1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
13 logger = logging.getLogger()
20 from utils import HwsimSkip, alloc_fail, fail_test, skip_with_fips, wait_fail_trigger
21 from wpasupplicant import WpaSupplicant
22 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations, set_test_assoc_ie
26 openssl_imported = True
28 openssl_imported = False
def check_hlr_auc_gw_support():
    """Skip the calling test unless the hlr_auc_gw control socket exists.

    The EAP-SIM/AKA/AKA' tests in this file call this first: without the
    HLR/AuC gateway listening on its UNIX socket the authentication server
    cannot produce SIM/AKA vectors and the positive cases would fail rather
    than skip.

    Raises:
        HwsimSkip: if /tmp/hlr_auc_gw.sock is not present.
    """
    # NOTE(review): fixed, predictable path under /tmp is fine for the
    # isolated hwsim test VM; it is not a pattern to copy into production.
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
34 def check_eap_capa(dev, method):
35 res = dev.get_capability("eap")
37 raise HwsimSkip("EAP method %s not supported in the build" % method)
def check_subject_match_support(dev):
    """Skip the calling test unless dev's TLS backend reports itself as OpenSSL.

    subject_match is reported as unsupported by every other TLS library, so
    a test that relies on it must not run there (it would not be testing
    the constraint at all).

    Args:
        dev: WpaSupplicant instance whose "GET tls_library" is consulted.

    Raises:
        HwsimSkip: if the library string does not start with "OpenSSL".
    """
    lib = dev.request("GET tls_library")
    if lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + lib)
def check_altsubject_match_support(dev):
    """Skip the calling test unless dev's TLS backend reports itself as OpenSSL.

    altsubject_match (subjectAltName constraints) is only supported with
    OpenSSL; on any other library the test is skipped instead of silently
    connecting without the constraint being enforced.

    Args:
        dev: WpaSupplicant instance whose "GET tls_library" is consulted.

    Raises:
        HwsimSkip: if the library string does not start with "OpenSSL".
    """
    lib = dev.request("GET tls_library")
    if lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("altsubject_match not supported with this TLS library: " + lib)
def check_domain_match(dev):
    """Skip the calling test when dev uses the internal TLS implementation.

    domain_match is not available with the internal TLS library; every
    other backend (OpenSSL, GnuTLS, ...) is allowed through.

    Args:
        dev: WpaSupplicant instance whose "GET tls_library" is consulted.

    Raises:
        HwsimSkip: if the library string starts with "internal".
    """
    lib = dev.request("GET tls_library")
    uses_internal_tls = lib.startswith("internal")
    if uses_internal_tls:
        raise HwsimSkip("domain_match not supported with this TLS library: " + lib)
def check_domain_suffix_match(dev):
    """Skip the calling test when dev uses the internal TLS implementation.

    domain_suffix_match is not available with the internal TLS library;
    other backends are allowed through.

    Args:
        dev: WpaSupplicant instance whose "GET tls_library" is consulted.

    Raises:
        HwsimSkip: if the library string starts with "internal".
    """
    lib = dev.request("GET tls_library")
    uses_internal_tls = lib.startswith("internal")
    if uses_internal_tls:
        raise HwsimSkip("domain_suffix_match not supported with this TLS library: " + lib)
def check_domain_match_full(dev):
    """Skip the calling test unless dev's TLS backend reports itself as OpenSSL.

    Per the skip message, non-OpenSSL backends only do a full-domain match
    for domain_suffix_match, so tests that depend on genuine suffix
    matching (e.g. a parent domain accepting a host certificate) must be
    skipped there.

    Args:
        dev: WpaSupplicant instance whose "GET tls_library" is consulted.

    Raises:
        HwsimSkip: if the library string does not start with "OpenSSL".
    """
    lib = dev.request("GET tls_library")
    if lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + lib)
def check_cert_probe_support(dev):
    """Skip the calling test unless the TLS backend supports certificate probing.

    Only the OpenSSL and internal TLS libraries are accepted here; any
    other backend makes the test skip.

    Args:
        dev: WpaSupplicant instance whose "GET tls_library" is consulted.

    Raises:
        HwsimSkip: if the library string starts with neither "OpenSSL"
            nor "internal".
    """
    lib = dev.request("GET tls_library")
    if lib.startswith(("OpenSSL", "internal")):
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + lib)
def check_ext_cert_check_support(dev):
    """Skip the calling test unless dev's TLS backend reports itself as OpenSSL.

    The ext_cert_check option (external certificate validation hook) is
    only available with OpenSSL.

    Args:
        dev: WpaSupplicant instance whose "GET tls_library" is consulted.

    Raises:
        HwsimSkip: if the library string does not start with "OpenSSL".
    """
    lib = dev.request("GET tls_library")
    if lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("ext_cert_check not supported with this TLS library: " + lib)
def check_ocsp_support(dev):
    """Capability hook for the OCSP tests; currently excludes no TLS backend.

    The internal-TLS and BoringSSL skips that used to live here are gone, so
    this is a deliberate no-op that only queries the library name. The
    query is kept so callers see unchanged ctrl_iface traffic. If a backend
    without OCSP support is added, the skip belongs here rather than in
    each test.

    Args:
        dev: WpaSupplicant instance whose "GET tls_library" is queried.
    """
    dev.request("GET tls_library")
def check_pkcs12_support(dev):
    """Capability hook for the PKCS#12 tests; currently excludes no TLS backend.

    The internal-TLS skip that used to live here is gone, so this is a
    deliberate no-op that only queries the library name (kept so callers
    see unchanged ctrl_iface traffic). A future backend without PKCS#12
    support should be skipped here.

    Args:
        dev: WpaSupplicant instance whose "GET tls_library" is queried.
    """
    dev.request("GET tls_library")
def check_dh_dsa_support(dev):
    """Skip the calling test when dev uses the internal TLS implementation.

    Tests that need DH/DSA support cannot run against the internal TLS
    library; all other backends are allowed through.

    Args:
        dev: WpaSupplicant instance whose "GET tls_library" is consulted.

    Raises:
        HwsimSkip: if the library string starts with "internal".
    """
    lib = dev.request("GET tls_library")
    uses_internal_tls = lib.startswith("internal")
    if uses_internal_tls:
        raise HwsimSkip("DH DSA not supported with this TLS library: " + lib)
92 with open(fname, "r") as f:
101 if "-----BEGIN" in l:
103 return base64.b64decode(cert)
105 def eap_connect(dev, ap, method, identity,
106 sha256=False, expect_failure=False, local_error_report=False,
107 maybe_local_error=False, **kwargs):
108 hapd = hostapd.Hostapd(ap['ifname'])
109 id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
110 eap=method, identity=identity,
111 wait_connect=False, scan_freq="2412", ieee80211w="1",
113 eap_check_auth(dev, method, True, sha256=sha256,
114 expect_failure=expect_failure,
115 local_error_report=local_error_report,
116 maybe_local_error=maybe_local_error)
119 ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
121 raise Exception("No connection event received from hostapd")
124 def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
125 expect_failure=False, local_error_report=False,
126 maybe_local_error=False):
127 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
129 raise Exception("Association and EAP start timed out")
130 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD",
131 "CTRL-EVENT-EAP-FAILURE"], timeout=10)
133 raise Exception("EAP method selection timed out")
134 if "CTRL-EVENT-EAP-FAILURE" in ev:
135 if maybe_local_error:
137 raise Exception("Could not select EAP method")
139 raise Exception("Unexpected EAP method")
141 ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
143 raise Exception("EAP failure timed out")
144 ev = dev.wait_disconnected(timeout=10)
145 if maybe_local_error and "locally_generated=1" in ev:
147 if not local_error_report:
148 if "reason=23" not in ev:
149 raise Exception("Proper reason code for disconnection not reported")
151 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
153 raise Exception("EAP success timed out")
156 ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
158 ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
160 raise Exception("Association with the AP timed out")
161 status = dev.get_status()
162 if status["wpa_state"] != "COMPLETED":
163 raise Exception("Connection not completed")
165 if status["suppPortStatus"] != "Authorized":
166 raise Exception("Port not authorized")
167 if method not in status["selectedMethod"]:
168 raise Exception("Incorrect EAP method status")
170 e = "WPA2-EAP-SHA256"
172 e = "WPA2/IEEE 802.1X/EAP"
174 e = "WPA/IEEE 802.1X/EAP"
175 if status["key_mgmt"] != e:
176 raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger an EAP re-authentication on dev and validate its outcome.

    Sends REAUTHENTICATE over the ctrl_iface and then runs eap_check_auth()
    with initial=False so the usual EAP/4-way-handshake event sequence and
    status checks are applied to the re-authentication. local_error_report
    and maybe_local_error keep their eap_check_auth defaults.

    Args:
        dev: WpaSupplicant instance that is currently associated.
        method: expected EAP method name (e.g. "TTLS", "SIM").
        rsn: whether the association is RSN (WPA2) rather than WPA.
        sha256: whether WPA-EAP-SHA256 key management is expected.
        expect_failure: True when the re-authentication should fail.

    Returns:
        Whatever eap_check_auth() returns.
    """
    dev.request("REAUTHENTICATE")
    check_opts = dict(rsn=rsn, sha256=sha256, expect_failure=expect_failure)
    return eap_check_auth(dev, method, False, **check_opts)
184 def test_ap_wpa2_eap_sim(dev, apdev):
185 """WPA2-Enterprise connection using EAP-SIM"""
186 check_hlr_auc_gw_support()
187 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
188 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
189 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
190 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
191 hwsim_utils.test_connectivity(dev[0], hapd)
192 eap_reauth(dev[0], "SIM")
194 eap_connect(dev[1], apdev[0], "SIM", "1232010000000001",
195 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
196 eap_connect(dev[2], apdev[0], "SIM", "1232010000000002",
197 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
200 logger.info("Negative test with incorrect key")
201 dev[0].request("REMOVE_NETWORK all")
202 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
203 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
206 logger.info("Invalid GSM-Milenage key")
207 dev[0].request("REMOVE_NETWORK all")
208 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
209 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
212 logger.info("Invalid GSM-Milenage key(2)")
213 dev[0].request("REMOVE_NETWORK all")
214 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
215 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
218 logger.info("Invalid GSM-Milenage key(3)")
219 dev[0].request("REMOVE_NETWORK all")
220 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
221 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
224 logger.info("Invalid GSM-Milenage key(4)")
225 dev[0].request("REMOVE_NETWORK all")
226 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
227 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
230 logger.info("Missing key configuration")
231 dev[0].request("REMOVE_NETWORK all")
232 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
235 def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
236 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
237 check_hlr_auc_gw_support()
241 raise HwsimSkip("No sqlite3 module available")
242 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
243 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
244 params['auth_server_port'] = "1814"
245 hostapd.add_ap(apdev[0]['ifname'], params)
246 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
247 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
249 logger.info("SIM fast re-authentication")
250 eap_reauth(dev[0], "SIM")
252 logger.info("SIM full auth with pseudonym")
255 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
256 eap_reauth(dev[0], "SIM")
258 logger.info("SIM full auth with permanent identity")
261 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
262 cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
263 eap_reauth(dev[0], "SIM")
265 logger.info("SIM reauth with mismatching MK")
268 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
269 eap_reauth(dev[0], "SIM", expect_failure=True)
270 dev[0].request("REMOVE_NETWORK all")
272 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
273 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
276 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
277 eap_reauth(dev[0], "SIM")
280 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
281 logger.info("SIM reauth with mismatching counter")
282 eap_reauth(dev[0], "SIM")
283 dev[0].request("REMOVE_NETWORK all")
285 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
286 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
289 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
290 logger.info("SIM reauth with max reauth count reached")
291 eap_reauth(dev[0], "SIM")
293 def test_ap_wpa2_eap_sim_config(dev, apdev):
294 """EAP-SIM configuration options"""
295 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
296 hostapd.add_ap(apdev[0]['ifname'], params)
297 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
298 identity="1232010000000000",
299 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
300 phase1="sim_min_num_chal=1",
301 wait_connect=False, scan_freq="2412")
302 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
304 raise Exception("No EAP error message seen")
305 dev[0].request("REMOVE_NETWORK all")
307 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
308 identity="1232010000000000",
309 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
310 phase1="sim_min_num_chal=4",
311 wait_connect=False, scan_freq="2412")
312 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
314 raise Exception("No EAP error message seen (2)")
315 dev[0].request("REMOVE_NETWORK all")
317 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
318 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
319 phase1="sim_min_num_chal=2")
320 eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
321 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
322 anonymous_identity="345678")
324 def test_ap_wpa2_eap_sim_ext(dev, apdev):
325 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
327 _test_ap_wpa2_eap_sim_ext(dev, apdev)
329 dev[0].request("SET external_sim 0")
331 def _test_ap_wpa2_eap_sim_ext(dev, apdev):
332 check_hlr_auc_gw_support()
333 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
334 hostapd.add_ap(apdev[0]['ifname'], params)
335 dev[0].request("SET external_sim 1")
336 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
337 identity="1232010000000000",
338 wait_connect=False, scan_freq="2412")
339 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
341 raise Exception("Network connected timed out")
343 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
345 raise Exception("Wait for external SIM processing request timed out")
347 if p[1] != "GSM-AUTH":
348 raise Exception("Unexpected CTRL-REQ-SIM type")
349 rid = p[0].split('-')[3]
352 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
353 # This will fail during processing, but the ctrl_iface command succeeds
354 dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
355 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
357 raise Exception("EAP failure not reported")
358 dev[0].request("DISCONNECT")
359 dev[0].wait_disconnected()
362 dev[0].select_network(id, freq="2412")
363 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
365 raise Exception("Wait for external SIM processing request timed out")
367 if p[1] != "GSM-AUTH":
368 raise Exception("Unexpected CTRL-REQ-SIM type")
369 rid = p[0].split('-')[3]
370 # This will fail during GSM auth validation
371 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:q"):
372 raise Exception("CTRL-RSP-SIM failed")
373 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
375 raise Exception("EAP failure not reported")
376 dev[0].request("DISCONNECT")
377 dev[0].wait_disconnected()
380 dev[0].select_network(id, freq="2412")
381 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
383 raise Exception("Wait for external SIM processing request timed out")
385 if p[1] != "GSM-AUTH":
386 raise Exception("Unexpected CTRL-REQ-SIM type")
387 rid = p[0].split('-')[3]
388 # This will fail during GSM auth validation
389 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:34"):
390 raise Exception("CTRL-RSP-SIM failed")
391 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
393 raise Exception("EAP failure not reported")
394 dev[0].request("DISCONNECT")
395 dev[0].wait_disconnected()
398 dev[0].select_network(id, freq="2412")
399 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
401 raise Exception("Wait for external SIM processing request timed out")
403 if p[1] != "GSM-AUTH":
404 raise Exception("Unexpected CTRL-REQ-SIM type")
405 rid = p[0].split('-')[3]
406 # This will fail during GSM auth validation
407 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677"):
408 raise Exception("CTRL-RSP-SIM failed")
409 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
411 raise Exception("EAP failure not reported")
412 dev[0].request("DISCONNECT")
413 dev[0].wait_disconnected()
416 dev[0].select_network(id, freq="2412")
417 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
419 raise Exception("Wait for external SIM processing request timed out")
421 if p[1] != "GSM-AUTH":
422 raise Exception("Unexpected CTRL-REQ-SIM type")
423 rid = p[0].split('-')[3]
424 # This will fail during GSM auth validation
425 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:q"):
426 raise Exception("CTRL-RSP-SIM failed")
427 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
429 raise Exception("EAP failure not reported")
430 dev[0].request("DISCONNECT")
431 dev[0].wait_disconnected()
434 dev[0].select_network(id, freq="2412")
435 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
437 raise Exception("Wait for external SIM processing request timed out")
439 if p[1] != "GSM-AUTH":
440 raise Exception("Unexpected CTRL-REQ-SIM type")
441 rid = p[0].split('-')[3]
442 # This will fail during GSM auth validation
443 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233"):
444 raise Exception("CTRL-RSP-SIM failed")
445 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
447 raise Exception("EAP failure not reported")
448 dev[0].request("DISCONNECT")
449 dev[0].wait_disconnected()
452 dev[0].select_network(id, freq="2412")
453 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
455 raise Exception("Wait for external SIM processing request timed out")
457 if p[1] != "GSM-AUTH":
458 raise Exception("Unexpected CTRL-REQ-SIM type")
459 rid = p[0].split('-')[3]
460 # This will fail during GSM auth validation
461 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233:q"):
462 raise Exception("CTRL-RSP-SIM failed")
463 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
465 raise Exception("EAP failure not reported")
467 def test_ap_wpa2_eap_sim_oom(dev, apdev):
468 """EAP-SIM and OOM"""
469 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
470 hostapd.add_ap(apdev[0]['ifname'], params)
471 tests = [ (1, "milenage_f2345"),
472 (2, "milenage_f2345"),
473 (3, "milenage_f2345"),
474 (4, "milenage_f2345"),
475 (5, "milenage_f2345"),
476 (6, "milenage_f2345"),
477 (7, "milenage_f2345"),
478 (8, "milenage_f2345"),
479 (9, "milenage_f2345"),
480 (10, "milenage_f2345"),
481 (11, "milenage_f2345"),
482 (12, "milenage_f2345") ]
483 for count, func in tests:
484 with alloc_fail(dev[0], count, func):
485 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
486 identity="1232010000000000",
487 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
488 wait_connect=False, scan_freq="2412")
489 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
491 raise Exception("EAP method not selected")
492 dev[0].wait_disconnected()
493 dev[0].request("REMOVE_NETWORK all")
495 def test_ap_wpa2_eap_aka(dev, apdev):
496 """WPA2-Enterprise connection using EAP-AKA"""
497 check_hlr_auc_gw_support()
498 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
499 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
500 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
501 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
502 hwsim_utils.test_connectivity(dev[0], hapd)
503 eap_reauth(dev[0], "AKA")
505 logger.info("Negative test with incorrect key")
506 dev[0].request("REMOVE_NETWORK all")
507 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
508 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
511 logger.info("Invalid Milenage key")
512 dev[0].request("REMOVE_NETWORK all")
513 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
514 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
517 logger.info("Invalid Milenage key(2)")
518 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
519 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
522 logger.info("Invalid Milenage key(3)")
523 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
524 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
527 logger.info("Invalid Milenage key(4)")
528 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
529 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
532 logger.info("Invalid Milenage key(5)")
533 dev[0].request("REMOVE_NETWORK all")
534 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
535 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
538 logger.info("Invalid Milenage key(6)")
539 dev[0].request("REMOVE_NETWORK all")
540 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
541 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
544 logger.info("Missing key configuration")
545 dev[0].request("REMOVE_NETWORK all")
546 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
549 def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
550 """WPA2-Enterprise connection using EAP-AKA (SQL)"""
551 check_hlr_auc_gw_support()
555 raise HwsimSkip("No sqlite3 module available")
556 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
557 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
558 params['auth_server_port'] = "1814"
559 hostapd.add_ap(apdev[0]['ifname'], params)
560 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
561 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
563 logger.info("AKA fast re-authentication")
564 eap_reauth(dev[0], "AKA")
566 logger.info("AKA full auth with pseudonym")
569 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
570 eap_reauth(dev[0], "AKA")
572 logger.info("AKA full auth with permanent identity")
575 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
576 cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
577 eap_reauth(dev[0], "AKA")
579 logger.info("AKA reauth with mismatching MK")
582 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
583 eap_reauth(dev[0], "AKA", expect_failure=True)
584 dev[0].request("REMOVE_NETWORK all")
586 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
587 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
590 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
591 eap_reauth(dev[0], "AKA")
594 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
595 logger.info("AKA reauth with mismatching counter")
596 eap_reauth(dev[0], "AKA")
597 dev[0].request("REMOVE_NETWORK all")
599 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
600 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
603 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
604 logger.info("AKA reauth with max reauth count reached")
605 eap_reauth(dev[0], "AKA")
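def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    # Consistent with test_ap_wpa2_eap_aka: the positive EAP-AKA connect
    # needs the HLR/AuC gateway, so skip (not fail) when it is absent.
    check_hlr_auc_gw_support()
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # password carries the Milenage key material as three colon-separated
    # hex fields; anonymous_identity exercises the EAP-AKA pseudonym/outer
    # identity option -- presumably the server falls back to a full
    # authentication and the connection must still complete.
    creds = dict(
        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
        anonymous_identity="2345678")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000", **creds)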
615 def test_ap_wpa2_eap_aka_ext(dev, apdev):
616 """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
618 _test_ap_wpa2_eap_aka_ext(dev, apdev)
620 dev[0].request("SET external_sim 0")
622 def _test_ap_wpa2_eap_aka_ext(dev, apdev):
623 check_hlr_auc_gw_support()
624 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
625 hostapd.add_ap(apdev[0]['ifname'], params)
626 dev[0].request("SET external_sim 1")
627 id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
628 identity="0232010000000000",
629 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
630 wait_connect=False, scan_freq="2412")
631 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
633 raise Exception("Network connected timed out")
635 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
637 raise Exception("Wait for external SIM processing request timed out")
639 if p[1] != "UMTS-AUTH":
640 raise Exception("Unexpected CTRL-REQ-SIM type")
641 rid = p[0].split('-')[3]
644 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
645 # This will fail during processing, but the ctrl_iface command succeeds
646 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
647 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
649 raise Exception("EAP failure not reported")
650 dev[0].request("DISCONNECT")
651 dev[0].wait_disconnected()
653 dev[0].dump_monitor()
655 dev[0].select_network(id, freq="2412")
656 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
658 raise Exception("Wait for external SIM processing request timed out")
660 if p[1] != "UMTS-AUTH":
661 raise Exception("Unexpected CTRL-REQ-SIM type")
662 rid = p[0].split('-')[3]
663 # This will fail during UMTS auth validation
664 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
665 raise Exception("CTRL-RSP-SIM failed")
666 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
668 raise Exception("Wait for external SIM processing request timed out")
670 if p[1] != "UMTS-AUTH":
671 raise Exception("Unexpected CTRL-REQ-SIM type")
672 rid = p[0].split('-')[3]
673 # This will fail during UMTS auth validation
674 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
675 raise Exception("CTRL-RSP-SIM failed")
676 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
678 raise Exception("EAP failure not reported")
679 dev[0].request("DISCONNECT")
680 dev[0].wait_disconnected()
682 dev[0].dump_monitor()
684 tests = [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
686 ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
687 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
688 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
689 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
690 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
692 dev[0].select_network(id, freq="2412")
693 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
695 raise Exception("Wait for external SIM processing request timed out")
697 if p[1] != "UMTS-AUTH":
698 raise Exception("Unexpected CTRL-REQ-SIM type")
699 rid = p[0].split('-')[3]
700 # This will fail during UMTS auth validation
701 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
702 raise Exception("CTRL-RSP-SIM failed")
703 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
705 raise Exception("EAP failure not reported")
706 dev[0].request("DISCONNECT")
707 dev[0].wait_disconnected()
709 dev[0].dump_monitor()
711 def test_ap_wpa2_eap_aka_prime(dev, apdev):
712 """WPA2-Enterprise connection using EAP-AKA'"""
713 check_hlr_auc_gw_support()
714 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
715 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
716 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
717 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
718 hwsim_utils.test_connectivity(dev[0], hapd)
719 eap_reauth(dev[0], "AKA'")
721 logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
722 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
723 identity="6555444333222111@both",
724 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
725 wait_connect=False, scan_freq="2412")
726 dev[1].wait_connected(timeout=15)
728 logger.info("Negative test with incorrect key")
729 dev[0].request("REMOVE_NETWORK all")
730 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
731 password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
734 def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
735 """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
736 check_hlr_auc_gw_support()
740 raise HwsimSkip("No sqlite3 module available")
741 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
742 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
743 params['auth_server_port'] = "1814"
744 hostapd.add_ap(apdev[0]['ifname'], params)
745 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
746 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
748 logger.info("AKA' fast re-authentication")
749 eap_reauth(dev[0], "AKA'")
751 logger.info("AKA' full auth with pseudonym")
754 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
755 eap_reauth(dev[0], "AKA'")
757 logger.info("AKA' full auth with permanent identity")
760 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
761 cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
762 eap_reauth(dev[0], "AKA'")
764 logger.info("AKA' reauth with mismatching k_aut")
767 cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
768 eap_reauth(dev[0], "AKA'", expect_failure=True)
769 dev[0].request("REMOVE_NETWORK all")
771 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
772 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
775 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
776 eap_reauth(dev[0], "AKA'")
779 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
780 logger.info("AKA' reauth with mismatching counter")
781 eap_reauth(dev[0], "AKA'")
782 dev[0].request("REMOVE_NETWORK all")
784 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
785 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
788 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
789 logger.info("AKA' reauth with max reauth count reached")
790 eap_reauth(dev[0], "AKA'")
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Sanity-check the AP side: the first AKM in its config must be 802.1X.
    akm_list = hapd.get_config()['key_mgmt']
    first_akm, _, _ = akm_list.partition(' ')
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + akm_list)
    # PAP sends the password as-is inside the TLS tunnel, so the ca_cert
    # check is the only thing keeping a rogue AP from harvesting it.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    # 00-0f-ac-1 is the IEEE 802.1X AKM suite selector; both the requested
    # and the selected suite must report it.
    expected_akm = "00-0f-ac-1"
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", expected_akm),
                       ("dot11RSNAAuthenticationSuiteSelected", expected_akm)])
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # With these certificate constraints set the connection is still expected
    # to come up, i.e. the auth_serv server certificate satisfies them
    # (presumably CN=server.w1.fi plus a matching DNS SAN -- confirm against
    # the server cert if this test ever starts failing).
    cert_constraints = dict(
        subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
        altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                **cert_constraints)
    eap_reauth(dev[0], "TTLS")
820 def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
821 """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
822 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
823 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
824 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
825 anonymous_identity="ttls", password="wrong",
826 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
828 eap_connect(dev[1], apdev[0], "TTLS", "user",
829 anonymous_identity="ttls", password="password",
830 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    # CHAP is MD5-based, presumably why FIPS-mode builds are skipped here.
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Uses the DER-encoded CA cert (the PAP test uses the PEM form).
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", **inner)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
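def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and altsubject_match"""
    # Docstring now names the altsubject_match constraint this test is
    # actually about (it previously duplicated the plain CHAP test's text).
    skip_with_fips(dev[0])
    check_altsubject_match_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # The connection must still come up with this SAN constraint in place,
    # i.e. the auth_serv server certificate satisfies it (presumably via the
    # DNS:server.w1.fi entry -- confirm against the server cert if needed).
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match="EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi")
    eap_reauth(dev[0], "TTLS")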
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Valid CHAP user, wrong password: the inner CHAP response must fail.
    # NOTE(review): the closing argument line of this call (presumably
    # expect_failure=True, as in the sibling tests) is not visible here.
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
    # Correct password with identity "user"; presumably not provisioned
    # for CHAP on the test server - verify against the server user db.
    eap_connect(dev[1], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
    skip_with_fips(dev[0])
    check_domain_suffix_match(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # domain_suffix_match binds the tunnel to the expected server name
    # instead of accepting any certificate that chains to ca.pem.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    dev[0].request("REMOVE_NETWORK all")
    # Second run without the name pin. NOTE(review): the closing argument
    # line of this call is not visible in this excerpt.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    # Credential given in NT-hash form (presumably the hash of "password"
    # used above). Since MSCHAP authenticates with the hash, the hash is
    # password-equivalent and must be protected like the cleartext.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Three rejection cases; the closing argument line of each call
    # (presumably expect_failure=True, as in sibling tests) is not
    # visible in this excerpt.
    # 1) known MSCHAP user, wrong password
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    # 2) correct password, identity presumably not provisioned for MSCHAP
    eap_connect(dev[1], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    # 3) unknown identity - must fail without leaking whether it exists
    eap_connect(dev[2], apdev[0], "TTLS", "no such user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
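def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # Backslash escaped explicitly: the former "\m" only produced a literal
    # backslash because it is not a recognized escape sequence, and newer
    # Python versions warn about it.
    identity = "DOMAIN\\mschapv2 user"
    # domain_suffix_match ties the tunnel to the expected server name
    # rather than accepting any certificate chaining to ca.pem.
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    # Snapshot AP-side 802.1X counters around a reauthentication so the
    # reauth is verified to have gone through the backend authenticator.
    sta1 = hapd.get_sta(dev[0].p2p_interface_addr())
    eapol1 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(dev[0].p2p_interface_addr())
    eapol2 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # NT-hash form of the credential (presumably the hash of "password"
    # used above). MSCHAPv2 authenticates with the hash, so it is
    # password-equivalent and must be protected like the cleartext.
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")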
def test_ap_wpa2_eap_ttls_invalid_phase2(dev, apdev):
    """EAP-TTLS with invalid phase2 parameter values"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Malformed phase2 strings: a mis-cased method name (the accepted
    # spelling elsewhere in this file is MSCHAPV2), mixed auth=/autheap=,
    # duplicate auth= entries and an unknown autheap= method. Each must
    # make EAP-TTLS fail at method initialization, never connect.
    tests = [ "auth=MSCHAPv2", "auth=MSCHAPV2 autheap=MD5",
              "autheap=MD5 auth=MSCHAPV2", "auth=PAP auth=CHAP",
              "autheap=MD5 autheap=FOO autheap=MSCHAPV2" ]
        # NOTE(review): the loop header iterating `tests` as `t` is not
        # visible in this excerpt.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity="DOMAIN\mschapv2 user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2=t,
                       wait_connect=False, scan_freq="2412")
        # method=21 is the EAP type number of EAP-TTLS.
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=10)
        if ev is None or "method=21" not in ev:
            raise Exception("EAP-TTLS not started")
        ev = dev[0].wait_event(["EAP: Failed to initialize EAP method",
                                "CTRL-EVENT-CONNECTED"], timeout=5)
        if ev is None or "CTRL-EVENT-CONNECTED" in ev:
            raise Exception("No EAP-TTLS failure reported for phase2=" + t)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()
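def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_suffix_match)"""
    # A bare parent-domain suffix ("w1.fi" for server.w1.fi) only matches
    # with TLS libraries that implement real suffix matching; others
    # require a full match and are skipped.
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # Backslash escaped explicitly; "\m" was only a literal backslash by
    # accident (not a recognized escape) and newer Python warns about it.
    identity = "DOMAIN\\mschapv2 user"
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")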
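def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
    check_domain_match(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # Backslash escaped explicitly; "\m" was only a literal backslash by
    # accident (not a recognized escape) and newer Python warns about it.
    identity = "DOMAIN\\mschapv2 user"
    # domain_match requires the full server name; the mixed-case value
    # presumably exercises case-insensitive comparison - confirm.
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")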
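def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Backslash escaped explicitly; "\m" was only a literal backslash by
    # accident (not a recognized escape) and newer Python warns about it.
    # Known user with a near-miss password must be rejected.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
    # Correct password with identity "user"; presumably not provisioned
    # for MSCHAPv2 on the test server - verify against the server user db.
    eap_connect(dev[1], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)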
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # Non-ASCII password given as a UTF-8 string; the supplicant must
    # convert it consistently with the server before hashing.
    eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
                anonymous_identity="ttls", password="secret-åäö-€-password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    # Same idea with the credential supplied as a precomputed NT hash
    # (password-equivalent; presumably the hash of the string above).
    eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
                anonymous_identity="ttls",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    # Malformed raw passwords: a lone high byte, a sequence with bytes
    # that are not valid UTF-8 (presumably the c0/e0 lead bytes), and a
    # 257-byte value. Each must end in an EAP failure rather than a
    # crash or a successful authentication.
    for p in [ "80", "41c041e04141e041", 257*"41" ]:
        dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="TTLS", identity="utf8-user-hash",
                       anonymous_identity="ttls", password_hex=p,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=1)
            # NOTE(review): the `if ev is None:` guard for this raise is
            # not visible in this excerpt.
            raise Exception("No failure reported")
        dev[2].request("REMOVE_NETWORK all")
        dev[2].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS with inner EAP-GTC"""
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    # EAP-GTC hands the password over as a plain token, so its
    # confidentiality rests entirely on the outer TLS tunnel being
    # validated against ca_cert.
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password",
                anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                phase2="autheap=GTC")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # A wrong GTC token must end in an EAP failure, never a connection.
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="wrong",
                anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                phase2="autheap=GTC", expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" is (by its name) provisioned on the test server
    # without a password; offering any token for it must be rejected.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                password="password", anonymous_identity="ttls",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
    # Integrated EAP server in hostapd so allocation failures can be
    # injected on the authenticator side.
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # First allocation in eap_gtc_init fails: the inner method cannot be
    # set up and the client must see a failure, not a connection.
    with alloc_fail(hapd, 1, "eap_gtc_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                    expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

    # Failure while building the GTC request: no response is ever sent,
    # so the test only waits until the injected failure has triggered.
    with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        # NOTE(review): the polling loop around this check and its body are
        # not visible in this excerpt.
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS with inner EAP-MD5"""
    check_eap_capa(dev[0], "MD5")
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    # EAP-MD5 is a bare challenge/response with no key derivation; it is
    # only acceptable here because it runs inside the TTLS tunnel.
    tunnel = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], apdev[0], "TTLS", "user", **tunnel)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    check_eap_capa(dev[0], "MD5")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Wrong password -> wrong MD5 response -> EAP failure expected.
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="wrong",
                anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                phase2="autheap=MD5", expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    check_eap_capa(dev[0], "MD5")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" is (by its name) provisioned without a password on
    # the test server; the server must not accept any response for it.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                password="password", anonymous_identity="ttls",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
    check_eap_capa(dev[0], "MD5")
    # Integrated EAP server in hostapd so allocation failures can be
    # injected on the authenticator side.
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # First allocation in eap_md5_init fails: inner method setup fails and
    # the client must end up with an EAP failure.
    with alloc_fail(hapd, 1, "eap_md5_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                    expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

    # Failure while building the MD5 challenge: the server sends nothing,
    # so the test only waits until the injected failure has triggered.
    with alloc_fail(hapd, 1, "eap_md5_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        # NOTE(review): the polling loop around this check and its body are
        # not visible in this excerpt.
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS with inner EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    # Inner method is EAP-MSCHAPv2 (autheap=), i.e. MSCHAPv2 wrapped in
    # EAP, rather than the plain MSCHAPv2 AVP variant (auth=) used by the
    # other TTLS tests in this file.
    tunnel = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password",
                **tunnel)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # A one-character-off password must still be rejected.
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password1",
                expect_failure=True, **tunnel)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" is (by its name) provisioned without a password on
    # the test server; no MSCHAPv2 response can be valid for it.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                password="password", anonymous_identity="ttls",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    # Integrated EAP server in hostapd so allocation failures can be
    # injected on the authenticator side. Each block below fails the first
    # allocation in one server-side MSCHAPv2 step and checks that the
    # server degrades to a failure instead of crashing or authenticating.
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(hapd, 1, "eap_mschapv2_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                    expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

    # NOTE(review): in the three blocks below the polling loop around the
    # GET_ALLOC_FAIL check and its body are not visible in this excerpt.
    with alloc_fail(hapd, 1, "eap_mschapv2_build_challenge"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
        dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(hapd, 1, "eap_mschapv2_build_success_req"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
        dev[0].request("REMOVE_NETWORK all")

    # Wrong password here so that the server reaches the failure-request
    # builder, which is where the allocation failure is injected.
    with alloc_fail(hapd, 1, "eap_mschapv2_build_failure_req"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="wrong",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
        dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS with inner EAP-AKA"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The IMSI is the inner identity; the outer (anonymous) identity only
    # carries the realm. The password holds the simulated USIM secrets
    # (presumably Milenage Ki:OPc:SQN - confirm against wpa_supplicant.conf).
    imsi = "0232010000000000"
    usim = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
            "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    eap_connect(dev[0], apdev[0], "TTLS", imsi,
                anonymous_identity=imsi + "@ttls", password=usim,
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP with inner EAP-AKA"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same simulated USIM credential as the TTLS variant, tunnelled in
    # PEAP instead; the IMSI is the inner identity, "<imsi>@peap" the outer.
    imsi = "0232010000000000"
    usim = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
            "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    eap_connect(dev[0], apdev[0], "PEAP", imsi,
                anonymous_identity=imsi + "@peap", password=usim,
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST with inner EAP-AKA"""
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    imsi = "0232010000000000"
    usim = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
            "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    # fast_provisioning=2 selects authenticated PAC provisioning (the
    # server is validated via ca_cert); the PAC is kept in a config blob
    # so it persists for reuse within this supplicant instance.
    eap_connect(dev[0], apdev[0], "FAST", imsi,
                anonymous_identity=imsi + "@fast", password=usim,
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP with inner EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    # Settings shared by every run below; only the credential form and
    # EAP fragmentation differ.
    peap = dict(anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password", **peap)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")
    dev[0].request("REMOVE_NETWORK all")
    # Tiny fragment size forces the TLS handshake across many EAP packets.
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                fragment_size="200", **peap)

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # Credential supplied as an NT hash (presumably of "password" above).
    # MSCHAPv2 authenticates with the hash, so the hash is
    # password-equivalent and must be stored as carefully as the cleartext.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **peap)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password1",
                expect_failure=True, **peap)
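def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Identity in DOMAIN\user form with the backslash escaped explicitly:
    # in a Python 3 str literal "\u" begins a \uXXXX escape, so the former
    # unescaped spelling is a SyntaxError there and only worked by accident
    # in Python 2 byte strings. The runtime value is unchanged.
    identity = "DOMAIN\\user3"
    eap_connect(dev[0], apdev[0], "PEAP", identity,
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")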
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Wrong password for a known user must yield an EAP failure.
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="wrong",
                anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2", expect_failure=True)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    # Crypto binding ties the inner EAP-MSCHAPv2 run to the outer TLS
    # tunnel. crypto_binding=2 makes it mandatory on the client side
    # (0 = off, 1 = optional, 2 = required per wpa_supplicant.conf -
    # confirm); the required case is the one exercised with connectivity
    # and reauthentication.
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peapver=0 crypto_binding=2",
                phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")

    # Optional and disabled binding must still interoperate with the
    # same server (disabled gives up the MITM protection the binding adds).
    for sta, mode in ((dev[1], 1), (dev[2], 0)):
        eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=%d" % mode,
                    phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    # Integrated EAP server so the allocation failure can be injected
    # into the authenticator.
    ap = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    # Fail the first allocation in eap_mschapv2_getKey: without the inner
    # key material the required crypto binding cannot be computed, so the
    # client must end in a failure (reported locally) rather than connect.
    with alloc_fail(ap, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_peap_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # peaplabel=1 with PEAPv0 is expected to fail against this server
    # (presumably a key-derivation label mismatch - confirm).
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="peapver=0 peaplabel=1",
                expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    # NOTE(review): the identity= argument line of this call is not
    # visible in this excerpt.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peap_outer_success=0",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
        # NOTE(review): the `if ev is None:` guard is not visible here.
        raise Exception("No EAP success seen")
    # This won't succeed to connect with peap_outer_success=0, so stop here.
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=1",
                phase2="auth=MSCHAPV2")
    eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=2",
                phase2="auth=MSCHAPV2")
    # PEAPv1 with peaplabel=1: EAP reports success but no connection may
    # follow within the timeout.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peapver=1 peaplabel=1",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
        raise Exception("No EAP success seen")
    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
        raise Exception("Unexpected connection")

    # Outer identities "peap-ver0"/"peap-ver1" presumably make the test
    # server pick a PEAP version; a matching (or unforced) client
    # peapver must connect. NOTE(review): one list entry and the closing
    # argument line of the connect call are not visible in this excerpt.
    tests = [ ("peap-ver0", ""),
              ("peap-ver0", "peapver=0"),
              ("peap-ver1", "peapver=1") ]
    for anon,phase1 in tests:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                       identity="user", anonymous_identity=anon,
                       password="password", phase1=phase1,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # A client-forced PEAP version that the server side does not accept
    # must end in EAP-Failure rather than a silent downgrade.
    tests = [ ("peap-ver0", "peapver=1"),
              ("peap-ver1", "peapver=0") ]
    for anon,phase1 in tests:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                       identity="user", anonymous_identity=anon,
                       password="password", phase1=phase1,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
            raise Exception("No EAP-Failure seen")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Exercises parsing of the TLS tuning options. NOTE(review):
    # tls_allow_md5=1 re-enables MD5-based TLS signatures, which are
    # cryptographically broken; this is acceptable only in a test that
    # checks the option path and must never be copied into a deployment
    # profile.
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_allow_md5=1 tls_disable_session_ticket=1 tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=0 tls_ext_cert_check=0",
                phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP with inner EAP-TLS"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The *2 parameters are the phase-2 (inner EAP-TLS) credentials; the
    # outer tunnel itself only validates the server against ca_cert.
    inner_tls = dict(ca_cert2="auth_serv/ca.pem",
                     client_cert2="auth_serv/user.pem",
                     private_key2="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS", **inner_tls)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using plain EAP-TLS"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Mutual certificate authentication: the client presents user.pem /
    # user.key and requires the server to chain to ca.pem.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **creds)
    eap_reauth(dev[0], "TLS")
def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Encrypted PKCS #8 private key (PKCS #5 v2, 3DES); the passphrase is
    # supplied up front so no interactive CTRL-REQ is needed.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key.pkcs8",
                 private_key_passwd="whatever")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **creds)
def test_eap_tls_pkcs8_pkcs5_v15(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Legacy PKCS #5 v1.5 password-based encryption of the key. This is
    # generally considered weaker than PKCS #5 v2 (PBES2); the test only
    # checks that such key files can still be loaded.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key.pkcs8.pkcs5v15",
                 private_key_passwd="whatever")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **creds)
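def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Load CA cert, client cert and private key as named config blobs and
    # reference them via blob:// instead of file paths. Blobs are passed
    # hex-encoded over the control interface (str.encode("hex") is the
    # Python 2 spelling of that).
    blobs = [("cacert", "auth_serv/ca.pem"),
             ("usercert", "auth_serv/user.pem"),
             ("userkey", "auth_serv/user.rsa-key")]
    for name, path in blobs:
        data = read_pem(path)
        if "OK" not in dev[0].request("SET blob %s %s" % (name, data.encode("hex"))):
            # Each failure now names the blob that failed (the userkey
            # failure used to be reported as "cacert").
            raise Exception("Could not set %s blob" % name)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")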
def test_ap_wpa2_eap_tls_blob_missing(dev, apdev):
    """EAP-TLS and config blob missing"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # All three credentials point at a blob that was never set. The EAP
    # method must refuse to initialize - it must not fall back to
    # connecting without a CA or client credential.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="blob://testing-blob-does-not-exist",
                   client_cert="blob://testing-blob-does-not-exist",
                   private_key="blob://testing-blob-does-not-exist",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"], timeout=10)
        # NOTE(review): the `if ev is None:` guard is not visible here.
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_with_tls_len(dev, apdev):
    """EAP-TLS and TLS Message Length in unfragmented packets"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # include_tls_length=1 makes the client emit the TLS Message Length
    # field even when a message fits in one EAP packet; the server has to
    # accept that (legal but unusual) encoding.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                phase1="include_tls_length=1", **creds)
def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
    check_pkcs12_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # The PKCS#12 bundle supplies both client certificate and key, so no
    # client_cert parameter is needed; the passphrase is given up front.
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # Same bundle without a configured passphrase: the supplicant must ask
    # for it over the control interface (CTRL-REQ-PASSPHRASE) and proceed
    # once the answer arrives.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   wait_connect=False, scan_freq="2412")
    # No explicit timeout: relies on wait_event's default.
    ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
        # NOTE(review): the `if ev is None:` guard is not visible here.
        raise Exception("Request for private key passphrase timed out")
    # Network id parsed out of the request; note this shadows builtin id().
    id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
    dev[0].wait_connected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # Run this twice to verify certificate chain handling with OpenSSL. Use two
    # different files to cover both cases of the extra certificate being the
    # one that signed the client certificate and it being unrelated to the
    # client certificate.
    # NOTE(review): the private_key=pkcs12 argument line of this call is
    # not visible in this excerpt.
    for pkcs12 in "auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12":
        eap_connect(dev[0], apdev[0], "TLS", "tls user",
                    ca_cert="auth_serv/ca.pem",
                    private_key_passwd="whatever")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    check_pkcs12_support(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def set_blob(name, data):
        # Blobs travel hex-encoded over the control interface;
        # str.encode("hex") is the Python 2 spelling of that.
        if "OK" not in dev[0].request("SET blob " + name + " " + data.encode("hex")):
            raise Exception("Could not set %s blob" % name)

    set_blob("cacert", read_pem("auth_serv/ca.pem"))
    # The PKCS#12 bundle is binary (read in "rb" mode) and carries both the
    # client certificate and the passphrase-protected private key.
    with open("auth_serv/user.pkcs12", "rb") as f:
        set_blob("pkcs12", f.read())
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Core rogue-AP check: the server certificate does not chain to the
    # configured CA (ca-incorrect.pem), so the supplicant must abort the
    # TLS tunnel before any inner MSCHAPv2 credential is sent. Tried once
    # with the CA as a config blob and once as a file.
    cert = read_pem("auth_serv/ca-incorrect.pem")
    if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
        raise Exception("Could not set cacert blob")
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="blob://cacert",
                   wait_connect=False, scan_freq="2412")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca-incorrect.pem",
                   wait_connect=False, scan_freq="2412")

    # Note: the loop variable rebinds the `dev` parameter; the tuple is
    # evaluated before that happens. NOTE(review): the `if ev is None:`
    # guards preceding the timeout raises below are not visible here.
    for dev in (dev[0], dev[1]):
        ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
            raise Exception("Association and EAP start timed out")

        ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
            raise Exception("EAP method selection timed out")
        if "TTLS" not in ev:
            raise Exception("Unexpected EAP method")

        # Expected sequence: certificate error -> EAP failure ->
        # disconnect -> network temporarily disabled. Success or a
        # connection at any step means the trust root was not enforced.
        ev = dev.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                             "CTRL-EVENT-EAP-SUCCESS",
                             "CTRL-EVENT-EAP-FAILURE",
                             "CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
            raise Exception("EAP result timed out")
        if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
            raise Exception("TLS certificate error not reported")

        ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS",
                             "CTRL-EVENT-EAP-FAILURE",
                             "CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
            raise Exception("EAP result(2) timed out")
        if "CTRL-EVENT-EAP-FAILURE" not in ev:
            raise Exception("EAP failure not reported")

        ev = dev.wait_event(["CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
            raise Exception("EAP result(3) timed out")
        if "CTRL-EVENT-DISCONNECTED" not in ev:
            raise Exception("Disconnection not reported")

        # The supplicant should also back off from the network block so
        # it does not keep retrying against the untrusted server.
        ev = dev.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
            raise Exception("Network block disabling not reported")
# NOTE(review): gutter numbers skip (1627 -> 1629), so the guard between the
# wait_event() call and the "EAP-TTLS not re-started" raise is not visible
# in this listing.
1607 def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
1608 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1609 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1610 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# First a successful connection with the correct trust root, then a second
# network block for the same SSID that only differs in ca_cert (wrong CA).
1611 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1612 identity="pap user", anonymous_identity="ttls",
1613 password="password", phase2="auth=PAP",
1614 ca_cert="auth_serv/ca.pem",
1615 wait_connect=True, scan_freq="2412")
1616 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1617 identity="pap user", anonymous_identity="ttls",
1618 password="password", phase2="auth=PAP",
1619 ca_cert="auth_serv/ca-incorrect.pem",
1620 only_add_network=True, scan_freq="2412")
1622 dev[0].request("DISCONNECT")
1623 dev[0].wait_disconnected()
1624 dev[0].dump_monitor()
1625 dev[0].select_network(id, freq="2412")
# Presumably checks that the earlier successful session does not let the
# block with the wrong CA through (e.g. via cached TLS state) -- confirm.
# method=21 is EAP-TTLS.
1627 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1629 raise Exception("EAP-TTLS not re-started")
# reason=23: IEEE 802.11 reason code for "IEEE 802.1X authentication failed".
1631 ev = dev[0].wait_disconnected(timeout=15)
1632 if "reason=23" not in ev:
1633 raise Exception("Proper reason code for disconnection not reported")
# NOTE(review): gutter numbers skip (1654 -> 1656), so the guard between the
# wait_event() call and the "EAP-TTLS not re-started" raise is not visible
# in this listing.
1635 def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
1636 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1637 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1638 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Variant of diff_ca_trust: the first (successful) block configures no
# ca_cert at all, so the server certificate is not validated there; the
# second block then pins the wrong CA.
1639 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1640 identity="pap user", anonymous_identity="ttls",
1641 password="password", phase2="auth=PAP",
1642 wait_connect=True, scan_freq="2412")
1643 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1644 identity="pap user", anonymous_identity="ttls",
1645 password="password", phase2="auth=PAP",
1646 ca_cert="auth_serv/ca-incorrect.pem",
1647 only_add_network=True, scan_freq="2412")
1649 dev[0].request("DISCONNECT")
1650 dev[0].wait_disconnected()
1651 dev[0].dump_monitor()
1652 dev[0].select_network(id, freq="2412")
# method=21 is EAP-TTLS.
1654 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1656 raise Exception("EAP-TTLS not re-started")
# reason=23: IEEE 802.11 reason code for "IEEE 802.1X authentication failed".
1658 ev = dev[0].wait_disconnected(timeout=15)
1659 if "reason=23" not in ev:
1660 raise Exception("Proper reason code for disconnection not reported")
# NOTE(review): gutter numbers skip (1677 -> 1679), so the guard between the
# wait_event() call and the "EAP-TTLS not re-started" raise is not visible
# in this listing.
1662 def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
1663 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1664 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1665 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1666 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1667 identity="pap user", anonymous_identity="ttls",
1668 password="password", phase2="auth=PAP",
1669 ca_cert="auth_serv/ca.pem",
1670 wait_connect=True, scan_freq="2412")
1671 dev[0].request("DISCONNECT")
1672 dev[0].wait_disconnected()
1673 dev[0].dump_monitor()
# Variant: the same network block that just authenticated successfully is
# edited in place to trust the wrong CA before it is re-selected.
1674 dev[0].set_network_quoted(id, "ca_cert", "auth_serv/ca-incorrect.pem")
1675 dev[0].select_network(id, freq="2412")
# method=21 is EAP-TTLS.
1677 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1679 raise Exception("EAP-TTLS not re-started")
# reason=23: IEEE 802.11 reason code for "IEEE 802.1X authentication failed".
1681 ev = dev[0].wait_disconnected(timeout=15)
1682 if "reason=23" not in ev:
1683 raise Exception("Proper reason code for disconnection not reported")
# NOTE(review): gutter numbers skip (1697 -> 1699, 1701 -> 1703, ...), so the
# guard line between each wait_event() call and its raise is not visible in
# this listing.
1685 def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
1686 """WPA2-Enterprise negative test - domain suffix mismatch"""
1687 check_domain_suffix_match(dev[0])
1688 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1689 hostapd.add_ap(apdev[0]['ifname'], params)
# The trust root is correct; only the domain_suffix_match constraint is
# wrong, so the failure must come from name checking, not chain validation.
1690 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1691 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1692 password="password", phase2="auth=MSCHAPV2",
1693 ca_cert="auth_serv/ca.pem",
1694 domain_suffix_match="incorrect.example.com",
1695 wait_connect=False, scan_freq="2412")
1697 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1699 raise Exception("Association and EAP start timed out")
1701 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1703 raise Exception("EAP method selection timed out")
1704 if "TTLS" not in ev:
1705 raise Exception("Unexpected EAP method")
1707 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1708 "CTRL-EVENT-EAP-SUCCESS",
1709 "CTRL-EVENT-EAP-FAILURE",
1710 "CTRL-EVENT-CONNECTED",
1711 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1713 raise Exception("EAP result timed out")
1714 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1715 raise Exception("TLS certificate error not reported")
# The error text is checked as well, so a generic chain failure would not
# satisfy this test.
1716 if "Domain suffix mismatch" not in ev:
1717 raise Exception("Domain suffix mismatch not reported")
1719 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1720 "CTRL-EVENT-EAP-FAILURE",
1721 "CTRL-EVENT-CONNECTED",
1722 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1724 raise Exception("EAP result(2) timed out")
1725 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1726 raise Exception("EAP failure not reported")
1728 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1729 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1731 raise Exception("EAP result(3) timed out")
1732 if "CTRL-EVENT-DISCONNECTED" not in ev:
1733 raise Exception("Disconnection not reported")
1735 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1737 raise Exception("Network block disabling not reported")
# NOTE(review): gutter numbers skip (1751 -> 1753, 1755 -> 1757, ...), so the
# guard line between each wait_event() call and its raise is not visible in
# this listing.
1739 def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
1740 """WPA2-Enterprise negative test - domain mismatch"""
1741 check_domain_match(dev[0])
1742 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1743 hostapd.add_ap(apdev[0]['ifname'], params)
# Correct trust root, but domain_match requires a full (not suffix) match
# that the server certificate presumably does not satisfy -- confirm against
# the test server certificate.
1744 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1745 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1746 password="password", phase2="auth=MSCHAPV2",
1747 ca_cert="auth_serv/ca.pem",
1748 domain_match="w1.fi",
1749 wait_connect=False, scan_freq="2412")
1751 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1753 raise Exception("Association and EAP start timed out")
1755 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1757 raise Exception("EAP method selection timed out")
1758 if "TTLS" not in ev:
1759 raise Exception("Unexpected EAP method")
1761 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1762 "CTRL-EVENT-EAP-SUCCESS",
1763 "CTRL-EVENT-EAP-FAILURE",
1764 "CTRL-EVENT-CONNECTED",
1765 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1767 raise Exception("EAP result timed out")
1768 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1769 raise Exception("TLS certificate error not reported")
1770 if "Domain mismatch" not in ev:
1771 raise Exception("Domain mismatch not reported")
1773 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1774 "CTRL-EVENT-EAP-FAILURE",
1775 "CTRL-EVENT-CONNECTED",
1776 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1778 raise Exception("EAP result(2) timed out")
1779 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1780 raise Exception("EAP failure not reported")
1782 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1783 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1785 raise Exception("EAP result(3) timed out")
1786 if "CTRL-EVENT-DISCONNECTED" not in ev:
1787 raise Exception("Disconnection not reported")
1789 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1791 raise Exception("Network block disabling not reported")
# NOTE(review): gutter numbers skip (1804 -> 1806, 1808/1809 -> 1811, 1816 ->
# 1818, ...), so the guard line between each wait_event() call and its raise,
# and the line that follows the logger.info() call (1817), are not visible
# in this listing.
1793 def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
1794 """WPA2-Enterprise negative test - subject mismatch"""
1795 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1796 hostapd.add_ap(apdev[0]['ifname'], params)
# Correct trust root; the subject_match value names a CN that must not match
# the server certificate.
1797 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1798 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1799 password="password", phase2="auth=MSCHAPV2",
1800 ca_cert="auth_serv/ca.pem",
1801 subject_match="/C=FI/O=w1.fi/CN=example.com",
1802 wait_connect=False, scan_freq="2412")
1804 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1806 raise Exception("Association and EAP start timed out")
# Unlike the suffix/domain tests there is no capability check up front;
# instead a TLS library without subject_match support is expected to refuse
# to initialize the method (a closed failure), which the test accepts. With
# OpenSSL that refusal is a test failure.
1808 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
1809 "EAP: Failed to initialize EAP method"], timeout=10)
1811 raise Exception("EAP method selection timed out")
1812 if "EAP: Failed to initialize EAP method" in ev:
1813 tls = dev[0].request("GET tls_library")
1814 if tls.startswith("OpenSSL"):
1815 raise Exception("Failed to select EAP method")
1816 logger.info("subject_match not supported - connection failed, so test succeeded")
1818 if "TTLS" not in ev:
1819 raise Exception("Unexpected EAP method")
1821 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1822 "CTRL-EVENT-EAP-SUCCESS",
1823 "CTRL-EVENT-EAP-FAILURE",
1824 "CTRL-EVENT-CONNECTED",
1825 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1827 raise Exception("EAP result timed out")
1828 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1829 raise Exception("TLS certificate error not reported")
1830 if "Subject mismatch" not in ev:
1831 raise Exception("Subject mismatch not reported")
1833 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1834 "CTRL-EVENT-EAP-FAILURE",
1835 "CTRL-EVENT-CONNECTED",
1836 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1838 raise Exception("EAP result(2) timed out")
1839 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1840 raise Exception("EAP failure not reported")
1842 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1843 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1845 raise Exception("EAP result(3) timed out")
1846 if "CTRL-EVENT-DISCONNECTED" not in ev:
1847 raise Exception("Disconnection not reported")
1849 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1851 raise Exception("Network block disabling not reported")
# NOTE(review): gutter numbers skip (1859 -> 1863), so the remaining entries
# of `tests` and the loop header that binds `match` are not visible in this
# listing.
1853 def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
1854 """WPA2-Enterprise negative test - altsubject mismatch"""
1855 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1856 hostapd.add_ap(apdev[0]['ifname'], params)
# Each altsubject_match value is driven through the shared helper below; the
# visible entries cover a bare name and a DNS:-prefixed one.
1858 tests = [ "incorrect.example.com",
1859 "DNS:incorrect.example.com",
1863 _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
# NOTE(review): gutter numbers skip (1873 -> 1875, 1878 -> 1880, 1885 -> 1887,
# ...), so the guard line between each wait_event() call and its raise, and
# the line after the logger.info() call (1886), are not visible here.
#
# Run one altsubject_match negative case against the AP set up by the caller:
# connect with the correct trust root but a non-matching `match` value and
# require CERT-ERROR ("AltSubject mismatch"), EAP-FAILURE, disconnection and
# a temporarily disabled network block. Cleans up with REMOVE_NETWORK all.
1865 def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
1866 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1867 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1868 password="password", phase2="auth=MSCHAPV2",
1869 ca_cert="auth_serv/ca.pem",
1870 altsubject_match=match,
1871 wait_connect=False, scan_freq="2412")
1873 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1875 raise Exception("Association and EAP start timed out")
# A TLS library without altsubject_match support is expected to refuse to
# initialize the method (closed failure); with OpenSSL that is a test failure.
1877 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
1878 "EAP: Failed to initialize EAP method"], timeout=10)
1880 raise Exception("EAP method selection timed out")
1881 if "EAP: Failed to initialize EAP method" in ev:
1882 tls = dev[0].request("GET tls_library")
1883 if tls.startswith("OpenSSL"):
1884 raise Exception("Failed to select EAP method")
1885 logger.info("altsubject_match not supported - connection failed, so test succeeded")
1887 if "TTLS" not in ev:
1888 raise Exception("Unexpected EAP method")
1890 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1891 "CTRL-EVENT-EAP-SUCCESS",
1892 "CTRL-EVENT-EAP-FAILURE",
1893 "CTRL-EVENT-CONNECTED",
1894 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1896 raise Exception("EAP result timed out")
1897 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1898 raise Exception("TLS certificate error not reported")
1899 if "AltSubject mismatch" not in ev:
1900 raise Exception("altsubject mismatch not reported")
1902 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1903 "CTRL-EVENT-EAP-FAILURE",
1904 "CTRL-EVENT-CONNECTED",
1905 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1907 raise Exception("EAP result(2) timed out")
1908 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1909 raise Exception("EAP failure not reported")
1911 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1912 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1914 raise Exception("EAP result(3) timed out")
1915 if "CTRL-EVENT-DISCONNECTED" not in ev:
1916 raise Exception("Disconnection not reported")
1918 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1920 raise Exception("Network block disabling not reported")
# Clear the block so the caller can run the next `match` value cleanly.
1922 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS"""
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Only the trust root is configured on the station (no client certificate
    # or key); the connection is then re-authenticated once.
    eap_connect(dev[0], ap, "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(dev[0], "UNAUTH-TLS")
# NOTE(review): gutter numbers skip (1942 -> 1944, 1945 -> 1947, ...), so the
# guard line between each wait_event() call and its raise is not visible in
# this listing.
1932 def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
1933 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
1934 check_cert_probe_support(dev[0])
1935 skip_with_fips(dev[0])
# Expected SHA-256 hash of the test server certificate (as reported by the
# supplicant in CTRL-EVENT-EAP-PEER-CERT).
1936 srv_cert_hash = "e75bd454c7b02d312e5006d75067c28ffa5baea422effeb2bbd572179cd000ca"
1937 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1938 hostapd.add_ap(apdev[0]['ifname'], params)
# Phase 1: ca_cert="probe://" only probes the server chain. The supplicant
# must report the depth=0 certificate hash and then abort with a CERT-ERROR
# ("Server certificate chain probe") instead of completing authentication.
1939 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1940 identity="probe", ca_cert="probe://",
1941 wait_connect=False, scan_freq="2412")
1942 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1944 raise Exception("Association and EAP start timed out")
1945 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
1947 raise Exception("No peer server certificate event seen")
1948 if "hash=" + srv_cert_hash not in ev:
1949 raise Exception("Expected server certificate hash not reported")
1950 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
1952 raise Exception("EAP result timed out")
1953 if "Server certificate chain probe" not in ev:
1954 raise Exception("Server certificate probe not reported")
1955 dev[0].wait_disconnected(timeout=10)
1956 dev[0].request("REMOVE_NETWORK all")
# Phase 2: pin a different (well-formed) SHA-256 value; the supplicant must
# reject the server with "Server certificate mismatch".
1958 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1959 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1960 password="password", phase2="auth=MSCHAPV2",
1961 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
1962 wait_connect=False, scan_freq="2412")
1963 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1965 raise Exception("Association and EAP start timed out")
1966 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
1968 raise Exception("EAP result timed out")
1969 if "Server certificate mismatch" not in ev:
1970 raise Exception("Server certificate mismatch not reported")
1971 dev[0].wait_disconnected(timeout=10)
1972 dev[0].request("REMOVE_NETWORK all")
# Phase 3: pin the probed hash; authentication must now succeed.
1974 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
1975 anonymous_identity="ttls", password="password",
1976 ca_cert="hash://server/sha256/" + srv_cert_hash,
1977 phase2="auth=MSCHAPV2")
# NOTE(review): gutter numbers skip (1999 -> 2001, 2002 -> 2004), so the guard
# line between each wait_event() call and its raise is not visible in this
# listing.
1979 def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
1980 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
1981 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1982 hostapd.add_ap(apdev[0]['ifname'], params)
# Three malformed hash:// pins, one per station: an unsupported digest
# (md5), a SHA-256 value that is too short, and one containing a non-hex
# character. Each must fail closed at method initialization rather than
# being silently ignored.
1983 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1984 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1985 password="password", phase2="auth=MSCHAPV2",
1986 ca_cert="hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
1987 wait_connect=False, scan_freq="2412")
1988 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1989 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1990 password="password", phase2="auth=MSCHAPV2",
1991 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
1992 wait_connect=False, scan_freq="2412")
1993 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1994 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1995 password="password", phase2="auth=MSCHAPV2",
1996 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
1997 wait_connect=False, scan_freq="2412")
1998 for i in range(0, 3):
1999 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
2001 raise Exception("Association and EAP start timed out")
# vendor 0 method 21 is EAP-TTLS.
2002 ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
2004 raise Exception("Did not report EAP method initialization failure")
# NOTE(review): gutter numbers skip (2017 -> 2020, 2026 -> 2029), so the final
# keyword argument(s) of the two long-identity eap_connect() calls are not
# visible in this listing; the calls are syntactically incomplete here.
2006 def test_ap_wpa2_eap_pwd(dev, apdev):
2007 """WPA2-Enterprise connection using EAP-pwd"""
2008 check_eap_capa(dev[0], "PWD")
2009 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2010 hostapd.add_ap(apdev[0]['ifname'], params)
2011 eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
2012 eap_reauth(dev[0], "PWD")
2013 dev[0].request("REMOVE_NETWORK all")
# A very long NAI exercises identity handling that spans message boundaries.
2015 eap_connect(dev[1], apdev[0], "PWD",
2016 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
2017 password="secret password",
# Wrong password must fail; local_error_report presumably makes eap_connect
# accept a locally reported failure -- confirm against its definition.
2020 logger.info("Negative test with incorrect password")
2021 eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
2022 expect_failure=True, local_error_report=True)
2024 eap_connect(dev[0], apdev[0], "PWD",
2025 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
2026 password="secret password",
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash"""
    check_eap_capa(dev[0], "PWD")
    skip_with_fips(dev[0])
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    nthash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    # "pwd-hash" authenticates both with the plaintext password and with the
    # stored NT hash; the same hash is expected to be rejected for "pwd user".
    eap_connect(dev[0], ap, "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], ap, "PWD", "pwd-hash", password_hex=nthash)
    eap_connect(dev[2], ap, "PWD", "pwd user", password_hex=nthash,
                expect_failure=True, local_error_report=True)
# NOTE(review): gutter numbers skip (2052 -> 2054, 2056 -> 2058, 2062 -> 2064,
# 2066 -> 2068, 2069 -> 2073), so the loop header that binds `i`, the
# try/except structure around eap_connect(), and the lines that end the
# except branch are not visible in this listing.
2042 def test_ap_wpa2_eap_pwd_groups(dev, apdev):
2043 """WPA2-Enterprise connection using various EAP-pwd groups"""
2044 check_eap_capa(dev[0], "PWD")
2045 tls = dev[0].request("GET tls_library")
2046 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2047 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2048 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
# IANA TLS/IKE group ids: 19-21 are the NIST P-256/384/521 curves, 25/26 are
# the smaller P-192/P-224 curves, 27-30 are Brainpool curves.
2049 groups = [ 19, 20, 21, 25, 26 ]
# Brainpool is only added when both the build-time and run-time OpenSSL
# versions are 1.0.2.
2050 if tls.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
2051 logger.info("Add Brainpool EC groups since OpenSSL is new enough")
2052 groups += [ 27, 28, 29, 30 ]
2054 logger.info("Group %d" % i)
2055 params['pwd_group'] = str(i)
2056 hostapd.add_ap(apdev[0]['ifname'], params)
2058 eap_connect(dev[0], apdev[0], "PWD", "pwd user",
2059 password="secret password")
2060 dev[0].request("REMOVE_NETWORK all")
2061 dev[0].wait_disconnected()
2062 dev[0].dump_monitor()
# A connection failure is tolerated only for group 25 on BoringSSL; the
# handling for any other failure is in the lines missing from this listing.
2064 if "BoringSSL" in tls and i in [ 25 ]:
2065 logger.info("Ignore connection failure with group %d with BoringSSL" % i)
2066 dev[0].request("DISCONNECT")
2068 dev[0].request("REMOVE_NETWORK all")
2069 dev[0].dump_monitor()
# NOTE(review): gutter numbers skip (2084 -> 2086), so the guard line between
# the wait_event() call and its raise is not visible in this listing.
2073 def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
2074 """WPA2-Enterprise connection using invalid EAP-pwd group"""
2075 check_eap_capa(dev[0], "PWD")
2076 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2077 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2078 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
# Group 0 is not a valid EC group; the server is expected to fail the
# exchange rather than fall back to some default group.
2079 params['pwd_group'] = "0"
2080 hostapd.add_ap(apdev[0]['ifname'], params)
2081 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
2082 identity="pwd user", password="secret password",
2083 scan_freq="2412", wait_connect=False)
# No explicit timeout here, unlike the other wait_event() calls in this file;
# the helper's default applies.
2084 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2086 raise Exception("Timeout on EAP failure report")
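def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
    check_eap_capa(dev[0], "PWD")
    # Explicit AP configuration: a small fragment_size forces the EAP server
    # to fragment the EAP-pwd messages. (A wpa2_eap_params() result that was
    # previously built and immediately overwritten has been dropped.)
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "19", "fragment_size": "40" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")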
# NOTE(review): gutter numbers skip (2110 -> 2112, 2117 -> 2119), so the guard
# line between each wait_event() call and its raise is not visible in this
# listing.
2099 def test_ap_wpa2_eap_gpsk(dev, apdev):
2100 """WPA2-Enterprise connection using EAP-GPSK"""
2101 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2102 hostapd.add_ap(apdev[0]['ifname'], params)
# `id` is the network block id returned by eap_connect(); it is reused below
# to change phase1 in place. (The name shadows the builtin id().)
2103 id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
2104 password="abcdefghijklmnop0123456789abcdef")
2105 eap_reauth(dev[0], "GPSK")
# Each supported cipher suite must negotiate successfully when forced.
2107 logger.info("Test forced algorithm selection")
2108 for phase1 in [ "cipher=1", "cipher=2" ]:
2109 dev[0].set_network_quoted(id, "phase1", phase1)
2110 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
2112 raise Exception("EAP success timed out")
2113 dev[0].wait_connected(timeout=10)
# Forcing an unknown cipher must fail rather than fall back.
2115 logger.info("Test failed algorithm negotiation")
2116 dev[0].set_network_quoted(id, "phase1", "cipher=9")
2117 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2119 raise Exception("EAP failure timed out")
2121 logger.info("Negative test with incorrect password")
2122 dev[0].request("REMOVE_NETWORK all")
2123 eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
2124 password="ffcdefghijklmnop0123456789abcdef",
2125 expect_failure=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE"""
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Positive case with the correct 32-byte root secret, then a reauth.
    eap_connect(sta, ap, "SAKE", "sake user",
                password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
    eap_reauth(sta, "SAKE")

    # Flipping the first byte of the secret must be rejected.
    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "SAKE", "sake user",
                password_hex="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
                expect_failure=True)
# NOTE(review): gutter numbers skip (2154 -> 2156, 2161 -> 2163), so the guard
# line between each wait_event() call and its raise is not visible in this
# listing.
2141 def test_ap_wpa2_eap_eke(dev, apdev):
2142 """WPA2-Enterprise connection using EAP-EKE"""
2143 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2144 hostapd.add_ap(apdev[0]['ifname'], params)
# `id` is the network block id from eap_connect(), reused to change phase1.
2145 id = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
2146 eap_reauth(dev[0], "EKE")
# Each forced combination of DH group / encryption / PRF / MAC must
# negotiate successfully.
2148 logger.info("Test forced algorithm selection")
2149 for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
2150 "dhgroup=4 encr=1 prf=2 mac=2",
2151 "dhgroup=3 encr=1 prf=2 mac=2",
2152 "dhgroup=3 encr=1 prf=1 mac=1" ]:
2153 dev[0].set_network_quoted(id, "phase1", phase1)
2154 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
2156 raise Exception("EAP success timed out")
2157 dev[0].wait_connected(timeout=10)
# Unknown algorithm ids must fail the negotiation, not fall back.
2159 logger.info("Test failed algorithm negotiation")
2160 dev[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
2161 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2163 raise Exception("EAP failure timed out")
2165 logger.info("Negative test with incorrect password")
2166 dev[0].request("REMOVE_NETWORK all")
2167 eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
2168 expect_failure=True)
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI"""
    # Internal EAP server with an NAI-form server_id instead of the default.
    params = int_eap_server_params()
    params['server_id'] = 'example.server@w1.fi'
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
# NOTE(review): gutter numbers skip (2181 -> 2183, 2212 -> 2215, 2215 -> 2217,
# 2219 -> 2221, 2227 -> 2230, 2234 -> 2236, 2237 -> 2241), so the try/except
# structure, the loop bodies that wait for the allocation failure, and the
# statements that end each branch are not visible in this listing. Line 2233
# uses the Python 2 `except Exception, e:` form.
2177 def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
2178 """WPA2-Enterprise connection using EAP-EKE with server OOM"""
2179 params = int_eap_server_params()
2180 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2181 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
# First set: inject the N-th allocation failure into a named server-side
# EAP-EKE function and require the authentication to fail cleanly.
2183 for count,func in [ (1, "eap_eke_build_commit"),
2184 (2, "eap_eke_build_commit"),
2185 (3, "eap_eke_build_commit"),
2186 (1, "eap_eke_build_confirm"),
2187 (2, "eap_eke_build_confirm"),
2188 (1, "eap_eke_process_commit"),
2189 (2, "eap_eke_process_commit"),
2190 (1, "eap_eke_process_confirm"),
2191 (1, "eap_eke_process_identity"),
2192 (2, "eap_eke_process_identity"),
2193 (3, "eap_eke_process_identity"),
2194 (4, "eap_eke_process_identity") ]:
2195 with alloc_fail(hapd, count, func):
2196 eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello",
2197 expect_failure=True)
2198 dev[0].request("REMOVE_NETWORK all")
# Second set: failures where no EAP result is expected; the test only waits
# until the injected allocation failure has been consumed.
2200 for count,func,pw in [ (1, "eap_eke_init", "hello"),
2201 (1, "eap_eke_get_session_id", "hello"),
2202 (1, "eap_eke_getKey", "hello"),
2203 (1, "eap_eke_build_msg", "hello"),
2204 (1, "eap_eke_build_failure", "wrong"),
2205 (1, "eap_eke_build_identity", "hello"),
2206 (2, "eap_eke_build_identity", "hello") ]:
2207 with alloc_fail(hapd, count, func):
2208 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
2209 eap="EKE", identity="eke user", password=pw,
2210 wait_connect=False, scan_freq="2412")
2211 # This would eventually time out, but we can stop after having
2212 # reached the allocation failure.
# GET_ALLOC_FAIL starting with '0' means the pending failure has fired.
2215 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2217 dev[0].request("REMOVE_NETWORK all")
# Third set: sweep allocation failures through the generic server state
# machine step until the trigger stops firing; presumably the surrounding
# try/except turns "Allocation failure did not trigger" into the loop exit
# -- confirm from the missing lines. `pw` here is the value left over from
# the previous loop.
2219 for count in range(1, 1000):
2221 with alloc_fail(hapd, count, "eap_server_sm_step"):
2222 dev[0].connect("test-wpa2-eap",
2223 key_mgmt="WPA-EAP WPA-EAP-SHA256",
2224 eap="EKE", identity="eke user", password=pw,
2225 wait_connect=False, scan_freq="2412")
2226 # This would eventually time out, but we can stop after having
2227 # reached the allocation failure.
2230 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2232 dev[0].request("REMOVE_NETWORK all")
2233 except Exception, e:
2234 if str(e) == "Allocation failure did not trigger":
2236 raise Exception("Too few allocation failures")
2237 logger.info("%d allocation failures tested" % (count - 1))
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2"""
    check_eap_capa(dev[0], "IKEV2")
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    good_pw = "ike password"
    # Plain connection plus reauth, then the same credentials with a small
    # peer-side fragment_size to exercise fragmented EAP-IKEv2 messages.
    eap_connect(sta, ap, "IKEV2", "ikev2 user", password=good_pw)
    eap_reauth(sta, "IKEV2")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "IKEV2", "ikev2 user",
                password=good_pw, fragment_size="50")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "IKEV2", "ikev2 user",
                password="ike-password", expect_failure=True)
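def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation"""
    check_eap_capa(dev[0], "IKEV2")
    # Explicit AP configuration: a small fragment_size forces the EAP server
    # to fragment the EAP-IKEv2 messages. (A wpa2_eap_params() result that
    # was previously built and immediately overwritten has been dropped.)
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")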
# NOTE(review): gutter numbers skip (2277 -> 2279, 2285 -> 2287, 2287 -> 2289,
# 2289 -> 2292, 2300 -> 2302, 2304 -> 2307), so one entry of the first
# `tests` list, the guard line after each wait_event() call, and the loop
# bodies that wait for the injected failure are not visible in this listing.
2271 def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
2272 """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
2273 check_eap_capa(dev[0], "IKEV2")
2274 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2275 hostapd.add_ap(apdev[0]['ifname'], params)
# Station-side allocation failures in the DH helpers; the test only requires
# that the method is selected and that the injected failure fires.
2277 tests = [ (1, "dh_init"),
2279 (1, "dh_derive_shared") ]
2280 for count, func in tests:
2281 with alloc_fail(dev[0], count, func):
2282 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2283 identity="ikev2 user", password="ike password",
2284 wait_connect=False, scan_freq="2412")
2285 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2287 raise Exception("EAP method not selected")
# "0:" in GET_ALLOC_FAIL means the pending allocation failure has fired.
2289 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2292 dev[0].request("REMOVE_NETWORK all")
# Same pattern with a generic test-failure hook: make the random-number
# source fail inside dh_init; GET_FAIL reports whether it fired.
2294 tests = [ (1, "os_get_random;dh_init") ]
2295 for count, func in tests:
2296 with fail_test(dev[0], count, func):
2297 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2298 identity="ikev2 user", password="ike password",
2299 wait_connect=False, scan_freq="2412")
2300 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2302 raise Exception("EAP method not selected")
2304 if "0:" in dev[0].request("GET_FAIL"):
2307 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX"""
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Positive case with the correct 16-byte key, then a reauth.
    eap_connect(sta, ap, "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(sta, "PAX")

    # Flipping the first byte of the key must be rejected.
    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PAX", "pax.user@example.com",
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK"""
    sta = dev[0]
    ap = apdev[0]
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # SHA-256 based 802.1X AKM with management frame protection required.
    params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    params["ieee80211w"] = "2"
    hostapd.add_ap(ap['ifname'], params)
    good_key = "0123456789abcdef0123456789abcdef"
    eap_connect(sta, ap, "PSK", "psk.user@example.com",
                password_hex=good_key, sha256=True)
    eap_reauth(sta, "PSK", sha256=True)
    # 00-0f-ac-5 is the AKM suite selector for 802.1X with SHA-256; both the
    # requested and the selected suite must report it.
    check_mib(sta, [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
                     ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5") ])

    bss = sta.get_bss(ap['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    flags = bss['flags']
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)

    # Flipping the first byte of the key must be rejected.
    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PSK", "psk.user@example.com",
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
# NOTE(review): gutter numbers skip (2369 -> 2371, 2371 -> 2373, 2373 -> 2376,
# 2383 -> 2385), so the guard line after each wait_event() call and the loop
# body that waits for the injected failure are not visible in this listing.
2347 def test_ap_wpa2_eap_psk_oom(dev, apdev):
2348 """WPA2-Enterprise connection using EAP-PSK and OOM"""
2349 skip_with_fips(dev[0])
2350 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2351 hostapd.add_ap(apdev[0]['ifname'], params)
# Station-side allocation failures inside the AES-EAX primitives EAP-PSK
# uses. "a;b" restricts the failure to a called from b; "=f" presumably
# matches f itself rather than its callees -- confirm in alloc_fail().
2352 tests = [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
2353 (1, "omac1_aes_128;aes_128_eax_encrypt"),
2354 (2, "omac1_aes_128;aes_128_eax_encrypt"),
2355 (3, "omac1_aes_128;aes_128_eax_encrypt"),
2356 (1, "=aes_128_eax_encrypt"),
2357 (1, "omac1_aes_vector"),
2358 (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt"),
2359 (1, "omac1_aes_128;aes_128_eax_decrypt"),
2360 (2, "omac1_aes_128;aes_128_eax_decrypt"),
2361 (3, "omac1_aes_128;aes_128_eax_decrypt"),
2362 (1, "=aes_128_eax_decrypt") ]
2363 for count, func in tests:
2364 with alloc_fail(dev[0], count, func):
2365 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2366 identity="psk.user@example.com",
2367 password_hex="0123456789abcdef0123456789abcdef",
2368 wait_connect=False, scan_freq="2412")
2369 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2371 raise Exception("EAP method not selected")
# "0:" in GET_ALLOC_FAIL means the pending allocation failure has fired.
2373 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2376 dev[0].request("REMOVE_NETWORK all")
# A failure in the block cipher itself must surface as an explicit EAP
# failure event, not just a stalled exchange.
2378 with alloc_fail(dev[0], 1, "aes_128_encrypt_block"):
2379 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2380 identity="psk.user@example.com",
2381 password_hex="0123456789abcdef0123456789abcdef",
2382 wait_connect=False, scan_freq="2412")
2383 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2385 raise Exception("EAP method failure not reported")
2386 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    # WPA (TKIP-era) rather than WPA2 parameters: the MIB checks below
    # expect the WPA OUI suite selector 00-50-f2-1.
    params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem", wait_connect=False,
                   # NOTE(review): the final argument line of this connect()
                   # call is missing from this listing.
    eap_check_auth(dev[0], "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP", rsn=False)
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
                        ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
    # STATUS-VERBOSE must expose the 802.1X port control mode and the EAP
    # session id; "19" is the EAP type number of PEAP (first byte of the id).
    status = dev[0].get_status(extra="VERBOSE")
    if 'portControl' not in status:
        raise Exception("portControl missing from STATUS-VERBOSE")
    if status['portControl'] != 'Auto':
        raise Exception("Unexpected portControl value: " + status['portControl'])
    if 'eap_session_id' not in status:
        raise Exception("eap_session_id missing from STATUS-VERBOSE")
    if not status['eap_session_id'].startswith("19"):
        raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])

    # Each entry: (description, eap, anonymous_identity, identity, phase2,
    # identity to supply on CTRL-REQ-IDENTITY, password to supply on
    # CTRL-REQ-PASSWORD/OTP). A None identity triggers the identity request.
    # NOTE(review): "\m" is not a recognised escape sequence; Python keeps
    # the backslash, but newer interpreters warn -- r"DOMAIN\mschapv2 user"
    # would make the intent explicit.
    tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
               "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
               # NOTE(review): the rest of this tuple is missing from this
               # listing.
              ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
               "TTLS", "ttls", None, "auth=MSCHAPV2",
               "DOMAIN\mschapv2 user", "password"),
              ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
               "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
              ("Connection with dynamic TTLS/EAP-MD5 password entry",
               "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
              ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
               "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
              ("Connection with dynamic PEAP/EAP-GTC password entry",
               "PEAP", None, "user", "auth=GTC", None, "password") ]
    for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
        # NOTE(review): line(s) missing from this listing here.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")
        # NOTE(review): line(s) missing from this listing here (likely the
        # condition deciding whether an identity request is expected).
        ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
        # NOTE(review): the guard line preceding this raise is missing.
        raise Exception("Request for identity timed out")
        # The request id is the trailing number of "CTRL-REQ-IDENTITY-<id>".
        # `id` shadows the builtin; a name like req_num would be clearer.
        id = ev.split(':')[0].split('-')[-1]
        dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
        # NOTE(review): the guard line preceding this raise is missing.
        raise Exception("Request for password timed out")
        id = ev.split(':')[0].split('-')[-1]
        # The reply keyword must mirror whichever request was issued.
        # `type` shadows the builtin as well.
        type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
        dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
        dev[0].wait_connected(timeout=10)
        dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ext_enable_network_while_connected(dev, apdev):
    """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])

    # A second, unrelated open network is added (not connected) so that it
    # can be enabled later while the EAP connection is up.
    id_other = dev[0].connect("other", key_mgmt="NONE", scan_freq="2412",
                              only_add_network=True)

    # NOTE(review): "\m" is not a recognised escape; a raw string would make
    # the literal backslash explicit.
    req_id = "DOMAIN\mschapv2 user"
    # identity=None makes wpa_supplicant ask for it via CTRL-REQ-IDENTITY.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   anonymous_identity="ttls", identity=None,
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
    # NOTE(review): the guard line preceding this raise is missing from
    # this listing.
    raise Exception("Request for identity timed out")
    id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
    dev[0].wait_connected(timeout=10)

    # Enabling another network while connected must not trigger a new
    # authentication attempt within the 1 s window.
    if "OK" not in dev[0].request("ENABLE_NETWORK " + str(id_other)):
        raise Exception("Failed to enable network")
    ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=1)
    # NOTE(review): the guard line preceding this raise is missing from
    # this listing (the message implies it fires when ev is not None).
    raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_vendor_test(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
    eap_reauth(dev[0], "VENDOR-TEST")
    # Second station uses the same vendor method with extra options.
    eap_connect(dev[1], apdev[0], "VENDOR-TEST", "vendor-test",
                # NOTE(review): the remaining argument line(s) of this call
                # are missing from this listing.
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # fast_provisioning=1 selects unauthenticated PAC provisioning; the
    # resulting PAC is stored in a config blob rather than on disk.
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(dev[0], hapd)
    # After provisioning, re-authentication is expected to resume the TLS
    # session through the PAC instead of doing a full handshake.
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
    check_eap_capa(dev[0], "FAST")
    # PAC files are written under the test log directory; note that `params`
    # is rebound from the runner dict to the AP configuration just below.
    pac_file = os.path.join(params['logdir'], "fast.pac")
    pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): line(s) missing from this listing here.
    # Text-format PAC: provision, then verify the file header and that a
    # PAC-Key entry was persisted.
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file=pac_file)
    with open(pac_file, "r") as f:
        # NOTE(review): the line reading the file into `data` is missing
        # from this listing.
    if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
        raise Exception("PAC file header missing")
    if "PAC-Key=" not in data:
        raise Exception("PAC-Key missing from PAC file")
    dev[0].request("REMOVE_NETWORK all")
    # Second connection reuses the PAC written above.
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                # NOTE(review): the remaining argument line(s) are missing
                # from this listing.
    # Same flow on dev[1] with the binary PAC format.
    eap_connect(dev[1], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1 fast_pac_format=binary",
                # NOTE(review): the remaining argument line(s) are missing
                # from this listing.
    dev[1].request("REMOVE_NETWORK all")
    eap_connect(dev[1], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_pac_format=binary",
                # NOTE(review): the remaining argument line(s) and the
                # cleanup lines that follow are missing from this listing.
    os.remove(pac_file2)
    # NOTE(review): line(s) missing from this listing here.
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Unauthenticated provisioning into a binary-format PAC blob; the PAC
    # list is capped at a single entry.
    phase1 = "fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary"
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1=phase1,
                pac_file="blob://fast_pac_bin")
    # The binary PAC must be usable for TLS session resumption.
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # No fast_provisioning in phase1 and a PAC blob that does not exist:
    # the method has no way to get a PAC and must fail cleanly.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   pac_file="blob://fast_pac_not_in_use",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the guard line preceding this raise is missing from
    # this listing.
    raise Exception("Timeout on EAP failure report")
    dev[0].request("REMOVE_NETWORK all")

    # Same without any pac_file at all.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the guard line preceding this raise is missing from
    # this listing.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # fast_provisioning=2 selects authenticated (server-certificate based)
    # PAC provisioning with GTC as the inner method.
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
    hwsim_utils.test_connectivity(dev[0], hapd)
    # Resumption through the provisioned PAC is required on re-auth.
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # `id` (shadows the builtin) is the network id returned by eap_connect.
    id = eap_connect(dev[0], apdev[0], "FAST", "user",
                     anonymous_identity="FAST", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                     phase1="fast_provisioning=2",
                     pac_file="blob://fast_pac_auth")
    # Changing the identity on the live network forces a disconnect; the
    # PAC provisioned for "user" must not let "user2" authenticate.
    dev[0].set_network_quoted(id, "identity", "user2")
    dev[0].wait_disconnected()
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    # NOTE(review): the guard line preceding this raise is missing from
    # this listing.
    raise Exception("EAP-FAST not started")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    # NOTE(review): the guard line preceding this raise is missing from
    # this listing.
    raise Exception("EAP failure not reported")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
    check_eap_capa(dev[0], "FAST")
    # The PRF entry point to fail depends on the TLS backend in the build.
    tls = dev[0].request("GET tls_library")
    if tls.startswith("OpenSSL"):
        func = "openssl_tls_prf"
        # NOTE(review): the line assigning `count` for this branch is
        # missing from this listing.
    elif tls.startswith("internal"):
        func = "tls_connection_prf"
        # NOTE(review): the `count` assignment and the else branch header
        # are missing from this listing; `count` is otherwise unbound here.
        raise HwsimSkip("Unsupported TLS library")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # An allocation failure inside key derivation must end in a reported
    # EAP failure, never a completed association.
    with alloc_fail(dev[0], count, func):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password", ca_cert="auth_serv/ca.pem",
                       # NOTE(review): one argument line is missing here.
                       phase1="fast_provisioning=2",
                       pac_file="blob://fast_pac_auth",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        # NOTE(review): the guard line preceding this raise is missing from
        # this listing.
        raise Exception("EAP failure not reported")
        dev[0].request("DISCONNECT")
def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
    """EAP-FAST/MSCHAPv2 and server OOM"""
    check_eap_capa(dev[0], "FAST")
    # NOTE(review): line(s) missing from this listing here.
    # Integrated EAP server with the EAP-FAST specific settings: the PAC
    # opaque encryption key and the authority id/info. The fixed key is a
    # test vector only.
    params = int_eap_server_params()
    params['dh_file'] = 'auth_serv/dh.conf'
    params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
    params['eap_fast_a_id'] = '1011'
    params['eap_fast_a_id_info'] = 'another test server'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): line(s) missing from this listing here.
    # The allocation failure is injected on the AP (server) side, in the
    # session-ticket extension callback.
    with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
        id = eap_connect(dev[0], apdev[0], "FAST", "user",
                         anonymous_identity="FAST", password="password",
                         ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                         phase1="fast_provisioning=1",
                         pac_file="blob://fast_pac",
                         expect_failure=True)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        # NOTE(review): the guard line preceding this raise is missing from
        # this listing.
        raise Exception("No EAP failure reported")
        dev[0].wait_disconnected()
        dev[0].request("DISCONNECT")
    # NOTE(review): line(s) missing from this listing here.
    # Once the fault injection is lifted the same profile should connect.
    dev[0].select_network(id, freq="2412")
    # NOTE(review): line(s) missing from this listing here.
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Client credentials come from a PKCS#12 bundle; ocsp=2 asks the
    # supplicant to require a stapled OCSP response for the server cert.
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever", ocsp=2)
def int_eap_server_params():
    """Return a fresh hostapd configuration for the integrated EAP server.

    Every call builds a new dict, so callers are free to mutate the result
    (add OCSP stapling, swap the server certificate, ...) without affecting
    other tests. The certificate and user files point into auth_serv/.
    """
    ap_config = {
        "ssid": "test-wpa2-eap",
        "wpa": "2",
        "wpa_key_mgmt": "WPA-EAP",
        "rsn_pairwise": "CCMP",
        "ieee8021x": "1",
        # hostapd's built-in EAP server instead of an external RADIUS server.
        "eap_server": "1",
        "eap_user_file": "auth_serv/eap_user.conf",
        "ca_cert": "auth_serv/ca.pem",
        "server_cert": "auth_serv/server.pem",
        "private_key": "auth_serv/server.key",
    }
    return ap_config
def test_ap_wpa2_eap_tls_ocsp_key_id(dev, apdev, params):
    """EAP-TLS and OCSP certificate signed OCSP response using key ID"""
    check_ocsp_support(dev[0])
    # The pre-generated OCSP response lives in the log directory; skip if
    # the test setup did not produce it.
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-key-id.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # `params` is rebound from the runner dict to the AP configuration.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   # NOTE(review): the remaining argument line(s) of this
                   # connect() call are missing from this listing.
def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (good)"""
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # `params` is rebound from the runner dict to the AP configuration.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Positive case: a CA-signed "good" status with ocsp=2 should allow the
    # connection to complete.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   # NOTE(review): the remaining argument line(s) of this
                   # connect() call are missing from this listing.
def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (revoked)"""
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # `params` is rebound from the runner dict to the AP configuration.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the loop header and counter lines that drive the
    # EAP-STATUS checks below are missing from this listing.
    # A revoked status must show up as a "bad certificate status response"
    # carrying "certificate revoked", and the handshake must end in an EAP
    # failure rather than an association.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    # NOTE(review): the guard line preceding this raise is missing.
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
        # NOTE(review): line(s) missing from this listing here.
    if 'certificate revoked' in ev:
        # NOTE(review): line(s) missing from this listing here.
    raise Exception("Unexpected number of EAP status messages")
    # NOTE(review): line(s) missing from this listing here.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the guard line preceding this raise is missing.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (unknown)"""
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # `params` is rebound from the runner dict to the AP configuration.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the loop header and counter lines that drive the
    # EAP-STATUS checks below are missing from this listing.
    # With ocsp=2 an "unknown" status is treated as a bad status response
    # and the authentication must fail.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    # NOTE(review): the guard line preceding this raise is missing.
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
        # NOTE(review): line(s) missing from this listing here.
    raise Exception("Unexpected number of EAP status messages")
    # NOTE(review): line(s) missing from this listing here.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the guard line preceding this raise is missing.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_server_signed(dev, apdev, params):
    """EAP-TLS and server signed OCSP response"""
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-server-signed.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # `params` is rebound from the runner dict to the AP configuration.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the loop header and counter lines that drive the
    # EAP-STATUS checks below are missing from this listing.
    # A response signed by the server certificate itself (not the CA or a
    # delegated responder) must be rejected as a bad status response.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    # NOTE(review): the guard line preceding this raise is missing.
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
        # NOTE(review): line(s) missing from this listing here.
    raise Exception("Unexpected number of EAP status messages")
    # NOTE(review): line(s) missing from this listing here.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the guard line preceding this raise is missing.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
    check_ocsp_support(dev[0])
    params = int_eap_server_params()
    # An OCSP *request* is stapled in place of a response: structurally
    # wrong data that the client must refuse to treat as a status.
    params["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the loop header and counter lines that drive the
    # EAP-STATUS checks below are missing from this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    # NOTE(review): the guard line preceding this raise is missing.
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
        # NOTE(review): line(s) missing from this listing here.
    raise Exception("Unexpected number of EAP status messages")
    # NOTE(review): line(s) missing from this listing here.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the guard line preceding this raise is missing.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
    check_ocsp_support(dev[0])
    params = int_eap_server_params()
    # A corrupted cached response; the client must fail closed.
    params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the loop header and counter lines that drive the
    # EAP-STATUS checks below are missing from this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    # NOTE(review): the guard line preceding this raise is missing.
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
        # NOTE(review): line(s) missing from this listing here.
    raise Exception("Unexpected number of EAP status messages")
    # NOTE(review): line(s) missing from this listing here.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the guard line preceding this raise is missing.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
    check_ocsp_support(dev[0])
    params = int_eap_server_params()
    # Response signed by a key the client cannot tie to the CA or the
    # server certificate: must be rejected, otherwise anyone could staple
    # a "good" status.
    params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the loop header and counter lines that drive the
    # EAP-STATUS checks below are missing from this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    # NOTE(review): the guard line preceding this raise is missing.
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
        # NOTE(review): line(s) missing from this listing here.
    raise Exception("Unexpected number of EAP status messages")
    # NOTE(review): line(s) missing from this listing here.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the guard line preceding this raise is missing.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # `params` is rebound from the runner dict to the AP configuration.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Same revocation check as the EAP-TLS variant, but through the TTLS
    # outer tunnel with PAP inside; the inner credentials never matter
    # because the tunnel must not be established.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the loop header and counter lines that drive the
    # EAP-STATUS checks below are missing from this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    # NOTE(review): the guard line preceding this raise is missing.
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
        # NOTE(review): line(s) missing from this listing here.
    if 'certificate revoked' in ev:
        # NOTE(review): line(s) missing from this listing here.
    raise Exception("Unexpected number of EAP status messages")
    # NOTE(review): line(s) missing from this listing here.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the guard line preceding this raise is missing.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown"""
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # `params` is rebound from the runner dict to the AP configuration.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    # ocsp=2 (required): an "unknown" status must be treated as a failure.
    # Compare test_ap_wpa2_eap_ttls_optional_ocsp_unknown, where ocsp=1
    # lets the same response through.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the loop header and counter lines that drive the
    # EAP-STATUS checks below are missing from this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    # NOTE(review): the guard line preceding this raise is missing.
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
        # NOTE(review): line(s) missing from this listing here.
    raise Exception("Unexpected number of EAP status messages")
    # NOTE(review): line(s) missing from this listing here.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the guard line preceding this raise is missing.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown"""
    ocsp_response = os.path.join(params['logdir'],
                                 "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp_response):
        raise HwsimSkip("No OCSP response available")

    # Same stapled "unknown" response as test_ap_wpa2_eap_ttls_ocsp_unknown,
    # but here the station only *prefers* OCSP (ocsp=1), so the unknown
    # status is not fatal and the connection is expected to complete.
    ap_config = int_eap_server_params()
    ap_config["ocsp_stapling_response"] = ocsp_response
    hostapd.add_ap(apdev[0]['ifname'], ap_config)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")
def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (full CN)"""
    check_domain_match_full(dev[0])
    params = int_eap_server_params()
    # Server certificate without a dNSName SAN, so the match falls back to
    # the subject CN (presumably "server3.w1.fi" -- confirm against the
    # certificate in auth_serv/).
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # The configured suffix equals the whole CN; this should connect.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="server3.w1.fi",
                   # NOTE(review): the remaining argument line(s) of this
                   # connect() call are missing from this listing.
def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain match (CN)"""
    check_domain_match(dev[0])
    params = int_eap_server_params()
    # No dNSName SAN in the server certificate: the CN is what gets matched.
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # domain_match requires an exact (full) name match, unlike
    # domain_suffix_match.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="server3.w1.fi",
                   # NOTE(review): the remaining argument line(s) of this
                   # connect() call are missing from this listing.
def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN, parent domain)"""
    check_domain_match_full(dev[0])
    params = int_eap_server_params()
    # No dNSName SAN in the server certificate: the CN is what gets matched.
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Only the parent domain is configured; a label-aligned suffix of the
    # CN should be accepted. Note this station is dev[1], not dev[0].
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="w1.fi",
                   # NOTE(review): the remaining argument line(s) of this
                   # connect() call are missing from this listing.
def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
    check_domain_suffix_match(dev[0])
    params = int_eap_server_params()
    # No dNSName SAN in the server certificate: the CN is what gets matched.
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # dev[0]: an unrelated domain must not match.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="example.com",
                   # NOTE(review): the remaining argument line(s) of this
                   # connect() call are missing from this listing.
    # dev[1]: "erver3.w1.fi" is a character suffix of the CN but does not
    # start on a label boundary, so it must be rejected too -- suffix
    # matching is per DNS label, not per character.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="erver3.w1.fi",
                   # NOTE(review): the remaining argument line(s) of this
                   # connect() call are missing from this listing.
    # Both stations must end in an EAP failure.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the guard line preceding this raise is missing.
    raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the guard line preceding this raise is missing.
    raise Exception("Timeout on EAP failure report (2)")
def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
    check_domain_match(dev[0])
    params = int_eap_server_params()
    # No dNSName SAN in the server certificate: the CN is what gets matched.
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # dev[0]: unrelated domain.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="example.com",
                   # NOTE(review): the remaining argument line(s) of this
                   # connect() call are missing from this listing.
    # dev[1]: the parent domain alone is a valid *suffix* but domain_match
    # demands a full match, so it must fail as well.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="w1.fi",
                   # NOTE(review): the remaining argument line(s) of this
                   # connect() call are missing from this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the guard line preceding this raise is missing.
    raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the guard line preceding this raise is missing.
    raise Exception("Timeout on EAP failure report (2)")
def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and expired certificate"""
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-expired.pem"
    params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): the remaining argument line(s) of this
                   # connect() call are missing from this listing.
    # The expiry must be reported through the certificate-error event with
    # reason 4 and the textual reason, and must end in an EAP failure.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
    # NOTE(review): the guard line preceding this raise is missing.
    raise Exception("Timeout on EAP certificate error report")
    if "reason=4" not in ev or "certificate has expired" not in ev:
        raise Exception("Unexpected failure reason: " + ev)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the guard line preceding this raise is missing.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-expired.pem"
    params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # tls_disable_time_checks=1 is an explicit opt-out of validity-period
    # checking; with it the otherwise-rejected expired certificate is
    # accepted (contrast test_ap_wpa2_eap_ttls_expired_cert).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   phase1="tls_disable_time_checks=1",
                   # NOTE(review): the remaining argument line(s) of this
                   # connect() call are missing from this listing.
def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    # Certificate with an unusually long validity period; the connection is
    # expected to succeed (a far-future notAfter must not trip time checks).
    params["server_cert"] = "auth_serv/server-long-duration.pem"
    params["private_key"] = "auth_serv/server-long-duration.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): the remaining argument line(s) of this
                   # connect() call are missing from this listing.
def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    # Server certificate whose Extended Key Usage only allows client
    # authentication: the station must refuse it as a TLS server cert.
    params["server_cert"] = "auth_serv/server-eku-client.pem"
    params["private_key"] = "auth_serv/server-eku-client.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): the remaining argument line(s) of this
                   # connect() call are missing from this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the guard line preceding this raise is missing.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    # EKU lists both clientAuth and serverAuth; serverAuth being present is
    # enough, so this variant is expected to connect (no failure wait below).
    params["server_cert"] = "auth_serv/server-eku-client-server.pem"
    params["private_key"] = "auth_serv/server-eku-client-server.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): the remaining argument line(s) of this
                   # connect() call are missing from this listing.
3141 def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
3142 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
3143 skip_with_fips(dev[0])
3144 params = int_eap_server_params()
# No separate server_cert: the certificate and key are both taken from the
# PKCS#12 container referenced by private_key.
3145 del params["server_cert"]
3146 params["private_key"] = "auth_serv/server.pkcs12"
3147 hostapd.add_ap(apdev[0]['ifname'], params)
3148 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3149 identity="mschap user", password="password",
3150 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
# NOTE(review): original lines 3151-3152 (remaining connect() keyword
# arguments) are missing from this listing.
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and a client-side DH parameter file"""
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    # dh_file points the supplicant at the DH parameters to use for the
    # TLS handshake of the EAP-TTLS tunnel.
    sta_args = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                    dh_file="auth_serv/dh.conf")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **sta_args)
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and DSA-format DH parameters"""
    # Skipped when the TLS library cannot consume DSA parameter files.
    check_dh_dsa_support(dev[0])
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    sta_args = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                    dh_file="auth_serv/dsaparam.pem")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **sta_args)
3172 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
3173 """EAP-TTLS and DH params file not found"""
# Supplicant-side negative test: a dh_file that does not exist must make the
# EAP method fail (CTRL-EVENT-EAP-FAILURE) instead of silently proceeding
# without the configured parameters.
# NOTE(review): a second function with this exact name is defined later in
# this file (the server-side dhparams case); the later definition replaces
# this one at import time, so this test is shadowed.
3174 skip_with_fips(dev[0])
3175 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3176 hostapd.add_ap(apdev[0]['ifname'], params)
3177 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3178 identity="mschap user", password="password",
3179 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3180 dh_file="auth_serv/dh-no-such-file.conf",
3181 scan_freq="2412", wait_connect=False)
3182 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
# NOTE(review): original line 3183 (presumably `if ev is None:`) is missing
# from this listing.
3184 raise Exception("EAP failure timed out")
3185 dev[0].request("REMOVE_NETWORK all")
3186 dev[0].wait_disconnected()
3188 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
3189 """EAP-TTLS and invalid DH params file"""
# Supplicant-side negative test: dh_file points at a CA certificate rather
# than DH parameters; the EAP method must fail rather than fall back to some
# default group.
# NOTE(review): a second function with this exact name is defined later in
# this file (the server-side dhparams case); the later definition replaces
# this one at import time, so this test is shadowed.
3190 skip_with_fips(dev[0])
3191 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3192 hostapd.add_ap(apdev[0]['ifname'], params)
3193 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3194 identity="mschap user", password="password",
3195 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3196 dh_file="auth_serv/ca.pem",
3197 scan_freq="2412", wait_connect=False)
3198 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
# NOTE(review): original line 3199 (presumably `if ev is None:`) is missing
# from this listing.
3200 raise Exception("EAP failure timed out")
3201 dev[0].request("REMOVE_NETWORK all")
3202 dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and DH params loaded from a blob"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Load the DH parameters into a named wpa_supplicant blob and reference
    # it through blob:// instead of a file path.
    dh_params = read_pem("auth_serv/dh2.conf")
    # NOTE(review): str.encode("hex") is a Python 2-only codec;
    # binascii.hexlify() would be the portable spelling.
    resp = dev[0].request("SET blob dhparams " + dh_params.encode("hex"))
    if "OK" not in resp:
        raise Exception("Could not set dhparams blob")
    sta_args = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                    dh_file="blob://dhparams")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **sta_args)
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS with an alternative server-side dhparams file"""
    server_conf = int_eap_server_params()
    # The integrated EAP server, not the STA, is given the DH group here.
    server_conf["dh_file"] = "auth_serv/dh2.conf"
    hostapd.add_ap(apdev[0]['ifname'], server_conf)
    sta_args = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **sta_args)
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS with DSA-format server-side dhparams"""
    server_conf = int_eap_server_params()
    server_conf["dh_file"] = "auth_serv/dsaparam.pem"
    hostapd.add_ap(apdev[0]['ifname'], server_conf)
    sta_args = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **sta_args)
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP server configured with a dhparams file that does not exist"""
    # NOTE(review): this redefines test_ap_wpa2_eap_ttls_dh_params_not_found,
    # which is also declared earlier in this file for the supplicant-side
    # case; the later definition wins, so that earlier test is shadowed.
    server_conf = int_eap_server_params()
    server_conf["dh_file"] = "auth_serv/dh-no-such-file.conf"
    hapd = hostapd.add_ap(apdev[0]['ifname'], server_conf, no_enable=True)
    # ENABLE must be refused when the configured dh_file cannot be loaded.
    result = hapd.request("ENABLE")
    if "FAIL" not in result:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP server configured with a dhparams file holding the wrong content"""
    # NOTE(review): this redefines test_ap_wpa2_eap_ttls_dh_params_invalid,
    # which is also declared earlier in this file for the supplicant-side
    # case; the later definition wins, so that earlier test is shadowed.
    server_conf = int_eap_server_params()
    # A CA certificate is not a DH parameter file.
    server_conf["dh_file"] = "auth_serv/ca.pem"
    hapd = hostapd.add_ap(apdev[0]['ifname'], server_conf, no_enable=True)
    result = hapd.request("ENABLE")
    if "FAIL" not in result:
        raise Exception("Invalid configuration accepted")
3250 def test_ap_wpa2_eap_reauth(dev, apdev):
3251 """WPA2-Enterprise and Authenticator forcing reauthentication"""
3252 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
# Short reauthentication period (seconds) so the Authenticator triggers a new
# EAP exchange shortly after the initial connection.
3253 params['eap_reauth_period'] = '2'
3254 hostapd.add_ap(apdev[0]['ifname'], params)
3255 eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
3256 password_hex="0123456789abcdef0123456789abcdef")
3257 logger.info("Wait for reauthentication")
# The forced re-auth is visible on the STA as a fresh EAP-STARTED followed by
# EAP-SUCCESS.
3258 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
# NOTE(review): original lines 3259, 3262 and 3267-3268 are missing from
# this listing (presumably the `if ev is None:` guards and the loop's
# break/sleep).
3260 raise Exception("Timeout on reauthentication")
3261 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3263 raise Exception("Timeout on reauthentication")
# Poll wpa_state for a bounded number of rounds until the STA is COMPLETED.
3264 for i in range(0, 20):
3265 state = dev[0].get_status_field("wpa_state")
3266 if state == "COMPLETED":
3269 if state != "COMPLETED":
3270 raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity"""
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # The displayable text is followed by a literal "\0" separator and the
    # networkid/nasid/portid/NAIRealms identity hint options.
    ap_conf['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    # The STA must still complete EAP normally with the extra payload present.
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA/AKA' with protected result indication"""
    check_hlr_auc_gw_support()
    server_conf = int_eap_server_params()
    server_conf['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    # Let the server offer the protected success/failure result indication.
    server_conf['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], server_conf)

    def run_method(method, identity, secret):
        # dev[0] opts in to the protected result indication and additionally
        # exercises fast re-authentication; dev[1] authenticates with the
        # same credentials but without result_ind.
        eap_connect(dev[0], apdev[0], method, identity, password=secret,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], apdev[0], method, identity, password=secret)

    def clear_networks():
        for sta in (dev[0], dev[1]):
            sta.request("REMOVE_NETWORK all")

    # Test-vector Ki:OPc pairs understood by hlr_auc_gw (not real subscriber keys).
    sim_secret = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    run_method("SIM", "1232010000000000", sim_secret)
    clear_networks()
    # AKA appends the SQN to the same Ki:OPc pair.
    run_method("AKA", "0232010000000000", sim_secret + ":000000000123")
    clear_networks()
    run_method("AKA'", "6555444333222111",
               "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
3315 def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
3316 """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
# Verifies that the supplicant enforces its EAP roundtrip limit and aborts
# the exchange (the "EAP: more than" event) instead of looping indefinitely.
3317 skip_with_fips(dev[0])
3318 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3319 hostapd.add_ap(apdev[0]['ifname'], params)
3320 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
3321 eap="TTLS", identity="mschap user",
3322 wait_connect=False, scan_freq="2412", ieee80211w="1",
3323 anonymous_identity="ttls", password="password",
3324 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
# NOTE(review): original line 3325 (the connect() argument that provokes the
# excessive number of roundtrips) and line 3327 (presumably `if ev is None:`)
# are missing from this listing.
3326 ev = dev[0].wait_event(["EAP: more than"], timeout=20)
3328 raise Exception("EAP roundtrip limit not reached")
3330 def test_ap_wpa2_eap_expanded_nak(dev, apdev):
3331 """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
# The STA proposes a method the server will not accept, so the exchange is
# expected to pass through a "refuse proposed method" status and end in
# CTRL-EVENT-EAP-FAILURE.
3332 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3333 hostapd.add_ap(apdev[0]['ifname'], params)
3334 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
3335 eap="PSK", identity="vendor-test",
3336 password_hex="ff23456789abcdef0123456789abcdef",
# NOTE(review): original lines 3337-3339, 3342, 3345-3347, 3349 and 3351
# are missing from this listing (remaining connect() arguments, the
# `if ev is None:` guards and the loop's break/continue handling).
# Bounded wait for the status event we are interested in.
3340 for i in range(0, 5):
3341 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
3343 raise Exception("Association and EAP start timed out")
3344 if "refuse proposed method" in ev:
3348 raise Exception("Unexpected EAP status: " + ev)
3350 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3352 raise Exception("EAP failure timed out")
3354 def test_ap_wpa2_eap_sql(dev, apdev, params):
3355 """WPA2-Enterprise connection using SQLite for user DB"""
# Builds a throwaway SQLite user database under the test logdir and points
# the integrated EAP server at it via eap_user_file=sqlite:<path>.
# All SQL below uses fixed literals; no external data is interpolated.
3356 skip_with_fips(dev[0])
# NOTE(review): original lines 3357-3359 (the guarded `import sqlite3`),
# 3362-3365 and 3367-3368 (DB file cleanup and cursor creation), 3377-3378
# and 3396-3398 are missing from this listing.
3360 raise HwsimSkip("No sqlite3 module available")
# `params` here is still the test-harness dict (logdir); it is rebound to the
# hostapd configuration further down.
3361 dbfile = os.path.join(params['logdir'], "eap-user.db")
3366 con = sqlite3.connect(dbfile)
# Passwords are stored in the clear in this fixture DB; they are test
# credentials only.
3369 cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
3370 cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
3371 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
3372 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
3373 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
3374 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
# Empty-identity wildcard row selects the outer (phase 1) methods.
3375 cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
3376 cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
3379 params = int_eap_server_params()
3380 params["eap_user_file"] = "sqlite:" + dbfile
3381 hostapd.add_ap(apdev[0]['ifname'], params)
# One connection per inner method row, alternating between two STAs.
3382 eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
3383 anonymous_identity="ttls", password="password",
3384 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
3385 dev[0].request("REMOVE_NETWORK all")
3386 eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
3387 anonymous_identity="ttls", password="password",
3388 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
3389 dev[1].request("REMOVE_NETWORK all")
3390 eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
3391 anonymous_identity="ttls", password="password",
3392 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
3393 eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
3394 anonymous_identity="ttls", password="password",
3395 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3399 def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
3400 """WPA2-Enterprise connection attempt using non-ASCII identity"""
# Robustness check against the integrated EAP server: identities containing
# a non-ASCII byte must not break EAP start or method selection. Only the
# EAP-STARTED and EAP-METHOD events are checked, not the final outcome.
3401 params = int_eap_server_params()
3402 hostapd.add_ap(apdev[0]['ifname'], params)
3403 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3404 identity="\x80", password="password", wait_connect=False)
3405 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3406 identity="a\x80", password="password", wait_connect=False)
3407 for i in range(0, 2):
3408 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
# NOTE(review): original lines 3409 and 3412 (presumably the `if ev is None:`
# guards) are missing from this listing.
3410 raise Exception("Association and EAP start timed out")
3411 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
3413 raise Exception("EAP method selection timed out")
3415 def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
3416 """WPA2-Enterprise connection attempt using non-ASCII identity"""
# Same check as test_ap_wpa2_eap_non_ascii_identity but against the default
# wpa2_eap_params() AP (external RADIUS path) instead of the integrated
# EAP server.
3417 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3418 hostapd.add_ap(apdev[0]['ifname'], params)
3419 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3420 identity="\x80", password="password", wait_connect=False)
3421 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3422 identity="a\x80", password="password", wait_connect=False)
3423 for i in range(0, 2):
3424 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
# NOTE(review): original lines 3425 and 3428 (presumably the `if ev is None:`
# guards) are missing from this listing.
3426 raise Exception("Association and EAP start timed out")
3427 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
3429 raise Exception("EAP method selection timed out")
3431 def test_openssl_cipher_suite_config_wpas(dev, apdev):
3432 """OpenSSL cipher suite configuration on wpa_supplicant"""
# Exercises the per-network openssl_ciphers option on the STA side:
# a usable list connects, a weak (export-grade) list must fail, and an
# unparsable list must surface as an EAP failure.
3433 tls = dev[0].request("GET tls_library")
3434 if not tls.startswith("OpenSSL"):
3435 raise HwsimSkip("TLS library is not OpenSSL: " + tls)
3436 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3437 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3438 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3439 anonymous_identity="ttls", password="password",
3440 openssl_ciphers="AES128",
3441 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
# EXPORT ciphers must never yield a working tunnel; maybe_local_error allows
# the failure to originate locally (OpenSSL refusing the list) rather than
# from the server.
3442 eap_connect(dev[1], apdev[0], "TTLS", "pap user",
3443 anonymous_identity="ttls", password="password",
3444 openssl_ciphers="EXPORT",
3445 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
3446 expect_failure=True, maybe_local_error=True)
3447 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3448 identity="pap user", anonymous_identity="ttls",
3449 password="password",
3450 openssl_ciphers="FOO",
3451 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
# NOTE(review): original line 3452 (remaining connect() arguments) and 3454
# (presumably `if ev is None:`) are missing from this listing.
3453 ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
3455 raise Exception("EAP failure after invalid openssl_ciphers not reported")
3456 dev[2].request("DISCONNECT")
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd"""
    sta_tls = dev[0].request("GET tls_library")
    if not sta_tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + sta_tls)
    server_conf = int_eap_server_params()
    # Restrict the EAP server to AES-256 suites.
    server_conf['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], server_conf)
    ap_tls = hapd.request("GET tls_library")
    if not ap_tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + ap_tls)

    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Default STA cipher list: expected to negotiate.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **common)
    # STA limited to AES128 has nothing in common with an AES256-only
    # server: the handshake must fail.
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", expect_failure=True, **common)
    # HIGH:!ADH on the STA: expected to negotiate.
    eap_connect(dev[2], apdev[0], "TTLS", "pap user",
                openssl_ciphers="HIGH:!ADH", **common)

    # A cipher string OpenSSL cannot parse must be rejected at ENABLE time,
    # not silently ignored.
    server_conf['openssl_ciphers'] = "FOO"
    hapd2 = hostapd.add_ap(apdev[1]['ifname'], server_conf, no_enable=True)
    if "FAIL" not in hapd2.request("ENABLE"):
        raise Exception("Invalid openssl_ciphers value accepted")
3487 def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
3488 """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
# Checks that secret material (password, MSK/EMSK, PMK, the PTK components
# KCK/KEK/TK and the GTK) is scrubbed from wpa_supplicant's process memory as
# the corresponding state is torn down: after disassociation, after flushing
# the PMKSA cache / EAP fast re-auth data, and after removing the network
# profile. Key values are recovered from the hexdumps in the debug log and
# then searched for in a memory snapshot of the wpa_supplicant process.
# NOTE(review): this listing omits a number of original lines (3499-3500,
# 3502, 3505-3511, 3531, 3533-3537, 3540, 3548-3556 in part, 3559, 3562,
# 3565, 3574, 3584, 3586, 3589), including the split of ptk into kck/kek/tk
# and the individual `in buf` checks that precede the raises below.
3489 p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3490 hapd = hostapd.add_ap(apdev[0]['ifname'], p)
# Long random-looking password, presumably chosen so that a memory search for
# it does not match unrelated data.
3491 password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
3492 pid = find_wpas_process(dev[0])
3493 id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
3494 anonymous_identity="ttls", password=password,
3495 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3496 # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
3497 # event has been delivered, so verify that wpa_supplicant has returned to
3498 # eloop before reading process memory.
3501 buf = read_process_memory(pid, password)
3503 dev[0].request("DISCONNECT")
3504 dev[0].wait_disconnected()
# Recover the derived keys from the hexdump lines of the STA debug log.
# Each hexdump line has the form "<prefix>: <label> - hexdump(len=N): <bytes>",
# so field index 3 after splitting on ':' holds the hex bytes.
3512 with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
3513 for l in f.readlines():
3514 if "EAP-TTLS: Derived key - hexdump" in l:
3515 val = l.strip().split(':')[3].replace(' ', '')
3516 msk = binascii.unhexlify(val)
3517 if "EAP-TTLS: Derived EMSK - hexdump" in l:
3518 val = l.strip().split(':')[3].replace(' ', '')
3519 emsk = binascii.unhexlify(val)
3520 if "WPA: PMK - hexdump" in l:
3521 val = l.strip().split(':')[3].replace(' ', '')
3522 pmk = binascii.unhexlify(val)
3523 if "WPA: PTK - hexdump" in l:
3524 val = l.strip().split(':')[3].replace(' ', '')
3525 ptk = binascii.unhexlify(val)
3526 if "WPA: Group Key - hexdump" in l:
3527 val = l.strip().split(':')[3].replace(' ', '')
3528 gtk = binascii.unhexlify(val)
3529 if not msk or not emsk or not pmk or not ptk or not gtk:
3530 raise Exception("Could not find keys from debug log")
3532 raise Exception("Unexpected GTK length")
# Prefix for the memory-context dump files written by verify_not_present()
# when a key is unexpectedly found.
3538 fname = os.path.join(params['logdir'],
3539 'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
# While associated: password/PMK/MSK/EMSK are expected to be present (their
# absence is treated as a skip, not a failure), KCK/KEK must be present, and
# TK/GTK must already be gone from the supplicant (they live in the driver).
3541 logger.info("Checking keys in memory while associated")
3542 get_key_locations(buf, password, "Password")
3543 get_key_locations(buf, pmk, "PMK")
3544 get_key_locations(buf, msk, "MSK")
3545 get_key_locations(buf, emsk, "EMSK")
3546 if password not in buf:
3547 raise HwsimSkip("Password not found while associated")
3549 raise HwsimSkip("PMK not found while associated")
3551 raise Exception("KCK not found while associated")
3553 raise Exception("KEK not found while associated")
3555 raise Exception("TK found from memory")
3557 get_key_locations(buf, gtk, "GTK")
3558 raise Exception("GTK found from memory")
# After disassociation the PTK components and GTK must be scrubbed; the
# password and PMK legitimately remain (see the notes below).
3560 logger.info("Checking keys in memory after disassociation")
3561 buf = read_process_memory(pid, password)
3563 # Note: Password is still present in network configuration
3564 # Note: PMK is in PMKSA cache and EAP fast re-auth data
3566 get_key_locations(buf, password, "Password")
3567 get_key_locations(buf, pmk, "PMK")
3568 get_key_locations(buf, msk, "MSK")
3569 get_key_locations(buf, emsk, "EMSK")
3570 verify_not_present(buf, kck, fname, "KCK")
3571 verify_not_present(buf, kek, fname, "KEK")
3572 verify_not_present(buf, tk, fname, "TK")
3573 verify_not_present(buf, gtk, fname, "GTK")
# Flushing the PMKSA cache and changing the identity (which invalidates the
# EAP fast re-auth state) must remove the PMK.
3575 dev[0].request("PMKSA_FLUSH")
3576 dev[0].set_network_quoted(id, "identity", "foo")
3577 logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
3578 buf = read_process_memory(pid, password)
3579 get_key_locations(buf, password, "Password")
3580 get_key_locations(buf, pmk, "PMK")
3581 get_key_locations(buf, msk, "MSK")
3582 get_key_locations(buf, emsk, "EMSK")
3583 verify_not_present(buf, pmk, fname, "PMK")
# Removing the network profile is the last holder of the password and of any
# EAP-derived keys; afterwards nothing from the list may remain.
3585 dev[0].request("REMOVE_NETWORK all")
3587 logger.info("Checking keys in memory after network profile removal")
3588 buf = read_process_memory(pid, password)
3590 get_key_locations(buf, password, "Password")
3591 get_key_locations(buf, pmk, "PMK")
3592 get_key_locations(buf, msk, "MSK")
3593 get_key_locations(buf, emsk, "EMSK")
3594 verify_not_present(buf, password, fname, "password")
3595 verify_not_present(buf, pmk, fname, "PMK")
3596 verify_not_present(buf, kck, fname, "KCK")
3597 verify_not_present(buf, kek, fname, "KEK")
3598 verify_not_present(buf, tk, fname, "TK")
3599 verify_not_present(buf, gtk, fname, "GTK")
3600 verify_not_present(buf, msk, fname, "MSK")
3601 verify_not_present(buf, emsk, fname, "EMSK")
3603 def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
3604 """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
# Robustness check: after a completed WPA2 connection, a legacy (WEP-style)
# EAPOL-Key frame injected through the EAPOL_RX control interface command
# must be ignored by the supplicant. Only acceptance of the EAPOL_RX command
# itself is asserted here; the dropping is not otherwise observable in this
# function.
3605 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3606 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3607 bssid = apdev[0]['bssid']
3608 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3609 anonymous_identity="ttls", password="password",
3610 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3612 # Send unexpected WEP EAPOL-Key; this gets dropped
# Hex payload: EAPOL version 2, packet type 3 (EAPOL-Key), length 0x2c, then a
# key descriptor whose type byte is 1 (the legacy RC4 descriptor) with
# all-zero body.
3613 res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
# NOTE(review): original line 3614 (presumably the `if "OK" not in res:`
# check) is missing from this listing.
3615 raise Exception("EAPOL_RX to wpa_supplicant failed")
3617 def test_ap_wpa2_eap_in_bridge(dev, apdev):
3618 """WPA2-EAP and wpas interface in a bridge"""
# Wrapper around _test_ap_wpa2_eap_in_bridge that always tears the bridge
# down again, so a failing run does not leave host networking state behind.
# NOTE(review): original lines 3619-3621 and 3623 are missing from this
# listing; they presumably define br_ifname/ifname and open the try/finally
# that the cleanup calls below belong to.
3622 _test_ap_wpa2_eap_in_bridge(dev, apdev)
# Cleanup is best-effort (subprocess.call, return codes ignored) and uses
# argument lists, so no shell is involved.
3624 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
3625 subprocess.call(['brctl', 'delif', br_ifname, ifname])
3626 subprocess.call(['brctl', 'delbr', br_ifname])
3627 subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
3629 def _test_ap_wpa2_eap_in_bridge(dev, apdev):
# Body of the bridge test: puts a 4-address STA interface into a Linux
# bridge, attaches it to a separate wpa_supplicant instance with
# br_ifname set, and then checks that EAP, re-authentication and
# reconnection all work with EAPOL frames flowing over the bridge.
# NOTE(review): original lines 3632-3634, 3642-3643, 3646, 3648, 3651, 3654
# and 3657-3658 are missing from this listing (they presumably define
# br_ifname/ifname and hold blank lines).
3630 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3631 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3635 wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
3636 subprocess.call(['brctl', 'addbr', br_ifname])
# Forwarding delay 0 so the bridge port passes traffic immediately.
3637 subprocess.call(['brctl', 'setfd', br_ifname, '0'])
3638 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
3639 subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
# addif is the one step that must succeed; check_call raises on failure.
3640 subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
3641 wpas.interface_add(ifname, br_ifname=br_ifname)
3644 id = eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
3645 password_hex="0123456789abcdef0123456789abcdef")
3647 eap_reauth(wpas, "PAX")
3649 # Try again as a regression test for packet socket workaround
3650 eap_reauth(wpas, "PAX")
3652 wpas.request("DISCONNECT")
3653 wpas.wait_disconnected()
3655 wpas.request("RECONNECT")
3656 wpas.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS with TLS session tickets left enabled"""
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Sanity check that the AP really advertises WPA-EAP as its first AKM.
    akm_list = hapd.get_config()['key_mgmt']
    first_akm = akm_list.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + akm_list)
    # tls_disable_session_ticket=0 keeps the session ticket extension
    # enabled for this network profile.
    sta_args = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="tls_disable_session_ticket=0",
                    phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **sta_args)
    eap_reauth(dev[0], "TTLS")
3672 def test_ap_wpa2_eap_no_workaround(dev, apdev):
3673 """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
# Connect with the EAP interoperability workarounds disabled on the STA
# (eap_workaround='0') and verify that both the initial authentication and a
# re-authentication still succeed.
3674 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3675 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Sanity check that the AP advertises WPA-EAP as its first AKM.
3676 key_mgmt = hapd.get_config()['key_mgmt']
3677 if key_mgmt.split(' ')[0] != "WPA-EAP":
3678 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
3679 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3680 anonymous_identity="ttls", password="password",
3681 ca_cert="auth_serv/ca.pem", eap_workaround='0',
# NOTE(review): original line 3682 (the remaining eap_connect() argument,
# presumably the phase2 setting) is missing from this listing.
3683 eap_reauth(dev[0], "TTLS")
3685 def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
3686 """EAP-TLS and server checking CRL"""
# Verifies fail-closed CRL handling on the integrated EAP server: with
# check_crl enabled but no CRL loaded the client certificate must be rejected,
# and once a CA bundle carrying a CRL is configured the same client must be
# accepted for both check_crl=1 and check_crl=2.
# NOTE(review): original lines 3690, 3696-3697, 3699-3700, 3706-3707 and
# 3709-3710 are missing from this listing; the ones around hapd.set() are
# presumably the disable/enable cycle needed for the new setting to apply.
3687 params = int_eap_server_params()
3688 params['check_crl'] = '1'
3689 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3691 # check_crl=1 and no CRL available --> reject connection
3692 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3693 client_cert="auth_serv/user.pem",
3694 private_key="auth_serv/user.key", expect_failure=True)
3695 dev[0].request("REMOVE_NETWORK all")
# Switch the server to a CA file that also contains a CRL.
3698 hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")
3701 # check_crl=1 and valid CRL --> accept
3702 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3703 client_cert="auth_serv/user.pem",
3704 private_key="auth_serv/user.key")
3705 dev[0].request("REMOVE_NETWORK all")
3708 hapd.set("check_crl", "2")
3711 # check_crl=2 and valid CRL --> accept
3712 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3713 client_cert="auth_serv/user.pem",
3714 private_key="auth_serv/user.key")
3715 dev[0].request("REMOVE_NETWORK all")
3717 def test_ap_wpa2_eap_tls_oom(dev, apdev):
3718 """EAP-TLS and OOM"""
# Injects allocation failures while the STA applies its certificate matching
# constraints (subject_match, altsubject_match, domain_suffix_match,
# domain_match). The expected fail-closed behaviour is that TLS setup is
# aborted (observed as a CTRL-REQ-PASSPHRASE request) rather than the
# connection proceeding without the constraint that could not be allocated.
3719 check_subject_match_support(dev[0])
3720 check_altsubject_match_support(dev[0])
3721 check_domain_match(dev[0])
3722 check_domain_match_full(dev[0])
3724 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3725 hostapd.add_ap(apdev[0]['ifname'], params)
# (allocation index, function) pairs: fail the 1st..4th allocation inside
# tls_connection_set_subject_match.
3727 tests = [ (1, "tls_connection_set_subject_match"),
3728 (2, "tls_connection_set_subject_match"),
3729 (3, "tls_connection_set_subject_match"),
3730 (4, "tls_connection_set_subject_match") ]
3731 for count, func in tests:
3732 with alloc_fail(dev[0], count, func):
3733 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3734 identity="tls user", ca_cert="auth_serv/ca.pem",
3735 client_cert="auth_serv/user.pem",
3736 private_key="auth_serv/user.key",
3737 subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
3738 altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
3739 domain_suffix_match="server.w1.fi",
3740 domain_match="server.w1.fi",
3741 wait_connect=False, scan_freq="2412")
3742 # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
3743 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
# NOTE(review): original line 3744 (presumably `if ev is None:`) is missing
# from this listing.
3745 raise Exception("No passphrase request")
3746 dev[0].request("REMOVE_NETWORK all")
3747 dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL"""
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # macaddr_acl=2 selects hostapd's external (RADIUS-backed) MAC ACL mode.
    ap_conf["macaddr_acl"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    # dev[1] is the STA whose address the ACL is expected to admit.
    cert_args = dict(ca_cert="auth_serv/ca.pem",
                     client_cert="auth_serv/user.pem",
                     private_key="auth_serv/user.key")
    eap_connect(dev[1], apdev[0], "TLS", "tls user", **cert_args)
3758 def test_ap_wpa2_eap_oom(dev, apdev):
3759 """EAP server and OOM"""
# Injects a failure into the first eapol_auth_alloc() call on the AP, i.e.
# the authenticator cannot set up EAPOL state for the first association
# attempt, and checks that the STA still ends up connected afterwards.
3760 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3761 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3762 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
3764 with alloc_fail(hapd, 1, "eapol_auth_alloc"):
3765 # The first attempt fails, but STA will send EAPOL-Start to retry and
# NOTE(review): original lines 3766 (continuation of the comment above) and
# 3771-3772 (remaining connect() arguments) are missing from this listing.
3767 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3768 identity="tls user", ca_cert="auth_serv/ca.pem",
3769 client_cert="auth_serv/user.pem",
3770 private_key="auth_serv/user.key",
3773 def check_tls_ver(dev, ap, phase1, expected):
# Helper: connect with EAP-TLS using the given phase1 string (TLS version
# knobs) and verify that the negotiated version reported in the
# eap_tls_version status field equals `expected`.
# NOTE(review): original lines 3777 (the remaining eap_connect() argument,
# presumably phase1=phase1) and 3779 (presumably `if ver != expected:`) are
# missing from this listing.
3774 eap_connect(dev, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3775 client_cert="auth_serv/user.pem",
3776 private_key="auth_serv/user.key",
3778 ver = dev.get_status_field("eap_tls_version")
3780 raise Exception("Unexpected TLS version (expected %s): %s" % (expected, ver))
3782 def test_ap_wpa2_eap_tls_versions(dev, apdev):
3783 """EAP-TLS and TLS version configuration"""
# Disabling all but one TLS version on the STA must pin the negotiated
# version to the remaining one, i.e. the phase1 knobs actually prevent a
# downgrade to a disabled version. Which versions can be tested depends on
# the TLS library in use.
3784 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3785 hostapd.add_ap(apdev[0]['ifname'], params)
3787 tls = dev[0].request("GET tls_library")
3788 if tls.startswith("OpenSSL"):
# Only exercised when both the build-time and run-time OpenSSL are 1.0.2.
3789 if "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
3790 check_tls_ver(dev[0], apdev[0],
3791 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
# NOTE(review): original line 3792 (the expected version string for the
# OpenSSL case) is missing from this listing.
3793 elif tls.startswith("internal"):
3794 check_tls_ver(dev[0], apdev[0],
3795 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2")
3796 check_tls_ver(dev[1], apdev[0],
3797 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
3798 check_tls_ver(dev[2], apdev[0],
3799 "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
3801 def test_rsn_ie_proto_eap_sta(dev, apdev):
3802 """RSN element protocol testing for EAP cases on STA side"""
# The AP is made to advertise progressively truncated RSN elements (each one
# omits a further trailing, optional field). The STA must still parse them,
# fall back to the defaults for the omitted fields, and reconnect each time.
# NOTE(review): original lines 3811-3812 (remaining connect() arguments),
# 3820 (the IE for the last test case), 3824-3825, 3827 and 3832 are missing
# from this listing.
3803 bssid = apdev[0]['bssid']
3804 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3805 # This is the RSN element used normally by hostapd
3806 params['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
3807 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3808 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
3809 identity="gpsk user",
3810 password="abcdefghijklmnop0123456789abcdef",
# (description, raw RSN element hex) pairs, shortest last.
3813 tests = [ ('No RSN Capabilities field',
3814 '30120100000fac040100000fac040100000fac01'),
3815 ('No AKM Suite fields',
3816 '300c0100000fac040100000fac04'),
3817 ('No Pairwise Cipher Suite fields',
3818 '30060100000fac04'),
3819 ('No Group Data Cipher Suite field',
3821 for txt,ie in tests:
3822 dev[0].request("DISCONNECT")
3823 dev[0].wait_disconnected()
3826 hapd.set('own_ie_override', ie)
# Drop the cached BSS entry so the STA picks up the new RSN element from a
# fresh scan rather than the old one.
3828 dev[0].request("BSS_FLUSH 0")
3829 dev[0].scan_for_bss(bssid, 2412, force_scan=True, only_new=True)
3830 dev[0].select_network(id, freq=2412)
3831 dev[0].wait_connected()
def check_tls_session_resumption_capa(dev, hapd):
    """Skip the test unless both hostapd and wpa_supplicant are built on OpenSSL.

    hapd is checked first, then dev; the first non-OpenSSL library raises
    HwsimSkip with a message naming the offending side.
    """
    checks = (
        (hapd, "hostapd TLS library is not OpenSSL: "),
        (dev, "Session resumption not supported with this TLS library: "),
    )
    for peer, message in checks:
        tls_lib = peer.request("GET tls_library")
        if not tls_lib.startswith("OpenSSL"):
            raise HwsimSkip(message + tls_lib)
3842 def test_eap_ttls_pap_session_resumption(dev, apdev):
3843 """EAP-TTLS/PAP session resumption"""
# First connection must be a full handshake (tls_session_reused=0); a
# REAUTHENTICATE afterwards must resume the cached TLS session
# (tls_session_reused=1) while still completing a new key handshake with
# the AP.
3844 params = int_eap_server_params()
# Non-zero lifetime enables server-side TLS session caching.
3845 params['tls_session_lifetime'] = '60'
3846 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3847 check_tls_session_resumption_capa(dev[0], hapd)
3848 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3849 anonymous_identity="ttls", password="password",
3850 ca_cert="auth_serv/ca.pem", eap_workaround='0',
# NOTE(review): original lines 3851 (remaining eap_connect() argument,
# presumably phase2), 3854, 3857, 3860 and 3864 are missing from this listing.
3852 if dev[0].get_status_field("tls_session_reused") != '0':
3853 raise Exception("Unexpected session resumption on the first connection")
3855 dev[0].request("REAUTHENTICATE")
3856 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3858 raise Exception("EAP success timed out")
3859 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3861 raise Exception("Key handshake with the AP timed out")
3862 if dev[0].get_status_field("tls_session_reused") != '1':
3863 raise Exception("Session resumption not used on the second connection")
3865 def test_eap_ttls_chap_session_resumption(dev, apdev):
3866 """EAP-TTLS/CHAP session resumption"""
# Same flow as the PAP variant with an inner CHAP method: full handshake on
# the first connection, resumed TLS session on REAUTHENTICATE.
3867 params = int_eap_server_params()
3868 params['tls_session_lifetime'] = '60'
3869 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3870 check_tls_session_resumption_capa(dev[0], hapd)
3871 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
3872 anonymous_identity="ttls", password="password",
3873 ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
3874 if dev[0].get_status_field("tls_session_reused") != '0':
3875 raise Exception("Unexpected session resumption on the first connection")
# NOTE(review): original lines 3879 and 3882 (presumably the `if ev is None:`
# guards) are missing from this listing.
3877 dev[0].request("REAUTHENTICATE")
3878 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3880 raise Exception("EAP success timed out")
3881 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3883 raise Exception("Key handshake with the AP timed out")
3884 if dev[0].get_status_field("tls_session_reused") != '1':
3885 raise Exception("Session resumption not used on the second connection")
3887 def test_eap_ttls_mschap_session_resumption(dev, apdev):
3888 """EAP-TTLS/MSCHAP session resumption"""
# Same flow as the PAP variant with an inner MSCHAP method; additionally
# pins the server certificate with domain_suffix_match so resumption is
# exercised together with name matching.
3889 check_domain_suffix_match(dev[0])
3890 params = int_eap_server_params()
3891 params['tls_session_lifetime'] = '60'
3892 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3893 check_tls_session_resumption_capa(dev[0], hapd)
3894 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
3895 anonymous_identity="ttls", password="password",
3896 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3897 domain_suffix_match="server.w1.fi")
3898 if dev[0].get_status_field("tls_session_reused") != '0':
3899 raise Exception("Unexpected session resumption on the first connection")
# NOTE(review): original lines 3903 and 3906 (presumably the `if ev is None:`
# guards) are missing from this listing.
3901 dev[0].request("REAUTHENTICATE")
3902 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3904 raise Exception("EAP success timed out")
3905 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3907 raise Exception("Key handshake with the AP timed out")
3908 if dev[0].get_status_field("tls_session_reused") != '1':
3909 raise Exception("Session resumption not used on the second connection")
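def test_eap_ttls_mschapv2_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAPv2 session resumption

    Connects once with EAP-TTLS/MSCHAPv2 (full TLS handshake), then issues
    REAUTHENTICATE and requires the second EAP exchange to resume the cached
    TLS session (tls_session_reused must go from '0' to '1').

    Raises Exception on an event timeout or an unexpected resumption state.
    """
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_eap_server_params()
    # Non-zero lifetime enables the server-side TLS session cache.
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    # The identity was written as "DOMAIN\mschapv2 user": "\m" is an invalid
    # escape sequence that newer Python versions warn about. The escaped
    # backslash below yields exactly the same string value.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")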
def test_eap_ttls_eap_gtc_session_resumption(dev, apdev):
    """EAP-TTLS/EAP-GTC session resumption"""

    def expect(event, failure):
        # Block up to 10 s for a single wpa_supplicant event.
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(failure)

    params = int_eap_server_params()
    # Enable the server-side TLS session cache.
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    # Inner method is EAP-GTC carried inside the tunnel (autheap=).
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    expect("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out")
    expect("WPA: Key negotiation completed",
           "Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_no_session_resumption(dev, apdev):
    """EAP-TTLS session resumption disabled on server"""
    # tls_session_lifetime=0 turns the server-side TLS session cache off, so
    # the reauthentication below must run a full handshake again.
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '0'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                # (the closing argument line of this call is missing from
                # this listing)
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # (guard line missing from this listing; presumably `if ev is None:`)
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    # (guard line missing from this listing; presumably `if ev is None:`)
        raise Exception("Key handshake with the AP timed out")
    # With the cache disabled the second connection must also be a full one.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_peap_session_resumption(dev, apdev):
    """EAP-PEAP session resumption"""
    sta = dev[0]
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'  # server-side session cache on
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(sta, hapd)
    eap_connect(sta, apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    # The initial connection must be a full handshake.
    reused = sta.get_status_field("tls_session_reused")
    if reused != '0':
        raise Exception("Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    ev = sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("EAP success timed out")
    ev = sta.wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    # ... and the reauthentication must have resumed the cached session.
    reused = sta.get_status_field("tls_session_reused")
    if reused != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_peap_session_resumption_crypto_binding(dev, apdev):
    """EAP-PEAP session resumption with crypto binding"""
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'  # enable the server session cache
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    # PEAPv0 with crypto_binding=2 (the phase1 value that requires the
    # crypto binding TLV); resumption must still work with it.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                phase1="peapver=0 crypto_binding=2",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if dev[0].wait_event(["WPA: Key negotiation completed"],
                         timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_peap_no_session_resumption(dev, apdev):
    """EAP-PEAP session resumption disabled on server"""
    sta = dev[0]
    # No tls_session_lifetime is set here, so this relies on the
    # int_eap_server_params() default leaving the session cache disabled
    # (the EAP-TTLS variant of this test sets '0' explicitly).
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(sta, apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    waits = (("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out"),
             ("WPA: Key negotiation completed",
              "Key handshake with the AP timed out"))
    for pattern, failure in waits:
        if sta.wait_event([pattern], timeout=10) is None:
            raise Exception(failure)
    # Both connections must be full handshakes.
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_tls_session_resumption(dev, apdev):
    """EAP-TLS session resumption"""

    def reauth_and_wait():
        # Trigger a new EAP exchange and wait for EAP and 4-way handshake.
        dev[0].request("REAUTHENTICATE")
        if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if dev[0].wait_event(["WPA: Key negotiation completed"],
                             timeout=10) is None:
            raise Exception("Key handshake with the AP timed out")

    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'  # enable the server session cache
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # A resumed session must itself remain resumable: check two
    # consecutive reauthentications.
    reauth_and_wait()
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")

    reauth_and_wait()
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the third connection")
def test_eap_tls_session_resumption_expiration(dev, apdev):
    """EAP-TLS session resumption with cached session lifetime expiration"""
    # A 1-second tls_session_lifetime: the first connection populates the
    # server cache, and a reauthentication after the lifetime has passed
    # must not be able to resume the expired entry.
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '1'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Allow multiple attempts since OpenSSL may not expire the cached entry
    # (the retry loop header and its delay are missing from this listing;
    # the statements below presumably run inside that loop)
        dev[0].request("REAUTHENTICATE")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        # (guard line missing from this listing; presumably `if ev is None:`)
            raise Exception("EAP success timed out")
        ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
        # (guard line missing from this listing; presumably `if ev is None:`)
            raise Exception("Key handshake with the AP timed out")
        # Stop retrying once a full (non-resumed) handshake has been seen.
        if dev[0].get_status_field("tls_session_reused") == '0':
            # (loop-exit statement missing from this listing)
    # After the retries the session must not have been resumed any more.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Session resumption used after lifetime expiration")
def test_eap_tls_no_session_resumption(dev, apdev):
    """EAP-TLS session resumption disabled on server"""
    sta = dev[0]
    # No tls_session_lifetime is set: relies on int_eap_server_params()
    # leaving the server-side session cache disabled by default.
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(sta, apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    eap_ok = sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if eap_ok is None:
        raise Exception("EAP success timed out")
    keys_ok = sta.wait_event(["WPA: Key negotiation completed"], timeout=10)
    if keys_ok is None:
        raise Exception("Key handshake with the AP timed out")
    # The reauthentication must also have been a full handshake.
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_tls_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption (RADIUS)"""
    # Split setup: apdev[1] runs the EAP/RADIUS authentication server with
    # the TLS session cache enabled, apdev[0] is a plain WPA2-EAP AP that
    # relays EAP to it over RADIUS (auth_server_port 18128).
    params = { "ssid": "as", "beacon_int": "2000",
               "radius_server_clients": "auth_serv/radius_clients.conf",
               "radius_server_auth_port": '18128',
               # (one dictionary entry line is missing from this listing)
               "eap_user_file": "auth_serv/eap_user.conf",
               "ca_cert": "auth_serv/ca.pem",
               "server_cert": "auth_serv/server.pem",
               "private_key": "auth_serv/server.key",
               "tls_session_lifetime": "60" }
    authsrv = hostapd.add_ap(apdev[1]['ifname'], params)
    # The capability check is done against the RADIUS server instance,
    # i.e. the side that owns the TLS session cache.
    check_tls_session_resumption_capa(dev[0], authsrv)

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # (guard line missing from this listing; presumably `if ev is None:`)
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    # (guard line missing from this listing; presumably `if ev is None:`)
        raise Exception("Key handshake with the AP timed out")
    # Resumption has to work across the RADIUS hop as well.
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_tls_no_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption disabled (RADIUS)"""
    # Same split setup as test_eap_tls_session_resumption_radius, but the
    # RADIUS server has tls_session_lifetime=0, i.e. no session cache.
    params = { "ssid": "as", "beacon_int": "2000",
               "radius_server_clients": "auth_serv/radius_clients.conf",
               "radius_server_auth_port": '18128',
               # (one dictionary entry line is missing from this listing)
               "eap_user_file": "auth_serv/eap_user.conf",
               "ca_cert": "auth_serv/ca.pem",
               "server_cert": "auth_serv/server.pem",
               "private_key": "auth_serv/server.key",
               "tls_session_lifetime": "0" }
    hostapd.add_ap(apdev[1]['ifname'], params)

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # (guard line missing from this listing; presumably `if ev is None:`)
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    # (guard line missing from this listing; presumably `if ev is None:`)
        raise Exception("Key handshake with the AP timed out")
    # Both connections must be full handshakes.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_mschapv2_errors(dev, apdev):
    """EAP-MSCHAPv2 error cases"""
    # Fault-injection coverage of the EAP-MSCHAPv2 peer implementation.
    # Each (count, func) entry arms a wpa_supplicant test hook (fail_test /
    # alloc_fail; presumably the count-th call of func is made to fail),
    # starts a connection that is not expected to complete, waits for the
    # hook to fire, then removes the network before the next case.
    check_eap_capa(dev[0], "MSCHAPV2")
    check_eap_capa(dev[0], "FAST")

    params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Baseline: a successful EAP-MSCHAPv2 connection before injecting faults.
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                   identity="phase1-user", password="password",
                   # (the closing argument line of this call is missing from
                   # this listing)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # Failures in the response derivation from a plaintext password.
    # NOTE(review): "nt_password_hash;=mschapv2_derive_response" is listed
    # twice; the second entry repeats the same case.
    tests = [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
              (1, "nt_password_hash;mschapv2_derive_response"),
              (1, "nt_password_hash;=mschapv2_derive_response"),
              (1, "generate_nt_response;mschapv2_derive_response"),
              (1, "generate_authenticator_response;mschapv2_derive_response"),
              (1, "nt_password_hash;=mschapv2_derive_response"),
              (1, "get_master_key;mschapv2_derive_response"),
              (1, "os_get_random;eap_mschapv2_challenge_reply") ]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                           identity="phase1-user", password="password",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # Same derivation path, but starting from a pre-hashed NT password
    # (password_hex="hash:...") instead of the plaintext one.
    tests = [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
              (1, "hash_nt_password_hash;=mschapv2_derive_response"),
              (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
              (1, "generate_authenticator_response_pwhash;mschapv2_derive_response") ]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                           identity="phase1-user",
                           password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # Memory allocation failures at the main EAP-MSCHAPv2 peer entry points.
    tests = [ (1, "eap_mschapv2_init"),
              (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
              (1, "eap_msg_alloc;eap_mschapv2_success"),
              (1, "eap_mschapv2_getKey") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                           identity="phase1-user", password="password",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # The failure-response path is only reached with a wrong password.
    tests = [ (1, "eap_msg_alloc;eap_mschapv2_failure") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                           identity="phase1-user", password="wrong password",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # Later eap_mschapv2_init allocations are exercised via EAP-FAST, where
    # MSCHAPv2 runs as the inner method during in-band provisioning.
    tests = [ (2, "eap_mschapv2_init"),
              (3, "eap_mschapv2_init") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="FAST",
                           anonymous_identity="FAST", identity="user",
                           password="password",
                           ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                           phase1="fast_provisioning=1",
                           pac_file="blob://fast_pac",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
def test_eap_gpsk_errors(dev, apdev):
    """EAP-GPSK error cases"""
    # Fault-injection coverage of the EAP-GPSK peer: crypto/random failures
    # via fail_test and allocation failures via alloc_fail. Every injected
    # case must end without a completed connection; the network is removed
    # between cases.
    params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Baseline: a successful EAP-GPSK connection before injecting faults.
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                   identity="gpsk user",
                   password="abcdefghijklmnop0123456789abcdef",
                   # (the closing argument line of this call is missing from
                   # this listing)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # (count, func, phase1): phase1 selects the GPSK cipher suite for the
    # case; None keeps the default. Several tuples below are split across
    # lines whose continuation (the phase1 value) is missing from this
    # listing.
    tests = [ (1, "os_get_random;eap_gpsk_send_gpsk_2", None),
              (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
               # (phase1 value line missing from this listing)
              (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
               # (phase1 value line missing from this listing)
              (1, "eap_gpsk_derive_keys_helper", None),
              (2, "eap_gpsk_derive_keys_helper", None),
              (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
               # (phase1 value line missing from this listing)
              (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
               # (phase1 value line missing from this listing)
              (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
              (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
              (1, "eap_gpsk_derive_mid_helper", None) ]
    for count, func, phase1 in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                           identity="gpsk user",
                           password="abcdefghijklmnop0123456789abcdef",
                           # (argument line missing from this listing;
                           # presumably passes phase1 through)
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # Allocation failures; erp="1" additionally exercises the EMSK/session-id
    # derivation paths (eap_gpsk_get_emsk, eap_gpsk_get_session_id).
    tests = [ (1, "eap_gpsk_init"),
              (2, "eap_gpsk_init"),
              (3, "eap_gpsk_init"),
              (1, "eap_gpsk_process_id_server"),
              (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
              (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
              (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
              (1, "eap_gpsk_derive_keys"),
              (1, "eap_gpsk_derive_keys_helper"),
              (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
              (1, "eap_gpsk_getKey"),
              (1, "eap_gpsk_get_emsk"),
              (1, "eap_gpsk_get_session_id") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            # Drop any cached ERP keys so each case starts from a clean state.
            dev[0].request("ERP_FLUSH")
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                           identity="gpsk user", erp="1",
                           password="abcdefghijklmnop0123456789abcdef",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
def test_ap_wpa2_eap_sim_db(dev, apdev, params):
    """EAP-SIM DB error cases"""
    # Exercises hostapd's external EAP-SIM DB (hlr_auc_gw) interface over a
    # Unix datagram socket: an absent backend, malformed replies and a reply
    # timeout must all end in EAP-Failure; a genuine hlr_auc_gw reply must
    # let the station authenticate.
    # NOTE(review): fixed socket path in the shared /tmp directory; fine on
    # a dedicated hwsim test host, not a pattern to copy into production code.
    sockpath = '/tmp/hlr_auc_gw.sock-test'
    # (lines that presumably remove a stale socket file are missing from
    # this listing)
    hparams = int_eap_server_params()
    hparams['eap_sim_db'] = 'unix:' + sockpath
    hapd = hostapd.add_ap(apdev[0]['ifname'], hparams)

    # Initial test with hlr_auc_gw socket not available
    # password is the SIM test credential in "Ki:OPc" hex form (presumably
    # matching the hwsim milenage database); `id` shadows the builtin here.
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                        eap="SIM", identity="1232010000000000",
                        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                        scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    # (guard line missing from this listing; presumably `if ev is None:`)
        raise Exception("EAP-Failure not reported")
    dev[0].wait_disconnected()
    dev[0].request("DISCONNECT")

    # Test with invalid responses and response timeout
    # Python 2-era handler: request payloads and replies are plain str.
    class test_handler(SocketServer.DatagramRequestHandler):
        # (the `def handle(self):` line is missing from this listing)
            data = self.request[0].strip()
            socket = self.request[1]   # the datagram socket, not the module
            logger.debug("Received hlr_auc_gw request: " + data)
            # Three garbage replies to the same request, each expected to be
            # rejected by hostapd's response parser:
            # EAP-SIM DB: Failed to parse response string
            socket.sendto("FOO", self.client_address)
            # EAP-SIM DB: Failed to parse response string
            socket.sendto("FOO 1", self.client_address)
            # EAP-SIM DB: Unknown external response
            socket.sendto("FOO 1 2", self.client_address)
            logger.info("No proper response - wait for pending eap_sim_db request timeout")

    server = SocketServer.UnixDatagramServer(sockpath, test_handler)
    # (two lines are missing from this listing here)
    dev[0].select_network(id)
    server.handle_request()   # serves exactly one datagram
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    # (guard line missing from this listing; presumably `if ev is None:`)
        raise Exception("EAP-Failure not reported")
    dev[0].wait_disconnected()
    dev[0].request("DISCONNECT")

    # Test with a valid response
    # Forwards the request to the real hlr_auc_gw binary (with the milenage
    # DB from the log directory) and relays its answer back to hostapd.
    class test_handler2(SocketServer.DatagramRequestHandler):
        # (the `def handle(self):` line is missing from this listing)
            data = self.request[0].strip()
            socket = self.request[1]
            logger.debug("Received hlr_auc_gw request: " + data)
            fname = os.path.join(params['logdir'],
                                 'hlr_auc_gw.milenage_db')
            # Argument list form (no shell); one argument line is missing
            # from this listing.
            cmd = subprocess.Popen(['../../hostapd/hlr_auc_gw',
                                    # (argument line missing from this listing)
                                    stdout=subprocess.PIPE)
            res = cmd.stdout.read().strip()
            # (one line missing from this listing)
            logger.debug("hlr_auc_gw response: " + res)
            socket.sendto(res, self.client_address)

    # Swap the handler on the existing server rather than rebinding the path.
    server.RequestHandlerClass = test_handler2
    dev[0].select_network(id)
    server.handle_request()
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
def test_eap_tls_sha512(dev, apdev, params):
    """EAP-TLS with SHA512 signature"""
    # NOTE(review): the `params` fixture argument is never used; the local
    # assignment below shadows it with the hostapd configuration.
    # Server chain signed with SHA-512 (sha512-ca / sha512-server).
    params = int_eap_server_params()
    params["ca_cert"] = "auth_serv/sha512-ca.pem"
    params["server_cert"] = "auth_serv/sha512-server.pem"
    params["private_key"] = "auth_serv/sha512-server.key"
    hostapd.add_ap(apdev[0]['ifname'], params)

    # dev[0]: SHA-512 signed client certificate.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha512-user.pem",
                   private_key="auth_serv/sha512-user.key",
                   # (the closing argument line of this call is missing from
                   # this listing)
    # dev[1]: SHA-384 signed client certificate against the same server.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha384-user.pem",
                   private_key="auth_serv/sha384-user.key",
                   # (the closing argument line of this call is missing from
                   # this listing)
def test_eap_tls_sha384(dev, apdev, params):
    """EAP-TLS with SHA384 signature"""
    # NOTE(review): the `params` fixture argument is never used; the local
    # assignment below shadows it with the hostapd configuration.
    # SHA-384 signed server certificate under the sha512 CA.
    params = int_eap_server_params()
    params["ca_cert"] = "auth_serv/sha512-ca.pem"
    params["server_cert"] = "auth_serv/sha384-server.pem"
    params["private_key"] = "auth_serv/sha384-server.key"
    hostapd.add_ap(apdev[0]['ifname'], params)

    # dev[0]: SHA-512 signed client certificate.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha512-user.pem",
                   private_key="auth_serv/sha512-user.key",
                   # (the closing argument line of this call is missing from
                   # this listing)
    # dev[1]: SHA-384 signed client certificate.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha384-user.pem",
                   private_key="auth_serv/sha384-user.key",
                   # (the closing argument line of this call is missing from
                   # this listing)
def test_ap_wpa2_eap_assoc_rsn(dev, apdev):
    """WPA2-Enterprise AP and association request RSN IE differences"""
    # set_test_assoc_ie() makes wpa_supplicant send the given hex bytes as
    # the RSN element (id 0x30) of its association request instead of the
    # normally generated one. Optional or truncated fields must still be
    # accepted by hostapd; mismatching cipher / PMF selections must be
    # rejected with the expected 802.11 status code.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Second AP with PMF required (ieee80211w=2) for the MFP-related cases.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap-11w")
    params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[1]['ifname'], params)

    # Success cases with optional RSN IE fields removed one by one
    tests = [ ("Normal wpa_supplicant assoc req RSN IE",
               "30140100000fac040100000fac040100000fac010000"),
              ("Extra PMKIDCount field in RSN IE",
               "30160100000fac040100000fac040100000fac0100000000"),
              ("Extra Group Management Cipher Suite in RSN IE",
               "301a0100000fac040100000fac040100000fac0100000000000fac06"),
              ("Extra undefined extension field in RSN IE",
               "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
              ("RSN IE without RSN Capabilities",
               "30120100000fac040100000fac040100000fac01"),
              ("RSN IE without AKM", "300c0100000fac040100000fac04"),
              ("RSN IE without pairwise", "30060100000fac04"),
              ("RSN IE without group", "30020100") ]
    for title, ie in tests:
        # (one line is missing from this listing; presumably logs `title`)
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
                       identity="gpsk user",
                       password="abcdefghijklmnop0123456789abcdef",
                       # (the closing argument line of this call is missing
                       # from this listing)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Success cases against the PMF-required AP (RSN Capabilities "cc00").
    tests = [ ("Normal wpa_supplicant assoc req RSN IE",
               "30140100000fac040100000fac040100000fac01cc00"),
              ("Group management cipher included in assoc req RSN IE",
               "301a0100000fac040100000fac040100000fac01cc000000000fac06") ]
    for title, ie in tests:
        # (one line is missing from this listing; presumably logs `title`)
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
                       eap="GPSK", identity="gpsk user",
                       password="abcdefghijklmnop0123456789abcdef",
                       # (the closing argument line of this call is missing
                       # from this listing)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Rejection cases: (title, ie, expected association status code).
    tests = [ ("Invalid group cipher", "30060100000fac02", 41),
              ("Invalid pairwise cipher", "300c0100000fac040100000fac02", 42) ]
    for title, ie, status in tests:
        # (one line is missing from this listing; presumably logs `title`)
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
                       identity="gpsk user",
                       password="abcdefghijklmnop0123456789abcdef",
                       scan_freq="2412", wait_connect=False)
        ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
        # (guard line missing from this listing; presumably `if ev is None:`)
            raise Exception("Association rejection not reported")
        if "status_code=" + str(status) not in ev:
            raise Exception("Unexpected status code: " + ev)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].dump_monitor()

    # Rejection cases on the PMF-required AP (status 31 for both).
    tests = [ ("Management frame protection not enabled",
               "30140100000fac040100000fac040100000fac010000", 31),
              ("Unsupported management group cipher",
               "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 31) ]
    for title, ie, status in tests:
        # (one line is missing from this listing; presumably logs `title`)
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
                       eap="GPSK", identity="gpsk user",
                       password="abcdefghijklmnop0123456789abcdef",
                       scan_freq="2412", wait_connect=False)
        ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
        # (guard line missing from this listing; presumably `if ev is None:`)
            raise Exception("Association rejection not reported")
        if "status_code=" + str(status) not in ev:
            raise Exception("Unexpected status code: " + ev)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].dump_monitor()
def test_eap_tls_ext_cert_check(dev, apdev):
    """EAP-TLS and external server certification validation"""
    # With internal server certificate chain validation (ca_cert is set);
    # tls_ext_cert_check=1 additionally hands the received chain to the
    # control-interface client for an external verdict.
    network = dict(key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/ca.pem",
                   client_cert="auth_serv/user.pem",
                   private_key="auth_serv/user.key",
                   phase1="tls_ext_cert_check=1", scan_freq="2412",
                   only_add_network=True)
    net_id = dev[0].connect("test-wpa2-eap", **network)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_ttls_ext_cert_check(dev, apdev):
    """EAP-TTLS and external server certification validation"""
    # Without internal server certificate chain validation: no ca_cert is
    # configured, so the external check (tls_ext_cert_check=1) is the only
    # thing deciding whether the server certificate is trusted.
    network = dict(key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password", phase2="auth=PAP",
                   phase1="tls_ext_cert_check=1", scan_freq="2412",
                   only_add_network=True)
    net_id = dev[0].connect("test-wpa2-eap", **network)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_peap_ext_cert_check(dev, apdev):
    """EAP-PEAP and external server certification validation"""
    # With internal server certificate chain validation (ca_cert is set)
    # plus the external check requested via tls_ext_cert_check=1.
    network = dict(key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", anonymous_identity="peap",
                   ca_cert="auth_serv/ca.pem",
                   password="password", phase2="auth=MSCHAPV2",
                   phase1="tls_ext_cert_check=1", scan_freq="2412",
                   only_add_network=True)
    net_id = dev[0].connect("test-wpa2-eap", **network)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_fast_ext_cert_check(dev, apdev):
    """EAP-FAST and external server certification validation"""
    check_eap_capa(dev[0], "FAST")
    # With internal server certificate chain validation
    # Clear any PAC left over in the blob (the trailing space presumably sets
    # an empty value) so provisioning starts from scratch.
    dev[0].request("SET blob fast_pac_auth_ext ")
    # fast_provisioning=2: authenticated provisioning only, so the server
    # certificate is actually validated (and handed to the external check).
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                        identity="user", anonymous_identity="FAST",
                        ca_cert="auth_serv/ca.pem",
                        password="password", phase2="auth=GTC",
                        phase1="tls_ext_cert_check=1 fast_provisioning=2",
                        pac_file="blob://fast_pac_auth_ext",
                        # (one argument line is missing from this listing)
                        only_add_network=True)
    run_ext_cert_check(dev, apdev, id)
def run_ext_cert_check(dev, apdev, net_id):
    """Drive the external server certificate check for network net_id.

    Collects the server certificate chain from CTRL-EVENT-EAP-PEER-CERT
    events, inspects the subject/issuer CNs with pyOpenSSL, answers the
    CTRL-REQ-EXT_CERT_CHECK request with "good" and expects the connection
    to complete; then reconnects, answers "bad" and expects EAP-Failure.
    Raises HwsimSkip without pyOpenSSL, Exception on any deviation.
    """
    check_ext_cert_check_support(dev[0])
    if not openssl_imported:
        raise HwsimSkip("OpenSSL python method not available")

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    dev[0].select_network(net_id)
    # (the `certs` initialisation and the loop header are missing from this
    # listing; the event handling below presumably runs inside a loop that
    # ends once the external check request arrives)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
                                "CTRL-REQ-EXT_CERT_CHECK",
                                "CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        # (guard line missing from this listing; presumably `if ev is None:`)
            raise Exception("No peer server certificate event seen")
        if "CTRL-EVENT-EAP-PEER-CERT" in ev:
            # Parse "depth=N ... cert=<hex>" fields; the initialisation of
            # depth/cert and the `for v in vals:` header are missing from
            # this listing.
            vals = ev.split(' ')
                if v.startswith("depth="):
                    depth = int(v.split('=')[1])
                elif v.startswith("cert="):
                    cert = v.split('=')[1]
            # Keyed by chain depth (0 presumably the server certificate,
            # 1 its issuer).
            if depth is not None and cert:
                certs[depth] = binascii.unhexlify(cert)
        elif "CTRL-EVENT-EAP-SUCCESS" in ev:
            # EAP must not complete before the external verdict is given.
            raise Exception("Unexpected EAP-Success")
        elif "CTRL-REQ-EXT_CERT_CHECK" in ev:
            # Request id is the number after the last '-' before the ':'.
            id = ev.split(':')[0].split('-')[-1]
            # (loop-exit statement missing from this listing)
    # (two guard lines missing from this listing; presumably check that the
    # server and issuer entries are present in certs)
        raise Exception("Server certificate not received")
        raise Exception("Server certificate issuer not received")

    # (second argument lines of the two load_certificate calls, presumably
    # the collected DER blobs, are missing from this listing)
    cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
    cn = cert.get_subject().commonName
    logger.info("Server certificate CN=" + cn)

    issuer = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
    icn = issuer.get_subject().commonName
    logger.info("Issuer certificate CN=" + icn)

    # The external checker's own policy: pin the expected server and CA CNs.
    if cn != "server.w1.fi":
        raise Exception("Unexpected server certificate CN: " + cn)
    if icn != "Root CA":
        raise Exception("Unexpected server certificate issuer CN: " + icn)

    # wpa_supplicant must stay blocked until the verdict is delivered.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=0.1)
    # (guard line missing from this listing; presumably `if ev is not None:`)
        raise Exception("Unexpected EAP-Success before external check result indication")

    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":good")
    dev[0].wait_connected()

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Flush the PMKSA cache, presumably so that the reconnect runs a full
    # EAP exchange (and thus a new certificate check) instead of reusing a
    # cached PMK; the EAP-FAST PAC blob is cleared for the same reason.
    if "FAIL" in dev[0].request("PMKSA_FLUSH"):
        raise Exception("PMKSA_FLUSH failed")
    dev[0].request("SET blob fast_pac_auth_ext ")
    dev[0].request("RECONNECT")

    ev = dev[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout=10)
    # (guard line missing from this listing; presumably `if ev is None:`)
        raise Exception("No peer server certificate event seen (2)")
    id = ev.split(':')[0].split('-')[-1]
    # A negative verdict must abort the authentication.
    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":bad")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    # (guard line missing from this listing; presumably `if ev is None:`)
        raise Exception("EAP-Failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()