tests/hwsim/test_ap_eap.py

   1 # -*- coding: utf-8 -*-
   2 # WPA2-Enterprise tests
   3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
   4 #
   5 # This software may be distributed under the terms of the BSD license.
   6 # See README for more details.
   7
   8 import base64
   9 import binascii
  10 import time
  11 import subprocess
  12 import logging
  13 logger = logging.getLogger()
  14 import os
  15 import socket
  16 import SocketServer
  17
  18 import hwsim_utils
  19 import hostapd
  20 from utils import HwsimSkip, alloc_fail, fail_test, skip_with_fips, wait_fail_trigger
  21 from wpasupplicant import WpaSupplicant
  22 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations, set_test_assoc_ie
  23
  24 try:
  25     import OpenSSL
  26     openssl_imported = True
  27 except ImportError:
  28     openssl_imported = False
  29
  30 def check_hlr_auc_gw_support():
  31     if not os.path.exists("/tmp/hlr_auc_gw.sock"):
  32         raise HwsimSkip("No hlr_auc_gw available")
  33
  34 def check_eap_capa(dev, method):
  35     res = dev.get_capability("eap")
  36     if method not in res:
  37         raise HwsimSkip("EAP method %s not supported in the build" % method)
  38
  39 def check_subject_match_support(dev):
  40     tls = dev.request("GET tls_library")
  41     if not tls.startswith("OpenSSL"):
  42         raise HwsimSkip("subject_match not supported with this TLS library: " + tls)
  43
  44 def check_altsubject_match_support(dev):
  45     tls = dev.request("GET tls_library")
  46     if not tls.startswith("OpenSSL"):
  47         raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls)
  48
  49 def check_domain_match(dev):
  50     tls = dev.request("GET tls_library")
  51     if tls.startswith("internal"):
  52         raise HwsimSkip("domain_match not supported with this TLS library: " + tls)
  53
  54 def check_domain_suffix_match(dev):
  55     tls = dev.request("GET tls_library")
  56     if tls.startswith("internal"):
  57         raise HwsimSkip("domain_suffix_match not supported with this TLS library: " + tls)
  58
  59 def check_domain_match_full(dev):
  60     tls = dev.request("GET tls_library")
  61     if not tls.startswith("OpenSSL"):
  62         raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls)
  63
  64 def check_cert_probe_support(dev):
  65     tls = dev.request("GET tls_library")
  66     if not tls.startswith("OpenSSL") and not tls.startswith("internal"):
  67         raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls)
  68
  69 def check_ext_cert_check_support(dev):
  70     tls = dev.request("GET tls_library")
  71     if not tls.startswith("OpenSSL"):
  72         raise HwsimSkip("ext_cert_check not supported with this TLS library: " + tls)
  73
  74 def check_ocsp_support(dev):
  75     tls = dev.request("GET tls_library")
  76     #if tls.startswith("internal"):
  77     #    raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
  78     #if "BoringSSL" in tls:
  79     #    raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
  80
  81 def check_pkcs12_support(dev):
  82     tls = dev.request("GET tls_library")
  83     #if tls.startswith("internal"):
  84     #    raise HwsimSkip("PKCS#12 not supported with this TLS library: " + tls)
  85
  86 def check_dh_dsa_support(dev):
  87     tls = dev.request("GET tls_library")
  88     if tls.startswith("internal"):
  89         raise HwsimSkip("DH DSA not supported with this TLS library: " + tls)
  90
  91 def read_pem(fname):
  92     with open(fname, "r") as f:
  93         lines = f.readlines()
  94         copy = False
  95         cert = ""
  96         for l in lines:
  97             if "-----END" in l:
  98                 break
  99             if copy:
 100                 cert = cert + l
 101             if "-----BEGIN" in l:
 102                 copy = True
 103     return base64.b64decode(cert)
 104
 105 def eap_connect(dev, ap, method, identity,
 106                 sha256=False, expect_failure=False, local_error_report=False,
 107                 maybe_local_error=False, **kwargs):
 108     hapd = hostapd.Hostapd(ap['ifname'])
 109     id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
 110                      eap=method, identity=identity,
 111                      wait_connect=False, scan_freq="2412", ieee80211w="1",
 112                      **kwargs)
 113     eap_check_auth(dev, method, True, sha256=sha256,
 114                    expect_failure=expect_failure,
 115                    local_error_report=local_error_report,
 116                    maybe_local_error=maybe_local_error)
 117     if expect_failure:
 118         return id
 119     ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
 120     if ev is None:
 121         raise Exception("No connection event received from hostapd")
 122     return id
 123
 124 def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
 125                    expect_failure=False, local_error_report=False,
 126                    maybe_local_error=False):
 127     ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
 128     if ev is None:
 129         raise Exception("Association and EAP start timed out")
 130     ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD",
 131                          "CTRL-EVENT-EAP-FAILURE"], timeout=10)
 132     if ev is None:
 133         raise Exception("EAP method selection timed out")
 134     if "CTRL-EVENT-EAP-FAILURE" in ev:
 135         if maybe_local_error:
 136             return
 137         raise Exception("Could not select EAP method")
 138     if method not in ev:
 139         raise Exception("Unexpected EAP method")
 140     if expect_failure:
 141         ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
 142         if ev is None:
 143             raise Exception("EAP failure timed out")
 144         ev = dev.wait_disconnected(timeout=10)
 145         if maybe_local_error and "locally_generated=1" in ev:
 146             return
 147         if not local_error_report:
 148             if "reason=23" not in ev:
 149                 raise Exception("Proper reason code for disconnection not reported")
 150         return
 151     ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
 152     if ev is None:
 153         raise Exception("EAP success timed out")
 154
 155     if initial:
 156         ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
 157     else:
 158         ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
 159     if ev is None:
 160         raise Exception("Association with the AP timed out")
 161     status = dev.get_status()
 162     if status["wpa_state"] != "COMPLETED":
 163         raise Exception("Connection not completed")
 164
 165     if status["suppPortStatus"] != "Authorized":
 166         raise Exception("Port not authorized")
 167     if method not in status["selectedMethod"]:
 168         raise Exception("Incorrect EAP method status")
 169     if sha256:
 170         e = "WPA2-EAP-SHA256"
 171     elif rsn:
 172         e = "WPA2/IEEE 802.1X/EAP"
 173     else:
 174         e = "WPA/IEEE 802.1X/EAP"
 175     if status["key_mgmt"] != e:
 176         raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
 177     return status
 178
 179 def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
 180     dev.request("REAUTHENTICATE")
 181     return eap_check_auth(dev, method, False, rsn=rsn, sha256=sha256,
 182                           expect_failure=expect_failure)
 183
 184 def test_ap_wpa2_eap_sim(dev, apdev):
 185     """WPA2-Enterprise connection using EAP-SIM"""
 186     check_hlr_auc_gw_support()
 187     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
 188     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
 189     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
 190                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
 191     hwsim_utils.test_connectivity(dev[0], hapd)
 192     eap_reauth(dev[0], "SIM")
 193
 194     eap_connect(dev[1], apdev[0], "SIM", "1232010000000001",
 195                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
 196     eap_connect(dev[2], apdev[0], "SIM", "1232010000000002",
 197                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
 198                 expect_failure=True)
 199
 200     logger.info("Negative test with incorrect key")
 201     dev[0].request("REMOVE_NETWORK all")
 202     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
 203                 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
 204                 expect_failure=True)
 205
 206     logger.info("Invalid GSM-Milenage key")
 207     dev[0].request("REMOVE_NETWORK all")
 208     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
 209                 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
 210                 expect_failure=True)
 211
 212     logger.info("Invalid GSM-Milenage key(2)")
 213     dev[0].request("REMOVE_NETWORK all")
 214     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
 215                 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
 216                 expect_failure=True)
 217
 218     logger.info("Invalid GSM-Milenage key(3)")
 219     dev[0].request("REMOVE_NETWORK all")
 220     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
 221                 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
 222                 expect_failure=True)
 223
 224     logger.info("Invalid GSM-Milenage key(4)")
 225     dev[0].request("REMOVE_NETWORK all")
 226     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
 227                 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
 228                 expect_failure=True)
 229
 230     logger.info("Missing key configuration")
 231     dev[0].request("REMOVE_NETWORK all")
 232     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
 233                 expect_failure=True)
 234
 235 def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
 236     """WPA2-Enterprise connection using EAP-SIM (SQL)"""
 237     check_hlr_auc_gw_support()
 238     try:
 239         import sqlite3
 240     except ImportError:
 241         raise HwsimSkip("No sqlite3 module available")
 242     con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
 243     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
 244     params['auth_server_port'] = "1814"
 245     hostapd.add_ap(apdev[0]['ifname'], params)
 246     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
 247                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
 248
 249     logger.info("SIM fast re-authentication")
 250     eap_reauth(dev[0], "SIM")
 251
 252     logger.info("SIM full auth with pseudonym")
 253     with con:
 254         cur = con.cursor()
 255         cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
 256     eap_reauth(dev[0], "SIM")
 257
 258     logger.info("SIM full auth with permanent identity")
 259     with con:
 260         cur = con.cursor()
 261         cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
 262         cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
 263     eap_reauth(dev[0], "SIM")
 264
 265     logger.info("SIM reauth with mismatching MK")
 266     with con:
 267         cur = con.cursor()
 268         cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
 269     eap_reauth(dev[0], "SIM", expect_failure=True)
 270     dev[0].request("REMOVE_NETWORK all")
 271
 272     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
 273                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
 274     with con:
 275         cur = con.cursor()
 276         cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
 277     eap_reauth(dev[0], "SIM")
 278     with con:
 279         cur = con.cursor()
 280         cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
 281     logger.info("SIM reauth with mismatching counter")
 282     eap_reauth(dev[0], "SIM")
 283     dev[0].request("REMOVE_NETWORK all")
 284
 285     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
 286                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
 287     with con:
 288         cur = con.cursor()
 289         cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
 290     logger.info("SIM reauth with max reauth count reached")
 291     eap_reauth(dev[0], "SIM")
 292
 293 def test_ap_wpa2_eap_sim_config(dev, apdev):
 294     """EAP-SIM configuration options"""
 295     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
 296     hostapd.add_ap(apdev[0]['ifname'], params)
 297     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
 298                    identity="1232010000000000",
 299                    password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
 300                    phase1="sim_min_num_chal=1",
 301                    wait_connect=False, scan_freq="2412")
 302     ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
 303     if ev is None:
 304         raise Exception("No EAP error message seen")
 305     dev[0].request("REMOVE_NETWORK all")
 306
 307     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
 308                    identity="1232010000000000",
 309                    password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
 310                    phase1="sim_min_num_chal=4",
 311                    wait_connect=False, scan_freq="2412")
 312     ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
 313     if ev is None:
 314         raise Exception("No EAP error message seen (2)")
 315     dev[0].request("REMOVE_NETWORK all")
 316
 317     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
 318                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
 319                 phase1="sim_min_num_chal=2")
 320     eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
 321                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
 322                 anonymous_identity="345678")
 323
 324 def test_ap_wpa2_eap_sim_ext(dev, apdev):
 325     """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
 326     try:
 327         _test_ap_wpa2_eap_sim_ext(dev, apdev)
 328     finally:
 329         dev[0].request("SET external_sim 0")
 330
 331 def _test_ap_wpa2_eap_sim_ext(dev, apdev):
 332     check_hlr_auc_gw_support()
 333     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
 334     hostapd.add_ap(apdev[0]['ifname'], params)
 335     dev[0].request("SET external_sim 1")
 336     id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
 337                         identity="1232010000000000",
 338                         wait_connect=False, scan_freq="2412")
 339     ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
 340     if ev is None:
 341         raise Exception("Network connected timed out")
 342
 343     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
 344     if ev is None:
 345         raise Exception("Wait for external SIM processing request timed out")
 346     p = ev.split(':', 2)
 347     if p[1] != "GSM-AUTH":
 348         raise Exception("Unexpected CTRL-REQ-SIM type")
 349     rid = p[0].split('-')[3]
 350
 351     # IK:CK:RES
 352     resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
 353     # This will fail during processing, but the ctrl_iface command succeeds
 354     dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
 355     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
 356     if ev is None:
 357         raise Exception("EAP failure not reported")
 358     dev[0].request("DISCONNECT")
 359     dev[0].wait_disconnected()
 360     time.sleep(0.1)
 361
 362     dev[0].select_network(id, freq="2412")
 363     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
 364     if ev is None:
 365         raise Exception("Wait for external SIM processing request timed out")
 366     p = ev.split(':', 2)
 367     if p[1] != "GSM-AUTH":
 368         raise Exception("Unexpected CTRL-REQ-SIM type")
 369     rid = p[0].split('-')[3]
 370     # This will fail during GSM auth validation
 371     if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:q"):
 372         raise Exception("CTRL-RSP-SIM failed")
 373     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
 374     if ev is None:
 375         raise Exception("EAP failure not reported")
 376     dev[0].request("DISCONNECT")
 377     dev[0].wait_disconnected()
 378     time.sleep(0.1)
 379
 380     dev[0].select_network(id, freq="2412")
 381     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
 382     if ev is None:
 383         raise Exception("Wait for external SIM processing request timed out")
 384     p = ev.split(':', 2)
 385     if p[1] != "GSM-AUTH":
 386         raise Exception("Unexpected CTRL-REQ-SIM type")
 387     rid = p[0].split('-')[3]
 388     # This will fail during GSM auth validation
 389     if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:34"):
 390         raise Exception("CTRL-RSP-SIM failed")
 391     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
 392     if ev is None:
 393         raise Exception("EAP failure not reported")
 394     dev[0].request("DISCONNECT")
 395     dev[0].wait_disconnected()
 396     time.sleep(0.1)
 397
 398     dev[0].select_network(id, freq="2412")
 399     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
 400     if ev is None:
 401         raise Exception("Wait for external SIM processing request timed out")
 402     p = ev.split(':', 2)
 403     if p[1] != "GSM-AUTH":
 404         raise Exception("Unexpected CTRL-REQ-SIM type")
 405     rid = p[0].split('-')[3]
 406     # This will fail during GSM auth validation
 407     if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677"):
 408         raise Exception("CTRL-RSP-SIM failed")
 409     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
 410     if ev is None:
 411         raise Exception("EAP failure not reported")
 412     dev[0].request("DISCONNECT")
 413     dev[0].wait_disconnected()
 414     time.sleep(0.1)
 415
 416     dev[0].select_network(id, freq="2412")
 417     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
 418     if ev is None:
 419         raise Exception("Wait for external SIM processing request timed out")
 420     p = ev.split(':', 2)
 421     if p[1] != "GSM-AUTH":
 422         raise Exception("Unexpected CTRL-REQ-SIM type")
 423     rid = p[0].split('-')[3]
 424     # This will fail during GSM auth validation
 425     if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:q"):
 426         raise Exception("CTRL-RSP-SIM failed")
 427     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
 428     if ev is None:
 429         raise Exception("EAP failure not reported")
 430     dev[0].request("DISCONNECT")
 431     dev[0].wait_disconnected()
 432     time.sleep(0.1)
 433
 434     dev[0].select_network(id, freq="2412")
 435     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
 436     if ev is None:
 437         raise Exception("Wait for external SIM processing request timed out")
 438     p = ev.split(':', 2)
 439     if p[1] != "GSM-AUTH":
 440         raise Exception("Unexpected CTRL-REQ-SIM type")
 441     rid = p[0].split('-')[3]
 442     # This will fail during GSM auth validation
 443     if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233"):
 444         raise Exception("CTRL-RSP-SIM failed")
 445     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
 446     if ev is None:
 447         raise Exception("EAP failure not reported")
 448     dev[0].request("DISCONNECT")
 449     dev[0].wait_disconnected()
 450     time.sleep(0.1)
 451
 452     dev[0].select_network(id, freq="2412")
 453     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
 454     if ev is None:
 455         raise Exception("Wait for external SIM processing request timed out")
 456     p = ev.split(':', 2)
 457     if p[1] != "GSM-AUTH":
 458         raise Exception("Unexpected CTRL-REQ-SIM type")
 459     rid = p[0].split('-')[3]
 460     # This will fail during GSM auth validation
 461     if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233:q"):
 462         raise Exception("CTRL-RSP-SIM failed")
 463     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
 464     if ev is None:
 465         raise Exception("EAP failure not reported")
 466
 467 def test_ap_wpa2_eap_sim_oom(dev, apdev):
 468     """EAP-SIM and OOM"""
 469     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
 470     hostapd.add_ap(apdev[0]['ifname'], params)
 471     tests = [ (1, "milenage_f2345"),
 472               (2, "milenage_f2345"),
 473               (3, "milenage_f2345"),
 474               (4, "milenage_f2345"),
 475               (5, "milenage_f2345"),
 476               (6, "milenage_f2345"),
 477               (7, "milenage_f2345"),
 478               (8, "milenage_f2345"),
 479               (9, "milenage_f2345"),
 480               (10, "milenage_f2345"),
 481               (11, "milenage_f2345"),
 482               (12, "milenage_f2345") ]
 483     for count, func in tests:
 484         with alloc_fail(dev[0], count, func):
 485             dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
 486                            identity="1232010000000000",
 487                            password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
 488                            wait_connect=False, scan_freq="2412")
 489             ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
 490             if ev is None:
 491                 raise Exception("EAP method not selected")
 492             dev[0].wait_disconnected()
 493             dev[0].request("REMOVE_NETWORK all")
 494
 495 def test_ap_wpa2_eap_aka(dev, apdev):
 496     """WPA2-Enterprise connection using EAP-AKA"""
 497     check_hlr_auc_gw_support()
 498     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
 499     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
 500     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
 501                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
 502     hwsim_utils.test_connectivity(dev[0], hapd)
 503     eap_reauth(dev[0], "AKA")
 504
 505     logger.info("Negative test with incorrect key")
 506     dev[0].request("REMOVE_NETWORK all")
 507     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
 508                 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
 509                 expect_failure=True)
 510
 511     logger.info("Invalid Milenage key")
 512     dev[0].request("REMOVE_NETWORK all")
 513     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
 514                 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
 515                 expect_failure=True)
 516
 517     logger.info("Invalid Milenage key(2)")
 518     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
 519                 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
 520                 expect_failure=True)
 521
 522     logger.info("Invalid Milenage key(3)")
 523     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
 524                 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
 525                 expect_failure=True)
 526
 527     logger.info("Invalid Milenage key(4)")
 528     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
 529                 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
 530                 expect_failure=True)
 531
 532     logger.info("Invalid Milenage key(5)")
 533     dev[0].request("REMOVE_NETWORK all")
 534     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
 535                 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
 536                 expect_failure=True)
 537
 538     logger.info("Invalid Milenage key(6)")
 539     dev[0].request("REMOVE_NETWORK all")
 540     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
 541                 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
 542                 expect_failure=True)
 543
 544     logger.info("Missing key configuration")
 545     dev[0].request("REMOVE_NETWORK all")
 546     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
 547                 expect_failure=True)
 548
 549 def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
 550     """WPA2-Enterprise connection using EAP-AKA (SQL)"""
 551     check_hlr_auc_gw_support()
 552     try:
 553         import sqlite3
 554     except ImportError:
 555         raise HwsimSkip("No sqlite3 module available")
 556     con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
 557     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
 558     params['auth_server_port'] = "1814"
 559     hostapd.add_ap(apdev[0]['ifname'], params)
 560     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
 561                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
 562
 563     logger.info("AKA fast re-authentication")
 564     eap_reauth(dev[0], "AKA")
 565
 566     logger.info("AKA full auth with pseudonym")
 567     with con:
 568         cur = con.cursor()
 569         cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
 570     eap_reauth(dev[0], "AKA")
 571
 572     logger.info("AKA full auth with permanent identity")
 573     with con:
 574         cur = con.cursor()
 575         cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
 576         cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
 577     eap_reauth(dev[0], "AKA")
 578
 579     logger.info("AKA reauth with mismatching MK")
 580     with con:
 581         cur = con.cursor()
 582         cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
 583     eap_reauth(dev[0], "AKA", expect_failure=True)
 584     dev[0].request("REMOVE_NETWORK all")
 585
 586     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
 587                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
 588     with con:
 589         cur = con.cursor()
 590         cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
 591     eap_reauth(dev[0], "AKA")
 592     with con:
 593         cur = con.cursor()
 594         cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
 595     logger.info("AKA reauth with mismatching counter")
 596     eap_reauth(dev[0], "AKA")
 597     dev[0].request("REMOVE_NETWORK all")
 598
 599     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
 600                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
 601     with con:
 602         cur = con.cursor()
 603         cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
 604     logger.info("AKA reauth with max reauth count reached")
 605     eap_reauth(dev[0], "AKA")
 606
 607 def test_ap_wpa2_eap_aka_config(dev, apdev):
 608     """EAP-AKA configuration options"""
 609     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
 610     hostapd.add_ap(apdev[0]['ifname'], params)
 611     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
 612                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
 613                 anonymous_identity="2345678")
 614
 615 def test_ap_wpa2_eap_aka_ext(dev, apdev):
 616     """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
 617     try:
 618         _test_ap_wpa2_eap_aka_ext(dev, apdev)
 619     finally:
 620         dev[0].request("SET external_sim 0")
 621
 622 def _test_ap_wpa2_eap_aka_ext(dev, apdev):
 623     check_hlr_auc_gw_support()
 624     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
 625     hostapd.add_ap(apdev[0]['ifname'], params)
 626     dev[0].request("SET external_sim 1")
 627     id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
 628                         identity="0232010000000000",
 629                         password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
 630                         wait_connect=False, scan_freq="2412")
 631     ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
 632     if ev is None:
 633         raise Exception("Network connected timed out")
 634
 635     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
 636     if ev is None:
 637         raise Exception("Wait for external SIM processing request timed out")
 638     p = ev.split(':', 2)
 639     if p[1] != "UMTS-AUTH":
 640         raise Exception("Unexpected CTRL-REQ-SIM type")
 641     rid = p[0].split('-')[3]
 642
 643     # IK:CK:RES
 644     resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
 645     # This will fail during processing, but the ctrl_iface command succeeds
 646     dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
 647     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
 648     if ev is None:
 649         raise Exception("EAP failure not reported")
 650     dev[0].request("DISCONNECT")
 651     dev[0].wait_disconnected()
 652     time.sleep(0.1)
 653     dev[0].dump_monitor()
 654
 655     dev[0].select_network(id, freq="2412")
 656     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
 657     if ev is None:
 658         raise Exception("Wait for external SIM processing request timed out")
 659     p = ev.split(':', 2)
 660     if p[1] != "UMTS-AUTH":
 661         raise Exception("Unexpected CTRL-REQ-SIM type")
 662     rid = p[0].split('-')[3]
 663     # This will fail during UMTS auth validation
 664     if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
 665         raise Exception("CTRL-RSP-SIM failed")
 666     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
 667     if ev is None:
 668         raise Exception("Wait for external SIM processing request timed out")
 669     p = ev.split(':', 2)
 670     if p[1] != "UMTS-AUTH":
 671         raise Exception("Unexpected CTRL-REQ-SIM type")
 672     rid = p[0].split('-')[3]
 673     # This will fail during UMTS auth validation
 674     if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
 675         raise Exception("CTRL-RSP-SIM failed")
 676     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
 677     if ev is None:
 678         raise Exception("EAP failure not reported")
 679     dev[0].request("DISCONNECT")
 680     dev[0].wait_disconnected()
 681     time.sleep(0.1)
 682     dev[0].dump_monitor()
 683
 684     tests = [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
 685               ":UMTS-AUTH:34",
 686               ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
 687               ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
 688               ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
 689               ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
 690               ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
 691     for t in tests:
 692         dev[0].select_network(id, freq="2412")
 693         ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
 694         if ev is None:
 695             raise Exception("Wait for external SIM processing request timed out")
 696         p = ev.split(':', 2)
 697         if p[1] != "UMTS-AUTH":
 698             raise Exception("Unexpected CTRL-REQ-SIM type")
 699         rid = p[0].split('-')[3]
 700         # This will fail during UMTS auth validation
 701         if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
 702             raise Exception("CTRL-RSP-SIM failed")
 703         ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
 704         if ev is None:
 705             raise Exception("EAP failure not reported")
 706         dev[0].request("DISCONNECT")
 707         dev[0].wait_disconnected()
 708         time.sleep(0.1)
 709         dev[0].dump_monitor()
 710
 711 def test_ap_wpa2_eap_aka_prime(dev, apdev):
 712     """WPA2-Enterprise connection using EAP-AKA'"""
 713     check_hlr_auc_gw_support()
 714     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
 715     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
 716     eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
 717                 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
 718     hwsim_utils.test_connectivity(dev[0], hapd)
 719     eap_reauth(dev[0], "AKA'")
 720
 721     logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
 722     dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
 723                    identity="6555444333222111@both",
 724                    password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
 725                    wait_connect=False, scan_freq="2412")
 726     dev[1].wait_connected(timeout=15)
 727
 728     logger.info("Negative test with incorrect key")
 729     dev[0].request("REMOVE_NETWORK all")
 730     eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
 731                 password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
 732                 expect_failure=True)
 733
 734 def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
 735     """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
 736     check_hlr_auc_gw_support()
 737     try:
 738         import sqlite3
 739     except ImportError:
 740         raise HwsimSkip("No sqlite3 module available")
 741     con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
 742     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
 743     params['auth_server_port'] = "1814"
 744     hostapd.add_ap(apdev[0]['ifname'], params)
 745     eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
 746                 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
 747
 748     logger.info("AKA' fast re-authentication")
 749     eap_reauth(dev[0], "AKA'")
 750
 751     logger.info("AKA' full auth with pseudonym")
 752     with con:
 753         cur = con.cursor()
 754         cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
 755     eap_reauth(dev[0], "AKA'")
 756
 757     logger.info("AKA' full auth with permanent identity")
 758     with con:
 759         cur = con.cursor()
 760         cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
 761         cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
 762     eap_reauth(dev[0], "AKA'")
 763
 764     logger.info("AKA' reauth with mismatching k_aut")
 765     with con:
 766         cur = con.cursor()
 767         cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
 768     eap_reauth(dev[0], "AKA'", expect_failure=True)
 769     dev[0].request("REMOVE_NETWORK all")
 770
 771     eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
 772                 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
 773     with con:
 774         cur = con.cursor()
 775         cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
 776     eap_reauth(dev[0], "AKA'")
 777     with con:
 778         cur = con.cursor()
 779         cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
 780     logger.info("AKA' reauth with mismatching counter")
 781     eap_reauth(dev[0], "AKA'")
 782     dev[0].request("REMOVE_NETWORK all")
 783
 784     eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
 785                 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
 786     with con:
 787         cur = con.cursor()
 788         cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
 789     logger.info("AKA' reauth with max reauth count reached")
 790     eap_reauth(dev[0], "AKA'")
 791
 792 def test_ap_wpa2_eap_ttls_pap(dev, apdev):
 793     """WPA2-Enterprise connection using EAP-TTLS/PAP"""
 794     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
 795     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
 796     key_mgmt = hapd.get_config()['key_mgmt']
 797     if key_mgmt.split(' ')[0] != "WPA-EAP":
 798         raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
 799     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
 800                 anonymous_identity="ttls", password="password",
 801                 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
 802     hwsim_utils.test_connectivity(dev[0], hapd)
 803     eap_reauth(dev[0], "TTLS")
 804     check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
 805                         ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1") ])
 806
 807 def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
 808     """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
 809     check_subject_match_support(dev[0])
 810     check_altsubject_match_support(dev[0])
 811     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
 812     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
 813     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
 814                 anonymous_identity="ttls", password="password",
 815                 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
 816                 subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
 817                 altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
 818     eap_reauth(dev[0], "TTLS")
 819
 820 def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
 821     """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
 822     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
 823     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
 824     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
 825                 anonymous_identity="ttls", password="wrong",
 826                 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
 827                 expect_failure=True)
 828     eap_connect(dev[1], apdev[0], "TTLS", "user",
 829                 anonymous_identity="ttls", password="password",
 830                 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
 831                 expect_failure=True)
 832
 833 def test_ap_wpa2_eap_ttls_chap(dev, apdev):
 834     """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
 835     skip_with_fips(dev[0])
 836     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
 837     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
 838     eap_connect(dev[0], apdev[0], "TTLS", "chap user",
 839                 anonymous_identity="ttls", password="password",
 840                 ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
 841     hwsim_utils.test_connectivity(dev[0], hapd)
 842     eap_reauth(dev[0], "TTLS")
 843
 844 def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
 845     """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
 846     skip_with_fips(dev[0])
 847     check_altsubject_match_support(dev[0])
 848     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
 849     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
 850     eap_connect(dev[0], apdev[0], "TTLS", "chap user",
 851                 anonymous_identity="ttls", password="password",
 852                 ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
 853                 altsubject_match="EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi")
 854     eap_reauth(dev[0], "TTLS")
 855
 856 def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
 857     """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
 858     skip_with_fips(dev[0])
 859     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
 860     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
 861     eap_connect(dev[0], apdev[0], "TTLS", "chap user",
 862                 anonymous_identity="ttls", password="wrong",
 863                 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
 864                 expect_failure=True)
 865     eap_connect(dev[1], apdev[0], "TTLS", "user",
 866                 anonymous_identity="ttls", password="password",
 867                 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
 868                 expect_failure=True)
 869
 870 def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
 871     """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
 872     skip_with_fips(dev[0])
 873     check_domain_suffix_match(dev[0])
 874     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
 875     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
 876     eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
 877                 anonymous_identity="ttls", password="password",
 878                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
 879                 domain_suffix_match="server.w1.fi")
 880     hwsim_utils.test_connectivity(dev[0], hapd)
 881     eap_reauth(dev[0], "TTLS")
 882     dev[0].request("REMOVE_NETWORK all")
 883     eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
 884                 anonymous_identity="ttls", password="password",
 885                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
 886                 fragment_size="200")
 887     dev[0].request("REMOVE_NETWORK all")
 888     dev[0].wait_disconnected()
 889     eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
 890                 anonymous_identity="ttls",
 891                 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
 892                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
 893
 894 def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
 895     """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
 896     skip_with_fips(dev[0])
 897     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
 898     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
 899     eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
 900                 anonymous_identity="ttls", password="wrong",
 901                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
 902                 expect_failure=True)
 903     eap_connect(dev[1], apdev[0], "TTLS", "user",
 904                 anonymous_identity="ttls", password="password",
 905                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
 906                 expect_failure=True)
 907     eap_connect(dev[2], apdev[0], "TTLS", "no such user",
 908                 anonymous_identity="ttls", password="password",
 909                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
 910                 expect_failure=True)
 911
 912 def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
 913     """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
 914     check_domain_suffix_match(dev[0])
 915     check_eap_capa(dev[0], "MSCHAPV2")
 916     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
 917     hostapd.add_ap(apdev[0]['ifname'], params)
 918     hapd = hostapd.Hostapd(apdev[0]['ifname'])
 919     eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
 920                 anonymous_identity="ttls", password="password",
 921                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
 922                 domain_suffix_match="server.w1.fi")
 923     hwsim_utils.test_connectivity(dev[0], hapd)
 924     sta1 = hapd.get_sta(dev[0].p2p_interface_addr())
 925     eapol1 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
 926     eap_reauth(dev[0], "TTLS")
 927     sta2 = hapd.get_sta(dev[0].p2p_interface_addr())
 928     eapol2 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
 929     if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
 930         raise Exception("dot1xAuthEapolFramesRx did not increase")
 931     if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
 932         raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
 933     if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
 934         raise Exception("backendAuthSuccesses did not increase")
 935
 936     logger.info("Password as hash value")
 937     dev[0].request("REMOVE_NETWORK all")
 938     eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
 939                 anonymous_identity="ttls",
 940                 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
 941                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
 942
 943 def test_ap_wpa2_eap_ttls_invalid_phase2(dev, apdev):
 944     """EAP-TTLS with invalid phase2 parameter values"""
 945     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
 946     hostapd.add_ap(apdev[0]['ifname'], params)
 947     tests = [ "auth=MSCHAPv2", "auth=MSCHAPV2 autheap=MD5",
 948               "autheap=MD5 auth=MSCHAPV2", "auth=PAP auth=CHAP",
 949               "autheap=MD5 autheap=FOO autheap=MSCHAPV2" ]
 950     for t in tests:
 951         dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
 952                        identity="DOMAIN\mschapv2 user",
 953                        anonymous_identity="ttls", password="password",
 954                        ca_cert="auth_serv/ca.pem", phase2=t,
 955                        wait_connect=False, scan_freq="2412")
 956         ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=10)
 957         if ev is None or "method=21" not in ev:
 958             raise Exception("EAP-TTLS not started")
 959         ev = dev[0].wait_event(["EAP: Failed to initialize EAP method",
 960                                 "CTRL-EVENT-CONNECTED"], timeout=5)
 961         if ev is None or "CTRL-EVENT-CONNECTED" in ev:
 962             raise Exception("No EAP-TTLS failure reported for phase2=" + t)
 963         dev[0].request("REMOVE_NETWORK all")
 964         dev[0].wait_disconnected()
 965         dev[0].dump_monitor()
 966
 967 def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
 968     """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
 969     check_domain_match_full(dev[0])
 970     skip_with_fips(dev[0])
 971     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
 972     hostapd.add_ap(apdev[0]['ifname'], params)
 973     hapd = hostapd.Hostapd(apdev[0]['ifname'])
 974     eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
 975                 anonymous_identity="ttls", password="password",
 976                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
 977                 domain_suffix_match="w1.fi")
 978     hwsim_utils.test_connectivity(dev[0], hapd)
 979     eap_reauth(dev[0], "TTLS")
 980
 981 def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
 982     """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
 983     check_domain_match(dev[0])
 984     skip_with_fips(dev[0])
 985     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
 986     hostapd.add_ap(apdev[0]['ifname'], params)
 987     hapd = hostapd.Hostapd(apdev[0]['ifname'])
 988     eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
 989                 anonymous_identity="ttls", password="password",
 990                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
 991                 domain_match="Server.w1.fi")
 992     hwsim_utils.test_connectivity(dev[0], hapd)
 993     eap_reauth(dev[0], "TTLS")
 994
 995 def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
 996     """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
 997     skip_with_fips(dev[0])
 998     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
 999     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1000     eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
1001                 anonymous_identity="ttls", password="password1",
1002                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1003                 expect_failure=True)
1004     eap_connect(dev[1], apdev[0], "TTLS", "user",
1005                 anonymous_identity="ttls", password="password",
1006                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1007                 expect_failure=True)
1008
1009 def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
1010     """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
1011     skip_with_fips(dev[0])
1012     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1013     hostapd.add_ap(apdev[0]['ifname'], params)
1014     hapd = hostapd.Hostapd(apdev[0]['ifname'])
1015     eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
1016                 anonymous_identity="ttls", password="secret-åäö-€-password",
1017                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
1018     eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
1019                 anonymous_identity="ttls",
1020                 password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
1021                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
1022     for p in [ "80", "41c041e04141e041", 257*"41" ]:
1023         dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
1024                        eap="TTLS", identity="utf8-user-hash",
1025                        anonymous_identity="ttls", password_hex=p,
1026                        ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1027                        wait_connect=False, scan_freq="2412")
1028         ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=1)
1029         if ev is None:
1030             raise Exception("No failure reported")
1031         dev[2].request("REMOVE_NETWORK all")
1032         dev[2].wait_disconnected()
1033
1034 def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
1035     """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
1036     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1037     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1038     eap_connect(dev[0], apdev[0], "TTLS", "user",
1039                 anonymous_identity="ttls", password="password",
1040                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
1041     hwsim_utils.test_connectivity(dev[0], hapd)
1042     eap_reauth(dev[0], "TTLS")
1043
1044 def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
1045     """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
1046     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1047     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1048     eap_connect(dev[0], apdev[0], "TTLS", "user",
1049                 anonymous_identity="ttls", password="wrong",
1050                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
1051                 expect_failure=True)
1052
1053 def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
1054     """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
1055     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1056     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1057     eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
1058                 anonymous_identity="ttls", password="password",
1059                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
1060                 expect_failure=True)
1061
1062 def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
1063     """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
1064     params = int_eap_server_params()
1065     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1066     with alloc_fail(hapd, 1, "eap_gtc_init"):
1067         eap_connect(dev[0], apdev[0], "TTLS", "user",
1068                     anonymous_identity="ttls", password="password",
1069                     ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
1070                     expect_failure=True)
1071         dev[0].request("REMOVE_NETWORK all")
1072
1073     with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
1074         dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1075                        eap="TTLS", identity="user",
1076                        anonymous_identity="ttls", password="password",
1077                        ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
1078                        wait_connect=False, scan_freq="2412")
1079         # This would eventually time out, but we can stop after having reached
1080         # the allocation failure.
1081         for i in range(20):
1082             time.sleep(0.1)
1083             if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1084                 break
1085
1086 def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
1087     """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
1088     check_eap_capa(dev[0], "MD5")
1089     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1090     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1091     eap_connect(dev[0], apdev[0], "TTLS", "user",
1092                 anonymous_identity="ttls", password="password",
1093                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
1094     hwsim_utils.test_connectivity(dev[0], hapd)
1095     eap_reauth(dev[0], "TTLS")
1096
1097 def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
1098     """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
1099     check_eap_capa(dev[0], "MD5")
1100     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1101     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1102     eap_connect(dev[0], apdev[0], "TTLS", "user",
1103                 anonymous_identity="ttls", password="wrong",
1104                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1105                 expect_failure=True)
1106
1107 def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
1108     """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
1109     check_eap_capa(dev[0], "MD5")
1110     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1111     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1112     eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
1113                 anonymous_identity="ttls", password="password",
1114                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1115                 expect_failure=True)
1116
1117 def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
1118     """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
1119     check_eap_capa(dev[0], "MD5")
1120     params = int_eap_server_params()
1121     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1122     with alloc_fail(hapd, 1, "eap_md5_init"):
1123         eap_connect(dev[0], apdev[0], "TTLS", "user",
1124                     anonymous_identity="ttls", password="password",
1125                     ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1126                     expect_failure=True)
1127         dev[0].request("REMOVE_NETWORK all")
1128
1129     with alloc_fail(hapd, 1, "eap_md5_buildReq"):
1130         dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1131                        eap="TTLS", identity="user",
1132                        anonymous_identity="ttls", password="password",
1133                        ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1134                        wait_connect=False, scan_freq="2412")
1135         # This would eventually time out, but we can stop after having reached
1136         # the allocation failure.
1137         for i in range(20):
1138             time.sleep(0.1)
1139             if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1140                 break
1141
1142 def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
1143     """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
1144     check_eap_capa(dev[0], "MSCHAPV2")
1145     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1146     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1147     eap_connect(dev[0], apdev[0], "TTLS", "user",
1148                 anonymous_identity="ttls", password="password",
1149                 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
1150     hwsim_utils.test_connectivity(dev[0], hapd)
1151     eap_reauth(dev[0], "TTLS")
1152
1153     logger.info("Negative test with incorrect password")
1154     dev[0].request("REMOVE_NETWORK all")
1155     eap_connect(dev[0], apdev[0], "TTLS", "user",
1156                 anonymous_identity="ttls", password="password1",
1157                 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1158                 expect_failure=True)
1159
1160 def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
1161     """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
1162     check_eap_capa(dev[0], "MSCHAPV2")
1163     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1164     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1165     eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
1166                 anonymous_identity="ttls", password="password",
1167                 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1168                 expect_failure=True)
1169
1170 def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
1171     """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
1172     check_eap_capa(dev[0], "MSCHAPV2")
1173     params = int_eap_server_params()
1174     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1175     with alloc_fail(hapd, 1, "eap_mschapv2_init"):
1176         eap_connect(dev[0], apdev[0], "TTLS", "user",
1177                     anonymous_identity="ttls", password="password",
1178                     ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1179                     expect_failure=True)
1180         dev[0].request("REMOVE_NETWORK all")
1181
1182     with alloc_fail(hapd, 1, "eap_mschapv2_build_challenge"):
1183         dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1184                        eap="TTLS", identity="user",
1185                        anonymous_identity="ttls", password="password",
1186                        ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1187                        wait_connect=False, scan_freq="2412")
1188         # This would eventually time out, but we can stop after having reached
1189         # the allocation failure.
1190         for i in range(20):
1191             time.sleep(0.1)
1192             if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1193                 break
1194         dev[0].request("REMOVE_NETWORK all")
1195
1196     with alloc_fail(hapd, 1, "eap_mschapv2_build_success_req"):
1197         dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1198                        eap="TTLS", identity="user",
1199                        anonymous_identity="ttls", password="password",
1200                        ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1201                        wait_connect=False, scan_freq="2412")
1202         # This would eventually time out, but we can stop after having reached
1203         # the allocation failure.
1204         for i in range(20):
1205             time.sleep(0.1)
1206             if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1207                 break
1208         dev[0].request("REMOVE_NETWORK all")
1209
1210     with alloc_fail(hapd, 1, "eap_mschapv2_build_failure_req"):
1211         dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1212                        eap="TTLS", identity="user",
1213                        anonymous_identity="ttls", password="wrong",
1214                        ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1215                        wait_connect=False, scan_freq="2412")
1216         # This would eventually time out, but we can stop after having reached
1217         # the allocation failure.
1218         for i in range(20):
1219             time.sleep(0.1)
1220             if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1221                 break
1222         dev[0].request("REMOVE_NETWORK all")
1223
1224 def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
1225     """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
1226     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1227     hostapd.add_ap(apdev[0]['ifname'], params)
1228     eap_connect(dev[0], apdev[0], "TTLS", "0232010000000000",
1229                 anonymous_identity="0232010000000000@ttls",
1230                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1231                 ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
1232
1233 def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
1234     """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
1235     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1236     hostapd.add_ap(apdev[0]['ifname'], params)
1237     eap_connect(dev[0], apdev[0], "PEAP", "0232010000000000",
1238                 anonymous_identity="0232010000000000@peap",
1239                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1240                 ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
1241
1242 def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
1243     """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
1244     check_eap_capa(dev[0], "FAST")
1245     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1246     hostapd.add_ap(apdev[0]['ifname'], params)
1247     eap_connect(dev[0], apdev[0], "FAST", "0232010000000000",
1248                 anonymous_identity="0232010000000000@fast",
1249                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1250                 phase1="fast_provisioning=2",
1251                 pac_file="blob://fast_pac_auth_aka",
1252                 ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
1253
1254 def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
1255     """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
1256     check_eap_capa(dev[0], "MSCHAPV2")
1257     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1258     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1259     eap_connect(dev[0], apdev[0], "PEAP", "user",
1260                 anonymous_identity="peap", password="password",
1261                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
1262     hwsim_utils.test_connectivity(dev[0], hapd)
1263     eap_reauth(dev[0], "PEAP")
1264     dev[0].request("REMOVE_NETWORK all")
1265     eap_connect(dev[0], apdev[0], "PEAP", "user",
1266                 anonymous_identity="peap", password="password",
1267                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1268                 fragment_size="200")
1269
1270     logger.info("Password as hash value")
1271     dev[0].request("REMOVE_NETWORK all")
1272     eap_connect(dev[0], apdev[0], "PEAP", "user",
1273                 anonymous_identity="peap",
1274                 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
1275                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
1276
1277     logger.info("Negative test with incorrect password")
1278     dev[0].request("REMOVE_NETWORK all")
1279     eap_connect(dev[0], apdev[0], "PEAP", "user",
1280                 anonymous_identity="peap", password="password1",
1281                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1282                 expect_failure=True)
1283
1284 def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
1285     """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
1286     check_eap_capa(dev[0], "MSCHAPV2")
1287     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1288     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1289     eap_connect(dev[0], apdev[0], "PEAP", "DOMAIN\user3",
1290                 anonymous_identity="peap", password="password",
1291                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
1292     hwsim_utils.test_connectivity(dev[0], hapd)
1293     eap_reauth(dev[0], "PEAP")
1294
1295 def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
1296     """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
1297     check_eap_capa(dev[0], "MSCHAPV2")
1298     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1299     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1300     eap_connect(dev[0], apdev[0], "PEAP", "user",
1301                 anonymous_identity="peap", password="wrong",
1302                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1303                 expect_failure=True)
1304
1305 def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
1306     """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
1307     check_eap_capa(dev[0], "MSCHAPV2")
1308     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1309     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1310     eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
1311                 ca_cert="auth_serv/ca.pem",
1312                 phase1="peapver=0 crypto_binding=2",
1313                 phase2="auth=MSCHAPV2")
1314     hwsim_utils.test_connectivity(dev[0], hapd)
1315     eap_reauth(dev[0], "PEAP")
1316
1317     eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
1318                 ca_cert="auth_serv/ca.pem",
1319                 phase1="peapver=0 crypto_binding=1",
1320                 phase2="auth=MSCHAPV2")
1321     eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
1322                 ca_cert="auth_serv/ca.pem",
1323                 phase1="peapver=0 crypto_binding=0",
1324                 phase2="auth=MSCHAPV2")
1325
1326 def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
1327     """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
1328     check_eap_capa(dev[0], "MSCHAPV2")
1329     params = int_eap_server_params()
1330     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1331     with alloc_fail(hapd, 1, "eap_mschapv2_getKey"):
1332         eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
1333                     ca_cert="auth_serv/ca.pem",
1334                     phase1="peapver=0 crypto_binding=2",
1335                     phase2="auth=MSCHAPV2",
1336                     expect_failure=True, local_error_report=True)
1337
1338 def test_ap_wpa2_eap_peap_params(dev, apdev):
1339     """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
1340     check_eap_capa(dev[0], "MSCHAPV2")
1341     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1342     hostapd.add_ap(apdev[0]['ifname'], params)
1343     eap_connect(dev[0], apdev[0], "PEAP", "user",
1344                 anonymous_identity="peap", password="password",
1345                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1346                 phase1="peapver=0 peaplabel=1",
1347                 expect_failure=True)
1348     dev[0].request("REMOVE_NETWORK all")
1349     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1350                    identity="user",
1351                    anonymous_identity="peap", password="password",
1352                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1353                    phase1="peap_outer_success=0",
1354                    wait_connect=False, scan_freq="2412")
1355     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
1356     if ev is None:
1357         raise Exception("No EAP success seen")
1358     # This won't succeed to connect with peap_outer_success=0, so stop here.
1359     dev[0].request("REMOVE_NETWORK all")
1360     dev[0].wait_disconnected()
1361     eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
1362                 ca_cert="auth_serv/ca.pem",
1363                 phase1="peap_outer_success=1",
1364                 phase2="auth=MSCHAPV2")
1365     eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
1366                 ca_cert="auth_serv/ca.pem",
1367                 phase1="peap_outer_success=2",
1368                 phase2="auth=MSCHAPV2")
1369     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1370                    identity="user",
1371                    anonymous_identity="peap", password="password",
1372                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1373                    phase1="peapver=1 peaplabel=1",
1374                    wait_connect=False, scan_freq="2412")
1375     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
1376     if ev is None:
1377         raise Exception("No EAP success seen")
1378     ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
1379     if ev is not None:
1380         raise Exception("Unexpected connection")
1381
1382     tests = [ ("peap-ver0", ""),
1383               ("peap-ver1", ""),
1384               ("peap-ver0", "peapver=0"),
1385               ("peap-ver1", "peapver=1") ]
1386     for anon,phase1 in tests:
1387         dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1388                        identity="user", anonymous_identity=anon,
1389                        password="password", phase1=phase1,
1390                        ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1391                        scan_freq="2412")
1392         dev[0].request("REMOVE_NETWORK all")
1393         dev[0].wait_disconnected()
1394
1395     tests = [ ("peap-ver0", "peapver=1"),
1396               ("peap-ver1", "peapver=0") ]
1397     for anon,phase1 in tests:
1398         dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1399                        identity="user", anonymous_identity=anon,
1400                        password="password", phase1=phase1,
1401                        ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1402                        wait_connect=False, scan_freq="2412")
1403         ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
1404         if ev is None:
1405             raise Exception("No EAP-Failure seen")
1406         dev[0].request("REMOVE_NETWORK all")
1407         dev[0].wait_disconnected()
1408
1409     eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
1410                 ca_cert="auth_serv/ca.pem",
1411                 phase1="tls_allow_md5=1 tls_disable_session_ticket=1 tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=0 tls_ext_cert_check=0",
1412                 phase2="auth=MSCHAPV2")
1413
1414 def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
1415     """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
1416     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1417     hostapd.add_ap(apdev[0]['ifname'], params)
1418     eap_connect(dev[0], apdev[0], "PEAP", "cert user",
1419                 ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
1420                 ca_cert2="auth_serv/ca.pem",
1421                 client_cert2="auth_serv/user.pem",
1422                 private_key2="auth_serv/user.key")
1423     eap_reauth(dev[0], "PEAP")
1424
1425 def test_ap_wpa2_eap_tls(dev, apdev):
1426     """WPA2-Enterprise connection using EAP-TLS"""
1427     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1428     hostapd.add_ap(apdev[0]['ifname'], params)
1429     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1430                 client_cert="auth_serv/user.pem",
1431                 private_key="auth_serv/user.key")
1432     eap_reauth(dev[0], "TLS")
1433
1434 def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev):
1435     """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key"""
1436     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1437     hostapd.add_ap(apdev[0]['ifname'], params)
1438     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1439                 client_cert="auth_serv/user.pem",
1440                 private_key="auth_serv/user.key.pkcs8",
1441                 private_key_passwd="whatever")
1442
1443 def test_eap_tls_pkcs8_pkcs5_v15(dev, apdev):
1444     """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key"""
1445     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1446     hostapd.add_ap(apdev[0]['ifname'], params)
1447     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1448                 client_cert="auth_serv/user.pem",
1449                 private_key="auth_serv/user.key.pkcs8.pkcs5v15",
1450                 private_key_passwd="whatever")
1451
1452 def test_ap_wpa2_eap_tls_blob(dev, apdev):
1453     """WPA2-Enterprise connection using EAP-TLS and config blobs"""
1454     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1455     hostapd.add_ap(apdev[0]['ifname'], params)
1456     cert = read_pem("auth_serv/ca.pem")
1457     if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
1458         raise Exception("Could not set cacert blob")
1459     cert = read_pem("auth_serv/user.pem")
1460     if "OK" not in dev[0].request("SET blob usercert " + cert.encode("hex")):
1461         raise Exception("Could not set usercert blob")
1462     key = read_pem("auth_serv/user.rsa-key")
1463     if "OK" not in dev[0].request("SET blob userkey " + key.encode("hex")):
1464         raise Exception("Could not set cacert blob")
1465     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
1466                 client_cert="blob://usercert",
1467                 private_key="blob://userkey")
1468
1469 def test_ap_wpa2_eap_tls_blob_missing(dev, apdev):
1470     """EAP-TLS and config blob missing"""
1471     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1472     hostapd.add_ap(apdev[0]['ifname'], params)
1473     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
1474                    identity="tls user",
1475                    ca_cert="blob://testing-blob-does-not-exist",
1476                    client_cert="blob://testing-blob-does-not-exist",
1477                    private_key="blob://testing-blob-does-not-exist",
1478                    wait_connect=False, scan_freq="2412")
1479     ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"], timeout=10)
1480     if ev is None:
1481         raise Exception("EAP failure not reported")
1482     dev[0].request("REMOVE_NETWORK all")
1483     dev[0].wait_disconnected()
1484
1485 def test_ap_wpa2_eap_tls_with_tls_len(dev, apdev):
1486     """EAP-TLS and TLS Message Length in unfragmented packets"""
1487     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1488     hostapd.add_ap(apdev[0]['ifname'], params)
1489     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1490                 phase1="include_tls_length=1",
1491                 client_cert="auth_serv/user.pem",
1492                 private_key="auth_serv/user.key")
1493
1494 def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
1495     """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
1496     check_pkcs12_support(dev[0])
1497     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1498     hostapd.add_ap(apdev[0]['ifname'], params)
1499     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1500                 private_key="auth_serv/user.pkcs12",
1501                 private_key_passwd="whatever")
1502     dev[0].request("REMOVE_NETWORK all")
1503     dev[0].wait_disconnected()
1504
1505     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
1506                    identity="tls user",
1507                    ca_cert="auth_serv/ca.pem",
1508                    private_key="auth_serv/user.pkcs12",
1509                    wait_connect=False, scan_freq="2412")
1510     ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
1511     if ev is None:
1512         raise Exception("Request for private key passphrase timed out")
1513     id = ev.split(':')[0].split('-')[-1]
1514     dev[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
1515     dev[0].wait_connected(timeout=10)
1516     dev[0].request("REMOVE_NETWORK all")
1517     dev[0].wait_disconnected()
1518
1519     # Run this twice to verify certificate chain handling with OpenSSL. Use two
1520     # different files to cover both cases of the extra certificate being the
1521     # one that signed the client certificate and it being unrelated to the
1522     # client certificate.
1523     for pkcs12 in "auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12":
1524         for i in range(2):
1525             eap_connect(dev[0], apdev[0], "TLS", "tls user",
1526                         ca_cert="auth_serv/ca.pem",
1527                         private_key=pkcs12,
1528                         private_key_passwd="whatever")
1529             dev[0].request("REMOVE_NETWORK all")
1530             dev[0].wait_disconnected()
1531
1532 def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
1533     """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
1534     check_pkcs12_support(dev[0])
1535     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1536     hostapd.add_ap(apdev[0]['ifname'], params)
1537     cert = read_pem("auth_serv/ca.pem")
1538     if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
1539         raise Exception("Could not set cacert blob")
1540     with open("auth_serv/user.pkcs12", "rb") as f:
1541         if "OK" not in dev[0].request("SET blob pkcs12 " + f.read().encode("hex")):
1542             raise Exception("Could not set pkcs12 blob")
1543     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
1544                 private_key="blob://pkcs12",
1545                 private_key_passwd="whatever")
1546
1547 def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
1548     """WPA2-Enterprise negative test - incorrect trust root"""
1549     check_eap_capa(dev[0], "MSCHAPV2")
1550     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1551     hostapd.add_ap(apdev[0]['ifname'], params)
1552     cert = read_pem("auth_serv/ca-incorrect.pem")
1553     if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
1554         raise Exception("Could not set cacert blob")
1555     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1556                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1557                    password="password", phase2="auth=MSCHAPV2",
1558                    ca_cert="blob://cacert",
1559                    wait_connect=False, scan_freq="2412")
1560     dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1561                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1562                    password="password", phase2="auth=MSCHAPV2",
1563                    ca_cert="auth_serv/ca-incorrect.pem",
1564                    wait_connect=False, scan_freq="2412")
1565
1566     for dev in (dev[0], dev[1]):
1567         ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1568         if ev is None:
1569             raise Exception("Association and EAP start timed out")
1570
1571         ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1572         if ev is None:
1573             raise Exception("EAP method selection timed out")
1574         if "TTLS" not in ev:
1575             raise Exception("Unexpected EAP method")
1576
1577         ev = dev.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1578                              "CTRL-EVENT-EAP-SUCCESS",
1579                              "CTRL-EVENT-EAP-FAILURE",
1580                              "CTRL-EVENT-CONNECTED",
1581                              "CTRL-EVENT-DISCONNECTED"], timeout=10)
1582         if ev is None:
1583             raise Exception("EAP result timed out")
1584         if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1585             raise Exception("TLS certificate error not reported")
1586
1587         ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS",
1588                              "CTRL-EVENT-EAP-FAILURE",
1589                              "CTRL-EVENT-CONNECTED",
1590                              "CTRL-EVENT-DISCONNECTED"], timeout=10)
1591         if ev is None:
1592             raise Exception("EAP result(2) timed out")
1593         if "CTRL-EVENT-EAP-FAILURE" not in ev:
1594             raise Exception("EAP failure not reported")
1595
1596         ev = dev.wait_event(["CTRL-EVENT-CONNECTED",
1597                              "CTRL-EVENT-DISCONNECTED"], timeout=10)
1598         if ev is None:
1599             raise Exception("EAP result(3) timed out")
1600         if "CTRL-EVENT-DISCONNECTED" not in ev:
1601             raise Exception("Disconnection not reported")
1602
1603         ev = dev.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1604         if ev is None:
1605             raise Exception("Network block disabling not reported")
1606
1607 def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
1608     """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1609     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1610     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1611     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1612                    identity="pap user", anonymous_identity="ttls",
1613                    password="password", phase2="auth=PAP",
1614                    ca_cert="auth_serv/ca.pem",
1615                    wait_connect=True, scan_freq="2412")
1616     id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1617                         identity="pap user", anonymous_identity="ttls",
1618                         password="password", phase2="auth=PAP",
1619                         ca_cert="auth_serv/ca-incorrect.pem",
1620                         only_add_network=True, scan_freq="2412")
1621
1622     dev[0].request("DISCONNECT")
1623     dev[0].wait_disconnected()
1624     dev[0].dump_monitor()
1625     dev[0].select_network(id, freq="2412")
1626
1627     ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1628     if ev is None:
1629         raise Exception("EAP-TTLS not re-started")
1630
1631     ev = dev[0].wait_disconnected(timeout=15)
1632     if "reason=23" not in ev:
1633         raise Exception("Proper reason code for disconnection not reported")
1634
1635 def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
1636     """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1637     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1638     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1639     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1640                    identity="pap user", anonymous_identity="ttls",
1641                    password="password", phase2="auth=PAP",
1642                    wait_connect=True, scan_freq="2412")
1643     id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1644                         identity="pap user", anonymous_identity="ttls",
1645                         password="password", phase2="auth=PAP",
1646                         ca_cert="auth_serv/ca-incorrect.pem",
1647                         only_add_network=True, scan_freq="2412")
1648
1649     dev[0].request("DISCONNECT")
1650     dev[0].wait_disconnected()
1651     dev[0].dump_monitor()
1652     dev[0].select_network(id, freq="2412")
1653
1654     ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1655     if ev is None:
1656         raise Exception("EAP-TTLS not re-started")
1657
1658     ev = dev[0].wait_disconnected(timeout=15)
1659     if "reason=23" not in ev:
1660         raise Exception("Proper reason code for disconnection not reported")
1661
1662 def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
1663     """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1664     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1665     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1666     id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1667                         identity="pap user", anonymous_identity="ttls",
1668                         password="password", phase2="auth=PAP",
1669                         ca_cert="auth_serv/ca.pem",
1670                         wait_connect=True, scan_freq="2412")
1671     dev[0].request("DISCONNECT")
1672     dev[0].wait_disconnected()
1673     dev[0].dump_monitor()
1674     dev[0].set_network_quoted(id, "ca_cert", "auth_serv/ca-incorrect.pem")
1675     dev[0].select_network(id, freq="2412")
1676
1677     ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1678     if ev is None:
1679         raise Exception("EAP-TTLS not re-started")
1680
1681     ev = dev[0].wait_disconnected(timeout=15)
1682     if "reason=23" not in ev:
1683         raise Exception("Proper reason code for disconnection not reported")
1684
1685 def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
1686     """WPA2-Enterprise negative test - domain suffix mismatch"""
1687     check_domain_suffix_match(dev[0])
1688     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1689     hostapd.add_ap(apdev[0]['ifname'], params)
1690     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1691                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1692                    password="password", phase2="auth=MSCHAPV2",
1693                    ca_cert="auth_serv/ca.pem",
1694                    domain_suffix_match="incorrect.example.com",
1695                    wait_connect=False, scan_freq="2412")
1696
1697     ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1698     if ev is None:
1699         raise Exception("Association and EAP start timed out")
1700
1701     ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1702     if ev is None:
1703         raise Exception("EAP method selection timed out")
1704     if "TTLS" not in ev:
1705         raise Exception("Unexpected EAP method")
1706
1707     ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1708                             "CTRL-EVENT-EAP-SUCCESS",
1709                             "CTRL-EVENT-EAP-FAILURE",
1710                             "CTRL-EVENT-CONNECTED",
1711                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
1712     if ev is None:
1713         raise Exception("EAP result timed out")
1714     if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1715         raise Exception("TLS certificate error not reported")
1716     if "Domain suffix mismatch" not in ev:
1717         raise Exception("Domain suffix mismatch not reported")
1718
1719     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1720                             "CTRL-EVENT-EAP-FAILURE",
1721                             "CTRL-EVENT-CONNECTED",
1722                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
1723     if ev is None:
1724         raise Exception("EAP result(2) timed out")
1725     if "CTRL-EVENT-EAP-FAILURE" not in ev:
1726         raise Exception("EAP failure not reported")
1727
1728     ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1729                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
1730     if ev is None:
1731         raise Exception("EAP result(3) timed out")
1732     if "CTRL-EVENT-DISCONNECTED" not in ev:
1733         raise Exception("Disconnection not reported")
1734
1735     ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1736     if ev is None:
1737         raise Exception("Network block disabling not reported")
1738
1739 def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
1740     """WPA2-Enterprise negative test - domain mismatch"""
1741     check_domain_match(dev[0])
1742     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1743     hostapd.add_ap(apdev[0]['ifname'], params)
1744     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1745                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1746                    password="password", phase2="auth=MSCHAPV2",
1747                    ca_cert="auth_serv/ca.pem",
1748                    domain_match="w1.fi",
1749                    wait_connect=False, scan_freq="2412")
1750
1751     ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1752     if ev is None:
1753         raise Exception("Association and EAP start timed out")
1754
1755     ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1756     if ev is None:
1757         raise Exception("EAP method selection timed out")
1758     if "TTLS" not in ev:
1759         raise Exception("Unexpected EAP method")
1760
1761     ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1762                             "CTRL-EVENT-EAP-SUCCESS",
1763                             "CTRL-EVENT-EAP-FAILURE",
1764                             "CTRL-EVENT-CONNECTED",
1765                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
1766     if ev is None:
1767         raise Exception("EAP result timed out")
1768     if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1769         raise Exception("TLS certificate error not reported")
1770     if "Domain mismatch" not in ev:
1771         raise Exception("Domain mismatch not reported")
1772
1773     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1774                             "CTRL-EVENT-EAP-FAILURE",
1775                             "CTRL-EVENT-CONNECTED",
1776                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
1777     if ev is None:
1778         raise Exception("EAP result(2) timed out")
1779     if "CTRL-EVENT-EAP-FAILURE" not in ev:
1780         raise Exception("EAP failure not reported")
1781
1782     ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1783                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
1784     if ev is None:
1785         raise Exception("EAP result(3) timed out")
1786     if "CTRL-EVENT-DISCONNECTED" not in ev:
1787         raise Exception("Disconnection not reported")
1788
1789     ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1790     if ev is None:
1791         raise Exception("Network block disabling not reported")
1792
1793 def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
1794     """WPA2-Enterprise negative test - subject mismatch"""
1795     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1796     hostapd.add_ap(apdev[0]['ifname'], params)
1797     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1798                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1799                    password="password", phase2="auth=MSCHAPV2",
1800                    ca_cert="auth_serv/ca.pem",
1801                    subject_match="/C=FI/O=w1.fi/CN=example.com",
1802                    wait_connect=False, scan_freq="2412")
1803
1804     ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1805     if ev is None:
1806         raise Exception("Association and EAP start timed out")
1807
1808     ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
1809                             "EAP: Failed to initialize EAP method"], timeout=10)
1810     if ev is None:
1811         raise Exception("EAP method selection timed out")
1812     if "EAP: Failed to initialize EAP method" in ev:
1813         tls = dev[0].request("GET tls_library")
1814         if tls.startswith("OpenSSL"):
1815             raise Exception("Failed to select EAP method")
1816         logger.info("subject_match not supported - connection failed, so test succeeded")
1817         return
1818     if "TTLS" not in ev:
1819         raise Exception("Unexpected EAP method")
1820
1821     ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1822                             "CTRL-EVENT-EAP-SUCCESS",
1823                             "CTRL-EVENT-EAP-FAILURE",
1824                             "CTRL-EVENT-CONNECTED",
1825                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
1826     if ev is None:
1827         raise Exception("EAP result timed out")
1828     if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1829         raise Exception("TLS certificate error not reported")
1830     if "Subject mismatch" not in ev:
1831         raise Exception("Subject mismatch not reported")
1832
1833     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1834                             "CTRL-EVENT-EAP-FAILURE",
1835                             "CTRL-EVENT-CONNECTED",
1836                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
1837     if ev is None:
1838         raise Exception("EAP result(2) timed out")
1839     if "CTRL-EVENT-EAP-FAILURE" not in ev:
1840         raise Exception("EAP failure not reported")
1841
1842     ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1843                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
1844     if ev is None:
1845         raise Exception("EAP result(3) timed out")
1846     if "CTRL-EVENT-DISCONNECTED" not in ev:
1847         raise Exception("Disconnection not reported")
1848
1849     ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1850     if ev is None:
1851         raise Exception("Network block disabling not reported")
1852
1853 def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
1854     """WPA2-Enterprise negative test - altsubject mismatch"""
1855     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1856     hostapd.add_ap(apdev[0]['ifname'], params)
1857
1858     tests = [ "incorrect.example.com",
1859               "DNS:incorrect.example.com",
1860               "DNS:w1.fi",
1861               "DNS:erver.w1.fi" ]
1862     for match in tests:
1863         _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
1864
1865 def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
1866     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1867                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1868                    password="password", phase2="auth=MSCHAPV2",
1869                    ca_cert="auth_serv/ca.pem",
1870                    altsubject_match=match,
1871                    wait_connect=False, scan_freq="2412")
1872
1873     ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1874     if ev is None:
1875         raise Exception("Association and EAP start timed out")
1876
1877     ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
1878                             "EAP: Failed to initialize EAP method"], timeout=10)
1879     if ev is None:
1880         raise Exception("EAP method selection timed out")
1881     if "EAP: Failed to initialize EAP method" in ev:
1882         tls = dev[0].request("GET tls_library")
1883         if tls.startswith("OpenSSL"):
1884             raise Exception("Failed to select EAP method")
1885         logger.info("altsubject_match not supported - connection failed, so test succeeded")
1886         return
1887     if "TTLS" not in ev:
1888         raise Exception("Unexpected EAP method")
1889
1890     ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1891                             "CTRL-EVENT-EAP-SUCCESS",
1892                             "CTRL-EVENT-EAP-FAILURE",
1893                             "CTRL-EVENT-CONNECTED",
1894                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
1895     if ev is None:
1896         raise Exception("EAP result timed out")
1897     if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1898         raise Exception("TLS certificate error not reported")
1899     if "AltSubject mismatch" not in ev:
1900         raise Exception("altsubject mismatch not reported")
1901
1902     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1903                             "CTRL-EVENT-EAP-FAILURE",
1904                             "CTRL-EVENT-CONNECTED",
1905                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
1906     if ev is None:
1907         raise Exception("EAP result(2) timed out")
1908     if "CTRL-EVENT-EAP-FAILURE" not in ev:
1909         raise Exception("EAP failure not reported")
1910
1911     ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1912                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
1913     if ev is None:
1914         raise Exception("EAP result(3) timed out")
1915     if "CTRL-EVENT-DISCONNECTED" not in ev:
1916         raise Exception("Disconnection not reported")
1917
1918     ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1919     if ev is None:
1920         raise Exception("Network block disabling not reported")
1921
1922     dev[0].request("REMOVE_NETWORK all")
1923
1924 def test_ap_wpa2_eap_unauth_tls(dev, apdev):
1925     """WPA2-Enterprise connection using UNAUTH-TLS"""
1926     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1927     hostapd.add_ap(apdev[0]['ifname'], params)
1928     eap_connect(dev[0], apdev[0], "UNAUTH-TLS", "unauth-tls",
1929                 ca_cert="auth_serv/ca.pem")
1930     eap_reauth(dev[0], "UNAUTH-TLS")
1931
1932 def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
1933     """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
1934     check_cert_probe_support(dev[0])
1935     skip_with_fips(dev[0])
1936     srv_cert_hash = "e75bd454c7b02d312e5006d75067c28ffa5baea422effeb2bbd572179cd000ca"
1937     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1938     hostapd.add_ap(apdev[0]['ifname'], params)
1939     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1940                    identity="probe", ca_cert="probe://",
1941                    wait_connect=False, scan_freq="2412")
1942     ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1943     if ev is None:
1944         raise Exception("Association and EAP start timed out")
1945     ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
1946     if ev is None:
1947         raise Exception("No peer server certificate event seen")
1948     if "hash=" + srv_cert_hash not in ev:
1949         raise Exception("Expected server certificate hash not reported")
1950     ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
1951     if ev is None:
1952         raise Exception("EAP result timed out")
1953     if "Server certificate chain probe" not in ev:
1954         raise Exception("Server certificate probe not reported")
1955     dev[0].wait_disconnected(timeout=10)
1956     dev[0].request("REMOVE_NETWORK all")
1957
1958     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1959                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1960                    password="password", phase2="auth=MSCHAPV2",
1961                    ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
1962                    wait_connect=False, scan_freq="2412")
1963     ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1964     if ev is None:
1965         raise Exception("Association and EAP start timed out")
1966     ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
1967     if ev is None:
1968         raise Exception("EAP result timed out")
1969     if "Server certificate mismatch" not in ev:
1970         raise Exception("Server certificate mismatch not reported")
1971     dev[0].wait_disconnected(timeout=10)
1972     dev[0].request("REMOVE_NETWORK all")
1973
1974     eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
1975                 anonymous_identity="ttls", password="password",
1976                 ca_cert="hash://server/sha256/" + srv_cert_hash,
1977                 phase2="auth=MSCHAPV2")
1978
1979 def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
1980     """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
1981     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1982     hostapd.add_ap(apdev[0]['ifname'], params)
1983     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1984                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1985                    password="password", phase2="auth=MSCHAPV2",
1986                    ca_cert="hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
1987                    wait_connect=False, scan_freq="2412")
1988     dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1989                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1990                    password="password", phase2="auth=MSCHAPV2",
1991                    ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
1992                    wait_connect=False, scan_freq="2412")
1993     dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1994                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1995                    password="password", phase2="auth=MSCHAPV2",
1996                    ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
1997                    wait_connect=False, scan_freq="2412")
1998     for i in range(0, 3):
1999         ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
2000         if ev is None:
2001             raise Exception("Association and EAP start timed out")
2002         ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
2003         if ev is None:
2004             raise Exception("Did not report EAP method initialization failure")
2005
2006 def test_ap_wpa2_eap_pwd(dev, apdev):
2007     """WPA2-Enterprise connection using EAP-pwd"""
2008     check_eap_capa(dev[0], "PWD")
2009     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2010     hostapd.add_ap(apdev[0]['ifname'], params)
2011     eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
2012     eap_reauth(dev[0], "PWD")
2013     dev[0].request("REMOVE_NETWORK all")
2014
2015     eap_connect(dev[1], apdev[0], "PWD",
2016                 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
2017                 password="secret password",
2018                 fragment_size="90")
2019
2020     logger.info("Negative test with incorrect password")
2021     eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
2022                 expect_failure=True, local_error_report=True)
2023
2024     eap_connect(dev[0], apdev[0], "PWD",
2025                 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
2026                 password="secret password",
2027                 fragment_size="31")
2028
2029 def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
2030     """WPA2-Enterprise connection using EAP-pwd and NTHash"""
2031     check_eap_capa(dev[0], "PWD")
2032     skip_with_fips(dev[0])
2033     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2034     hostapd.add_ap(apdev[0]['ifname'], params)
2035     eap_connect(dev[0], apdev[0], "PWD", "pwd-hash", password="secret password")
2036     eap_connect(dev[1], apdev[0], "PWD", "pwd-hash",
2037                 password_hex="hash:e3718ece8ab74792cbbfffd316d2d19a")
2038     eap_connect(dev[2], apdev[0], "PWD", "pwd user",
2039                 password_hex="hash:e3718ece8ab74792cbbfffd316d2d19a",
2040                 expect_failure=True, local_error_report=True)
2041
2042 def test_ap_wpa2_eap_pwd_groups(dev, apdev):
2043     """WPA2-Enterprise connection using various EAP-pwd groups"""
2044     check_eap_capa(dev[0], "PWD")
2045     tls = dev[0].request("GET tls_library")
2046     params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2047                "rsn_pairwise": "CCMP", "ieee8021x": "1",
2048                "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
2049     groups = [ 19, 20, 21, 25, 26 ]
2050     if tls.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
2051         logger.info("Add Brainpool EC groups since OpenSSL is new enough")
2052         groups += [ 27, 28, 29, 30 ]
2053     for i in groups:
2054         logger.info("Group %d" % i)
2055         params['pwd_group'] = str(i)
2056         hostapd.add_ap(apdev[0]['ifname'], params)
2057         try:
2058             eap_connect(dev[0], apdev[0], "PWD", "pwd user",
2059                         password="secret password")
2060             dev[0].request("REMOVE_NETWORK all")
2061             dev[0].wait_disconnected()
2062             dev[0].dump_monitor()
2063         except:
2064             if "BoringSSL" in tls and i in [ 25 ]:
2065                 logger.info("Ignore connection failure with group %d with BoringSSL" % i)
2066                 dev[0].request("DISCONNECT")
2067                 time.sleep(0.1)
2068                 dev[0].request("REMOVE_NETWORK all")
2069                 dev[0].dump_monitor()
2070                 continue
2071             raise
2072
2073 def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
2074     """WPA2-Enterprise connection using invalid EAP-pwd group"""
2075     check_eap_capa(dev[0], "PWD")
2076     params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2077                "rsn_pairwise": "CCMP", "ieee8021x": "1",
2078                "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
2079     params['pwd_group'] = "0"
2080     hostapd.add_ap(apdev[0]['ifname'], params)
2081     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
2082                    identity="pwd user", password="secret password",
2083                    scan_freq="2412", wait_connect=False)
2084     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2085     if ev is None:
2086         raise Exception("Timeout on EAP failure report")
2087
2088 def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
2089     """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
2090     check_eap_capa(dev[0], "PWD")
2091     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2092     params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2093                "rsn_pairwise": "CCMP", "ieee8021x": "1",
2094                "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
2095                "pwd_group": "19", "fragment_size": "40" }
2096     hostapd.add_ap(apdev[0]['ifname'], params)
2097     eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
2098
2099 def test_ap_wpa2_eap_gpsk(dev, apdev):
2100     """WPA2-Enterprise connection using EAP-GPSK"""
2101     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2102     hostapd.add_ap(apdev[0]['ifname'], params)
2103     id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
2104                      password="abcdefghijklmnop0123456789abcdef")
2105     eap_reauth(dev[0], "GPSK")
2106
2107     logger.info("Test forced algorithm selection")
2108     for phase1 in [ "cipher=1", "cipher=2" ]:
2109         dev[0].set_network_quoted(id, "phase1", phase1)
2110         ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
2111         if ev is None:
2112             raise Exception("EAP success timed out")
2113         dev[0].wait_connected(timeout=10)
2114
2115     logger.info("Test failed algorithm negotiation")
2116     dev[0].set_network_quoted(id, "phase1", "cipher=9")
2117     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2118     if ev is None:
2119         raise Exception("EAP failure timed out")
2120
2121     logger.info("Negative test with incorrect password")
2122     dev[0].request("REMOVE_NETWORK all")
2123     eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
2124                 password="ffcdefghijklmnop0123456789abcdef",
2125                 expect_failure=True)
2126
2127 def test_ap_wpa2_eap_sake(dev, apdev):
2128     """WPA2-Enterprise connection using EAP-SAKE"""
2129     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2130     hostapd.add_ap(apdev[0]['ifname'], params)
2131     eap_connect(dev[0], apdev[0], "SAKE", "sake user",
2132                 password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
2133     eap_reauth(dev[0], "SAKE")
2134
2135     logger.info("Negative test with incorrect password")
2136     dev[0].request("REMOVE_NETWORK all")
2137     eap_connect(dev[0], apdev[0], "SAKE", "sake user",
2138                 password_hex="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
2139                 expect_failure=True)
2140
2141 def test_ap_wpa2_eap_eke(dev, apdev):
2142     """WPA2-Enterprise connection using EAP-EKE"""
2143     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2144     hostapd.add_ap(apdev[0]['ifname'], params)
2145     id = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
2146     eap_reauth(dev[0], "EKE")
2147
2148     logger.info("Test forced algorithm selection")
2149     for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
2150                     "dhgroup=4 encr=1 prf=2 mac=2",
2151                     "dhgroup=3 encr=1 prf=2 mac=2",
2152                     "dhgroup=3 encr=1 prf=1 mac=1" ]:
2153         dev[0].set_network_quoted(id, "phase1", phase1)
2154         ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
2155         if ev is None:
2156             raise Exception("EAP success timed out")
2157         dev[0].wait_connected(timeout=10)
2158
2159     logger.info("Test failed algorithm negotiation")
2160     dev[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
2161     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2162     if ev is None:
2163         raise Exception("EAP failure timed out")
2164
2165     logger.info("Negative test with incorrect password")
2166     dev[0].request("REMOVE_NETWORK all")
2167     eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
2168                 expect_failure=True)
2169
2170 def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
2171     """WPA2-Enterprise connection using EAP-EKE with serverid NAI"""
2172     params = int_eap_server_params()
2173     params['server_id'] = 'example.server@w1.fi'
2174     hostapd.add_ap(apdev[0]['ifname'], params)
2175     eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
2176
2177 def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
2178     """WPA2-Enterprise connection using EAP-EKE with server OOM"""
2179     params = int_eap_server_params()
2180     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2181     dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
2182
2183     for count,func in [ (1, "eap_eke_build_commit"),
2184                         (2, "eap_eke_build_commit"),
2185                         (3, "eap_eke_build_commit"),
2186                         (1, "eap_eke_build_confirm"),
2187                         (2, "eap_eke_build_confirm"),
2188                         (1, "eap_eke_process_commit"),
2189                         (2, "eap_eke_process_commit"),
2190                         (1, "eap_eke_process_confirm"),
2191                         (1, "eap_eke_process_identity"),
2192                         (2, "eap_eke_process_identity"),
2193                         (3, "eap_eke_process_identity"),
2194                         (4, "eap_eke_process_identity") ]:
2195         with alloc_fail(hapd, count, func):
2196             eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello",
2197                         expect_failure=True)
2198             dev[0].request("REMOVE_NETWORK all")
2199
2200     for count,func,pw in [ (1, "eap_eke_init", "hello"),
2201                            (1, "eap_eke_get_session_id", "hello"),
2202                            (1, "eap_eke_getKey", "hello"),
2203                            (1, "eap_eke_build_msg", "hello"),
2204                            (1, "eap_eke_build_failure", "wrong"),
2205                            (1, "eap_eke_build_identity", "hello"),
2206                            (2, "eap_eke_build_identity", "hello") ]:
2207         with alloc_fail(hapd, count, func):
2208             dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
2209                            eap="EKE", identity="eke user", password=pw,
2210                            wait_connect=False, scan_freq="2412")
2211             # This would eventually time out, but we can stop after having
2212             # reached the allocation failure.
2213             for i in range(20):
2214                 time.sleep(0.1)
2215                 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2216                     break
2217             dev[0].request("REMOVE_NETWORK all")
2218
2219     for count in range(1, 1000):
2220         try:
2221             with alloc_fail(hapd, count, "eap_server_sm_step"):
2222                 dev[0].connect("test-wpa2-eap",
2223                                key_mgmt="WPA-EAP WPA-EAP-SHA256",
2224                                eap="EKE", identity="eke user", password=pw,
2225                                wait_connect=False, scan_freq="2412")
2226                 # This would eventually time out, but we can stop after having
2227                 # reached the allocation failure.
2228                 for i in range(10):
2229                     time.sleep(0.1)
2230                     if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2231                         break
2232                 dev[0].request("REMOVE_NETWORK all")
2233         except Exception, e:
2234             if str(e) == "Allocation failure did not trigger":
2235                 if count < 30:
2236                     raise Exception("Too few allocation failures")
2237                 logger.info("%d allocation failures tested" % (count - 1))
2238                 break
2239             raise e
2240
2241 def test_ap_wpa2_eap_ikev2(dev, apdev):
2242     """WPA2-Enterprise connection using EAP-IKEv2"""
2243     check_eap_capa(dev[0], "IKEV2")
2244     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2245     hostapd.add_ap(apdev[0]['ifname'], params)
2246     eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
2247                 password="ike password")
2248     eap_reauth(dev[0], "IKEV2")
2249     dev[0].request("REMOVE_NETWORK all")
2250     eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
2251                 password="ike password", fragment_size="50")
2252
2253     logger.info("Negative test with incorrect password")
2254     dev[0].request("REMOVE_NETWORK all")
2255     eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
2256                 password="ike-password", expect_failure=True)
2257
2258 def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
2259     """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation"""
2260     check_eap_capa(dev[0], "IKEV2")
2261     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2262     params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2263                "rsn_pairwise": "CCMP", "ieee8021x": "1",
2264                "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
2265                "fragment_size": "50" }
2266     hostapd.add_ap(apdev[0]['ifname'], params)
2267     eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
2268                 password="ike password")
2269     eap_reauth(dev[0], "IKEV2")
2270
2271 def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
2272     """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
2273     check_eap_capa(dev[0], "IKEV2")
2274     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2275     hostapd.add_ap(apdev[0]['ifname'], params)
2276
2277     tests = [ (1, "dh_init"),
2278               (2, "dh_init"),
2279               (1, "dh_derive_shared") ]
2280     for count, func in tests:
2281         with alloc_fail(dev[0], count, func):
2282             dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2283                            identity="ikev2 user", password="ike password",
2284                            wait_connect=False, scan_freq="2412")
2285             ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2286             if ev is None:
2287                 raise Exception("EAP method not selected")
2288             for i in range(10):
2289                 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2290                     break
2291                 time.sleep(0.02)
2292             dev[0].request("REMOVE_NETWORK all")
2293
2294     tests = [ (1, "os_get_random;dh_init") ]
2295     for count, func in tests:
2296         with fail_test(dev[0], count, func):
2297             dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2298                            identity="ikev2 user", password="ike password",
2299                            wait_connect=False, scan_freq="2412")
2300             ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2301             if ev is None:
2302                 raise Exception("EAP method not selected")
2303             for i in range(10):
2304                 if "0:" in dev[0].request("GET_FAIL"):
2305                     break
2306                 time.sleep(0.02)
2307             dev[0].request("REMOVE_NETWORK all")
2308
2309 def test_ap_wpa2_eap_pax(dev, apdev):
2310     """WPA2-Enterprise connection using EAP-PAX"""
2311     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2312     hostapd.add_ap(apdev[0]['ifname'], params)
2313     eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
2314                 password_hex="0123456789abcdef0123456789abcdef")
2315     eap_reauth(dev[0], "PAX")
2316
2317     logger.info("Negative test with incorrect password")
2318     dev[0].request("REMOVE_NETWORK all")
2319     eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
2320                 password_hex="ff23456789abcdef0123456789abcdef",
2321                 expect_failure=True)
2322
2323 def test_ap_wpa2_eap_psk(dev, apdev):
2324     """WPA2-Enterprise connection using EAP-PSK"""
2325     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2326     params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
2327     params["ieee80211w"] = "2"
2328     hostapd.add_ap(apdev[0]['ifname'], params)
2329     eap_connect(dev[0], apdev[0], "PSK", "psk.user@example.com",
2330                 password_hex="0123456789abcdef0123456789abcdef", sha256=True)
2331     eap_reauth(dev[0], "PSK", sha256=True)
2332     check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
2333                         ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5") ])
2334
2335     bss = dev[0].get_bss(apdev[0]['bssid'])
2336     if 'flags' not in bss:
2337         raise Exception("Could not get BSS flags from BSS table")
2338     if "[WPA2-EAP-SHA256-CCMP]" not in bss['flags']:
2339         raise Exception("Unexpected BSS flags: " + bss['flags'])
2340
2341     logger.info("Negative test with incorrect password")
2342     dev[0].request("REMOVE_NETWORK all")
2343     eap_connect(dev[0], apdev[0], "PSK", "psk.user@example.com",
2344                 password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
2345                 expect_failure=True)
2346
2347 def test_ap_wpa2_eap_psk_oom(dev, apdev):
2348     """WPA2-Enterprise connection using EAP-PSK and OOM"""
2349     skip_with_fips(dev[0])
2350     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2351     hostapd.add_ap(apdev[0]['ifname'], params)
2352     tests = [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
2353               (1, "omac1_aes_128;aes_128_eax_encrypt"),
2354               (2, "omac1_aes_128;aes_128_eax_encrypt"),
2355               (3, "omac1_aes_128;aes_128_eax_encrypt"),
2356               (1, "=aes_128_eax_encrypt"),
2357               (1, "omac1_aes_vector"),
2358               (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt"),
2359               (1, "omac1_aes_128;aes_128_eax_decrypt"),
2360               (2, "omac1_aes_128;aes_128_eax_decrypt"),
2361               (3, "omac1_aes_128;aes_128_eax_decrypt"),
2362               (1, "=aes_128_eax_decrypt") ]
2363     for count, func in tests:
2364         with alloc_fail(dev[0], count, func):
2365             dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2366                            identity="psk.user@example.com",
2367                            password_hex="0123456789abcdef0123456789abcdef",
2368                            wait_connect=False, scan_freq="2412")
2369             ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2370             if ev is None:
2371                 raise Exception("EAP method not selected")
2372             for i in range(10):
2373                 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2374                     break
2375                 time.sleep(0.02)
2376             dev[0].request("REMOVE_NETWORK all")
2377
2378     with alloc_fail(dev[0], 1, "aes_128_encrypt_block"):
2379             dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2380                            identity="psk.user@example.com",
2381                            password_hex="0123456789abcdef0123456789abcdef",
2382                            wait_connect=False, scan_freq="2412")
2383             ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2384             if ev is None:
2385                 raise Exception("EAP method failure not reported")
2386             dev[0].request("REMOVE_NETWORK all")
2387
2388 def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
2389     """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
2390     check_eap_capa(dev[0], "MSCHAPV2")
2391     params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
2392     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2393     dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
2394                    identity="user", password="password", phase2="auth=MSCHAPV2",
2395                    ca_cert="auth_serv/ca.pem", wait_connect=False,
2396                    scan_freq="2412")
2397     eap_check_auth(dev[0], "PEAP", True, rsn=False)
2398     hwsim_utils.test_connectivity(dev[0], hapd)
2399     eap_reauth(dev[0], "PEAP", rsn=False)
2400     check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
2401                         ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
2402     status = dev[0].get_status(extra="VERBOSE")
2403     if 'portControl' not in status:
2404         raise Exception("portControl missing from STATUS-VERBOSE")
2405     if status['portControl'] != 'Auto':
2406         raise Exception("Unexpected portControl value: " + status['portControl'])
2407     if 'eap_session_id' not in status:
2408         raise Exception("eap_session_id missing from STATUS-VERBOSE")
2409     if not status['eap_session_id'].startswith("19"):
2410         raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
2411
2412 def test_ap_wpa2_eap_interactive(dev, apdev):
2413     """WPA2-Enterprise connection using interactive identity/password entry"""
2414     check_eap_capa(dev[0], "MSCHAPV2")
2415     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2416     hostapd.add_ap(apdev[0]['ifname'], params)
2417     hapd = hostapd.Hostapd(apdev[0]['ifname'])
2418
2419     tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
2420                "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
2421                None, "password"),
2422               ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
2423                "TTLS", "ttls", None, "auth=MSCHAPV2",
2424                "DOMAIN\mschapv2 user", "password"),
2425               ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
2426                "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
2427               ("Connection with dynamic TTLS/EAP-MD5 password entry",
2428                "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
2429               ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
2430                "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
2431               ("Connection with dynamic PEAP/EAP-GTC password entry",
2432                "PEAP", None, "user", "auth=GTC", None, "password") ]
2433     for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
2434         logger.info(desc)
2435         dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
2436                        anonymous_identity=anon, identity=identity,
2437                        ca_cert="auth_serv/ca.pem", phase2=phase2,
2438                        wait_connect=False, scan_freq="2412")
2439         if req_id:
2440             ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
2441             if ev is None:
2442                 raise Exception("Request for identity timed out")
2443             id = ev.split(':')[0].split('-')[-1]
2444             dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
2445         ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
2446         if ev is None:
2447             raise Exception("Request for password timed out")
2448         id = ev.split(':')[0].split('-')[-1]
2449         type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
2450         dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
2451         dev[0].wait_connected(timeout=10)
2452         dev[0].request("REMOVE_NETWORK all")
2453
2454 def test_ap_wpa2_eap_ext_enable_network_while_connected(dev, apdev):
2455     """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK"""
2456     check_eap_capa(dev[0], "MSCHAPV2")
2457     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2458     hostapd.add_ap(apdev[0]['ifname'], params)
2459     hapd = hostapd.Hostapd(apdev[0]['ifname'])
2460
2461     id_other = dev[0].connect("other", key_mgmt="NONE", scan_freq="2412",
2462                               only_add_network=True)
2463
2464     req_id = "DOMAIN\mschapv2 user"
2465     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2466                    anonymous_identity="ttls", identity=None,
2467                    password="password",
2468                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2469                    wait_connect=False, scan_freq="2412")
2470     ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
2471     if ev is None:
2472         raise Exception("Request for identity timed out")
2473     id = ev.split(':')[0].split('-')[-1]
2474     dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
2475     dev[0].wait_connected(timeout=10)
2476
2477     if "OK" not in dev[0].request("ENABLE_NETWORK " + str(id_other)):
2478         raise Exception("Failed to enable network")
2479     ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=1)
2480     if ev is not None:
2481         raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
2482     dev[0].request("REMOVE_NETWORK all")
2483
2484 def test_ap_wpa2_eap_vendor_test(dev, apdev):
2485     """WPA2-Enterprise connection using EAP vendor test"""
2486     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2487     hostapd.add_ap(apdev[0]['ifname'], params)
2488     eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
2489     eap_reauth(dev[0], "VENDOR-TEST")
2490     eap_connect(dev[1], apdev[0], "VENDOR-TEST", "vendor-test",
2491                 password="pending")
2492
2493 def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
2494     """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
2495     check_eap_capa(dev[0], "FAST")
2496     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2497     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2498     eap_connect(dev[0], apdev[0], "FAST", "user",
2499                 anonymous_identity="FAST", password="password",
2500                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2501                 phase1="fast_provisioning=1", pac_file="blob://fast_pac")
2502     hwsim_utils.test_connectivity(dev[0], hapd)
2503     res = eap_reauth(dev[0], "FAST")
2504     if res['tls_session_reused'] != '1':
2505         raise Exception("EAP-FAST could not use PAC session ticket")
2506
2507 def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
2508     """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
2509     check_eap_capa(dev[0], "FAST")
2510     pac_file = os.path.join(params['logdir'], "fast.pac")
2511     pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
2512     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2513     hostapd.add_ap(apdev[0]['ifname'], params)
2514
2515     try:
2516         eap_connect(dev[0], apdev[0], "FAST", "user",
2517                     anonymous_identity="FAST", password="password",
2518                     ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2519                     phase1="fast_provisioning=1", pac_file=pac_file)
2520         with open(pac_file, "r") as f:
2521             data = f.read()
2522             if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
2523                 raise Exception("PAC file header missing")
2524             if "PAC-Key=" not in data:
2525                 raise Exception("PAC-Key missing from PAC file")
2526         dev[0].request("REMOVE_NETWORK all")
2527         eap_connect(dev[0], apdev[0], "FAST", "user",
2528                     anonymous_identity="FAST", password="password",
2529                     ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2530                     pac_file=pac_file)
2531
2532         eap_connect(dev[1], apdev[0], "FAST", "user",
2533                     anonymous_identity="FAST", password="password",
2534                     ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2535                     phase1="fast_provisioning=1 fast_pac_format=binary",
2536                     pac_file=pac_file2)
2537         dev[1].request("REMOVE_NETWORK all")
2538         eap_connect(dev[1], apdev[0], "FAST", "user",
2539                     anonymous_identity="FAST", password="password",
2540                     ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2541                     phase1="fast_pac_format=binary",
2542                     pac_file=pac_file2)
2543     finally:
2544         try:
2545             os.remove(pac_file)
2546         except:
2547             pass
2548         try:
2549             os.remove(pac_file2)
2550         except:
2551             pass
2552
2553 def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
2554     """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
2555     check_eap_capa(dev[0], "FAST")
2556     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2557     hostapd.add_ap(apdev[0]['ifname'], params)
2558     eap_connect(dev[0], apdev[0], "FAST", "user",
2559                 anonymous_identity="FAST", password="password",
2560                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2561                 phase1="fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary",
2562                 pac_file="blob://fast_pac_bin")
2563     res = eap_reauth(dev[0], "FAST")
2564     if res['tls_session_reused'] != '1':
2565         raise Exception("EAP-FAST could not use PAC session ticket")
2566
2567 def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
2568     """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
2569     check_eap_capa(dev[0], "FAST")
2570     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2571     hostapd.add_ap(apdev[0]['ifname'], params)
2572
2573     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2574                    identity="user", anonymous_identity="FAST",
2575                    password="password",
2576                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2577                    pac_file="blob://fast_pac_not_in_use",
2578                    wait_connect=False, scan_freq="2412")
2579     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2580     if ev is None:
2581         raise Exception("Timeout on EAP failure report")
2582     dev[0].request("REMOVE_NETWORK all")
2583
2584     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2585                    identity="user", anonymous_identity="FAST",
2586                    password="password",
2587                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2588                    wait_connect=False, scan_freq="2412")
2589     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2590     if ev is None:
2591         raise Exception("Timeout on EAP failure report")
2592
2593 def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
2594     """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
2595     check_eap_capa(dev[0], "FAST")
2596     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2597     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2598     eap_connect(dev[0], apdev[0], "FAST", "user",
2599                 anonymous_identity="FAST", password="password",
2600                 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
2601                 phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
2602     hwsim_utils.test_connectivity(dev[0], hapd)
2603     res = eap_reauth(dev[0], "FAST")
2604     if res['tls_session_reused'] != '1':
2605         raise Exception("EAP-FAST could not use PAC session ticket")
2606
2607 def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
2608     """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
2609     check_eap_capa(dev[0], "FAST")
2610     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2611     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2612     id = eap_connect(dev[0], apdev[0], "FAST", "user",
2613                      anonymous_identity="FAST", password="password",
2614                      ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
2615                      phase1="fast_provisioning=2",
2616                      pac_file="blob://fast_pac_auth")
2617     dev[0].set_network_quoted(id, "identity", "user2")
2618     dev[0].wait_disconnected()
2619     ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
2620     if ev is None:
2621         raise Exception("EAP-FAST not started")
2622     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
2623     if ev is None:
2624         raise Exception("EAP failure not reported")
2625     dev[0].wait_disconnected()
2626
2627 def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
2628     """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
2629     check_eap_capa(dev[0], "FAST")
2630     tls = dev[0].request("GET tls_library")
2631     if tls.startswith("OpenSSL"):
2632         func = "openssl_tls_prf"
2633         count = 2
2634     elif tls.startswith("internal"):
2635         func = "tls_connection_prf"
2636         count = 1
2637     else:
2638         raise HwsimSkip("Unsupported TLS library")
2639     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2640     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2641     with alloc_fail(dev[0], count, func):
2642         dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2643                        identity="user", anonymous_identity="FAST",
2644                        password="password", ca_cert="auth_serv/ca.pem",
2645                        phase2="auth=GTC",
2646                        phase1="fast_provisioning=2",
2647                        pac_file="blob://fast_pac_auth",
2648                        wait_connect=False, scan_freq="2412")
2649         ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
2650         if ev is None:
2651             raise Exception("EAP failure not reported")
2652     dev[0].request("DISCONNECT")
2653
2654 def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
2655     """EAP-FAST/MSCHAPv2 and server OOM"""
2656     check_eap_capa(dev[0], "FAST")
2657
2658     params = int_eap_server_params()
2659     params['dh_file'] = 'auth_serv/dh.conf'
2660     params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
2661     params['eap_fast_a_id'] = '1011'
2662     params['eap_fast_a_id_info'] = 'another test server'
2663     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2664
2665     with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
2666         id = eap_connect(dev[0], apdev[0], "FAST", "user",
2667                          anonymous_identity="FAST", password="password",
2668                          ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2669                          phase1="fast_provisioning=1",
2670                          pac_file="blob://fast_pac",
2671                          expect_failure=True)
2672         ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2673         if ev is None:
2674             raise Exception("No EAP failure reported")
2675         dev[0].wait_disconnected()
2676         dev[0].request("DISCONNECT")
2677
2678     dev[0].select_network(id, freq="2412")
2679
2680 def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
2681     """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
2682     check_ocsp_support(dev[0])
2683     check_pkcs12_support(dev[0])
2684     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2685     hostapd.add_ap(apdev[0]['ifname'], params)
2686     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
2687                 private_key="auth_serv/user.pkcs12",
2688                 private_key_passwd="whatever", ocsp=2)
2689
2690 def int_eap_server_params():
2691     params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2692                "rsn_pairwise": "CCMP", "ieee8021x": "1",
2693                "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
2694                "ca_cert": "auth_serv/ca.pem",
2695                "server_cert": "auth_serv/server.pem",
2696                "private_key": "auth_serv/server.key" }
2697     return params
2698
2699 def test_ap_wpa2_eap_tls_ocsp_key_id(dev, apdev, params):
2700     """EAP-TLS and OCSP certificate signed OCSP response using key ID"""
2701     check_ocsp_support(dev[0])
2702     ocsp = os.path.join(params['logdir'], "ocsp-server-cache-key-id.der")
2703     if not os.path.exists(ocsp):
2704         raise HwsimSkip("No OCSP response available")
2705     params = int_eap_server_params()
2706     params["ocsp_stapling_response"] = ocsp
2707     hostapd.add_ap(apdev[0]['ifname'], params)
2708     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2709                    identity="tls user", ca_cert="auth_serv/ca.pem",
2710                    private_key="auth_serv/user.pkcs12",
2711                    private_key_passwd="whatever", ocsp=2,
2712                    scan_freq="2412")
2713
2714 def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev, apdev, params):
2715     """EAP-TLS and CA signed OCSP response (good)"""
2716     check_ocsp_support(dev[0])
2717     ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed.der")
2718     if not os.path.exists(ocsp):
2719         raise HwsimSkip("No OCSP response available")
2720     params = int_eap_server_params()
2721     params["ocsp_stapling_response"] = ocsp
2722     hostapd.add_ap(apdev[0]['ifname'], params)
2723     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2724                    identity="tls user", ca_cert="auth_serv/ca.pem",
2725                    private_key="auth_serv/user.pkcs12",
2726                    private_key_passwd="whatever", ocsp=2,
2727                    scan_freq="2412")
2728
2729 def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev, apdev, params):
2730     """EAP-TLS and CA signed OCSP response (revoked)"""
2731     check_ocsp_support(dev[0])
2732     ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-revoked.der")
2733     if not os.path.exists(ocsp):
2734         raise HwsimSkip("No OCSP response available")
2735     params = int_eap_server_params()
2736     params["ocsp_stapling_response"] = ocsp
2737     hostapd.add_ap(apdev[0]['ifname'], params)
2738     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2739                    identity="tls user", ca_cert="auth_serv/ca.pem",
2740                    private_key="auth_serv/user.pkcs12",
2741                    private_key_passwd="whatever", ocsp=2,
2742                    wait_connect=False, scan_freq="2412")
2743     count = 0
2744     while True:
2745         ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2746         if ev is None:
2747             raise Exception("Timeout on EAP status")
2748         if 'bad certificate status response' in ev:
2749             break
2750         if 'certificate revoked' in ev:
2751             break
2752         count = count + 1
2753         if count > 10:
2754             raise Exception("Unexpected number of EAP status messages")
2755
2756     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2757     if ev is None:
2758         raise Exception("Timeout on EAP failure report")
2759
2760 def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev, apdev, params):
2761     """EAP-TLS and CA signed OCSP response (unknown)"""
2762     check_ocsp_support(dev[0])
2763     ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-unknown.der")
2764     if not os.path.exists(ocsp):
2765         raise HwsimSkip("No OCSP response available")
2766     params = int_eap_server_params()
2767     params["ocsp_stapling_response"] = ocsp
2768     hostapd.add_ap(apdev[0]['ifname'], params)
2769     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2770                    identity="tls user", ca_cert="auth_serv/ca.pem",
2771                    private_key="auth_serv/user.pkcs12",
2772                    private_key_passwd="whatever", ocsp=2,
2773                    wait_connect=False, scan_freq="2412")
2774     count = 0
2775     while True:
2776         ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2777         if ev is None:
2778             raise Exception("Timeout on EAP status")
2779         if 'bad certificate status response' in ev:
2780             break
2781         count = count + 1
2782         if count > 10:
2783             raise Exception("Unexpected number of EAP status messages")
2784
2785     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2786     if ev is None:
2787         raise Exception("Timeout on EAP failure report")
2788
2789 def test_ap_wpa2_eap_tls_ocsp_server_signed(dev, apdev, params):
2790     """EAP-TLS and server signed OCSP response"""
2791     check_ocsp_support(dev[0])
2792     ocsp = os.path.join(params['logdir'], "ocsp-resp-server-signed.der")
2793     if not os.path.exists(ocsp):
2794         raise HwsimSkip("No OCSP response available")
2795     params = int_eap_server_params()
2796     params["ocsp_stapling_response"] = ocsp
2797     hostapd.add_ap(apdev[0]['ifname'], params)
2798     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2799                    identity="tls user", ca_cert="auth_serv/ca.pem",
2800                    private_key="auth_serv/user.pkcs12",
2801                    private_key_passwd="whatever", ocsp=2,
2802                    wait_connect=False, scan_freq="2412")
2803     count = 0
2804     while True:
2805         ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2806         if ev is None:
2807             raise Exception("Timeout on EAP status")
2808         if 'bad certificate status response' in ev:
2809             break
2810         count = count + 1
2811         if count > 10:
2812             raise Exception("Unexpected number of EAP status messages")
2813
2814     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2815     if ev is None:
2816         raise Exception("Timeout on EAP failure report")
2817
2818 def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
2819     """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
2820     check_ocsp_support(dev[0])
2821     params = int_eap_server_params()
2822     params["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
2823     hostapd.add_ap(apdev[0]['ifname'], params)
2824     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2825                    identity="tls user", ca_cert="auth_serv/ca.pem",
2826                    private_key="auth_serv/user.pkcs12",
2827                    private_key_passwd="whatever", ocsp=2,
2828                    wait_connect=False, scan_freq="2412")
2829     count = 0
2830     while True:
2831         ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2832         if ev is None:
2833             raise Exception("Timeout on EAP status")
2834         if 'bad certificate status response' in ev:
2835             break
2836         count = count + 1
2837         if count > 10:
2838             raise Exception("Unexpected number of EAP status messages")
2839
2840     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2841     if ev is None:
2842         raise Exception("Timeout on EAP failure report")
2843
2844 def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
2845     """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
2846     check_ocsp_support(dev[0])
2847     params = int_eap_server_params()
2848     params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
2849     hostapd.add_ap(apdev[0]['ifname'], params)
2850     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2851                    identity="tls user", ca_cert="auth_serv/ca.pem",
2852                    private_key="auth_serv/user.pkcs12",
2853                    private_key_passwd="whatever", ocsp=2,
2854                    wait_connect=False, scan_freq="2412")
2855     count = 0
2856     while True:
2857         ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2858         if ev is None:
2859             raise Exception("Timeout on EAP status")
2860         if 'bad certificate status response' in ev:
2861             break
2862         count = count + 1
2863         if count > 10:
2864             raise Exception("Unexpected number of EAP status messages")
2865
2866     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2867     if ev is None:
2868         raise Exception("Timeout on EAP failure report")
2869
2870 def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev, apdev):
2871     """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
2872     check_ocsp_support(dev[0])
2873     params = int_eap_server_params()
2874     params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
2875     hostapd.add_ap(apdev[0]['ifname'], params)
2876     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2877                    identity="tls user", ca_cert="auth_serv/ca.pem",
2878                    private_key="auth_serv/user.pkcs12",
2879                    private_key_passwd="whatever", ocsp=2,
2880                    wait_connect=False, scan_freq="2412")
2881     count = 0
2882     while True:
2883         ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2884         if ev is None:
2885             raise Exception("Timeout on EAP status")
2886         if 'bad certificate status response' in ev:
2887             break
2888         count = count + 1
2889         if count > 10:
2890             raise Exception("Unexpected number of EAP status messages")
2891
2892     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2893     if ev is None:
2894         raise Exception("Timeout on EAP failure report")
2895
2896 def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
2897     """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
2898     check_ocsp_support(dev[0])
2899     ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
2900     if not os.path.exists(ocsp):
2901         raise HwsimSkip("No OCSP response available")
2902     params = int_eap_server_params()
2903     params["ocsp_stapling_response"] = ocsp
2904     hostapd.add_ap(apdev[0]['ifname'], params)
2905     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2906                    identity="pap user", ca_cert="auth_serv/ca.pem",
2907                    anonymous_identity="ttls", password="password",
2908                    phase2="auth=PAP", ocsp=2,
2909                    wait_connect=False, scan_freq="2412")
2910     count = 0
2911     while True:
2912         ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2913         if ev is None:
2914             raise Exception("Timeout on EAP status")
2915         if 'bad certificate status response' in ev:
2916             break
2917         if 'certificate revoked' in ev:
2918             break
2919         count = count + 1
2920         if count > 10:
2921             raise Exception("Unexpected number of EAP status messages")
2922
2923     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2924     if ev is None:
2925         raise Exception("Timeout on EAP failure report")
2926
2927 def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
2928     """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
2929     check_ocsp_support(dev[0])
2930     ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
2931     if not os.path.exists(ocsp):
2932         raise HwsimSkip("No OCSP response available")
2933     params = int_eap_server_params()
2934     params["ocsp_stapling_response"] = ocsp
2935     hostapd.add_ap(apdev[0]['ifname'], params)
2936     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2937                    identity="pap user", ca_cert="auth_serv/ca.pem",
2938                    anonymous_identity="ttls", password="password",
2939                    phase2="auth=PAP", ocsp=2,
2940                    wait_connect=False, scan_freq="2412")
2941     count = 0
2942     while True:
2943         ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2944         if ev is None:
2945             raise Exception("Timeout on EAP status")
2946         if 'bad certificate status response' in ev:
2947             break
2948         count = count + 1
2949         if count > 10:
2950             raise Exception("Unexpected number of EAP status messages")
2951
2952     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2953     if ev is None:
2954         raise Exception("Timeout on EAP failure report")
2955
2956 def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
2957     """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
2958     ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
2959     if not os.path.exists(ocsp):
2960         raise HwsimSkip("No OCSP response available")
2961     params = int_eap_server_params()
2962     params["ocsp_stapling_response"] = ocsp
2963     hostapd.add_ap(apdev[0]['ifname'], params)
2964     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2965                    identity="pap user", ca_cert="auth_serv/ca.pem",
2966                    anonymous_identity="ttls", password="password",
2967                    phase2="auth=PAP", ocsp=1, scan_freq="2412")
2968
2969 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
2970     """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
2971     check_domain_match_full(dev[0])
2972     params = int_eap_server_params()
2973     params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2974     params["private_key"] = "auth_serv/server-no-dnsname.key"
2975     hostapd.add_ap(apdev[0]['ifname'], params)
2976     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2977                    identity="tls user", ca_cert="auth_serv/ca.pem",
2978                    private_key="auth_serv/user.pkcs12",
2979                    private_key_passwd="whatever",
2980                    domain_suffix_match="server3.w1.fi",
2981                    scan_freq="2412")
2982
2983 def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
2984     """WPA2-Enterprise using EAP-TLS and domainmatch (CN)"""
2985     check_domain_match(dev[0])
2986     params = int_eap_server_params()
2987     params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2988     params["private_key"] = "auth_serv/server-no-dnsname.key"
2989     hostapd.add_ap(apdev[0]['ifname'], params)
2990     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2991                    identity="tls user", ca_cert="auth_serv/ca.pem",
2992                    private_key="auth_serv/user.pkcs12",
2993                    private_key_passwd="whatever",
2994                    domain_match="server3.w1.fi",
2995                    scan_freq="2412")
2996
2997 def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
2998     """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
2999     check_domain_match_full(dev[0])
3000     params = int_eap_server_params()
3001     params["server_cert"] = "auth_serv/server-no-dnsname.pem"
3002     params["private_key"] = "auth_serv/server-no-dnsname.key"
3003     hostapd.add_ap(apdev[0]['ifname'], params)
3004     dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3005                    identity="tls user", ca_cert="auth_serv/ca.pem",
3006                    private_key="auth_serv/user.pkcs12",
3007                    private_key_passwd="whatever",
3008                    domain_suffix_match="w1.fi",
3009                    scan_freq="2412")
3010
3011 def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
3012     """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
3013     check_domain_suffix_match(dev[0])
3014     params = int_eap_server_params()
3015     params["server_cert"] = "auth_serv/server-no-dnsname.pem"
3016     params["private_key"] = "auth_serv/server-no-dnsname.key"
3017     hostapd.add_ap(apdev[0]['ifname'], params)
3018     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3019                    identity="tls user", ca_cert="auth_serv/ca.pem",
3020                    private_key="auth_serv/user.pkcs12",
3021                    private_key_passwd="whatever",
3022                    domain_suffix_match="example.com",
3023                    wait_connect=False,
3024                    scan_freq="2412")
3025     dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3026                    identity="tls user", ca_cert="auth_serv/ca.pem",
3027                    private_key="auth_serv/user.pkcs12",
3028                    private_key_passwd="whatever",
3029                    domain_suffix_match="erver3.w1.fi",
3030                    wait_connect=False,
3031                    scan_freq="2412")
3032     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3033     if ev is None:
3034         raise Exception("Timeout on EAP failure report")
3035     ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3036     if ev is None:
3037         raise Exception("Timeout on EAP failure report (2)")
3038
3039 def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
3040     """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
3041     check_domain_match(dev[0])
3042     params = int_eap_server_params()
3043     params["server_cert"] = "auth_serv/server-no-dnsname.pem"
3044     params["private_key"] = "auth_serv/server-no-dnsname.key"
3045     hostapd.add_ap(apdev[0]['ifname'], params)
3046     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3047                    identity="tls user", ca_cert="auth_serv/ca.pem",
3048                    private_key="auth_serv/user.pkcs12",
3049                    private_key_passwd="whatever",
3050                    domain_match="example.com",
3051                    wait_connect=False,
3052                    scan_freq="2412")
3053     dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3054                    identity="tls user", ca_cert="auth_serv/ca.pem",
3055                    private_key="auth_serv/user.pkcs12",
3056                    private_key_passwd="whatever",
3057                    domain_match="w1.fi",
3058                    wait_connect=False,
3059                    scan_freq="2412")
3060     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3061     if ev is None:
3062         raise Exception("Timeout on EAP failure report")
3063     ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3064     if ev is None:
3065         raise Exception("Timeout on EAP failure report (2)")
3066
3067 def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
3068     """WPA2-Enterprise using EAP-TTLS and expired certificate"""
3069     skip_with_fips(dev[0])
3070     params = int_eap_server_params()
3071     params["server_cert"] = "auth_serv/server-expired.pem"
3072     params["private_key"] = "auth_serv/server-expired.key"
3073     hostapd.add_ap(apdev[0]['ifname'], params)
3074     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3075                    identity="mschap user", password="password",
3076                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3077                    wait_connect=False,
3078                    scan_freq="2412")
3079     ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
3080     if ev is None:
3081         raise Exception("Timeout on EAP certificate error report")
3082     if "reason=4" not in ev or "certificate has expired" not in ev:
3083         raise Exception("Unexpected failure reason: " + ev)
3084     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3085     if ev is None:
3086         raise Exception("Timeout on EAP failure report")
3087
3088 def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
3089     """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
3090     skip_with_fips(dev[0])
3091     params = int_eap_server_params()
3092     params["server_cert"] = "auth_serv/server-expired.pem"
3093     params["private_key"] = "auth_serv/server-expired.key"
3094     hostapd.add_ap(apdev[0]['ifname'], params)
3095     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3096                    identity="mschap user", password="password",
3097                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3098                    phase1="tls_disable_time_checks=1",
3099                    scan_freq="2412")
3100
3101 def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
3102     """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
3103     skip_with_fips(dev[0])
3104     params = int_eap_server_params()
3105     params["server_cert"] = "auth_serv/server-long-duration.pem"
3106     params["private_key"] = "auth_serv/server-long-duration.key"
3107     hostapd.add_ap(apdev[0]['ifname'], params)
3108     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3109                    identity="mschap user", password="password",
3110                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3111                    scan_freq="2412")
3112
3113 def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
3114     """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
3115     skip_with_fips(dev[0])
3116     params = int_eap_server_params()
3117     params["server_cert"] = "auth_serv/server-eku-client.pem"
3118     params["private_key"] = "auth_serv/server-eku-client.key"
3119     hostapd.add_ap(apdev[0]['ifname'], params)
3120     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3121                    identity="mschap user", password="password",
3122                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3123                    wait_connect=False,
3124                    scan_freq="2412")
3125     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3126     if ev is None:
3127         raise Exception("Timeout on EAP failure report")
3128
3129 def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
3130     """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
3131     skip_with_fips(dev[0])
3132     params = int_eap_server_params()
3133     params["server_cert"] = "auth_serv/server-eku-client-server.pem"
3134     params["private_key"] = "auth_serv/server-eku-client-server.key"
3135     hostapd.add_ap(apdev[0]['ifname'], params)
3136     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3137                    identity="mschap user", password="password",
3138                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3139                    scan_freq="2412")
3140
3141 def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
3142     """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
3143     skip_with_fips(dev[0])
3144     params = int_eap_server_params()
3145     del params["server_cert"]
3146     params["private_key"] = "auth_serv/server.pkcs12"
3147     hostapd.add_ap(apdev[0]['ifname'], params)
3148     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3149                    identity="mschap user", password="password",
3150                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3151                    scan_freq="2412")
3152
3153 def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
3154     """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params"""
3155     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3156     hostapd.add_ap(apdev[0]['ifname'], params)
3157     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3158                 anonymous_identity="ttls", password="password",
3159                 ca_cert="auth_serv/ca.der", phase2="auth=PAP",
3160                 dh_file="auth_serv/dh.conf")
3161
3162 def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
3163     """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)"""
3164     check_dh_dsa_support(dev[0])
3165     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3166     hostapd.add_ap(apdev[0]['ifname'], params)
3167     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3168                 anonymous_identity="ttls", password="password",
3169                 ca_cert="auth_serv/ca.der", phase2="auth=PAP",
3170                 dh_file="auth_serv/dsaparam.pem")
3171
3172 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
3173     """EAP-TTLS and DH params file not found"""
3174     skip_with_fips(dev[0])
3175     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3176     hostapd.add_ap(apdev[0]['ifname'], params)
3177     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3178                    identity="mschap user", password="password",
3179                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3180                    dh_file="auth_serv/dh-no-such-file.conf",
3181                    scan_freq="2412", wait_connect=False)
3182     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3183     if ev is None:
3184         raise Exception("EAP failure timed out")
3185     dev[0].request("REMOVE_NETWORK all")
3186     dev[0].wait_disconnected()
3187
3188 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
3189     """EAP-TTLS and invalid DH params file"""
3190     skip_with_fips(dev[0])
3191     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3192     hostapd.add_ap(apdev[0]['ifname'], params)
3193     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3194                    identity="mschap user", password="password",
3195                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3196                    dh_file="auth_serv/ca.pem",
3197                    scan_freq="2412", wait_connect=False)
3198     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3199     if ev is None:
3200         raise Exception("EAP failure timed out")
3201     dev[0].request("REMOVE_NETWORK all")
3202     dev[0].wait_disconnected()
3203
3204 def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
3205     """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob"""
3206     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3207     hostapd.add_ap(apdev[0]['ifname'], params)
3208     dh = read_pem("auth_serv/dh2.conf")
3209     if "OK" not in dev[0].request("SET blob dhparams " + dh.encode("hex")):
3210         raise Exception("Could not set dhparams blob")
3211     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3212                 anonymous_identity="ttls", password="password",
3213                 ca_cert="auth_serv/ca.der", phase2="auth=PAP",
3214                 dh_file="blob://dhparams")
3215
3216 def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
3217     """WPA2-Enterprise using EAP-TTLS and alternative server dhparams"""
3218     params = int_eap_server_params()
3219     params["dh_file"] = "auth_serv/dh2.conf"
3220     hostapd.add_ap(apdev[0]['ifname'], params)
3221     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3222                 anonymous_identity="ttls", password="password",
3223                 ca_cert="auth_serv/ca.der", phase2="auth=PAP")
3224
3225 def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
3226     """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)"""
3227     params = int_eap_server_params()
3228     params["dh_file"] = "auth_serv/dsaparam.pem"
3229     hostapd.add_ap(apdev[0]['ifname'], params)
3230     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3231                 anonymous_identity="ttls", password="password",
3232                 ca_cert="auth_serv/ca.der", phase2="auth=PAP")
3233
3234 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
3235     """EAP-TLS server and dhparams file not found"""
3236     params = int_eap_server_params()
3237     params["dh_file"] = "auth_serv/dh-no-such-file.conf"
3238     hapd = hostapd.add_ap(apdev[0]['ifname'], params, no_enable=True)
3239     if "FAIL" not in hapd.request("ENABLE"):
3240         raise Exception("Invalid configuration accepted")
3241
3242 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
3243     """EAP-TLS server and invalid dhparams file"""
3244     params = int_eap_server_params()
3245     params["dh_file"] = "auth_serv/ca.pem"
3246     hapd = hostapd.add_ap(apdev[0]['ifname'], params, no_enable=True)
3247     if "FAIL" not in hapd.request("ENABLE"):
3248         raise Exception("Invalid configuration accepted")
3249
3250 def test_ap_wpa2_eap_reauth(dev, apdev):
3251     """WPA2-Enterprise and Authenticator forcing reauthentication"""
3252     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3253     params['eap_reauth_period'] = '2'
3254     hostapd.add_ap(apdev[0]['ifname'], params)
3255     eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
3256                 password_hex="0123456789abcdef0123456789abcdef")
3257     logger.info("Wait for reauthentication")
3258     ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
3259     if ev is None:
3260         raise Exception("Timeout on reauthentication")
3261     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3262     if ev is None:
3263         raise Exception("Timeout on reauthentication")
3264     for i in range(0, 20):
3265         state = dev[0].get_status_field("wpa_state")
3266         if state == "COMPLETED":
3267             break
3268         time.sleep(0.1)
3269     if state != "COMPLETED":
3270         raise Exception("Reauthentication did not complete")
3271
3272 def test_ap_wpa2_eap_request_identity_message(dev, apdev):
3273     """Optional displayable message in EAP Request-Identity"""
3274     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3275     params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
3276     hostapd.add_ap(apdev[0]['ifname'], params)
3277     eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
3278                 password_hex="0123456789abcdef0123456789abcdef")
3279
3280 def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
3281     """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
3282     check_hlr_auc_gw_support()
3283     params = int_eap_server_params()
3284     params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
3285     params['eap_sim_aka_result_ind'] = "1"
3286     hostapd.add_ap(apdev[0]['ifname'], params)
3287
3288     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
3289                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
3290                 phase1="result_ind=1")
3291     eap_reauth(dev[0], "SIM")
3292     eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
3293                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
3294
3295     dev[0].request("REMOVE_NETWORK all")
3296     dev[1].request("REMOVE_NETWORK all")
3297
3298     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
3299                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
3300                 phase1="result_ind=1")
3301     eap_reauth(dev[0], "AKA")
3302     eap_connect(dev[1], apdev[0], "AKA", "0232010000000000",
3303                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
3304
3305     dev[0].request("REMOVE_NETWORK all")
3306     dev[1].request("REMOVE_NETWORK all")
3307
3308     eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
3309                 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
3310                 phase1="result_ind=1")
3311     eap_reauth(dev[0], "AKA'")
3312     eap_connect(dev[1], apdev[0], "AKA'", "6555444333222111",
3313                 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
3314
3315 def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
3316     """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
3317     skip_with_fips(dev[0])
3318     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3319     hostapd.add_ap(apdev[0]['ifname'], params)
3320     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
3321                    eap="TTLS", identity="mschap user",
3322                    wait_connect=False, scan_freq="2412", ieee80211w="1",
3323                    anonymous_identity="ttls", password="password",
3324                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3325                    fragment_size="10")
3326     ev = dev[0].wait_event(["EAP: more than"], timeout=20)
3327     if ev is None:
3328         raise Exception("EAP roundtrip limit not reached")
3329
3330 def test_ap_wpa2_eap_expanded_nak(dev, apdev):
3331     """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
3332     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3333     hostapd.add_ap(apdev[0]['ifname'], params)
3334     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
3335                    eap="PSK", identity="vendor-test",
3336                    password_hex="ff23456789abcdef0123456789abcdef",
3337                    wait_connect=False)
3338
3339     found = False
3340     for i in range(0, 5):
3341         ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
3342         if ev is None:
3343             raise Exception("Association and EAP start timed out")
3344         if "refuse proposed method" in ev:
3345             found = True
3346             break
3347     if not found:
3348         raise Exception("Unexpected EAP status: " + ev)
3349
3350     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3351     if ev is None:
3352         raise Exception("EAP failure timed out")
3353
3354 def test_ap_wpa2_eap_sql(dev, apdev, params):
3355     """WPA2-Enterprise connection using SQLite for user DB"""
3356     skip_with_fips(dev[0])
3357     try:
3358         import sqlite3
3359     except ImportError:
3360         raise HwsimSkip("No sqlite3 module available")
3361     dbfile = os.path.join(params['logdir'], "eap-user.db")
3362     try:
3363         os.remove(dbfile)
3364     except:
3365         pass
3366     con = sqlite3.connect(dbfile)
3367     with con:
3368         cur = con.cursor()
3369         cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
3370         cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
3371         cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
3372         cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
3373         cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
3374         cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
3375         cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
3376         cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
3377
3378     try:
3379         params = int_eap_server_params()
3380         params["eap_user_file"] = "sqlite:" + dbfile
3381         hostapd.add_ap(apdev[0]['ifname'], params)
3382         eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
3383                     anonymous_identity="ttls", password="password",
3384                     ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
3385         dev[0].request("REMOVE_NETWORK all")
3386         eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
3387                     anonymous_identity="ttls", password="password",
3388                     ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
3389         dev[1].request("REMOVE_NETWORK all")
3390         eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
3391                     anonymous_identity="ttls", password="password",
3392                     ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
3393         eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
3394                     anonymous_identity="ttls", password="password",
3395                     ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3396     finally:
3397         os.remove(dbfile)
3398
3399 def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
3400     """WPA2-Enterprise connection attempt using non-ASCII identity"""
3401     params = int_eap_server_params()
3402     hostapd.add_ap(apdev[0]['ifname'], params)
3403     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3404                    identity="\x80", password="password", wait_connect=False)
3405     dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3406                    identity="a\x80", password="password", wait_connect=False)
3407     for i in range(0, 2):
3408         ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
3409         if ev is None:
3410             raise Exception("Association and EAP start timed out")
3411         ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
3412         if ev is None:
3413             raise Exception("EAP method selection timed out")
3414
3415 def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
3416     """WPA2-Enterprise connection attempt using non-ASCII identity"""
3417     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3418     hostapd.add_ap(apdev[0]['ifname'], params)
3419     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3420                    identity="\x80", password="password", wait_connect=False)
3421     dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3422                    identity="a\x80", password="password", wait_connect=False)
3423     for i in range(0, 2):
3424         ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
3425         if ev is None:
3426             raise Exception("Association and EAP start timed out")
3427         ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
3428         if ev is None:
3429             raise Exception("EAP method selection timed out")
3430
3431 def test_openssl_cipher_suite_config_wpas(dev, apdev):
3432     """OpenSSL cipher suite configuration on wpa_supplicant"""
3433     tls = dev[0].request("GET tls_library")
3434     if not tls.startswith("OpenSSL"):
3435         raise HwsimSkip("TLS library is not OpenSSL: " + tls)
3436     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3437     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3438     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3439                 anonymous_identity="ttls", password="password",
3440                 openssl_ciphers="AES128",
3441                 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3442     eap_connect(dev[1], apdev[0], "TTLS", "pap user",
3443                 anonymous_identity="ttls", password="password",
3444                 openssl_ciphers="EXPORT",
3445                 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
3446                 expect_failure=True, maybe_local_error=True)
3447     dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3448                    identity="pap user", anonymous_identity="ttls",
3449                    password="password",
3450                    openssl_ciphers="FOO",
3451                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
3452                    wait_connect=False)
3453     ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
3454     if ev is None:
3455         raise Exception("EAP failure after invalid openssl_ciphers not reported")
3456     dev[2].request("DISCONNECT")
3457
3458 def test_openssl_cipher_suite_config_hapd(dev, apdev):
3459     """OpenSSL cipher suite configuration on hostapd"""
3460     tls = dev[0].request("GET tls_library")
3461     if not tls.startswith("OpenSSL"):
3462         raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + tls)
3463     params = int_eap_server_params()
3464     params['openssl_ciphers'] = "AES256"
3465     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3466     tls = hapd.request("GET tls_library")
3467     if not tls.startswith("OpenSSL"):
3468         raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls)
3469     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3470                 anonymous_identity="ttls", password="password",
3471                 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3472     eap_connect(dev[1], apdev[0], "TTLS", "pap user",
3473                 anonymous_identity="ttls", password="password",
3474                 openssl_ciphers="AES128",
3475                 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
3476                 expect_failure=True)
3477     eap_connect(dev[2], apdev[0], "TTLS", "pap user",
3478                 anonymous_identity="ttls", password="password",
3479                 openssl_ciphers="HIGH:!ADH",
3480                 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3481
3482     params['openssl_ciphers'] = "FOO"
3483     hapd2 = hostapd.add_ap(apdev[1]['ifname'], params, no_enable=True)
3484     if "FAIL" not in hapd2.request("ENABLE"):
3485         raise Exception("Invalid openssl_ciphers value accepted")
3486
3487 def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
3488     """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
3489     p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3490     hapd = hostapd.add_ap(apdev[0]['ifname'], p)
3491     password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
3492     pid = find_wpas_process(dev[0])
3493     id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
3494                      anonymous_identity="ttls", password=password,
3495                      ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3496     # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
3497     # event has been delivered, so verify that wpa_supplicant has returned to
3498     # eloop before reading process memory.
3499     time.sleep(1)
3500     dev[0].ping()
3501     buf = read_process_memory(pid, password)
3502
3503     dev[0].request("DISCONNECT")
3504     dev[0].wait_disconnected()
3505
3506     dev[0].relog()
3507     msk = None
3508     emsk = None
3509     pmk = None
3510     ptk = None
3511     gtk = None
3512     with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
3513         for l in f.readlines():
3514             if "EAP-TTLS: Derived key - hexdump" in l:
3515                 val = l.strip().split(':')[3].replace(' ', '')
3516                 msk = binascii.unhexlify(val)
3517             if "EAP-TTLS: Derived EMSK - hexdump" in l:
3518                 val = l.strip().split(':')[3].replace(' ', '')
3519                 emsk = binascii.unhexlify(val)
3520             if "WPA: PMK - hexdump" in l:
3521                 val = l.strip().split(':')[3].replace(' ', '')
3522                 pmk = binascii.unhexlify(val)
3523             if "WPA: PTK - hexdump" in l:
3524                 val = l.strip().split(':')[3].replace(' ', '')
3525                 ptk = binascii.unhexlify(val)
3526             if "WPA: Group Key - hexdump" in l:
3527                 val = l.strip().split(':')[3].replace(' ', '')
3528                 gtk = binascii.unhexlify(val)
3529     if not msk or not emsk or not pmk or not ptk or not gtk:
3530         raise Exception("Could not find keys from debug log")
3531     if len(gtk) != 16:
3532         raise Exception("Unexpected GTK length")
3533
3534     kck = ptk[0:16]
3535     kek = ptk[16:32]
3536     tk = ptk[32:48]
3537
3538     fname = os.path.join(params['logdir'],
3539                          'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
3540
3541     logger.info("Checking keys in memory while associated")
3542     get_key_locations(buf, password, "Password")
3543     get_key_locations(buf, pmk, "PMK")
3544     get_key_locations(buf, msk, "MSK")
3545     get_key_locations(buf, emsk, "EMSK")
3546     if password not in buf:
3547         raise HwsimSkip("Password not found while associated")
3548     if pmk not in buf:
3549         raise HwsimSkip("PMK not found while associated")
3550     if kck not in buf:
3551         raise Exception("KCK not found while associated")
3552     if kek not in buf:
3553         raise Exception("KEK not found while associated")
3554     if tk in buf:
3555         raise Exception("TK found from memory")
3556     if gtk in buf:
3557         get_key_locations(buf, gtk, "GTK")
3558         raise Exception("GTK found from memory")
3559
3560     logger.info("Checking keys in memory after disassociation")
3561     buf = read_process_memory(pid, password)
3562
3563     # Note: Password is still present in network configuration
3564     # Note: PMK is in PMKSA cache and EAP fast re-auth data
3565
3566     get_key_locations(buf, password, "Password")
3567     get_key_locations(buf, pmk, "PMK")
3568     get_key_locations(buf, msk, "MSK")
3569     get_key_locations(buf, emsk, "EMSK")
3570     verify_not_present(buf, kck, fname, "KCK")
3571     verify_not_present(buf, kek, fname, "KEK")
3572     verify_not_present(buf, tk, fname, "TK")
3573     verify_not_present(buf, gtk, fname, "GTK")
3574
3575     dev[0].request("PMKSA_FLUSH")
3576     dev[0].set_network_quoted(id, "identity", "foo")
3577     logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
3578     buf = read_process_memory(pid, password)
3579     get_key_locations(buf, password, "Password")
3580     get_key_locations(buf, pmk, "PMK")
3581     get_key_locations(buf, msk, "MSK")
3582     get_key_locations(buf, emsk, "EMSK")
3583     verify_not_present(buf, pmk, fname, "PMK")
3584
3585     dev[0].request("REMOVE_NETWORK all")
3586
3587     logger.info("Checking keys in memory after network profile removal")
3588     buf = read_process_memory(pid, password)
3589
3590     get_key_locations(buf, password, "Password")
3591     get_key_locations(buf, pmk, "PMK")
3592     get_key_locations(buf, msk, "MSK")
3593     get_key_locations(buf, emsk, "EMSK")
3594     verify_not_present(buf, password, fname, "password")
3595     verify_not_present(buf, pmk, fname, "PMK")
3596     verify_not_present(buf, kck, fname, "KCK")
3597     verify_not_present(buf, kek, fname, "KEK")
3598     verify_not_present(buf, tk, fname, "TK")
3599     verify_not_present(buf, gtk, fname, "GTK")
3600     verify_not_present(buf, msk, fname, "MSK")
3601     verify_not_present(buf, emsk, fname, "EMSK")
3602
3603 def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
3604     """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
3605     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3606     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3607     bssid = apdev[0]['bssid']
3608     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3609                 anonymous_identity="ttls", password="password",
3610                 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3611
3612     # Send unexpected WEP EAPOL-Key; this gets dropped
3613     res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
3614     if "OK" not in res:
3615         raise Exception("EAPOL_RX to wpa_supplicant failed")
3616
3617 def test_ap_wpa2_eap_in_bridge(dev, apdev):
3618     """WPA2-EAP and wpas interface in a bridge"""
3619     br_ifname='sta-br0'
3620     ifname='wlan5'
3621     try:
3622         _test_ap_wpa2_eap_in_bridge(dev, apdev)
3623     finally:
3624         subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
3625         subprocess.call(['brctl', 'delif', br_ifname, ifname])
3626         subprocess.call(['brctl', 'delbr', br_ifname])
3627         subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
3628
3629 def _test_ap_wpa2_eap_in_bridge(dev, apdev):
3630     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3631     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3632
3633     br_ifname='sta-br0'
3634     ifname='wlan5'
3635     wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
3636     subprocess.call(['brctl', 'addbr', br_ifname])
3637     subprocess.call(['brctl', 'setfd', br_ifname, '0'])
3638     subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
3639     subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
3640     subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
3641     wpas.interface_add(ifname, br_ifname=br_ifname)
3642     wpas.dump_monitor()
3643
3644     id = eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
3645                      password_hex="0123456789abcdef0123456789abcdef")
3646     wpas.dump_monitor()
3647     eap_reauth(wpas, "PAX")
3648     wpas.dump_monitor()
3649     # Try again as a regression test for packet socket workaround
3650     eap_reauth(wpas, "PAX")
3651     wpas.dump_monitor()
3652     wpas.request("DISCONNECT")
3653     wpas.wait_disconnected()
3654     wpas.dump_monitor()
3655     wpas.request("RECONNECT")
3656     wpas.wait_connected()
3657     wpas.dump_monitor()
3658
3659 def test_ap_wpa2_eap_session_ticket(dev, apdev):
3660     """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled"""
3661     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3662     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3663     key_mgmt = hapd.get_config()['key_mgmt']
3664     if key_mgmt.split(' ')[0] != "WPA-EAP":
3665         raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
3666     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3667                 anonymous_identity="ttls", password="password",
3668                 ca_cert="auth_serv/ca.pem",
3669                 phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
3670     eap_reauth(dev[0], "TTLS")
3671
3672 def test_ap_wpa2_eap_no_workaround(dev, apdev):
3673     """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
3674     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3675     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3676     key_mgmt = hapd.get_config()['key_mgmt']
3677     if key_mgmt.split(' ')[0] != "WPA-EAP":
3678         raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
3679     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3680                 anonymous_identity="ttls", password="password",
3681                 ca_cert="auth_serv/ca.pem", eap_workaround='0',
3682                 phase2="auth=PAP")
3683     eap_reauth(dev[0], "TTLS")
3684
3685 def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
3686     """EAP-TLS and server checking CRL"""
3687     params = int_eap_server_params()
3688     params['check_crl'] = '1'
3689     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3690
3691     # check_crl=1 and no CRL available --> reject connection
3692     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3693                 client_cert="auth_serv/user.pem",
3694                 private_key="auth_serv/user.key", expect_failure=True)
3695     dev[0].request("REMOVE_NETWORK all")
3696
3697     hapd.disable()
3698     hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")
3699     hapd.enable()
3700
3701     # check_crl=1 and valid CRL --> accept
3702     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3703                 client_cert="auth_serv/user.pem",
3704                 private_key="auth_serv/user.key")
3705     dev[0].request("REMOVE_NETWORK all")
3706
3707     hapd.disable()
3708     hapd.set("check_crl", "2")
3709     hapd.enable()
3710
3711     # check_crl=2 and valid CRL --> accept
3712     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3713                 client_cert="auth_serv/user.pem",
3714                 private_key="auth_serv/user.key")
3715     dev[0].request("REMOVE_NETWORK all")
3716
3717 def test_ap_wpa2_eap_tls_oom(dev, apdev):
3718     """EAP-TLS and OOM"""
3719     check_subject_match_support(dev[0])
3720     check_altsubject_match_support(dev[0])
3721     check_domain_match(dev[0])
3722     check_domain_match_full(dev[0])
3723
3724     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3725     hostapd.add_ap(apdev[0]['ifname'], params)
3726
3727     tests = [ (1, "tls_connection_set_subject_match"),
3728               (2, "tls_connection_set_subject_match"),
3729               (3, "tls_connection_set_subject_match"),
3730               (4, "tls_connection_set_subject_match") ]
3731     for count, func in tests:
3732         with alloc_fail(dev[0], count, func):
3733             dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3734                            identity="tls user", ca_cert="auth_serv/ca.pem",
3735                            client_cert="auth_serv/user.pem",
3736                            private_key="auth_serv/user.key",
3737                            subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
3738                            altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
3739                            domain_suffix_match="server.w1.fi",
3740                            domain_match="server.w1.fi",
3741                            wait_connect=False, scan_freq="2412")
3742             # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
3743             ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
3744             if ev is None:
3745                 raise Exception("No passphrase request")
3746             dev[0].request("REMOVE_NETWORK all")
3747             dev[0].wait_disconnected()
3748
3749 def test_ap_wpa2_eap_tls_macacl(dev, apdev):
3750     """WPA2-Enterprise connection using MAC ACL"""
3751     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3752     params["macaddr_acl"] = "2"
3753     hostapd.add_ap(apdev[0]['ifname'], params)
3754     eap_connect(dev[1], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3755                 client_cert="auth_serv/user.pem",
3756                 private_key="auth_serv/user.key")
3757
3758 def test_ap_wpa2_eap_oom(dev, apdev):
3759     """EAP server and OOM"""
3760     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3761     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3762     dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
3763
3764     with alloc_fail(hapd, 1, "eapol_auth_alloc"):
3765         # The first attempt fails, but STA will send EAPOL-Start to retry and
3766         # that succeeds.
3767         dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3768                        identity="tls user", ca_cert="auth_serv/ca.pem",
3769                        client_cert="auth_serv/user.pem",
3770                        private_key="auth_serv/user.key",
3771                        scan_freq="2412")
3772
3773 def check_tls_ver(dev, ap, phase1, expected):
3774     eap_connect(dev, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3775                 client_cert="auth_serv/user.pem",
3776                 private_key="auth_serv/user.key",
3777                 phase1=phase1)
3778     ver = dev.get_status_field("eap_tls_version")
3779     if ver != expected:
3780         raise Exception("Unexpected TLS version (expected %s): %s" % (expected, ver))
3781
3782 def test_ap_wpa2_eap_tls_versions(dev, apdev):
3783     """EAP-TLS and TLS version configuration"""
3784     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3785     hostapd.add_ap(apdev[0]['ifname'], params)
3786
3787     tls = dev[0].request("GET tls_library")
3788     if tls.startswith("OpenSSL"):
3789         if "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
3790             check_tls_ver(dev[0], apdev[0],
3791                           "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
3792                           "TLSv1.2")
3793     elif tls.startswith("internal"):
3794         check_tls_ver(dev[0], apdev[0],
3795                       "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2")
3796     check_tls_ver(dev[1], apdev[0],
3797                   "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
3798     check_tls_ver(dev[2], apdev[0],
3799                   "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
3800
3801 def test_rsn_ie_proto_eap_sta(dev, apdev):
3802     """RSN element protocol testing for EAP cases on STA side"""
3803     bssid = apdev[0]['bssid']
3804     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3805     # This is the RSN element used normally by hostapd
3806     params['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
3807     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3808     id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
3809                         identity="gpsk user",
3810                         password="abcdefghijklmnop0123456789abcdef",
3811                         scan_freq="2412")
3812
3813     tests = [ ('No RSN Capabilities field',
3814                '30120100000fac040100000fac040100000fac01'),
3815               ('No AKM Suite fields',
3816                '300c0100000fac040100000fac04'),
3817               ('No Pairwise Cipher Suite fields',
3818                '30060100000fac04'),
3819               ('No Group Data Cipher Suite field',
3820                '30020100') ]
3821     for txt,ie in tests:
3822         dev[0].request("DISCONNECT")
3823         dev[0].wait_disconnected()
3824         logger.info(txt)
3825         hapd.disable()
3826         hapd.set('own_ie_override', ie)
3827         hapd.enable()
3828         dev[0].request("BSS_FLUSH 0")
3829         dev[0].scan_for_bss(bssid, 2412, force_scan=True, only_new=True)
3830         dev[0].select_network(id, freq=2412)
3831         dev[0].wait_connected()
3832
3833 def check_tls_session_resumption_capa(dev, hapd):
3834     tls = hapd.request("GET tls_library")
3835     if not tls.startswith("OpenSSL"):
3836         raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls)
3837
3838     tls = dev.request("GET tls_library")
3839     if not tls.startswith("OpenSSL"):
3840         raise HwsimSkip("Session resumption not supported with this TLS library: " + tls)
3841
3842 def test_eap_ttls_pap_session_resumption(dev, apdev):
3843     """EAP-TTLS/PAP session resumption"""
3844     params = int_eap_server_params()
3845     params['tls_session_lifetime'] = '60'
3846     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3847     check_tls_session_resumption_capa(dev[0], hapd)
3848     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3849                 anonymous_identity="ttls", password="password",
3850                 ca_cert="auth_serv/ca.pem", eap_workaround='0',
3851                 phase2="auth=PAP")
3852     if dev[0].get_status_field("tls_session_reused") != '0':
3853         raise Exception("Unexpected session resumption on the first connection")
3854
3855     dev[0].request("REAUTHENTICATE")
3856     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3857     if ev is None:
3858         raise Exception("EAP success timed out")
3859     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3860     if ev is None:
3861         raise Exception("Key handshake with the AP timed out")
3862     if dev[0].get_status_field("tls_session_reused") != '1':
3863         raise Exception("Session resumption not used on the second connection")
3864
3865 def test_eap_ttls_chap_session_resumption(dev, apdev):
3866     """EAP-TTLS/CHAP session resumption"""
3867     params = int_eap_server_params()
3868     params['tls_session_lifetime'] = '60'
3869     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3870     check_tls_session_resumption_capa(dev[0], hapd)
3871     eap_connect(dev[0], apdev[0], "TTLS", "chap user",
3872                 anonymous_identity="ttls", password="password",
3873                 ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
3874     if dev[0].get_status_field("tls_session_reused") != '0':
3875         raise Exception("Unexpected session resumption on the first connection")
3876
3877     dev[0].request("REAUTHENTICATE")
3878     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3879     if ev is None:
3880         raise Exception("EAP success timed out")
3881     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3882     if ev is None:
3883         raise Exception("Key handshake with the AP timed out")
3884     if dev[0].get_status_field("tls_session_reused") != '1':
3885         raise Exception("Session resumption not used on the second connection")
3886
3887 def test_eap_ttls_mschap_session_resumption(dev, apdev):
3888     """EAP-TTLS/MSCHAP session resumption"""
3889     check_domain_suffix_match(dev[0])
3890     params = int_eap_server_params()
3891     params['tls_session_lifetime'] = '60'
3892     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3893     check_tls_session_resumption_capa(dev[0], hapd)
3894     eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
3895                 anonymous_identity="ttls", password="password",
3896                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3897                 domain_suffix_match="server.w1.fi")
3898     if dev[0].get_status_field("tls_session_reused") != '0':
3899         raise Exception("Unexpected session resumption on the first connection")
3900
3901     dev[0].request("REAUTHENTICATE")
3902     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3903     if ev is None:
3904         raise Exception("EAP success timed out")
3905     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3906     if ev is None:
3907         raise Exception("Key handshake with the AP timed out")
3908     if dev[0].get_status_field("tls_session_reused") != '1':
3909         raise Exception("Session resumption not used on the second connection")
3910
3911 def test_eap_ttls_mschapv2_session_resumption(dev, apdev):
3912     """EAP-TTLS/MSCHAPv2 session resumption"""
3913     check_domain_suffix_match(dev[0])
3914     check_eap_capa(dev[0], "MSCHAPV2")
3915     params = int_eap_server_params()
3916     params['tls_session_lifetime'] = '60'
3917     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3918     check_tls_session_resumption_capa(dev[0], hapd)
3919     eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
3920                 anonymous_identity="ttls", password="password",
3921                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3922                 domain_suffix_match="server.w1.fi")
3923     if dev[0].get_status_field("tls_session_reused") != '0':
3924         raise Exception("Unexpected session resumption on the first connection")
3925
3926     dev[0].request("REAUTHENTICATE")
3927     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3928     if ev is None:
3929         raise Exception("EAP success timed out")
3930     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3931     if ev is None:
3932         raise Exception("Key handshake with the AP timed out")
3933     if dev[0].get_status_field("tls_session_reused") != '1':
3934         raise Exception("Session resumption not used on the second connection")
3935
3936 def test_eap_ttls_eap_gtc_session_resumption(dev, apdev):
3937     """EAP-TTLS/EAP-GTC session resumption"""
3938     params = int_eap_server_params()
3939     params['tls_session_lifetime'] = '60'
3940     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3941     check_tls_session_resumption_capa(dev[0], hapd)
3942     eap_connect(dev[0], apdev[0], "TTLS", "user",
3943                 anonymous_identity="ttls", password="password",
3944                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
3945     if dev[0].get_status_field("tls_session_reused") != '0':
3946         raise Exception("Unexpected session resumption on the first connection")
3947
3948     dev[0].request("REAUTHENTICATE")
3949     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3950     if ev is None:
3951         raise Exception("EAP success timed out")
3952     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3953     if ev is None:
3954         raise Exception("Key handshake with the AP timed out")
3955     if dev[0].get_status_field("tls_session_reused") != '1':
3956         raise Exception("Session resumption not used on the second connection")
3957
3958 def test_eap_ttls_no_session_resumption(dev, apdev):
3959     """EAP-TTLS session resumption disabled on server"""
3960     params = int_eap_server_params()
3961     params['tls_session_lifetime'] = '0'
3962     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3963     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3964                 anonymous_identity="ttls", password="password",
3965                 ca_cert="auth_serv/ca.pem", eap_workaround='0',
3966                 phase2="auth=PAP")
3967     if dev[0].get_status_field("tls_session_reused") != '0':
3968         raise Exception("Unexpected session resumption on the first connection")
3969
3970     dev[0].request("REAUTHENTICATE")
3971     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3972     if ev is None:
3973         raise Exception("EAP success timed out")
3974     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3975     if ev is None:
3976         raise Exception("Key handshake with the AP timed out")
3977     if dev[0].get_status_field("tls_session_reused") != '0':
3978         raise Exception("Unexpected session resumption on the second connection")
3979
3980 def test_eap_peap_session_resumption(dev, apdev):
3981     """EAP-PEAP session resumption"""
3982     params = int_eap_server_params()
3983     params['tls_session_lifetime'] = '60'
3984     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3985     check_tls_session_resumption_capa(dev[0], hapd)
3986     eap_connect(dev[0], apdev[0], "PEAP", "user",
3987                 anonymous_identity="peap", password="password",
3988                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
3989     if dev[0].get_status_field("tls_session_reused") != '0':
3990         raise Exception("Unexpected session resumption on the first connection")
3991
3992     dev[0].request("REAUTHENTICATE")
3993     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3994     if ev is None:
3995         raise Exception("EAP success timed out")
3996     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3997     if ev is None:
3998         raise Exception("Key handshake with the AP timed out")
3999     if dev[0].get_status_field("tls_session_reused") != '1':
4000         raise Exception("Session resumption not used on the second connection")
4001
4002 def test_eap_peap_session_resumption_crypto_binding(dev, apdev):
4003     """EAP-PEAP session resumption with crypto binding"""
4004     params = int_eap_server_params()
4005     params['tls_session_lifetime'] = '60'
4006     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4007     check_tls_session_resumption_capa(dev[0], hapd)
4008     eap_connect(dev[0], apdev[0], "PEAP", "user",
4009                 anonymous_identity="peap", password="password",
4010                 phase1="peapver=0 crypto_binding=2",
4011                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
4012     if dev[0].get_status_field("tls_session_reused") != '0':
4013         raise Exception("Unexpected session resumption on the first connection")
4014
4015     dev[0].request("REAUTHENTICATE")
4016     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4017     if ev is None:
4018         raise Exception("EAP success timed out")
4019     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4020     if ev is None:
4021         raise Exception("Key handshake with the AP timed out")
4022     if dev[0].get_status_field("tls_session_reused") != '1':
4023         raise Exception("Session resumption not used on the second connection")
4024
4025 def test_eap_peap_no_session_resumption(dev, apdev):
4026     """EAP-PEAP session resumption disabled on server"""
4027     params = int_eap_server_params()
4028     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4029     eap_connect(dev[0], apdev[0], "PEAP", "user",
4030                 anonymous_identity="peap", password="password",
4031                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
4032     if dev[0].get_status_field("tls_session_reused") != '0':
4033         raise Exception("Unexpected session resumption on the first connection")
4034
4035     dev[0].request("REAUTHENTICATE")
4036     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4037     if ev is None:
4038         raise Exception("EAP success timed out")
4039     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4040     if ev is None:
4041         raise Exception("Key handshake with the AP timed out")
4042     if dev[0].get_status_field("tls_session_reused") != '0':
4043         raise Exception("Unexpected session resumption on the second connection")
4044
4045 def test_eap_tls_session_resumption(dev, apdev):
4046     """EAP-TLS session resumption"""
4047     params = int_eap_server_params()
4048     params['tls_session_lifetime'] = '60'
4049     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4050     check_tls_session_resumption_capa(dev[0], hapd)
4051     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4052                 client_cert="auth_serv/user.pem",
4053                 private_key="auth_serv/user.key")
4054     if dev[0].get_status_field("tls_session_reused") != '0':
4055         raise Exception("Unexpected session resumption on the first connection")
4056
4057     dev[0].request("REAUTHENTICATE")
4058     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4059     if ev is None:
4060         raise Exception("EAP success timed out")
4061     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4062     if ev is None:
4063         raise Exception("Key handshake with the AP timed out")
4064     if dev[0].get_status_field("tls_session_reused") != '1':
4065         raise Exception("Session resumption not used on the second connection")
4066
4067     dev[0].request("REAUTHENTICATE")
4068     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4069     if ev is None:
4070         raise Exception("EAP success timed out")
4071     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4072     if ev is None:
4073         raise Exception("Key handshake with the AP timed out")
4074     if dev[0].get_status_field("tls_session_reused") != '1':
4075         raise Exception("Session resumption not used on the third connection")
4076
4077 def test_eap_tls_session_resumption_expiration(dev, apdev):
4078     """EAP-TLS session resumption"""
4079     params = int_eap_server_params()
4080     params['tls_session_lifetime'] = '1'
4081     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4082     check_tls_session_resumption_capa(dev[0], hapd)
4083     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4084                 client_cert="auth_serv/user.pem",
4085                 private_key="auth_serv/user.key")
4086     if dev[0].get_status_field("tls_session_reused") != '0':
4087         raise Exception("Unexpected session resumption on the first connection")
4088
4089     # Allow multiple attempts since OpenSSL may not expire the cached entry
4090     # immediately.
4091     for i in range(10):
4092         time.sleep(1.2)
4093
4094         dev[0].request("REAUTHENTICATE")
4095         ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4096         if ev is None:
4097             raise Exception("EAP success timed out")
4098         ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4099         if ev is None:
4100             raise Exception("Key handshake with the AP timed out")
4101         if dev[0].get_status_field("tls_session_reused") == '0':
4102             break
4103     if dev[0].get_status_field("tls_session_reused") != '0':
4104         raise Exception("Session resumption used after lifetime expiration")
4105
4106 def test_eap_tls_no_session_resumption(dev, apdev):
4107     """EAP-TLS session resumption disabled on server"""
4108     params = int_eap_server_params()
4109     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4110     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4111                 client_cert="auth_serv/user.pem",
4112                 private_key="auth_serv/user.key")
4113     if dev[0].get_status_field("tls_session_reused") != '0':
4114         raise Exception("Unexpected session resumption on the first connection")
4115
4116     dev[0].request("REAUTHENTICATE")
4117     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4118     if ev is None:
4119         raise Exception("EAP success timed out")
4120     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4121     if ev is None:
4122         raise Exception("Key handshake with the AP timed out")
4123     if dev[0].get_status_field("tls_session_reused") != '0':
4124         raise Exception("Unexpected session resumption on the second connection")
4125
4126 def test_eap_tls_session_resumption_radius(dev, apdev):
4127     """EAP-TLS session resumption (RADIUS)"""
4128     params = { "ssid": "as", "beacon_int": "2000",
4129                "radius_server_clients": "auth_serv/radius_clients.conf",
4130                "radius_server_auth_port": '18128',
4131                "eap_server": "1",
4132                "eap_user_file": "auth_serv/eap_user.conf",
4133                "ca_cert": "auth_serv/ca.pem",
4134                "server_cert": "auth_serv/server.pem",
4135                "private_key": "auth_serv/server.key",
4136                "tls_session_lifetime": "60" }
4137     authsrv = hostapd.add_ap(apdev[1]['ifname'], params)
4138     check_tls_session_resumption_capa(dev[0], authsrv)
4139
4140     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4141     params['auth_server_port'] = "18128"
4142     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4143     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4144                 client_cert="auth_serv/user.pem",
4145                 private_key="auth_serv/user.key")
4146     if dev[0].get_status_field("tls_session_reused") != '0':
4147         raise Exception("Unexpected session resumption on the first connection")
4148
4149     dev[0].request("REAUTHENTICATE")
4150     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4151     if ev is None:
4152         raise Exception("EAP success timed out")
4153     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4154     if ev is None:
4155         raise Exception("Key handshake with the AP timed out")
4156     if dev[0].get_status_field("tls_session_reused") != '1':
4157         raise Exception("Session resumption not used on the second connection")
4158
4159 def test_eap_tls_no_session_resumption_radius(dev, apdev):
4160     """EAP-TLS session resumption disabled (RADIUS)"""
4161     params = { "ssid": "as", "beacon_int": "2000",
4162                "radius_server_clients": "auth_serv/radius_clients.conf",
4163                "radius_server_auth_port": '18128',
4164                "eap_server": "1",
4165                "eap_user_file": "auth_serv/eap_user.conf",
4166                "ca_cert": "auth_serv/ca.pem",
4167                "server_cert": "auth_serv/server.pem",
4168                "private_key": "auth_serv/server.key",
4169                "tls_session_lifetime": "0" }
4170     hostapd.add_ap(apdev[1]['ifname'], params)
4171
4172     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4173     params['auth_server_port'] = "18128"
4174     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4175     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4176                 client_cert="auth_serv/user.pem",
4177                 private_key="auth_serv/user.key")
4178     if dev[0].get_status_field("tls_session_reused") != '0':
4179         raise Exception("Unexpected session resumption on the first connection")
4180
4181     dev[0].request("REAUTHENTICATE")
4182     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4183     if ev is None:
4184         raise Exception("EAP success timed out")
4185     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4186     if ev is None:
4187         raise Exception("Key handshake with the AP timed out")
4188     if dev[0].get_status_field("tls_session_reused") != '0':
4189         raise Exception("Unexpected session resumption on the second connection")
4190
4191 def test_eap_mschapv2_errors(dev, apdev):
4192     """EAP-MSCHAPv2 error cases"""
4193     check_eap_capa(dev[0], "MSCHAPV2")
4194     check_eap_capa(dev[0], "FAST")
4195
4196     params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
4197     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4198     dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
4199                    identity="phase1-user", password="password",
4200                    scan_freq="2412")
4201     dev[0].request("REMOVE_NETWORK all")
4202     dev[0].wait_disconnected()
4203
4204     tests = [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
4205               (1, "nt_password_hash;mschapv2_derive_response"),
4206               (1, "nt_password_hash;=mschapv2_derive_response"),
4207               (1, "generate_nt_response;mschapv2_derive_response"),
4208               (1, "generate_authenticator_response;mschapv2_derive_response"),
4209               (1, "nt_password_hash;=mschapv2_derive_response"),
4210               (1, "get_master_key;mschapv2_derive_response"),
4211               (1, "os_get_random;eap_mschapv2_challenge_reply") ]
4212     for count, func in tests:
4213         with fail_test(dev[0], count, func):
4214             dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
4215                            identity="phase1-user", password="password",
4216                            wait_connect=False, scan_freq="2412")
4217             wait_fail_trigger(dev[0], "GET_FAIL")
4218             dev[0].request("REMOVE_NETWORK all")
4219             dev[0].wait_disconnected()
4220
4221     tests = [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
4222               (1, "hash_nt_password_hash;=mschapv2_derive_response"),
4223               (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
4224               (1, "generate_authenticator_response_pwhash;mschapv2_derive_response") ]
4225     for count, func in tests:
4226         with fail_test(dev[0], count, func):
4227             dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
4228                            identity="phase1-user",
4229                            password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
4230                            wait_connect=False, scan_freq="2412")
4231             wait_fail_trigger(dev[0], "GET_FAIL")
4232             dev[0].request("REMOVE_NETWORK all")
4233             dev[0].wait_disconnected()
4234
4235     tests = [ (1, "eap_mschapv2_init"),
4236               (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
4237               (1, "eap_msg_alloc;eap_mschapv2_success"),
4238               (1, "eap_mschapv2_getKey") ]
4239     for count, func in tests:
4240         with alloc_fail(dev[0], count, func):
4241             dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
4242                            identity="phase1-user", password="password",
4243                            wait_connect=False, scan_freq="2412")
4244             wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
4245             dev[0].request("REMOVE_NETWORK all")
4246             dev[0].wait_disconnected()
4247
4248     tests = [ (1, "eap_msg_alloc;eap_mschapv2_failure") ]
4249     for count, func in tests:
4250         with alloc_fail(dev[0], count, func):
4251             dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
4252                            identity="phase1-user", password="wrong password",
4253                            wait_connect=False, scan_freq="2412")
4254             wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
4255             dev[0].request("REMOVE_NETWORK all")
4256             dev[0].wait_disconnected()
4257
4258     tests = [ (2, "eap_mschapv2_init"),
4259               (3, "eap_mschapv2_init") ]
4260     for count, func in tests:
4261         with alloc_fail(dev[0], count, func):
4262             dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="FAST",
4263                            anonymous_identity="FAST", identity="user",
4264                            password="password",
4265                            ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
4266                            phase1="fast_provisioning=1",
4267                            pac_file="blob://fast_pac",
4268                            wait_connect=False, scan_freq="2412")
4269             wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
4270             dev[0].request("REMOVE_NETWORK all")
4271             dev[0].wait_disconnected()
4272
4273 def test_eap_gpsk_errors(dev, apdev):
4274     """EAP-GPSK error cases"""
4275     params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
4276     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4277     dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
4278                    identity="gpsk user",
4279                    password="abcdefghijklmnop0123456789abcdef",
4280                    scan_freq="2412")
4281     dev[0].request("REMOVE_NETWORK all")
4282     dev[0].wait_disconnected()
4283
4284     tests = [ (1, "os_get_random;eap_gpsk_send_gpsk_2", None),
4285               (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
4286                "cipher=1"),
4287               (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
4288                "cipher=2"),
4289               (1, "eap_gpsk_derive_keys_helper", None),
4290               (2, "eap_gpsk_derive_keys_helper", None),
4291               (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
4292                "cipher=1"),
4293               (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
4294                "cipher=2"),
4295               (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
4296               (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
4297               (1, "eap_gpsk_derive_mid_helper", None) ]
4298     for count, func, phase1 in tests:
4299         with fail_test(dev[0], count, func):
4300             dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
4301                            identity="gpsk user",
4302                            password="abcdefghijklmnop0123456789abcdef",
4303                            phase1=phase1,
4304                            wait_connect=False, scan_freq="2412")
4305             wait_fail_trigger(dev[0], "GET_FAIL")
4306             dev[0].request("REMOVE_NETWORK all")
4307             dev[0].wait_disconnected()
4308
4309     tests = [ (1, "eap_gpsk_init"),
4310               (2, "eap_gpsk_init"),
4311               (3, "eap_gpsk_init"),
4312               (1, "eap_gpsk_process_id_server"),
4313               (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
4314               (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
4315               (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
4316               (1, "eap_gpsk_derive_keys"),
4317               (1, "eap_gpsk_derive_keys_helper"),
4318               (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
4319               (1, "eap_gpsk_getKey"),
4320               (1, "eap_gpsk_get_emsk"),
4321               (1, "eap_gpsk_get_session_id") ]
4322     for count, func in tests:
4323         with alloc_fail(dev[0], count, func):
4324             dev[0].request("ERP_FLUSH")
4325             dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
4326                            identity="gpsk user", erp="1",
4327                            password="abcdefghijklmnop0123456789abcdef",
4328                            wait_connect=False, scan_freq="2412")
4329             wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
4330             dev[0].request("REMOVE_NETWORK all")
4331             dev[0].wait_disconnected()
4332
4333 def test_ap_wpa2_eap_sim_db(dev, apdev, params):
4334     """EAP-SIM DB error cases"""
4335     sockpath = '/tmp/hlr_auc_gw.sock-test'
4336     try:
4337         os.remove(sockpath)
4338     except:
4339         pass
4340     hparams = int_eap_server_params()
4341     hparams['eap_sim_db'] = 'unix:' + sockpath
4342     hapd = hostapd.add_ap(apdev[0]['ifname'], hparams)
4343
4344     # Initial test with hlr_auc_gw socket not available
4345     id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
4346                         eap="SIM", identity="1232010000000000",
4347                         password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
4348                         scan_freq="2412", wait_connect=False)
4349     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
4350     if ev is None:
4351         raise Exception("EAP-Failure not reported")
4352     dev[0].wait_disconnected()
4353     dev[0].request("DISCONNECT")
4354
4355     # Test with invalid responses and response timeout
4356
4357     class test_handler(SocketServer.DatagramRequestHandler):
4358         def handle(self):
4359             data = self.request[0].strip()
4360             socket = self.request[1]
4361             logger.debug("Received hlr_auc_gw request: " + data)
4362             # EAP-SIM DB: Failed to parse response string
4363             socket.sendto("FOO", self.client_address)
4364             # EAP-SIM DB: Failed to parse response string
4365             socket.sendto("FOO 1", self.client_address)
4366             # EAP-SIM DB: Unknown external response
4367             socket.sendto("FOO 1 2", self.client_address)
4368             logger.info("No proper response - wait for pending eap_sim_db request timeout")
4369
4370     server = SocketServer.UnixDatagramServer(sockpath, test_handler)
4371     server.timeout = 1
4372
4373     dev[0].select_network(id)
4374     server.handle_request()
4375     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
4376     if ev is None:
4377         raise Exception("EAP-Failure not reported")
4378     dev[0].wait_disconnected()
4379     dev[0].request("DISCONNECT")
4380
4381     # Test with a valid response
4382
4383     class test_handler2(SocketServer.DatagramRequestHandler):
4384         def handle(self):
4385             data = self.request[0].strip()
4386             socket = self.request[1]
4387             logger.debug("Received hlr_auc_gw request: " + data)
4388             fname = os.path.join(params['logdir'],
4389                                  'hlr_auc_gw.milenage_db')
4390             cmd = subprocess.Popen(['../../hostapd/hlr_auc_gw',
4391                                     '-m', fname, data],
4392                                    stdout=subprocess.PIPE)
4393             res = cmd.stdout.read().strip()
4394             cmd.stdout.close()
4395             logger.debug("hlr_auc_gw response: " + res)
4396             socket.sendto(res, self.client_address)
4397
4398     server.RequestHandlerClass = test_handler2
4399
4400     dev[0].select_network(id)
4401     server.handle_request()
4402     dev[0].wait_connected()
4403     dev[0].request("DISCONNECT")
4404     dev[0].wait_disconnected()
4405
4406 def test_eap_tls_sha512(dev, apdev, params):
4407     """EAP-TLS with SHA512 signature"""
4408     params = int_eap_server_params()
4409     params["ca_cert"] = "auth_serv/sha512-ca.pem"
4410     params["server_cert"] = "auth_serv/sha512-server.pem"
4411     params["private_key"] = "auth_serv/sha512-server.key"
4412     hostapd.add_ap(apdev[0]['ifname'], params)
4413
4414     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4415                    identity="tls user sha512",
4416                    ca_cert="auth_serv/sha512-ca.pem",
4417                    client_cert="auth_serv/sha512-user.pem",
4418                    private_key="auth_serv/sha512-user.key",
4419                    scan_freq="2412")
4420     dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4421                    identity="tls user sha512",
4422                    ca_cert="auth_serv/sha512-ca.pem",
4423                    client_cert="auth_serv/sha384-user.pem",
4424                    private_key="auth_serv/sha384-user.key",
4425                    scan_freq="2412")
4426
4427 def test_eap_tls_sha384(dev, apdev, params):
4428     """EAP-TLS with SHA384 signature"""
4429     params = int_eap_server_params()
4430     params["ca_cert"] = "auth_serv/sha512-ca.pem"
4431     params["server_cert"] = "auth_serv/sha384-server.pem"
4432     params["private_key"] = "auth_serv/sha384-server.key"
4433     hostapd.add_ap(apdev[0]['ifname'], params)
4434
4435     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4436                    identity="tls user sha512",
4437                    ca_cert="auth_serv/sha512-ca.pem",
4438                    client_cert="auth_serv/sha512-user.pem",
4439                    private_key="auth_serv/sha512-user.key",
4440                    scan_freq="2412")
4441     dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4442                    identity="tls user sha512",
4443                    ca_cert="auth_serv/sha512-ca.pem",
4444                    client_cert="auth_serv/sha384-user.pem",
4445                    private_key="auth_serv/sha384-user.key",
4446                    scan_freq="2412")
4447
4448 def test_ap_wpa2_eap_assoc_rsn(dev, apdev):
4449     """WPA2-Enterprise AP and association request RSN IE differences"""
4450     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4451     hostapd.add_ap(apdev[0]['ifname'], params)
4452
4453     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap-11w")
4454     params["ieee80211w"] = "2"
4455     hostapd.add_ap(apdev[1]['ifname'], params)
4456
4457     # Success cases with optional RSN IE fields removed one by one
4458     tests = [ ("Normal wpa_supplicant assoc req RSN IE",
4459                "30140100000fac040100000fac040100000fac010000"),
4460               ("Extra PMKIDCount field in RSN IE",
4461                "30160100000fac040100000fac040100000fac0100000000"),
4462               ("Extra Group Management Cipher Suite in RSN IE",
4463                "301a0100000fac040100000fac040100000fac0100000000000fac06"),
4464               ("Extra undefined extension field in RSN IE",
4465                "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
4466               ("RSN IE without RSN Capabilities",
4467                "30120100000fac040100000fac040100000fac01"),
4468               ("RSN IE without AKM", "300c0100000fac040100000fac04"),
4469               ("RSN IE without pairwise", "30060100000fac04"),
4470               ("RSN IE without group", "30020100") ]
4471     for title, ie in tests:
4472         logger.info(title)
4473         set_test_assoc_ie(dev[0], ie)
4474         dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
4475                        identity="gpsk user",
4476                        password="abcdefghijklmnop0123456789abcdef",
4477                        scan_freq="2412")
4478         dev[0].request("REMOVE_NETWORK all")
4479         dev[0].wait_disconnected()
4480
4481     tests = [ ("Normal wpa_supplicant assoc req RSN IE",
4482                "30140100000fac040100000fac040100000fac01cc00"),
4483               ("Group management cipher included in assoc req RSN IE",
4484                "301a0100000fac040100000fac040100000fac01cc000000000fac06") ]
4485     for title, ie in tests:
4486         logger.info(title)
4487         set_test_assoc_ie(dev[0], ie)
4488         dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
4489                        eap="GPSK", identity="gpsk user",
4490                        password="abcdefghijklmnop0123456789abcdef",
4491                        scan_freq="2412")
4492         dev[0].request("REMOVE_NETWORK all")
4493         dev[0].wait_disconnected()
4494
4495     tests = [ ("Invalid group cipher", "30060100000fac02", 41),
4496               ("Invalid pairwise cipher", "300c0100000fac040100000fac02", 42) ]
4497     for title, ie, status in tests:
4498         logger.info(title)
4499         set_test_assoc_ie(dev[0], ie)
4500         dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
4501                        identity="gpsk user",
4502                        password="abcdefghijklmnop0123456789abcdef",
4503                        scan_freq="2412", wait_connect=False)
4504         ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
4505         if ev is None:
4506             raise Exception("Association rejection not reported")
4507         if "status_code=" + str(status) not in ev:
4508             raise Exception("Unexpected status code: " + ev)
4509         dev[0].request("REMOVE_NETWORK all")
4510         dev[0].dump_monitor()
4511
4512     tests = [ ("Management frame protection not enabled",
4513                "30140100000fac040100000fac040100000fac010000", 31),
4514               ("Unsupported management group cipher",
4515                "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 31) ]
4516     for title, ie, status in tests:
4517         logger.info(title)
4518         set_test_assoc_ie(dev[0], ie)
4519         dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
4520                        eap="GPSK", identity="gpsk user",
4521                        password="abcdefghijklmnop0123456789abcdef",
4522                        scan_freq="2412", wait_connect=False)
4523         ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
4524         if ev is None:
4525             raise Exception("Association rejection not reported")
4526         if "status_code=" + str(status) not in ev:
4527             raise Exception("Unexpected status code: " + ev)
4528         dev[0].request("REMOVE_NETWORK all")
4529         dev[0].dump_monitor()
4530
4531 def test_eap_tls_ext_cert_check(dev, apdev):
4532     """EAP-TLS and external server certification validation"""
4533     # With internal server certificate chain validation
4534     id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4535                         identity="tls user",
4536                         ca_cert="auth_serv/ca.pem",
4537                         client_cert="auth_serv/user.pem",
4538                         private_key="auth_serv/user.key",
4539                         phase1="tls_ext_cert_check=1", scan_freq="2412",
4540                         only_add_network=True)
4541     run_ext_cert_check(dev, apdev, id)
4542
4543 def test_eap_ttls_ext_cert_check(dev, apdev):
4544     """EAP-TTLS and external server certification validation"""
4545     # Without internal server certificate chain validation
4546     id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4547                         identity="pap user", anonymous_identity="ttls",
4548                         password="password", phase2="auth=PAP",
4549                         phase1="tls_ext_cert_check=1", scan_freq="2412",
4550                         only_add_network=True)
4551     run_ext_cert_check(dev, apdev, id)
4552
4553 def test_eap_peap_ext_cert_check(dev, apdev):
4554     """EAP-PEAP and external server certification validation"""
4555     # With internal server certificate chain validation
4556     id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
4557                         identity="user", anonymous_identity="peap",
4558                         ca_cert="auth_serv/ca.pem",
4559                         password="password", phase2="auth=MSCHAPV2",
4560                         phase1="tls_ext_cert_check=1", scan_freq="2412",
4561                         only_add_network=True)
4562     run_ext_cert_check(dev, apdev, id)
4563
4564 def test_eap_fast_ext_cert_check(dev, apdev):
4565     """EAP-FAST and external server certification validation"""
4566     check_eap_capa(dev[0], "FAST")
4567     # With internal server certificate chain validation
4568     dev[0].request("SET blob fast_pac_auth_ext ")
4569     id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
4570                         identity="user", anonymous_identity="FAST",
4571                         ca_cert="auth_serv/ca.pem",
4572                         password="password", phase2="auth=GTC",
4573                         phase1="tls_ext_cert_check=1 fast_provisioning=2",
4574                         pac_file="blob://fast_pac_auth_ext",
4575                         scan_freq="2412",
4576                         only_add_network=True)
4577     run_ext_cert_check(dev, apdev, id)
4578
4579 def run_ext_cert_check(dev, apdev, net_id):
4580     check_ext_cert_check_support(dev[0])
4581     if not openssl_imported:
4582         raise HwsimSkip("OpenSSL python method not available")
4583
4584     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4585     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4586
4587     dev[0].select_network(net_id)
4588     certs = {}
4589     while True:
4590         ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
4591                                 "CTRL-REQ-EXT_CERT_CHECK",
4592                                 "CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4593         if ev is None:
4594             raise Exception("No peer server certificate event seen")
4595         if "CTRL-EVENT-EAP-PEER-CERT" in ev:
4596             depth = None
4597             cert = None
4598             vals = ev.split(' ')
4599             for v in vals:
4600                 if v.startswith("depth="):
4601                     depth = int(v.split('=')[1])
4602                 elif v.startswith("cert="):
4603                     cert = v.split('=')[1]
4604             if depth is not None and cert:
4605                 certs[depth] = binascii.unhexlify(cert)
4606         elif "CTRL-EVENT-EAP-SUCCESS" in ev:
4607             raise Exception("Unexpected EAP-Success")
4608         elif "CTRL-REQ-EXT_CERT_CHECK" in ev:
4609             id = ev.split(':')[0].split('-')[-1]
4610             break
4611     if 0 not in certs:
4612         raise Exception("Server certificate not received")
4613     if 1 not in certs:
4614         raise Exception("Server certificate issuer not received")
4615
4616     cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
4617                                            certs[0])
4618     cn = cert.get_subject().commonName
4619     logger.info("Server certificate CN=" + cn)
4620
4621     issuer = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
4622                                              certs[1])
4623     icn = issuer.get_subject().commonName
4624     logger.info("Issuer certificate CN=" + icn)
4625
4626     if cn != "server.w1.fi":
4627         raise Exception("Unexpected server certificate CN: " + cn)
4628     if icn != "Root CA":
4629         raise Exception("Unexpected server certificate issuer CN: " + icn)
4630
4631     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=0.1)
4632     if ev:
4633         raise Exception("Unexpected EAP-Success before external check result indication")
4634
4635     dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":good")
4636     dev[0].wait_connected()
4637
4638     dev[0].request("DISCONNECT")
4639     dev[0].wait_disconnected()
4640     if "FAIL" in dev[0].request("PMKSA_FLUSH"):
4641         raise Exception("PMKSA_FLUSH failed")
4642     dev[0].request("SET blob fast_pac_auth_ext ")
4643     dev[0].request("RECONNECT")
4644
4645     ev = dev[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout=10)
4646     if ev is None:
4647         raise Exception("No peer server certificate event seen (2)")
4648     id = ev.split(':')[0].split('-')[-1]
4649     dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":bad")
4650     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
4651     if ev is None:
4652         raise Exception("EAP-Failure not reported")
4653     dev[0].request("REMOVE_NETWORK all")
4654     dev[0].wait_disconnected()