the
    binary PAC format into a second file, which is removed at the end.
    The PAC-Key written to these files is a credential, so the log
    directory is the only place it should land.

    NOTE(review): this listing has dropped many lines of this function
    (gutter 2239-2240, 2246, 2255-2256, 2261, 2267-2273, 2275-2277),
    including the read of the PAC file into ``data`` and the trailing
    arguments of several eap_connect() calls. ``params`` (the test
    fixture with 'logdir') is rebound to the hostapd parameters on the
    fourth line, which is easy to misread.
    """
    check_eap_capa(dev[0], "FAST")
    pac_file = os.path.join(params['logdir'], "fast.pac")
    pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # NOTE(review): lines missing from the listing (gutter 2239-2240).
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file=pac_file)
    with open(pac_file, "r") as f:
        # NOTE(review): the body of this with-block, which must assign
        # ``data``, is missing from the listing (gutter 2246).
    if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
        raise Exception("PAC file header missing")
    if "PAC-Key=" not in data:
        raise Exception("PAC-Key missing from PAC file")
    dev[0].request("REMOVE_NETWORK all")
    # Reuse the provisioned PAC (no fast_provisioning in this call).
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
    # NOTE(review): rest of this call missing from the listing (gutter 2255-2256).

    # Binary PAC format on dev[1].
    eap_connect(dev[1], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1 fast_pac_format=binary",
    # NOTE(review): rest of this call missing from the listing (gutter 2261).
    dev[1].request("REMOVE_NETWORK all")
    eap_connect(dev[1], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_pac_format=binary",
    # NOTE(review): lines missing from the listing (gutter 2267-2273).
    os.remove(pac_file2)
    # NOTE(review): lines missing from the listing (gutter 2275-2277).
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format

    Provisions a PAC (fast_provisioning=1) into the "fast_pac_bin" blob
    using the binary PAC format with a PAC list limited to one entry,
    then checks that a reauthentication reports tls_session_reused=1.
    """
    check_eap_capa(dev[0], "FAST")
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    fast_phase1 = "fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary"
    eap_connect(sta, ap, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1=fast_phase1,
                pac_file="blob://fast_pac_bin")

    reauth = eap_reauth(sta, "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config

    Two attempts that must both end in CTRL-EVENT-EAP-FAILURE: first with
    a pac_file blob that holds no PAC and no provisioning enabled, then
    with no pac_file at all.

    NOTE(review): this listing has dropped the conditional guard lines
    before both raises (gutter 2305, 2315) and two further lines
    (gutter 2297, 2308).
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # NOTE(review): line missing from the listing (gutter 2297).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   pac_file="blob://fast_pac_not_in_use",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): guard line missing from the listing (gutter 2305).
    raise Exception("Timeout on EAP failure report")
    dev[0].request("REMOVE_NETWORK all")

    # NOTE(review): line missing from the listing (gutter 2308).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): guard line missing from the listing (gutter 2315).
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning

    phase1="fast_provisioning=2" selects authenticated provisioning (the
    server certificate is checked against auth_serv/ca.pem) with GTC as
    the inner method; the PAC goes into the "fast_pac_auth" blob. After
    a connectivity check, a reauthentication must report
    tls_session_reused=1.
    """
    check_eap_capa(dev[0], "FAST")
    ap = apdev[0]
    sta = dev[0]
    hapd = hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    eap_connect(sta, ap, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
    hwsim_utils.test_connectivity(sta, hapd)

    reauth = eap_reauth(sta, "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2332 def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
2333 """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing

After a successful authenticated-provisioning connection the network
profile's identity is changed to "user2". The expected sequence is a
disconnect, a fresh EAP-FAST method start, and then an EAP failure: the
PAC in blob://fast_pac_auth was provisioned for "user" and must not let a
different identity authenticate.
"""
2334 check_eap_capa(dev[0], "FAST")
2335 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2336 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2337 id = eap_connect(dev[0], apdev[0], "FAST", "user",
2338 anonymous_identity="FAST", password="password",
2339 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
2340 phase1="fast_provisioning=2",
2341 pac_file="blob://fast_pac_auth")
# Changing the identity on the live profile triggers a reconnect.
2342 dev[0].set_network_quoted(id, "identity", "user2")
2343 dev[0].wait_disconnected()
2344 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
# NOTE(review): source line 2345 (presumably the "if ev is None:" guard)
# is missing from this listing.
2346 raise Exception("EAP-FAST not started")
2347 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
# NOTE(review): source line 2348 (presumably the same None guard) is
# missing from this listing.
2349 raise Exception("EAP failure not reported")
2350 dev[0].wait_disconnected()
2352 def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
2353 """WPA2-Enterprise connection using EAP-FAST and OOM in PRF

Fault injection: the second allocation inside openssl_tls_prf on the
supplicant is forced to fail. The EAP-FAST key derivation then cannot
complete and the attempt must be reported as CTRL-EVENT-EAP-FAILURE
rather than silently producing a connection with undefined key material.
"""
2354 check_eap_capa(dev[0], "FAST")
2355 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2356 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2357 with alloc_fail(dev[0], 2, "openssl_tls_prf"):
2358 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2359 identity="user", anonymous_identity="FAST",
2360 password="password", ca_cert="auth_serv/ca.pem",
# NOTE(review): source line 2361 (presumably the phase2 argument of this
# connect() call) is missing from this listing.
2362 phase1="fast_provisioning=2",
2363 pac_file="blob://fast_pac_auth",
2364 wait_connect=False, scan_freq="2412")
2365 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
# NOTE(review): source line 2366 (presumably the "if ev is None:" guard)
# is missing from this listing.
2367 raise Exception("EAP failure not reported")
2368 dev[0].request("DISCONNECT")
2370 def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
2371 """EAP-FAST/MSCHAPv2 and server OOM

Fault injection on the authenticator side: the first allocation in
hostapd's tls_session_ticket_ext_cb is forced to fail while the supplicant
performs anonymous provisioning (fast_provisioning=1). The handshake must
fail cleanly (expect_failure=True plus an explicit EAP-FAILURE event).
Once the alloc_fail context has ended, selecting the same network again
checks that the server recovered from the injected failure.
"""
2372 check_eap_capa(dev[0], "FAST")
# NOTE(review): source line 2373 is missing from this listing (presumably
# blank).
2374 params = int_eap_server_params()
2375 params['dh_file'] = 'auth_serv/dh.conf'
# Fixed, test-only PAC-Opaque encryption key and A-ID; a real deployment
# needs a unique, randomly generated pac_opaque_encr_key.
2376 params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
2377 params['eap_fast_a_id'] = '1011'
2378 params['eap_fast_a_id_info'] = 'another test server'
2379 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# NOTE(review): source line 2380 is missing from this listing (presumably
# blank).
2381 with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
2382 id = eap_connect(dev[0], apdev[0], "FAST", "user",
2383 anonymous_identity="FAST", password="password",
2384 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2385 phase1="fast_provisioning=1",
2386 pac_file="blob://fast_pac",
2387 expect_failure=True)
2388 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
# NOTE(review): source line 2389 (presumably the "if ev is None:" guard)
# is missing from this listing.
2390 raise Exception("No EAP failure reported")
2391 dev[0].wait_disconnected()
2392 dev[0].request("DISCONNECT")
# NOTE(review): source lines 2393 and 2395 are missing from this listing;
# the retry below is outside the alloc_fail block, so the allocation is
# no longer forced to fail.
2394 dev[0].select_network(id, freq="2412")
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP

    Positive case: ocsp=2 makes the supplicant require a valid stapled OCSP
    response for the server certificate, and the default AP configuration
    is expected to satisfy that, so eap_connect() must succeed.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever",
                ocsp=2)
# Baseline hostapd configuration for the tests that need hostapd's
# internal EAP server (eap_server=1) instead of an external RADIUS
# server: WPA2/CCMP with WPA-EAP key management, a user database in
# auth_serv/eap_user.conf and the test CA / server credentials from
# auth_serv/. Callers copy-modify the returned dict (server_cert,
# private_key, dh_file, ocsp_stapling_response, ...).
2404 def int_eap_server_params():
2405 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2406 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2407 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
2408 "ca_cert": "auth_serv/ca.pem",
2409 "server_cert": "auth_serv/server.pem",
2410 "private_key": "auth_serv/server.key" }
# NOTE(review): source line 2411 is missing from this listing; callers
# assign the result of this function, so it is presumably "return params".
2413 def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
2414 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data

The AP is told to staple auth_serv/ocsp-req.der, i.e. an OCSP request
rather than a response, so the stapled data cannot parse as a valid
status. With ocsp=2 (stapled response required) the supplicant must report
'bad certificate status response' in an EAP status event and then fail
the authentication instead of connecting.
"""
2415 params = int_eap_server_params()
2416 params["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
2417 hostapd.add_ap(apdev[0]['ifname'], params)
2418 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2419 identity="tls user", ca_cert="auth_serv/ca.pem",
2420 private_key="auth_serv/user.pkcs12",
2421 private_key_passwd="whatever", ocsp=2,
2422 wait_connect=False, scan_freq="2412")
# NOTE(review): source lines 2423-2424, 2426 and 2429-2431 are missing
# from this listing. From the two raise messages, the omitted code is
# presumably a bounded loop over EAP-STATUS events (a None guard, a break
# on the expected status text and a counter capped to limit the number of
# status messages) — confirm against the source file.
2425 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2427 raise Exception("Timeout on EAP status")
2428 if 'bad certificate status response' in ev:
2432 raise Exception("Unexpected number of EAP status messages")
# NOTE(review): source lines 2433 and 2435 are missing from this listing.
2434 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2436 raise Exception("Timeout on EAP failure report")
2438 def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
2439 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response

Same shape as test_ap_wpa2_eap_tls_ocsp_invalid_data, but the stapled
file is a corrupted cached OCSP response
(ocsp-server-cache.der-invalid). With ocsp=2 the supplicant must flag
'bad certificate status response' and fail the authentication.
"""
2440 params = int_eap_server_params()
2441 params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
2442 hostapd.add_ap(apdev[0]['ifname'], params)
2443 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2444 identity="tls user", ca_cert="auth_serv/ca.pem",
2445 private_key="auth_serv/user.pkcs12",
2446 private_key_passwd="whatever", ocsp=2,
2447 wait_connect=False, scan_freq="2412")
# NOTE(review): source lines 2448-2449, 2451 and 2454-2456 are missing
# from this listing; presumably the bounded EAP-STATUS polling loop seen
# in the sibling OCSP tests — confirm against the source file.
2450 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2452 raise Exception("Timeout on EAP status")
2453 if 'bad certificate status response' in ev:
2457 raise Exception("Unexpected number of EAP status messages")
# NOTE(review): source lines 2458 and 2460 are missing from this listing.
2459 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2461 raise Exception("Timeout on EAP failure report")
2463 def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
2464 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked

The AP staples a pre-generated OCSP response from the test logdir whose
status for the server certificate is "revoked". With ocsp=2 the supplicant
must reject the server certificate: the EAP status events are expected to
carry both 'bad certificate status response' and 'certificate revoked',
followed by an EAP failure.

The test is skipped when the pre-generated response file is absent.
"""
2465 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
2466 if not os.path.exists(ocsp):
2467 raise HwsimSkip("No OCSP response available")
# The parameter named 'params' (the test harness dict) is rebound here
# to the hostapd config dict; only params['logdir'] is read before that.
2468 params = int_eap_server_params()
2469 params["ocsp_stapling_response"] = ocsp
2470 hostapd.add_ap(apdev[0]['ifname'], params)
2471 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2472 identity="pap user", ca_cert="auth_serv/ca.pem",
2473 anonymous_identity="ttls", password="password",
2474 phase2="auth=PAP", ocsp=2,
2475 wait_connect=False, scan_freq="2412")
# NOTE(review): source lines 2476-2477, 2479, 2482 and 2484-2486 are
# missing from this listing; presumably a bounded EAP-STATUS polling loop
# that records which of the two status strings were seen — confirm
# against the source file.
2478 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2480 raise Exception("Timeout on EAP status")
2481 if 'bad certificate status response' in ev:
2483 if 'certificate revoked' in ev:
2487 raise Exception("Unexpected number of EAP status messages")
# NOTE(review): source lines 2488 and 2490 are missing from this listing.
2489 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2491 raise Exception("Timeout on EAP failure report")
2493 def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
2494 """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown

The AP staples a pre-generated OCSP response whose status for the server
certificate is "unknown" (not "good"). Because the supplicant is
configured with ocsp=2, a stapled response with a good status is
mandatory, so 'bad certificate status response' must be reported and the
authentication must fail. (The original one-line docstring said
"revoked"; the stapled file is the -unknown variant.)

Skipped when the pre-generated response file is absent.
"""
2495 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
2496 if not os.path.exists(ocsp):
2497 raise HwsimSkip("No OCSP response available")
# 'params' is rebound from the harness dict to the hostapd config dict.
2498 params = int_eap_server_params()
2499 params["ocsp_stapling_response"] = ocsp
2500 hostapd.add_ap(apdev[0]['ifname'], params)
2501 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2502 identity="pap user", ca_cert="auth_serv/ca.pem",
2503 anonymous_identity="ttls", password="password",
2504 phase2="auth=PAP", ocsp=2,
2505 wait_connect=False, scan_freq="2412")
# NOTE(review): source lines 2506-2507, 2509 and 2512-2514 are missing
# from this listing; presumably the bounded EAP-STATUS polling loop used
# by the sibling OCSP tests — confirm against the source file.
2508 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2510 raise Exception("Timeout on EAP status")
2511 if 'bad certificate status response' in ev:
2515 raise Exception("Unexpected number of EAP status messages")
# NOTE(review): source lines 2516 and 2518 are missing from this listing.
2517 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2519 raise Exception("Timeout on EAP failure report")
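def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown

    Counterpart of test_ap_wpa2_eap_ttls_ocsp_unknown with ocsp=1 instead
    of ocsp=2: the supplicant only requests a stapled OCSP response and does
    not require a good status, so a stapled "unknown" status must not block
    the connection. Unlike the ocsp=2 tests this connect() is not called
    with wait_connect=False, so the call itself is expected to complete the
    connection.

    Skipped when the pre-generated ocsp-server-cache-unknown.der is absent
    from the test logdir.

    Args:
        dev: list of wpa_supplicant test devices; dev[0] is used.
        apdev: list of AP device descriptors; apdev[0] hosts the AP.
        params: test-harness dict; only params['logdir'] is read before the
            name is rebound to the hostapd configuration dict.
    """
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")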
2534 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
2535 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)

The server certificate (server-no-dnsname.pem) carries no dNSName SAN, so
the supplicant's domain_suffix_match has to be evaluated against the
subject CN. The configured value is the full name "server3.w1.fi", which
every supported TLS backend accepts (a partial suffix is covered
separately in test_ap_wpa2_eap_tls_domain_suffix_match_cn).
"""
2536 params = int_eap_server_params()
2537 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2538 params["private_key"] = "auth_serv/server-no-dnsname.key"
2539 hostapd.add_ap(apdev[0]['ifname'], params)
2540 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2541 identity="tls user", ca_cert="auth_serv/ca.pem",
2542 private_key="auth_serv/user.pkcs12",
2543 private_key_passwd="whatever",
2544 domain_suffix_match="server3.w1.fi",
# NOTE(review): source lines 2545-2546 are missing from this listing;
# they presumably close the connect() call (scan_freq argument).
2547 def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
2548 """WPA2-Enterprise using EAP-TLS and domain match (CN)

domain_match requires the full name to match (no suffix semantics). The
server certificate has no dNSName SAN, so the comparison falls back to the
subject CN, and "server3.w1.fi" is expected to match it.
"""
2549 params = int_eap_server_params()
2550 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2551 params["private_key"] = "auth_serv/server-no-dnsname.key"
2552 hostapd.add_ap(apdev[0]['ifname'], params)
2553 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2554 identity="tls user", ca_cert="auth_serv/ca.pem",
2555 private_key="auth_serv/user.pkcs12",
2556 private_key_passwd="whatever",
2557 domain_match="server3.w1.fi",
# NOTE(review): source lines 2558-2559 are missing from this listing;
# they presumably close the connect() call (scan_freq argument).
2560 def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
2561 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)

Partial suffix "w1.fi" against a certificate whose only name is the
subject CN "server3.w1.fi". check_domain_match_full() skips the test on
TLS backends that only support a full match for domain_suffix_match.
"""
2562 check_domain_match_full(dev[0])
2563 params = int_eap_server_params()
2564 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2565 params["private_key"] = "auth_serv/server-no-dnsname.key"
2566 hostapd.add_ap(apdev[0]['ifname'], params)
# Note: this test deliberately uses dev[1] rather than dev[0].
2567 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2568 identity="tls user", ca_cert="auth_serv/ca.pem",
2569 private_key="auth_serv/user.pkcs12",
2570 private_key_passwd="whatever",
2571 domain_suffix_match="w1.fi",
# NOTE(review): source lines 2572-2573 are missing from this listing;
# they presumably close the connect() call (scan_freq argument).
2574 def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
2575 """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)

Two rejection cases against a server whose certificate CN is
"server3.w1.fi" and which has no dNSName SAN:
  - dev[0]: "example.com" is an unrelated domain.
  - dev[1]: "erver3.w1.fi" is a plain string suffix of the CN but not a
    label-aligned domain suffix; a correct implementation must only match
    whole DNS labels, so this must also be rejected.
Both devices must end in CTRL-EVENT-EAP-FAILURE.
"""
2576 params = int_eap_server_params()
2577 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2578 params["private_key"] = "auth_serv/server-no-dnsname.key"
2579 hostapd.add_ap(apdev[0]['ifname'], params)
2580 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2581 identity="tls user", ca_cert="auth_serv/ca.pem",
2582 private_key="auth_serv/user.pkcs12",
2583 private_key_passwd="whatever",
2584 domain_suffix_match="example.com",
# NOTE(review): source lines 2585-2586 are missing from this listing;
# presumably the closing arguments of this connect() call.
2587 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2588 identity="tls user", ca_cert="auth_serv/ca.pem",
2589 private_key="auth_serv/user.pkcs12",
2590 private_key_passwd="whatever",
2591 domain_suffix_match="erver3.w1.fi",
# NOTE(review): source lines 2592-2593 are missing from this listing;
# presumably the closing arguments of this connect() call.
2594 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
# NOTE(review): source line 2595 (presumably the "if ev is None:" guard)
# is missing from this listing.
2596 raise Exception("Timeout on EAP failure report")
2597 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
# NOTE(review): source line 2598 (presumably the same guard) is missing.
2599 raise Exception("Timeout on EAP failure report (2)")
2601 def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
2602 """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)

Rejection cases for domain_match (full-match semantics) against a CN of
"server3.w1.fi":
  - dev[0]: "example.com" is unrelated.
  - dev[1]: "w1.fi" would satisfy domain_suffix_match but is not a full
    match, so domain_match must reject it.
Both devices must end in CTRL-EVENT-EAP-FAILURE.
"""
2603 params = int_eap_server_params()
2604 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2605 params["private_key"] = "auth_serv/server-no-dnsname.key"
2606 hostapd.add_ap(apdev[0]['ifname'], params)
2607 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2608 identity="tls user", ca_cert="auth_serv/ca.pem",
2609 private_key="auth_serv/user.pkcs12",
2610 private_key_passwd="whatever",
2611 domain_match="example.com",
# NOTE(review): source lines 2612-2613 are missing from this listing;
# presumably the closing arguments of this connect() call.
2614 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2615 identity="tls user", ca_cert="auth_serv/ca.pem",
2616 private_key="auth_serv/user.pkcs12",
2617 private_key_passwd="whatever",
2618 domain_match="w1.fi",
# NOTE(review): source lines 2619-2620 are missing from this listing;
# presumably the closing arguments of this connect() call.
2621 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
# NOTE(review): source line 2622 (presumably the "if ev is None:" guard)
# is missing from this listing.
2623 raise Exception("Timeout on EAP failure report")
2624 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
# NOTE(review): source line 2625 (presumably the same guard) is missing.
2626 raise Exception("Timeout on EAP failure report (2)")
2628 def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
2629 """WPA2-Enterprise using EAP-TTLS and expired certificate

The AP presents an expired server certificate. The supplicant must emit
CTRL-EVENT-EAP-TLS-CERT-ERROR carrying reason=4 together with the
"certificate has expired" text, and then an EAP failure; it must not
connect.
"""
2630 params = int_eap_server_params()
2631 params["server_cert"] = "auth_serv/server-expired.pem"
2632 params["private_key"] = "auth_serv/server-expired.key"
2633 hostapd.add_ap(apdev[0]['ifname'], params)
2634 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2635 identity="mschap user", password="password",
2636 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
# NOTE(review): source lines 2637-2638 are missing from this listing;
# presumably the closing arguments of this connect() call (wait_connect,
# scan_freq).
2639 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
# NOTE(review): source line 2640 (presumably the "if ev is None:" guard)
# is missing from this listing.
2641 raise Exception("Timeout on EAP certificate error report")
# Both the numeric reason and the human-readable text are checked so
# that a different certificate error is not mistaken for expiry.
2642 if "reason=4" not in ev or "certificate has expired" not in ev:
2643 raise Exception("Unexpected failure reason: " + ev)
2644 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
# NOTE(review): source line 2645 (presumably the same guard) is missing.
2646 raise Exception("Timeout on EAP failure report")
2648 def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
2649 """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration

Same expired server certificate as test_ap_wpa2_eap_ttls_expired_cert,
but the supplicant is configured with phase1="tls_disable_time_checks=1",
which disables validity-period checking, so the connection is expected to
succeed. This option weakens certificate validation and is exercised here
only to verify the opt-out works; it is not a recommended configuration.
"""
2650 params = int_eap_server_params()
2651 params["server_cert"] = "auth_serv/server-expired.pem"
2652 params["private_key"] = "auth_serv/server-expired.key"
2653 hostapd.add_ap(apdev[0]['ifname'], params)
2654 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2655 identity="mschap user", password="password",
2656 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2657 phase1="tls_disable_time_checks=1",
# NOTE(review): source lines 2658-2659 are missing from this listing;
# presumably the closing arguments of this connect() call.
2660 def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
2661 """WPA2-Enterprise using EAP-TTLS and long certificate duration

Positive case: a server certificate with an unusually long validity
period (server-long-duration.pem) must still be accepted by the
supplicant's time checks.
"""
2662 params = int_eap_server_params()
2663 params["server_cert"] = "auth_serv/server-long-duration.pem"
2664 params["private_key"] = "auth_serv/server-long-duration.key"
2665 hostapd.add_ap(apdev[0]['ifname'], params)
2666 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2667 identity="mschap user", password="password",
2668 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
# NOTE(review): source lines 2669-2670 are missing from this listing;
# presumably the closing arguments of this connect() call.
2671 def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
2672 """WPA2-Enterprise using EAP-TTLS and server cert with client EKU

The server presents a certificate whose Extended Key Usage only allows
client authentication (server-eku-client.pem). A certificate not
authorised for server authentication must be rejected, so the expected
outcome is CTRL-EVENT-EAP-FAILURE. A cert with both EKUs is accepted in
test_ap_wpa2_eap_ttls_server_cert_eku_client_server.
"""
2673 params = int_eap_server_params()
2674 params["server_cert"] = "auth_serv/server-eku-client.pem"
2675 params["private_key"] = "auth_serv/server-eku-client.key"
2676 hostapd.add_ap(apdev[0]['ifname'], params)
2677 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2678 identity="mschap user", password="password",
2679 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
# NOTE(review): source lines 2680-2681 are missing from this listing;
# presumably the closing arguments of this connect() call (wait_connect,
# scan_freq).
2682 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
# NOTE(review): source line 2683 (presumably the "if ev is None:" guard)
# is missing from this listing.
2684 raise Exception("Timeout on EAP failure report")
2686 def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
2687 """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU

Positive counterpart of test_ap_wpa2_eap_ttls_server_cert_eku_client: a
certificate whose EKU includes server authentication (in addition to
client authentication) is valid for the TLS server role and the
connection is expected to succeed.
"""
2688 params = int_eap_server_params()
2689 params["server_cert"] = "auth_serv/server-eku-client-server.pem"
2690 params["private_key"] = "auth_serv/server-eku-client-server.key"
2691 hostapd.add_ap(apdev[0]['ifname'], params)
2692 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2693 identity="mschap user", password="password",
2694 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
# NOTE(review): source lines 2695-2696 are missing from this listing;
# presumably the closing arguments of this connect() call.
2697 def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
2698 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file

hostapd loads its certificate and key from a single PKCS#12 bundle
instead of separate PEM files: server_cert is removed from the config and
private_key points at the .pkcs12 file. The connection is expected to
succeed.
"""
2699 params = int_eap_server_params()
2700 del params["server_cert"]
2701 params["private_key"] = "auth_serv/server.pkcs12"
2702 hostapd.add_ap(apdev[0]['ifname'], params)
2703 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2704 identity="mschap user", password="password",
2705 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
# NOTE(review): source lines 2706-2707 are missing from this listing;
# presumably the closing arguments of this connect() call.
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params

    The supplicant is given an explicit DH parameter file
    (auth_serv/dh.conf) via dh_file; the TTLS/CHAP connection is expected
    to succeed with it.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.der",
                phase2="auth=CHAP",
                dh_file="auth_serv/dh.conf")
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)

    Same as test_ap_wpa2_eap_ttls_dh_params but the supplicant's dh_file
    is a DSA parameter file (auth_serv/dsaparam.pem); the connection is
    expected to succeed.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.der",
                phase2="auth=CHAP",
                dh_file="auth_serv/dsaparam.pem")
# NOTE(review): a second function with this exact name is defined later
# in this file (source line 2786, the hostapd-side variant). The later
# def rebinds the module attribute, so this supplicant-side test is
# shadowed and is never discovered or run by name. One of the two needs
# a distinct name for this case to be exercised.
2726 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
2727 """EAP-TTLS and DH params file not found

The supplicant's dh_file points at a non-existent file. The TLS setup must
fail rather than silently proceed without the configured parameters, so an
EAP failure is expected.
"""
2728 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2729 hostapd.add_ap(apdev[0]['ifname'], params)
2730 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2731 identity="mschap user", password="password",
2732 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2733 dh_file="auth_serv/dh-no-such-file.conf",
2734 scan_freq="2412", wait_connect=False)
2735 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
# NOTE(review): source line 2736 (presumably the "if ev is None:" guard)
# is missing from this listing.
2737 raise Exception("EAP failure timed out")
2738 dev[0].request("REMOVE_NETWORK all")
2739 dev[0].wait_disconnected()
# NOTE(review): a second function with this exact name is defined later
# in this file (source line 2794, the hostapd-side variant). The later
# def rebinds the module attribute, so this supplicant-side test is
# shadowed and is never discovered or run by name. One of the two needs
# a distinct name for this case to be exercised.
2741 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
2742 """EAP-TTLS and invalid DH params file

The supplicant's dh_file points at a file that exists but does not hold
DH parameters (the CA certificate). Loading it must fail and the attempt
must end in an EAP failure.
"""
2743 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2744 hostapd.add_ap(apdev[0]['ifname'], params)
2745 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2746 identity="mschap user", password="password",
2747 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2748 dh_file="auth_serv/ca.pem",
2749 scan_freq="2412", wait_connect=False)
2750 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
# NOTE(review): source line 2751 (presumably the "if ev is None:" guard)
# is missing from this listing.
2752 raise Exception("EAP failure timed out")
2753 dev[0].request("REMOVE_NETWORK all")
2754 dev[0].wait_disconnected()
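def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob

    The DH parameters are read from auth_serv/dh2.conf, pushed into
    wpa_supplicant as a named blob (``SET blob dhparams <hex>``) and then
    referenced as dh_file="blob://dhparams", so no file on disk is consulted
    for the parameters. The connection is expected to succeed.

    Raises:
        Exception: if the control interface does not acknowledge the blob.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dh = read_pem("auth_serv/dh2.conf")
    # binascii.hexlify() accepts both a Python 2 str and a Python 3 bytes
    # object; the previous str.encode("hex") codec exists only on Python 2.
    dh_hex = binascii.hexlify(dh).decode("ascii")
    if "OK" not in dev[0].request("SET blob dhparams " + dh_hex):
        raise Exception("Could not set dhparams blob")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                dh_file="blob://dhparams")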
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams

    hostapd's internal EAP server is configured with a non-default DH
    parameter file (auth_serv/dh2.conf); a plain TTLS/CHAP connection must
    still succeed.
    """
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/dh2.conf"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.der",
                phase2="auth=CHAP")
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)

    Like test_ap_wpa2_eap_ttls_dh_params_server, but hostapd's dh_file is
    a DSA parameter file (auth_serv/dsaparam.pem); the TTLS/CHAP connection
    is expected to succeed.
    """
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/dsaparam.pem"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.der",
                phase2="auth=CHAP")
# NOTE(review): this name is already defined earlier in the file (source
# line 2726, the supplicant-side variant). Being the later definition,
# this one wins and the earlier test is shadowed and never run by name;
# one of the two should be renamed.
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TLS server and dhparams file not found

    hostapd is configured with a dh_file that does not exist. The AP is
    added without enabling it, and the explicit ENABLE must be refused
    ("FAIL") rather than starting an EAP server without the configured
    parameters.
    """
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/dh-no-such-file.conf"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params, no_enable=True)
    enable_res = hapd.request("ENABLE")
    if "FAIL" not in enable_res:
        raise Exception("Invalid configuration accepted")
# NOTE(review): this name is already defined earlier in the file (source
# line 2741, the supplicant-side variant). Being the later definition,
# this one wins and the earlier test is shadowed and never run by name;
# one of the two should be renamed.
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TLS server and invalid dhparams file

    hostapd's dh_file points at a file that exists but holds a certificate,
    not DH parameters. The AP is added without enabling it, and ENABLE is
    expected to be refused ("FAIL").
    """
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/ca.pem"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params, no_enable=True)
    enable_res = hapd.request("ENABLE")
    if "FAIL" not in enable_res:
        raise Exception("Invalid configuration accepted")
2802 def test_ap_wpa2_eap_reauth(dev, apdev):
2803 """WPA2-Enterprise and Authenticator forcing reauthentication

The AP is configured with eap_reauth_period=2 so that it forces a fresh
EAP exchange shortly after the initial EAP-PAX connection. The supplicant
must see EAP-STARTED followed by EAP-SUCCESS, and wpa_state must return to
COMPLETED within the polling window below.
"""
2804 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
# Very short re-authentication period (seconds) to keep the test fast.
2805 params['eap_reauth_period'] = '2'
2806 hostapd.add_ap(apdev[0]['ifname'], params)
2807 eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
2808 password_hex="0123456789abcdef0123456789abcdef")
2809 logger.info("Wait for reauthentication")
2810 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
# NOTE(review): source line 2811 (presumably the "if ev is None:" guard)
# is missing from this listing.
2812 raise Exception("Timeout on reauthentication")
2813 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
# NOTE(review): source line 2814 (presumably the same guard) is missing.
2815 raise Exception("Timeout on reauthentication")
# Poll wpa_state until the 4-way handshake after re-auth has completed.
2816 for i in range(0, 20):
2817 state = dev[0].get_status_field("wpa_state")
2818 if state == "COMPLETED":
# NOTE(review): source lines 2819-2820 are missing from this listing;
# presumably the loop's break and a short sleep between polls.
2821 if state != "COMPLETED":
2822 raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity

    hostapd's eap_message option puts a displayable string (and, after the
    NUL separator, a set of key=value hints such as NAIRealms) into the EAP
    Request-Identity packet. The supplicant must tolerate it and complete
    an EAP-PAX connection normally.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication

    hostapd's internal EAP server is pointed at the hlr_auc_gw socket and
    configured with eap_sim_aka_result_ind=1. For each of EAP-SIM, EAP-AKA
    and EAP-AKA', dev[0] connects with phase1="result_ind=1" (protected
    result indication enabled on both sides) and re-authenticates, while
    dev[1] connects without the option to check that the server still
    interoperates with a peer that does not request it.

    Skipped when no hlr_auc_gw socket is available. The password strings
    are the Ki:OPc(:SQN) triplets of the test subscribers.
    """
    check_hlr_auc_gw_support()
    ap_params = int_eap_server_params()
    ap_params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    ap_params['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # (method, identity, password) for each round; dev[0] gets result_ind=1.
    rounds = [
        ("SIM", "1232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("AKA", "0232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    for idx, (method, identity, password) in enumerate(rounds):
        if idx > 0:
            # Clear the previous round's profiles before the next method.
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], method, identity,
                    password=password,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], apdev[0], method, identity,
                    password=password)
2867 def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
2868 """WPA2-Enterprise connection resulting in too many EAP roundtrips

The supplicant must give up and log "EAP: more than ..." when the number
of EAP round trips exceeds its limit instead of looping indefinitely. The
connect() here is set up so that the TTLS exchange needs far more round
trips than normal.
"""
2869 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2870 hostapd.add_ap(apdev[0]['ifname'], params)
2871 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
2872 eap="TTLS", identity="mschap user",
2873 wait_connect=False, scan_freq="2412", ieee80211w="1",
2874 anonymous_identity="ttls", password="password",
2875 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
# NOTE(review): source line 2876 is missing from this listing; it
# presumably holds the argument that inflates the round-trip count and
# closes the connect() call — confirm against the source file.
2877 ev = dev[0].wait_event(["EAP: more than"], timeout=20)
# NOTE(review): source line 2878 (presumably the "if ev is None:" guard)
# is missing from this listing.
2879 raise Exception("EAP roundtrip limit not reached")
2881 def test_ap_wpa2_eap_expanded_nak(dev, apdev):
2882 """WPA2-Enterprise connection with EAP resulting in expanded NAK

The supplicant only offers EAP-PSK while the "vendor-test" identity is set
up so that the server proposes a method the peer does not accept. The
peer must answer with an expanded NAK ("refuse proposed method" in an EAP
status event) within a bounded number of status events, and the exchange
must end in an EAP failure rather than a connection.
"""
2883 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2884 hostapd.add_ap(apdev[0]['ifname'], params)
2885 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
2886 eap="PSK", identity="vendor-test",
2887 password_hex="ff23456789abcdef0123456789abcdef",
# NOTE(review): source lines 2888-2890 are missing from this listing;
# presumably the closing arguments of this connect() call and a flag
# initialised before the loop.
# Bounded poll: at most five EAP-STATUS events may precede the NAK.
2891 for i in range(0, 5):
2892 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
# NOTE(review): source line 2893 (presumably the "if ev is None:" guard)
# is missing from this listing.
2894 raise Exception("Association and EAP start timed out")
2895 if "refuse proposed method" in ev:
# NOTE(review): source lines 2896-2898 are missing from this listing;
# presumably recording that the NAK was seen and breaking out of the
# loop, plus the condition that leads to the raise below.
2899 raise Exception("Unexpected EAP status: " + ev)
# NOTE(review): source lines 2900 and 2902 are missing from this listing.
2901 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2903 raise Exception("EAP failure timed out")
2905 def test_ap_wpa2_eap_sql(dev, apdev, params):
2906 """WPA2-Enterprise connection using SQLite for user DB

Builds a throwaway SQLite user database in the test logdir with one
TTLS-* inner-method user per phase-2 type plus a wildcard row, points
hostapd's eap_user_file at it ("sqlite:" prefix) and verifies that each
of the four users can authenticate with its matching phase2 method. The
authlog table is created so that hostapd can record authentications.

Skipped when the sqlite3 module is not importable.
"""
# NOTE(review): source lines 2907-2910 are only partly in this listing;
# they presumably import sqlite3 inside a try/except that raises the
# HwsimSkip below on ImportError.
2910 raise HwsimSkip("No sqlite3 module available")
2911 dbfile = os.path.join(params['logdir'], "eap-user.db")
# NOTE(review): source lines 2912-2915 are missing from this listing;
# presumably removal of a stale database file from a previous run.
2916 con = sqlite3.connect(dbfile)
# NOTE(review): source lines 2917-2918 are missing from this listing;
# presumably "with con:" and the cursor creation used by the cur.execute
# calls below — confirm against the source file.
2919 cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
2920 cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
# Test-only credentials: every user shares the password "password".
2921 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
2922 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
2923 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
2924 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
# Empty-identity wildcard: any outer identity may start TTLS or TLS.
2925 cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
2926 cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
# NOTE(review): source lines 2927-2928 are missing from this listing.
# 'params' is rebound from the harness dict to the hostapd config dict.
2929 params = int_eap_server_params()
2930 params["eap_user_file"] = "sqlite:" + dbfile
2931 hostapd.add_ap(apdev[0]['ifname'], params)
2932 eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
2933 anonymous_identity="ttls", password="password",
2934 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
2935 dev[0].request("REMOVE_NETWORK all")
2936 eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
2937 anonymous_identity="ttls", password="password",
2938 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
2939 dev[1].request("REMOVE_NETWORK all")
2940 eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
2941 anonymous_identity="ttls", password="password",
2942 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
2943 eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
2944 anonymous_identity="ttls", password="password",
2945 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
# NOTE(review): source lines 2946-2948 are missing from this listing.
2949 def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
2950 """WPA2-Enterprise connection attempt using non-ASCII identity

Robustness check against hostapd's internal EAP server: identities
containing a raw 0x80 byte (alone and after an ASCII character) must not
crash or stall either side. Only the start of EAP and the method
selection are asserted; the authentication itself is not expected to
succeed, since no such users exist.
"""
2951 params = int_eap_server_params()
2952 hostapd.add_ap(apdev[0]['ifname'], params)
2953 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2954 identity="\x80", password="password", wait_connect=False)
2955 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2956 identity="a\x80", password="password", wait_connect=False)
2957 for i in range(0, 2):
2958 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
# NOTE(review): source line 2959 (presumably the "if ev is None:" guard)
# is missing from this listing.
2960 raise Exception("Association and EAP start timed out")
2961 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
# NOTE(review): source line 2962 (presumably the same guard) is missing.
2963 raise Exception("EAP method selection timed out")
2965 def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
2966 """WPA2-Enterprise connection attempt using non-ASCII identity

Same as test_ap_wpa2_eap_non_ascii_identity but against the default
wpa2_eap_params() AP (external RADIUS-style configuration) rather than
hostapd's internal EAP server, so the non-ASCII identity bytes travel
the other authentication path.
"""
2967 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2968 hostapd.add_ap(apdev[0]['ifname'], params)
2969 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2970 identity="\x80", password="password", wait_connect=False)
2971 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2972 identity="a\x80", password="password", wait_connect=False)
2973 for i in range(0, 2):
2974 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
# NOTE(review): source line 2975 (presumably the "if ev is None:" guard)
# is missing from this listing.
2976 raise Exception("Association and EAP start timed out")
2977 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
# NOTE(review): source line 2978 (presumably the same guard) is missing.
2979 raise Exception("EAP method selection timed out")
2981 def test_openssl_cipher_suite_config_wpas(dev, apdev):
2982 """OpenSSL cipher suite configuration on wpa_supplicant

Three supplicant-side openssl_ciphers settings against the same AP:
  - dev[0] "AES128": a usable cipher list, connection must succeed.
  - dev[1] "EXPORT": export-grade suites only; the server must not
    negotiate any of them, so eap_connect() is told to expect failure.
  - dev[2] "FOO": not a valid OpenSSL cipher string at all; the TLS
    context cannot be set up and an EAP failure must be reported.
Skipped when the supplicant's TLS backend is not OpenSSL.
"""
2983 tls = dev[0].request("GET tls_library")
2984 if not tls.startswith("OpenSSL"):
2985 raise HwsimSkip("TLS library is not OpenSSL: " + tls)
2986 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2987 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2988 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
2989 anonymous_identity="ttls", password="password",
2990 openssl_ciphers="AES128",
2991 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
2992 eap_connect(dev[1], apdev[0], "TTLS", "pap user",
2993 anonymous_identity="ttls", password="password",
2994 openssl_ciphers="EXPORT",
2995 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
2996 expect_failure=True)
2997 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2998 identity="pap user", anonymous_identity="ttls",
2999 password="password",
3000 openssl_ciphers="FOO",
3001 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
# NOTE(review): source line 3002 is missing from this listing; presumably
# the closing arguments of this connect() call (wait_connect, scan_freq).
3003 ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
# NOTE(review): source line 3004 (presumably the "if ev is None:" guard)
# is missing from this listing.
3005 raise Exception("EAP failure after invalid openssl_ciphers not reported")
3006 dev[2].request("DISCONNECT")
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd

    hostapd's internal EAP server is restricted to "AES256". Three
    supplicants then connect:
      - dev[0] with the default cipher list: must succeed.
      - dev[1] restricted to "AES128": no suite in common with the
        server's AES256-only list, so failure is expected.
      - dev[2] restricted to "HIGH:!ADH": still overlaps with AES256,
        must succeed.
    Finally a second AP with openssl_ciphers="FOO" (not a valid cipher
    string) is added without enabling it, and ENABLE must be refused.

    Skipped when either the supplicant's or hostapd's TLS backend is not
    OpenSSL.
    """
    wpas_tls = dev[0].request("GET tls_library")
    if not wpas_tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + wpas_tls)
    ap_params = int_eap_server_params()
    ap_params['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    hapd_tls = hapd.request("GET tls_library")
    if not hapd_tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + hapd_tls)

    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **common)
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", expect_failure=True, **common)
    eap_connect(dev[2], apdev[0], "TTLS", "pap user",
                openssl_ciphers="HIGH:!ADH", **common)

    ap_params['openssl_ciphers'] = "FOO"
    hapd2 = hostapd.add_ap(apdev[1]['ifname'], ap_params, no_enable=True)
    if "FAIL" not in hapd2.request("ENABLE"):
        raise Exception("Invalid openssl_ciphers value accepted")
3037 def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
3038 """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
# Purpose: check that secret material handled by wpa_supplicant during an
# EAP-TTLS/PAP association (password, PMK, MSK/EMSK, the PTK-derived
# KCK/KEK/TK and the GTK) is no longer resident in the process memory at the
# lifecycle points where it should have been cleared: disassociation,
# PMKSA-cache / EAP fast-reauth flush, and removal of the network profile.
# params['logdir'] is used to locate the supplicant debug log and to name
# the memory-context dump files.
3039 p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3040 hapd = hostapd.add_ap(apdev[0]['ifname'], p)
# 64-character hex string used as the PAP password; presumably chosen to be
# long and random enough that a chance match in a memory dump is unlikely.
3041 password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
3042 pid = find_wpas_process(dev[0])
3043 id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
3044 anonymous_identity="ttls", password=password,
3045 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
# First snapshot of the supplicant's memory is taken while still associated;
# the "while associated" checks below operate on this buffer.
3047 buf = read_process_memory(pid, password)
3049 dev[0].request("DISCONNECT")
3050 dev[0].wait_disconnected()
# Recover the derived keys from the debug log hexdump lines.
# NOTE(review): the parser assumes the hex payload is the fourth ':'-separated
# field of each line (timestamp/ifname/module prefixes) - confirm against the
# log format used by this test setup.  The msk/emsk/pmk/ptk/gtk defaults that
# make the "not found" check below safe are not visible in this listing.
3058 with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
3059 for l in f.readlines():
3060 if "EAP-TTLS: Derived key - hexdump" in l:
3061 val = l.strip().split(':')[3].replace(' ', '')
3062 msk = binascii.unhexlify(val)
3063 if "EAP-TTLS: Derived EMSK - hexdump" in l:
3064 val = l.strip().split(':')[3].replace(' ', '')
3065 emsk = binascii.unhexlify(val)
3066 if "WPA: PMK - hexdump" in l:
3067 val = l.strip().split(':')[3].replace(' ', '')
3068 pmk = binascii.unhexlify(val)
3069 if "WPA: PTK - hexdump" in l:
3070 val = l.strip().split(':')[3].replace(' ', '')
3071 ptk = binascii.unhexlify(val)
3072 if "WPA: Group Key - hexdump" in l:
3073 val = l.strip().split(':')[3].replace(' ', '')
3074 gtk = binascii.unhexlify(val)
# The test cannot draw any conclusion without all five keys, so a missing
# hexdump (e.g. key material logging disabled) is a hard failure, not a skip.
3075 if not msk or not emsk or not pmk or not ptk or not gtk:
3076 raise Exception("Could not find keys from debug log")
# The length condition guarding this raise, and the slicing of kck/kek/tk out
# of ptk that the later checks rely on, are not visible in this listing.
3078 raise Exception("Unexpected GTK length")
# Prefix for memory-context dump files; passed to verify_not_present, which
# presumably writes the surrounding bytes there when a key is unexpectedly found.
3084 fname = os.path.join(params['logdir'],
3085 'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
# While associated: password, PMK, KCK and KEK are expected to be resident.
# Password/PMK absence is treated as HwsimSkip (the memory read itself may be
# unreliable on the host), KCK/KEK absence as a real failure.  TK and GTK must
# NOT be present even while associated - presumably because they are handed
# to the driver and the supplicant's own copies are cleared.  The conditions
# guarding the raises below are not visible in this listing.
3087 logger.info("Checking keys in memory while associated")
3088 get_key_locations(buf, password, "Password")
3089 get_key_locations(buf, pmk, "PMK")
3090 get_key_locations(buf, msk, "MSK")
3091 get_key_locations(buf, emsk, "EMSK")
3092 if password not in buf:
3093 raise HwsimSkip("Password not found while associated")
3095 raise HwsimSkip("PMK not found while associated")
3097 raise Exception("KCK not found while associated")
3099 raise Exception("KEK not found while associated")
3101 raise Exception("TK found from memory")
3103 raise Exception("GTK found from memory")
# After disassociation: the pairwise/group transient keys must be gone.
3105 logger.info("Checking keys in memory after disassociation")
3106 buf = read_process_memory(pid, password)
3108 # Note: Password is still present in network configuration
3109 # Note: PMK is in PMKSA cache and EAP fast re-auth data
3111 get_key_locations(buf, password, "Password")
3112 get_key_locations(buf, pmk, "PMK")
3113 get_key_locations(buf, msk, "MSK")
3114 get_key_locations(buf, emsk, "EMSK")
3115 verify_not_present(buf, kck, fname, "KCK")
3116 verify_not_present(buf, kek, fname, "KEK")
3117 verify_not_present(buf, tk, fname, "TK")
3118 verify_not_present(buf, gtk, fname, "GTK")
# Flush the PMKSA cache and change the identity so that the cached EAP
# fast re-authentication state is discarded; the PMK must then be gone.
3120 dev[0].request("PMKSA_FLUSH")
3121 dev[0].set_network_quoted(id, "identity", "foo")
3122 logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
3123 buf = read_process_memory(pid, password)
3124 get_key_locations(buf, password, "Password")
3125 get_key_locations(buf, pmk, "PMK")
3126 get_key_locations(buf, msk, "MSK")
3127 get_key_locations(buf, emsk, "EMSK")
3128 verify_not_present(buf, pmk, fname, "PMK")
# Removing the network profile is the last holder of the password; after
# this nothing secret from the session should remain in the process.
3130 dev[0].request("REMOVE_NETWORK all")
3132 logger.info("Checking keys in memory after network profile removal")
3133 buf = read_process_memory(pid, password)
3135 get_key_locations(buf, password, "Password")
3136 get_key_locations(buf, pmk, "PMK")
3137 get_key_locations(buf, msk, "MSK")
3138 get_key_locations(buf, emsk, "EMSK")
3139 verify_not_present(buf, password, fname, "password")
3140 verify_not_present(buf, pmk, fname, "PMK")
3141 verify_not_present(buf, kck, fname, "KCK")
3142 verify_not_present(buf, kek, fname, "KEK")
3143 verify_not_present(buf, tk, fname, "TK")
3144 verify_not_present(buf, gtk, fname, "GTK")
3145 verify_not_present(buf, msk, fname, "MSK")
3146 verify_not_present(buf, emsk, fname, "EMSK")
3148 def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
3149 """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
# Robustness check: after a normal EAP-TTLS/PAP association, feed the
# supplicant an EAPOL-Key frame of a type it should never accept on a
# WPA2 link and verify only that the control-interface injection worked.
3150 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3151 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3152 bssid = apdev[0]['bssid']
3153 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3154 anonymous_identity="ttls", password="password",
3155 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3157 # Send unexpected WEP EAPOL-Key; this gets dropped
# EAPOL_RX injects the hex payload into the supplicant's receive path as if
# it arrived from bssid.  The header bytes decode as EAPOL version 2,
# type 3 (EAPOL-Key), body length 0x2c, descriptor type 1 (the RC4 key
# descriptor used for dynamic WEP keying) followed by zeroed fields.
# The raise below only covers a failed control-interface request (its
# guarding condition is not visible here); no explicit assertion that the
# association survives the frame is visible in this listing.
3158 res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
3160 raise Exception("EAPOL_RX to wpa_supplicant failed")
3162 def test_ap_wpa2_eap_in_bridge(dev, apdev):
3163 """WPA2-EAP and wpas interface in a bridge"""
# Thin wrapper: runs the real test body and then tears the bridge setup down.
# br_ifname and ifname are assigned in lines not visible in this listing, and
# the cleanup presumably sits in a finally: clause so it runs even when the
# body raises.
3167 _test_ap_wpa2_eap_in_bridge(dev, apdev)
# Best-effort teardown: argument lists (no shell) and subprocess.call, whose
# return codes are ignored, so a step that already failed during setup does
# not mask the actual test result.
3169 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
3170 subprocess.call(['brctl', 'delif', br_ifname, ifname])
3171 subprocess.call(['brctl', 'delbr', br_ifname])
3172 subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
3174 def _test_ap_wpa2_eap_in_bridge(dev, apdev):
"""Body of test_ap_wpa2_eap_in_bridge: EAP-PAX through a bridged STA interface.

Brings up a WPA2-Enterprise AP, places a separate wpa_supplicant-managed
interface into a Linux bridge with 4-address mode enabled, then exercises
connect, two reauthentications and a disconnect/reconnect cycle over it.
br_ifname and ifname are assigned in lines not visible in this listing.
"""
3175 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3176 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Second supplicant instance driven over its own global control socket.
3180 wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
# Bridge setup via argument lists (no shell).  setfd 0 removes the STP
# forwarding delay; 4addr on is what lets a station interface be bridged.
# Only the addif step uses check_call, so a failure to attach the interface
# aborts the test while the other steps are best-effort.
3181 subprocess.call(['brctl', 'addbr', br_ifname])
3182 subprocess.call(['brctl', 'setfd', br_ifname, '0'])
3183 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
3184 subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
3185 subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
# Tell the supplicant which bridge the interface lives in so EAPOL frames
# are received/sent on the right device.
3186 wpas.interface_add(ifname, br_ifname=br_ifname)
3188 id = eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
3189 password_hex="0123456789abcdef0123456789abcdef")
3190 eap_reauth(wpas, "PAX")
3191 # Try again as a regression test for packet socket workaround
3192 eap_reauth(wpas, "PAX")
# Full disconnect/reconnect to cover a fresh association on the bridged path.
3193 wpas.request("DISCONNECT")
3194 wpas.wait_disconnected()
3195 wpas.request("RECONNECT")
3196 wpas.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled"""
    # Bring up a WPA2-Enterprise AP and sanity-check that the first key_mgmt
    # entry it reports back is WPA-EAP before running the EAP exchange.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    reported_key_mgmt = ap.get_config()['key_mgmt']
    first_entry = reported_key_mgmt.partition(' ')[0]
    if first_entry != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): %s" % reported_key_mgmt)

    # EAP-TTLS/PAP with TLS session tickets explicitly left enabled on the
    # supplicant side (tls_disable_session_ticket=0).  The reauthentication
    # that follows exercises the path where a ticket may be presented again.
    ttls_args = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.pem",
                     phase1="tls_disable_session_ticket=0",
                     phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_args)
    eap_reauth(dev[0], "TTLS")
3211 def test_ap_wpa2_eap_no_workaround(dev, apdev):
3212 """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
# Same shape as the session-ticket test: verify the AP reports WPA-EAP as
# the first key_mgmt entry, then connect with EAP-TTLS/PAP and reauthenticate.
3213 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3214 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3215 key_mgmt = hapd.get_config()['key_mgmt']
3216 if key_mgmt.split(' ')[0] != "WPA-EAP":
3217 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
# eap_workaround='0' turns off the supplicant's EAP interoperability
# workarounds (presumably the ones applied for known-buggy servers), so the
# exchange must succeed with strict behaviour.  The remaining keyword
# arguments closing this eap_connect call are not visible in this listing.
3218 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3219 anonymous_identity="ttls", password="password",
3220 ca_cert="auth_serv/ca.pem", eap_workaround='0',
3222 eap_reauth(dev[0], "TTLS")
3224 def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
3225 """EAP-TLS and server checking CRL"""
# Exercises the integrated EAP server's CRL handling for client
# certificates: it must fail closed when CRL checking is requested but no
# CRL is available, and accept a valid client certificate once a CRL is
# present, for both check_crl levels.
3226 params = int_eap_server_params()
3227 params['check_crl'] = '1'
3228 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3230 # check_crl=1 and no CRL available --> reject connection
# Fail-closed case: expect_failure=True makes eap_connect require that the
# authentication is rejected rather than silently skipping the CRL check.
3231 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3232 client_cert="auth_serv/user.pem",
3233 private_key="auth_serv/user.key", expect_failure=True)
3234 dev[0].request("REMOVE_NETWORK all")
# Switch the server to a CA bundle that also carries a CRL.  How the new
# configuration is applied (presumably a disable/enable cycle of hapd) is
# not visible in this listing.
3237 hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")
3240 # check_crl=1 and valid CRL --> accept
3241 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3242 client_cert="auth_serv/user.pem",
3243 private_key="auth_serv/user.key")
3244 dev[0].request("REMOVE_NETWORK all")
# check_crl=2 presumably extends the revocation check to every certificate
# in the chain rather than only the client certificate; again the step that
# applies the setting is not visible here.
3247 hapd.set("check_crl", "2")
3250 # check_crl=2 and valid CRL --> accept
3251 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3252 client_cert="auth_serv/user.pem",
3253 private_key="auth_serv/user.key")
3254 dev[0].request("REMOVE_NETWORK all")
3256 def test_ap_wpa2_eap_tls_oom(dev, apdev):
3257 """EAP-TLS and OOM"""
# Fault-injection test: when configuring the server-certificate matching
# constraints fails because an allocation fails, the supplicant must not
# proceed with a connection that lacks those constraints; it should instead
# report a configuration problem (seen as a CTRL-REQ-PASSPHRASE request).
# These checks skip the test unless the TLS library supports the match
# options (see the check_* helpers at the top of the file).
3258 check_subject_match_support(dev[0])
3259 check_altsubject_match_support(dev[0])
3260 check_domain_match_full(dev[0])
3262 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3263 hostapd.add_ap(apdev[0]['ifname'], params)
# (count, function) pairs handed to alloc_fail; presumably the count-th
# allocation inside the named function is made to fail, so the four entries
# cover one allocation per matching parameter - confirm against utils.alloc_fail.
3265 tests = [ (1, "tls_connection_set_subject_match"),
3266 (2, "tls_connection_set_subject_match"),
3267 (3, "tls_connection_set_subject_match"),
3268 (4, "tls_connection_set_subject_match") ]
3269 for count, func in tests:
3270 with alloc_fail(dev[0], count, func):
# All four server-identity constraints are set at once so that each
# injected failure hits the corresponding setup step.
3271 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3272 identity="tls user", ca_cert="auth_serv/ca.pem",
3273 client_cert="auth_serv/user.pem",
3274 private_key="auth_serv/user.key",
3275 subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
3276 altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
3277 domain_suffix_match="server.w1.fi",
3278 domain_match="server.w1.fi",
3279 wait_connect=False, scan_freq="2412")
3280 # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
# The condition guarding the raise (no event within the timeout) is not
# visible in this listing.
3281 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
3283 raise Exception("No passphrase request")
# Clean up between iterations so each injection starts from a fresh profile.
3284 dev[0].request("REMOVE_NETWORK all")
3285 dev[0].wait_disconnected()