1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
# Root logger shared by every test in this module; the hwsim runner configures
# the handlers, so the tests only emit progress messages via logger.info().
logger = logging.getLogger()
18 from utils import HwsimSkip, alloc_fail, fail_test, skip_with_fips
19 from wpasupplicant import WpaSupplicant
20 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations
def check_hlr_auc_gw_support():
    """Skip the test when the hlr_auc_gw control socket is not present.

    The EAP-SIM/AKA/AKA' tests rely on the HLR/AuC gateway that hostapd's
    EAP server reaches through /tmp/hlr_auc_gw.sock; without that socket the
    authentication vectors cannot be obtained and the test is skipped rather
    than failed.

    Raises:
        HwsimSkip: when the socket path does not exist.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
26 def check_eap_capa(dev, method):
27 res = dev.get_capability("eap")
29 raise HwsimSkip("EAP method %s not supported in the build" % method)
def check_subject_match_support(dev):
    """Skip the test unless the supplicant's TLS library supports subject_match.

    subject_match is the client-side check that pins the server certificate
    subject during the EAP-TLS/TTLS/PEAP handshake; this helper only lets
    the test proceed on the OpenSSL backend, as other backends do not
    implement the option.

    Args:
        dev: WpaSupplicant instance whose TLS library is queried.

    Raises:
        HwsimSkip: when the reported tls_library is not OpenSSL.
    """
    tls_library = dev.request("GET tls_library")
    if tls_library.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + tls_library)
def check_altsubject_match_support(dev):
    """Skip the test unless the TLS library supports altsubject_match.

    altsubject_match pins the server certificate's subjectAltName entries
    (EMAIL/DNS/URI) on the supplicant side; like subject_match it is only
    available with the OpenSSL backend, so other backends skip.

    Args:
        dev: WpaSupplicant instance whose TLS library is queried.

    Raises:
        HwsimSkip: when the reported tls_library is not OpenSSL.
    """
    tls_library = dev.request("GET tls_library")
    if tls_library.startswith("OpenSSL"):
        return
    raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls_library)
def check_domain_match_full(dev):
    """Skip tests that need suffix-style domain_suffix_match on non-OpenSSL builds.

    With TLS backends other than OpenSSL, domain_suffix_match is only
    honoured as a full host name match (per the skip message), so tests that
    depend on matching a parent domain suffix are skipped there.

    Args:
        dev: WpaSupplicant instance whose TLS library is queried.

    Raises:
        HwsimSkip: when the reported tls_library is not OpenSSL.
    """
    tls_library = dev.request("GET tls_library")
    if tls_library.startswith("OpenSSL"):
        return
    raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls_library)
def check_cert_probe_support(dev):
    """Skip the test unless the TLS library supports server certificate probing.

    Certificate probing lets the supplicant report the server certificate
    chain over the control interface before trust is established; only the
    OpenSSL backend provides it, so other backends skip.

    Args:
        dev: WpaSupplicant instance whose TLS library is queried.

    Raises:
        HwsimSkip: when the reported tls_library is not OpenSSL.
    """
    tls_library = dev.request("GET tls_library")
    if tls_library.startswith("OpenSSL"):
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls_library)
52 with open(fname, "r") as f:
63 return base64.b64decode(cert)
65 def eap_connect(dev, ap, method, identity,
66 sha256=False, expect_failure=False, local_error_report=False,
67 maybe_local_error=False, **kwargs):
68 hapd = hostapd.Hostapd(ap['ifname'])
69 id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
70 eap=method, identity=identity,
71 wait_connect=False, scan_freq="2412", ieee80211w="1",
73 eap_check_auth(dev, method, True, sha256=sha256,
74 expect_failure=expect_failure,
75 local_error_report=local_error_report,
76 maybe_local_error=maybe_local_error)
79 ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
81 raise Exception("No connection event received from hostapd")
84 def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
85 expect_failure=False, local_error_report=False,
86 maybe_local_error=False):
87 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
89 raise Exception("Association and EAP start timed out")
90 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
92 raise Exception("EAP method selection timed out")
94 raise Exception("Unexpected EAP method")
96 ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
98 raise Exception("EAP failure timed out")
99 ev = dev.wait_disconnected(timeout=10)
100 if maybe_local_error and "locally_generated=1" in ev:
102 if not local_error_report:
103 if "reason=23" not in ev:
104 raise Exception("Proper reason code for disconnection not reported")
106 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
108 raise Exception("EAP success timed out")
111 ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
113 ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
115 raise Exception("Association with the AP timed out")
116 status = dev.get_status()
117 if status["wpa_state"] != "COMPLETED":
118 raise Exception("Connection not completed")
120 if status["suppPortStatus"] != "Authorized":
121 raise Exception("Port not authorized")
122 if method not in status["selectedMethod"]:
123 raise Exception("Incorrect EAP method status")
125 e = "WPA2-EAP-SHA256"
127 e = "WPA2/IEEE 802.1X/EAP"
129 e = "WPA/IEEE 802.1X/EAP"
130 if status["key_mgmt"] != e:
131 raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger an EAP re-authentication on *dev* and validate the new exchange.

    Sends REAUTHENTICATE over the control interface and then runs
    eap_check_auth() with initial=False; rsn, sha256 and expect_failure are
    forwarded unchanged so the caller can describe the expected key_mgmt and
    whether the re-authentication is supposed to fail.

    Args:
        dev: WpaSupplicant instance that is currently associated.
        method: EAP method name expected in the status output.
        rsn: True when the association is WPA2 (RSN) rather than WPA.
        sha256: True when WPA-EAP-SHA256 key management is expected.
        expect_failure: True when the re-authentication should end in EAP failure.

    Returns:
        Whatever eap_check_auth() returns for the follow-up exchange.
    """
    dev.request("REAUTHENTICATE")
    check_opts = dict(rsn=rsn, sha256=sha256, expect_failure=expect_failure)
    return eap_check_auth(dev, method, False, **check_opts)
139 def test_ap_wpa2_eap_sim(dev, apdev):
140 """WPA2-Enterprise connection using EAP-SIM"""
141 check_hlr_auc_gw_support()
142 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
143 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
144 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
145 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
146 hwsim_utils.test_connectivity(dev[0], hapd)
147 eap_reauth(dev[0], "SIM")
149 eap_connect(dev[1], apdev[0], "SIM", "1232010000000001",
150 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
151 eap_connect(dev[2], apdev[0], "SIM", "1232010000000002",
152 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
155 logger.info("Negative test with incorrect key")
156 dev[0].request("REMOVE_NETWORK all")
157 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
158 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
161 logger.info("Invalid GSM-Milenage key")
162 dev[0].request("REMOVE_NETWORK all")
163 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
164 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
167 logger.info("Invalid GSM-Milenage key(2)")
168 dev[0].request("REMOVE_NETWORK all")
169 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
170 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
173 logger.info("Invalid GSM-Milenage key(3)")
174 dev[0].request("REMOVE_NETWORK all")
175 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
176 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
179 logger.info("Invalid GSM-Milenage key(4)")
180 dev[0].request("REMOVE_NETWORK all")
181 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
182 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
185 logger.info("Missing key configuration")
186 dev[0].request("REMOVE_NETWORK all")
187 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
190 def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
191 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
192 check_hlr_auc_gw_support()
196 raise HwsimSkip("No sqlite3 module available")
197 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
198 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
199 params['auth_server_port'] = "1814"
200 hostapd.add_ap(apdev[0]['ifname'], params)
201 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
202 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
204 logger.info("SIM fast re-authentication")
205 eap_reauth(dev[0], "SIM")
207 logger.info("SIM full auth with pseudonym")
210 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
211 eap_reauth(dev[0], "SIM")
213 logger.info("SIM full auth with permanent identity")
216 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
217 cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
218 eap_reauth(dev[0], "SIM")
220 logger.info("SIM reauth with mismatching MK")
223 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
224 eap_reauth(dev[0], "SIM", expect_failure=True)
225 dev[0].request("REMOVE_NETWORK all")
227 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
228 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
231 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
232 eap_reauth(dev[0], "SIM")
235 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
236 logger.info("SIM reauth with mismatching counter")
237 eap_reauth(dev[0], "SIM")
238 dev[0].request("REMOVE_NETWORK all")
240 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
241 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
244 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
245 logger.info("SIM reauth with max reauth count reached")
246 eap_reauth(dev[0], "SIM")
248 def test_ap_wpa2_eap_sim_config(dev, apdev):
249 """EAP-SIM configuration options"""
250 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
251 hostapd.add_ap(apdev[0]['ifname'], params)
252 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
253 identity="1232010000000000",
254 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
255 phase1="sim_min_num_chal=1",
256 wait_connect=False, scan_freq="2412")
257 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
259 raise Exception("No EAP error message seen")
260 dev[0].request("REMOVE_NETWORK all")
262 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
263 identity="1232010000000000",
264 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
265 phase1="sim_min_num_chal=4",
266 wait_connect=False, scan_freq="2412")
267 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
269 raise Exception("No EAP error message seen (2)")
270 dev[0].request("REMOVE_NETWORK all")
272 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
273 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
274 phase1="sim_min_num_chal=2")
275 eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
276 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
277 anonymous_identity="345678")
279 def test_ap_wpa2_eap_sim_ext(dev, apdev):
280 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
282 _test_ap_wpa2_eap_sim_ext(dev, apdev)
284 dev[0].request("SET external_sim 0")
286 def _test_ap_wpa2_eap_sim_ext(dev, apdev):
287 check_hlr_auc_gw_support()
288 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
289 hostapd.add_ap(apdev[0]['ifname'], params)
290 dev[0].request("SET external_sim 1")
291 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
292 identity="1232010000000000",
293 wait_connect=False, scan_freq="2412")
294 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
296 raise Exception("Network connected timed out")
298 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
300 raise Exception("Wait for external SIM processing request timed out")
302 if p[1] != "GSM-AUTH":
303 raise Exception("Unexpected CTRL-REQ-SIM type")
304 rid = p[0].split('-')[3]
307 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
308 # This will fail during processing, but the ctrl_iface command succeeds
309 dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
310 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
312 raise Exception("EAP failure not reported")
313 dev[0].request("DISCONNECT")
314 dev[0].wait_disconnected()
317 dev[0].select_network(id, freq="2412")
318 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
320 raise Exception("Wait for external SIM processing request timed out")
322 if p[1] != "GSM-AUTH":
323 raise Exception("Unexpected CTRL-REQ-SIM type")
324 rid = p[0].split('-')[3]
325 # This will fail during GSM auth validation
326 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:q"):
327 raise Exception("CTRL-RSP-SIM failed")
328 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
330 raise Exception("EAP failure not reported")
331 dev[0].request("DISCONNECT")
332 dev[0].wait_disconnected()
335 dev[0].select_network(id, freq="2412")
336 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
338 raise Exception("Wait for external SIM processing request timed out")
340 if p[1] != "GSM-AUTH":
341 raise Exception("Unexpected CTRL-REQ-SIM type")
342 rid = p[0].split('-')[3]
343 # This will fail during GSM auth validation
344 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:34"):
345 raise Exception("CTRL-RSP-SIM failed")
346 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
348 raise Exception("EAP failure not reported")
349 dev[0].request("DISCONNECT")
350 dev[0].wait_disconnected()
353 dev[0].select_network(id, freq="2412")
354 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
356 raise Exception("Wait for external SIM processing request timed out")
358 if p[1] != "GSM-AUTH":
359 raise Exception("Unexpected CTRL-REQ-SIM type")
360 rid = p[0].split('-')[3]
361 # This will fail during GSM auth validation
362 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677"):
363 raise Exception("CTRL-RSP-SIM failed")
364 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
366 raise Exception("EAP failure not reported")
367 dev[0].request("DISCONNECT")
368 dev[0].wait_disconnected()
371 dev[0].select_network(id, freq="2412")
372 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
374 raise Exception("Wait for external SIM processing request timed out")
376 if p[1] != "GSM-AUTH":
377 raise Exception("Unexpected CTRL-REQ-SIM type")
378 rid = p[0].split('-')[3]
379 # This will fail during GSM auth validation
380 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:q"):
381 raise Exception("CTRL-RSP-SIM failed")
382 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
384 raise Exception("EAP failure not reported")
385 dev[0].request("DISCONNECT")
386 dev[0].wait_disconnected()
389 dev[0].select_network(id, freq="2412")
390 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
392 raise Exception("Wait for external SIM processing request timed out")
394 if p[1] != "GSM-AUTH":
395 raise Exception("Unexpected CTRL-REQ-SIM type")
396 rid = p[0].split('-')[3]
397 # This will fail during GSM auth validation
398 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233"):
399 raise Exception("CTRL-RSP-SIM failed")
400 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
402 raise Exception("EAP failure not reported")
403 dev[0].request("DISCONNECT")
404 dev[0].wait_disconnected()
407 dev[0].select_network(id, freq="2412")
408 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
410 raise Exception("Wait for external SIM processing request timed out")
412 if p[1] != "GSM-AUTH":
413 raise Exception("Unexpected CTRL-REQ-SIM type")
414 rid = p[0].split('-')[3]
415 # This will fail during GSM auth validation
416 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233:q"):
417 raise Exception("CTRL-RSP-SIM failed")
418 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
420 raise Exception("EAP failure not reported")
422 def test_ap_wpa2_eap_sim_oom(dev, apdev):
423 """EAP-SIM and OOM"""
424 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
425 hostapd.add_ap(apdev[0]['ifname'], params)
426 tests = [ (1, "milenage_f2345"),
427 (2, "milenage_f2345"),
428 (3, "milenage_f2345"),
429 (4, "milenage_f2345"),
430 (5, "milenage_f2345"),
431 (6, "milenage_f2345"),
432 (7, "milenage_f2345"),
433 (8, "milenage_f2345"),
434 (9, "milenage_f2345"),
435 (10, "milenage_f2345"),
436 (11, "milenage_f2345"),
437 (12, "milenage_f2345") ]
438 for count, func in tests:
439 with alloc_fail(dev[0], count, func):
440 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
441 identity="1232010000000000",
442 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
443 wait_connect=False, scan_freq="2412")
444 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
446 raise Exception("EAP method not selected")
447 dev[0].wait_disconnected()
448 dev[0].request("REMOVE_NETWORK all")
450 def test_ap_wpa2_eap_aka(dev, apdev):
451 """WPA2-Enterprise connection using EAP-AKA"""
452 check_hlr_auc_gw_support()
453 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
454 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
455 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
456 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
457 hwsim_utils.test_connectivity(dev[0], hapd)
458 eap_reauth(dev[0], "AKA")
460 logger.info("Negative test with incorrect key")
461 dev[0].request("REMOVE_NETWORK all")
462 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
463 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
466 logger.info("Invalid Milenage key")
467 dev[0].request("REMOVE_NETWORK all")
468 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
469 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
472 logger.info("Invalid Milenage key(2)")
473 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
474 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
477 logger.info("Invalid Milenage key(3)")
478 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
479 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
482 logger.info("Invalid Milenage key(4)")
483 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
484 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
487 logger.info("Invalid Milenage key(5)")
488 dev[0].request("REMOVE_NETWORK all")
489 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
490 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
493 logger.info("Invalid Milenage key(6)")
494 dev[0].request("REMOVE_NETWORK all")
495 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
496 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
499 logger.info("Missing key configuration")
500 dev[0].request("REMOVE_NETWORK all")
501 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
504 def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
505 """WPA2-Enterprise connection using EAP-AKA (SQL)"""
506 check_hlr_auc_gw_support()
510 raise HwsimSkip("No sqlite3 module available")
511 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
512 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
513 params['auth_server_port'] = "1814"
514 hostapd.add_ap(apdev[0]['ifname'], params)
515 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
516 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
518 logger.info("AKA fast re-authentication")
519 eap_reauth(dev[0], "AKA")
521 logger.info("AKA full auth with pseudonym")
524 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
525 eap_reauth(dev[0], "AKA")
527 logger.info("AKA full auth with permanent identity")
530 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
531 cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
532 eap_reauth(dev[0], "AKA")
534 logger.info("AKA reauth with mismatching MK")
537 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
538 eap_reauth(dev[0], "AKA", expect_failure=True)
539 dev[0].request("REMOVE_NETWORK all")
541 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
542 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
545 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
546 eap_reauth(dev[0], "AKA")
549 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
550 logger.info("AKA reauth with mismatching counter")
551 eap_reauth(dev[0], "AKA")
552 dev[0].request("REMOVE_NETWORK all")
554 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
555 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
558 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
559 logger.info("AKA reauth with max reauth count reached")
560 eap_reauth(dev[0], "AKA")
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options

    Brings up a WPA2-Enterprise AP and connects dev[0] with EAP-AKA while a
    separate anonymous_identity is configured alongside the permanent
    identity, exercising that option on the EAP-AKA path.
    """
    ap_ifname = apdev[0]['ifname']
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ap_ifname, ap_params)
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                anonymous_identity="2345678",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
570 def test_ap_wpa2_eap_aka_ext(dev, apdev):
571 """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
573 _test_ap_wpa2_eap_aka_ext(dev, apdev)
575 dev[0].request("SET external_sim 0")
577 def _test_ap_wpa2_eap_aka_ext(dev, apdev):
578 check_hlr_auc_gw_support()
579 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
580 hostapd.add_ap(apdev[0]['ifname'], params)
581 dev[0].request("SET external_sim 1")
582 id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
583 identity="0232010000000000",
584 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
585 wait_connect=False, scan_freq="2412")
586 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
588 raise Exception("Network connected timed out")
590 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
592 raise Exception("Wait for external SIM processing request timed out")
594 if p[1] != "UMTS-AUTH":
595 raise Exception("Unexpected CTRL-REQ-SIM type")
596 rid = p[0].split('-')[3]
599 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
600 # This will fail during processing, but the ctrl_iface command succeeds
601 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
602 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
604 raise Exception("EAP failure not reported")
605 dev[0].request("DISCONNECT")
606 dev[0].wait_disconnected()
609 dev[0].select_network(id, freq="2412")
610 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
612 raise Exception("Wait for external SIM processing request timed out")
614 if p[1] != "UMTS-AUTH":
615 raise Exception("Unexpected CTRL-REQ-SIM type")
616 rid = p[0].split('-')[3]
617 # This will fail during UMTS auth validation
618 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
619 raise Exception("CTRL-RSP-SIM failed")
620 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
622 raise Exception("Wait for external SIM processing request timed out")
624 if p[1] != "UMTS-AUTH":
625 raise Exception("Unexpected CTRL-REQ-SIM type")
626 rid = p[0].split('-')[3]
627 # This will fail during UMTS auth validation
628 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
629 raise Exception("CTRL-RSP-SIM failed")
630 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
632 raise Exception("EAP failure not reported")
633 dev[0].request("DISCONNECT")
634 dev[0].wait_disconnected()
637 tests = [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
639 ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
640 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
641 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
642 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
643 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
645 dev[0].select_network(id, freq="2412")
646 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
648 raise Exception("Wait for external SIM processing request timed out")
650 if p[1] != "UMTS-AUTH":
651 raise Exception("Unexpected CTRL-REQ-SIM type")
652 rid = p[0].split('-')[3]
653 # This will fail during UMTS auth validation
654 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
655 raise Exception("CTRL-RSP-SIM failed")
656 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
658 raise Exception("EAP failure not reported")
659 dev[0].request("DISCONNECT")
660 dev[0].wait_disconnected()
663 def test_ap_wpa2_eap_aka_prime(dev, apdev):
664 """WPA2-Enterprise connection using EAP-AKA'"""
665 check_hlr_auc_gw_support()
666 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
667 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
668 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
669 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
670 hwsim_utils.test_connectivity(dev[0], hapd)
671 eap_reauth(dev[0], "AKA'")
673 logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
674 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
675 identity="6555444333222111@both",
676 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
677 wait_connect=False, scan_freq="2412")
678 dev[1].wait_connected(timeout=15)
680 logger.info("Negative test with incorrect key")
681 dev[0].request("REMOVE_NETWORK all")
682 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
683 password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
686 def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
687 """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
688 check_hlr_auc_gw_support()
692 raise HwsimSkip("No sqlite3 module available")
693 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
694 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
695 params['auth_server_port'] = "1814"
696 hostapd.add_ap(apdev[0]['ifname'], params)
697 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
698 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
700 logger.info("AKA' fast re-authentication")
701 eap_reauth(dev[0], "AKA'")
703 logger.info("AKA' full auth with pseudonym")
706 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
707 eap_reauth(dev[0], "AKA'")
709 logger.info("AKA' full auth with permanent identity")
712 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
713 cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
714 eap_reauth(dev[0], "AKA'")
716 logger.info("AKA' reauth with mismatching k_aut")
719 cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
720 eap_reauth(dev[0], "AKA'", expect_failure=True)
721 dev[0].request("REMOVE_NETWORK all")
723 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
724 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
727 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
728 eap_reauth(dev[0], "AKA'")
731 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
732 logger.info("AKA' reauth with mismatching counter")
733 eap_reauth(dev[0], "AKA'")
734 dev[0].request("REMOVE_NETWORK all")
736 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
737 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
740 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
741 logger.info("AKA' reauth with max reauth count reached")
742 eap_reauth(dev[0], "AKA'")
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP

    Verifies that the AP advertises WPA-EAP as its first key_mgmt entry,
    connects dev[0] through an EAP-TTLS tunnel with PAP as the inner method,
    checks data connectivity and a re-authentication, and confirms via the
    MIB that the 802.1X AKM suite (00-0f-ac-1) was both requested and
    selected. PAP carries the password in the clear inside the TLS tunnel,
    so the ca_cert pinning on the connection is what makes that tunnel
    trustworthy.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                anonymous_identity="ttls", password="password")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    # 00-0f-ac-1 is the IEEE 802.1X AKM suite selector.
    akm_8021x = "00-0f-ac-1"
    expected_mib = [(name, akm_8021x)
                    for name in ("dot11RSNAAuthenticationSuiteRequested",
                                 "dot11RSNAAuthenticationSuiteSelected")]
    check_mib(dev[0], expected_mib)
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match

    Connects through EAP-TTLS/PAP with both subject_match and
    altsubject_match configured, so the supplicant accepts the server only
    when its certificate subject and subjectAltName entries match the pinned
    values; the test is skipped on TLS backends without those options.
    """
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    identity_pins = {
        "subject_match": "/C=FI/O=w1.fi/CN=server.w1.fi",
        "altsubject_match": "EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
    }
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                **identity_pins)
    eap_reauth(dev[0], "TTLS")
772 def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
773 """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
774 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
775 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
776 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
777 anonymous_identity="ttls", password="wrong",
778 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
780 eap_connect(dev[1], apdev[0], "TTLS", "user",
781 anonymous_identity="ttls", password="password",
782 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP

    Connects dev[0] through an EAP-TTLS tunnel with CHAP as the inner
    method (trust anchor given in DER form), then checks connectivity and a
    re-authentication. Skipped on FIPS builds, since CHAP depends on MD5.
    """
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    tunnel_opts = dict(ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                **tunnel_opts)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP

    Same as the plain EAP-TTLS/CHAP case but with altsubject_match pinning
    the server certificate's subjectAltName entries; skipped on FIPS builds
    (CHAP depends on MD5) and on TLS backends without altsubject_match.
    """
    skip_with_fips(dev[0])
    check_altsubject_match_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    alt_names = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                anonymous_identity="ttls", password="password",
                altsubject_match=alt_names)
    eap_reauth(dev[0], "TTLS")
808 def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
809 """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
810 skip_with_fips(dev[0])
811 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
812 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
813 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
814 anonymous_identity="ttls", password="wrong",
815 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
817 eap_connect(dev[1], apdev[0], "TTLS", "user",
818 anonymous_identity="ttls", password="password",
819 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
822 def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
823 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
824 skip_with_fips(dev[0])
825 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
826 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
827 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
828 anonymous_identity="ttls", password="password",
829 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
830 domain_suffix_match="server.w1.fi")
831 hwsim_utils.test_connectivity(dev[0], hapd)
832 eap_reauth(dev[0], "TTLS")
833 dev[0].request("REMOVE_NETWORK all")
834 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
835 anonymous_identity="ttls", password="password",
836 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
839 def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
840 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
841 skip_with_fips(dev[0])
842 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
843 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
844 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
845 anonymous_identity="ttls", password="wrong",
846 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
848 eap_connect(dev[1], apdev[0], "TTLS", "user",
849 anonymous_identity="ttls", password="password",
850 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
852 eap_connect(dev[2], apdev[0], "TTLS", "no such user",
853 anonymous_identity="ttls", password="password",
854 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
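def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    # Skip (rather than fail) when the wpa_supplicant build lacks the
    # inner method.
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # The backslash in the identity is escaped explicitly. "DOMAIN\\mschapv2
    # user" is byte-for-byte what the previous unescaped literal produced,
    # but it no longer relies on Python passing an unknown escape sequence
    # through verbatim (deprecated; a SyntaxWarning/error in newer versions).
    #
    # domain_suffix_match pins the server certificate on top of the CA trust
    # anchor: with ca_cert alone, any certificate issued by auth_serv/ca.pem
    # would be accepted for the tunnel.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    # Snapshot the AP-side STA/EAPOL counters, reauthenticate, and require
    # that the EAPOL-frame and backend-success counters actually moved.
    sta1 = hapd.get_sta(dev[0].p2p_interface_addr())
    eapol1 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(dev[0].p2p_interface_addr())
    eapol2 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # Same user, credential supplied as the NT hash of "password" instead of
    # the plaintext. For MSCHAPv2 the NT hash is password-equivalent, so a
    # stored hash has to be protected exactly like the plaintext would be.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")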
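def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    # Only OpenSSL implements a real suffix match; the other TLS libraries
    # require a full match, which the bare "w1.fi" below would not satisfy,
    # so the test is skipped there.
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # Backslash escaped explicitly: same bytes as the previous unescaped
    # literal, without depending on an unknown escape being kept verbatim.
    #
    # A bare domain suffix accepts any host under w1.fi for which the
    # trusted CA has issued a certificate -- a weaker pin than matching the
    # full server name, which is what this test deliberately exercises.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")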
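def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # Backslash escaped explicitly: same bytes as the previous unescaped
    # literal, without depending on an unknown escape being kept verbatim.
    #
    # domain_match requires the full name rather than a suffix, so this is
    # the strongest server-name pin used by these TTLS tests. The mixed-case
    # "Server.w1.fi" (the server is server.w1.fi elsewhere in this file)
    # presumably also exercises case-insensitive comparison -- confirm
    # against the matcher before relying on that.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")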
914 def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
915 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
916 skip_with_fips(dev[0])
917 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
918 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
919 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
920 anonymous_identity="ttls", password="password1",
921 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
923 eap_connect(dev[1], apdev[0], "TTLS", "user",
924 anonymous_identity="ttls", password="password",
925 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
    skip_with_fips(dev[0])
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    hapd = hostapd.Hostapd(ap['ifname'])  # not used further; kept as before
    # Settings shared by both stations: outer identity "ttls", inner
    # MSCHAPv2, server validated against the test CA.
    common = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")
    # Station 0 sends a non-ASCII plaintext password (this file is declared
    # utf-8, so the literal is UTF-8 bytes on Python 2).
    eap_connect(dev[0], ap, "TTLS", "utf8-user-hash",
                password="secret-åäö-€-password", **common)
    # Station 1 supplies its credential as an NT hash instead of plaintext;
    # for MSCHAPv2 that hash is password-equivalent and must be guarded
    # accordingly.
    eap_connect(dev[1], ap, "TTLS", "utf8-user",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf", **common)
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    ap = apdev[0]
    sta = dev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # autheap= selects an inner EAP method (GTC here) rather than a plain
    # tunneled auth protocol. NOTE: EAP-GTC carries the password in the
    # clear inside the tunnel, so the TLS tunnel validated via ca_cert is
    # the only protection for it.
    eap_connect(sta, ap, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
952 def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
953 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
954 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
955 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
956 eap_connect(dev[0], apdev[0], "TTLS", "user",
957 anonymous_identity="ttls", password="wrong",
958 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
961 def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
962 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
963 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
964 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
965 eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
966 anonymous_identity="ttls", password="password",
967 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
970 def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
971 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
972 params = int_eap_server_params()
973 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
974 with alloc_fail(hapd, 1, "eap_gtc_init"):
975 eap_connect(dev[0], apdev[0], "TTLS", "user",
976 anonymous_identity="ttls", password="password",
977 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
979 dev[0].request("REMOVE_NETWORK all")
981 with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
982 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
983 eap="TTLS", identity="user",
984 anonymous_identity="ttls", password="password",
985 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
986 wait_connect=False, scan_freq="2412")
987 # This would eventually time out, but we can stop after having reached
988 # the allocation failure.
991 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    check_eap_capa(dev[0], "MD5")
    ap = apdev[0]
    sta = dev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-MD5 as the inner (autheap=) method. MD5-Challenge derives no keys
    # and authenticates only the client, so the server-validated TLS tunnel
    # (ca_cert) is what makes this usable at all.
    eap_connect(sta, ap, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    check_eap_capa(dev[0], "MD5")
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Wrong inner password: eap_connect must see the authentication fail
    # (expect_failure=True) instead of a successful connection.
    eap_connect(dev[0], ap, "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    check_eap_capa(dev[0], "MD5")
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" presumably has no password configured on the server
    # side; the client offers one anyway and the authentication must be
    # rejected rather than succeed against an empty credential.
    eap_connect(dev[0], ap, "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
1025 def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
1026 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
1027 check_eap_capa(dev[0], "MD5")
1028 params = int_eap_server_params()
1029 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1030 with alloc_fail(hapd, 1, "eap_md5_init"):
1031 eap_connect(dev[0], apdev[0], "TTLS", "user",
1032 anonymous_identity="ttls", password="password",
1033 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1034 expect_failure=True)
1035 dev[0].request("REMOVE_NETWORK all")
1037 with alloc_fail(hapd, 1, "eap_md5_buildReq"):
1038 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1039 eap="TTLS", identity="user",
1040 anonymous_identity="ttls", password="password",
1041 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1042 wait_connect=False, scan_freq="2412")
1043 # This would eventually time out, but we can stop after having reached
1044 # the allocation failure.
1047 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = apdev[0]
    sta = dev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Outer identity "ttls", inner EAP-MSCHAPv2 (autheap=), server checked
    # against the test CA only -- no server-name pin in this test.
    common = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="autheap=MSCHAPV2")

    # Positive case, then data path and reauthentication.
    eap_connect(sta, ap, "TTLS", "user", password="password", **common)
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")

    # Negative case on the same station: a one-character-off password must
    # be rejected.
    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "TTLS", "user", password="password1",
                expect_failure=True, **common)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" presumably has no credential on the server side; the
    # inner EAP-MSCHAPv2 exchange must fail rather than accept the client.
    eap_connect(dev[0], ap, "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                expect_failure=True)
1078 def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
1079 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
1080 check_eap_capa(dev[0], "MSCHAPV2")
1081 params = int_eap_server_params()
1082 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1083 with alloc_fail(hapd, 1, "eap_mschapv2_init"):
1084 eap_connect(dev[0], apdev[0], "TTLS", "user",
1085 anonymous_identity="ttls", password="password",
1086 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1087 expect_failure=True)
1088 dev[0].request("REMOVE_NETWORK all")
1090 with alloc_fail(hapd, 1, "eap_mschapv2_build_challenge"):
1091 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1092 eap="TTLS", identity="user",
1093 anonymous_identity="ttls", password="password",
1094 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1095 wait_connect=False, scan_freq="2412")
1096 # This would eventually time out, but we can stop after having reached
1097 # the allocation failure.
1100 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1102 dev[0].request("REMOVE_NETWORK all")
1104 with alloc_fail(hapd, 1, "eap_mschapv2_build_success_req"):
1105 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1106 eap="TTLS", identity="user",
1107 anonymous_identity="ttls", password="password",
1108 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1109 wait_connect=False, scan_freq="2412")
1110 # This would eventually time out, but we can stop after having reached
1111 # the allocation failure.
1114 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1116 dev[0].request("REMOVE_NETWORK all")
1118 with alloc_fail(hapd, 1, "eap_mschapv2_build_failure_req"):
1119 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1120 eap="TTLS", identity="user",
1121 anonymous_identity="ttls", password="wrong",
1122 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1123 wait_connect=False, scan_freq="2412")
1124 # This would eventually time out, but we can stop after having reached
1125 # the allocation failure.
1128 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1130 dev[0].request("REMOVE_NETWORK all")
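def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    # The inner EAP-AKA exchange needs the external hlr_auc_gw; skip the
    # test (HwsimSkip) instead of failing when its socket is not present.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE: the outer identity repeats the permanent identity with a realm
    # suffix, so the TLS tunnel adds no identity privacy here; presumably the
    # realm is what steers the server to TTLS -- verify before reusing the
    # pattern. The password looks like Milenage test parameters (Ki:OPc:SQN
    # as described in wpa_supplicant.conf for EAP-AKA) -- confirm.
    eap_connect(dev[0], apdev[0], "TTLS", "0232010000000000",
                anonymous_identity="0232010000000000@ttls",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")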
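def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    # The inner EAP-AKA exchange needs the external hlr_auc_gw; skip the
    # test (HwsimSkip) instead of failing when its socket is not present.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE: the outer identity repeats the permanent identity with a realm
    # suffix, so the PEAP tunnel adds no identity privacy here; presumably
    # the realm steers the server to PEAP -- verify. The password looks like
    # Milenage test parameters (Ki:OPc:SQN per wpa_supplicant.conf) --
    # confirm before reuse.
    eap_connect(dev[0], apdev[0], "PEAP", "0232010000000000",
                anonymous_identity="0232010000000000@peap",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")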
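def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    check_eap_capa(dev[0], "FAST")
    # The inner EAP-AKA exchange needs the external hlr_auc_gw; skip the
    # test (HwsimSkip) instead of failing when its socket is not present.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # fast_provisioning=2 presumably selects authenticated (server-verified)
    # PAC provisioning, as opposed to the anonymous mode that is exposed to
    # an active attacker -- confirm against wpa_supplicant.conf. The PAC is
    # stored in a config blob rather than on disk. The outer identity repeats
    # the permanent identity, so no identity privacy is gained from the
    # tunnel here; the password looks like Milenage Ki:OPc:SQN -- confirm.
    eap_connect(dev[0], apdev[0], "FAST", "0232010000000000",
                anonymous_identity="0232010000000000@fast",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")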
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = apdev[0]
    sta = dev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Shared network settings: outer identity "peap", inner EAP-MSCHAPv2,
    # server validated against the test CA only (no server-name pin here).
    common = dict(anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")

    # 1. Plaintext password, then data path and reauthentication.
    eap_connect(sta, ap, "PEAP", "user", password="password", **common)
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "PEAP")

    # 2. Same credentials with a small EAP fragment size (presumably to
    #    force fragmentation of the TLS handshake).
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PEAP", "user", password="password",
                fragment_size="200", **common)

    # 3. Credential supplied as the NT hash of "password"; for MSCHAPv2 the
    #    hash is password-equivalent, so it needs the same protection.
    logger.info("Password as hash value")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **common)

    # 4. A wrong password must be rejected.
    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PEAP", "user", password="password1",
                expect_failure=True, **common)
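def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # The identity carries a Windows-style DOMAIN\ prefix. The backslash is
    # now escaped: "DOMAIN\\user3" gives the same bytes as the previous
    # "DOMAIN\user3" did on Python 2, but the unescaped form begins a \uXXXX
    # escape and is a SyntaxError on Python 3.
    eap_connect(dev[0], apdev[0], "PEAP", "DOMAIN\\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")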
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Wrong inner password: the PEAP authentication must fail
    # (expect_failure=True); the outer tunnel itself is still set up with
    # the test CA.
    eap_connect(dev[0], ap, "PEAP", "user",
                anonymous_identity="peap", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect(sta, binding):
        # peapver=0 pins PEAPv0. crypto_binding is the wpa_supplicant phase1
        # setting that ties the inner method to the TLS tunnel (defence
        # against a tunnel man-in-the-middle); 0/1/2 presumably mean
        # off/optional/required as in wpa_supplicant.conf -- confirm. Only
        # the "required" setting actually enforces the binding.
        eap_connect(sta, ap, "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=" + binding,
                    phase2="auth=MSCHAPV2")

    # Strictest setting first, with data-path and reauthentication checks.
    connect(dev[0], "2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    # Optional and disabled binding on the two remaining stations.
    connect(dev[1], "1")
    connect(dev[2], "0")
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'], int_eap_server_params())
    # alloc_fail(hapd, 1, fn) presumably makes the first allocation inside
    # the server's eap_mschapv2_getKey() fail. Without the inner-method key
    # the server cannot produce the crypto binding, and a client that
    # requires it (crypto_binding=2) must fail the authentication instead of
    # quietly continuing without the binding.
    with alloc_fail(hapd, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], ap, "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
1246 def test_ap_wpa2_eap_peap_params(dev, apdev):
1247 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
1248 check_eap_capa(dev[0], "MSCHAPV2")
1249 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1250 hostapd.add_ap(apdev[0]['ifname'], params)
1251 eap_connect(dev[0], apdev[0], "PEAP", "user",
1252 anonymous_identity="peap", password="password",
1253 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1254 phase1="peapver=0 peaplabel=1",
1255 expect_failure=True)
1256 dev[0].request("REMOVE_NETWORK all")
1257 eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
1258 ca_cert="auth_serv/ca.pem",
1259 phase1="peap_outer_success=1",
1260 phase2="auth=MSCHAPV2")
1261 eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
1262 ca_cert="auth_serv/ca.pem",
1263 phase1="peap_outer_success=2",
1264 phase2="auth=MSCHAPV2")
1265 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1267 anonymous_identity="peap", password="password",
1268 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1269 phase1="peapver=1 peaplabel=1",
1270 wait_connect=False, scan_freq="2412")
1271 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
1273 raise Exception("No EAP success seen")
1274 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
1276 raise Exception("Unexpected connection")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Outer tunnel: server validated against the test CA. Inner method:
    # EAP-TLS, whose client certificate, key and trust anchor come from the
    # phase-2 (*2) parameters.
    inner = dict(ca_cert2="auth_serv/ca.pem",
                 client_cert2="auth_serv/user.pem",
                 private_key2="auth_serv/user.key")
    eap_connect(dev[0], ap, "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS", **inner)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Mutual certificate authentication. No private_key_passwd is given, so
    # user.key is presumably an unencrypted key file read straight from disk
    # -- acceptable for hwsim, not a production pattern.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key")
    eap_connect(dev[0], ap, "TLS", "tls user", **creds)
    eap_reauth(dev[0], "TLS")
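def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # All three credentials -- including the private key -- are pushed as
    # hex over the wpa_supplicant control interface. Anything that can reach
    # that interface can read or replace them; fine for hwsim, not a
    # production provisioning pattern.
    _set_pem_blob(dev[0], "cacert", "auth_serv/ca.pem")
    _set_pem_blob(dev[0], "usercert", "auth_serv/user.pem")
    # The failure message for this blob used to say "cacert"; it now names
    # the blob that actually failed.
    _set_pem_blob(dev[0], "userkey", "auth_serv/user.rsa-key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")


def _set_pem_blob(dev, name, fname):
    """Store the decoded PEM payload of fname as config blob 'name' on dev.

    read_pem() returns the DER bytes; they are hex-encoded for the control
    interface. Raises Exception, naming the blob, if the "SET blob" request
    is not acknowledged with OK.
    """
    data = read_pem(fname)
    if "OK" not in dev.request("SET blob %s %s" % (name, data.encode("hex"))):
        raise Exception("Could not set %s blob" % name)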
1315 def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
1316 """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
1317 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1318 hostapd.add_ap(apdev[0]['ifname'], params)
1319 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1320 private_key="auth_serv/user.pkcs12",
1321 private_key_passwd="whatever")
1322 dev[0].request("REMOVE_NETWORK all")
1323 dev[0].wait_disconnected()
1325 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
1326 identity="tls user",
1327 ca_cert="auth_serv/ca.pem",
1328 private_key="auth_serv/user.pkcs12",
1329 wait_connect=False, scan_freq="2412")
1330 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
1332 raise Exception("Request for private key passphrase timed out")
1333 id = ev.split(':')[0].split('-')[-1]
1334 dev[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
1335 dev[0].wait_connected(timeout=10)
1336 dev[0].request("REMOVE_NETWORK all")
1337 dev[0].wait_disconnected()
1339 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1340 private_key="auth_serv/user2.pkcs12",
1341 private_key_passwd="whatever")
1342 dev[0].request("REMOVE_NETWORK all")
1343 dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    # Trust anchor: DER from read_pem(), hex-encoded for the control
    # interface.
    ca_hex = read_pem("auth_serv/ca.pem").encode("hex")
    if "OK" not in sta.request("SET blob cacert " + ca_hex):
        raise Exception("Could not set cacert blob")
    # Client certificate + key as a password-protected PKCS#12 bundle, read
    # as raw bytes. Note the bundle (and its password below) travel over the
    # control interface in the clear -- acceptable for hwsim only.
    with open("auth_serv/user.pkcs12", "rb") as f:
        p12_hex = f.read().encode("hex")
    if "OK" not in sta.request("SET blob pkcs12 " + p12_hex):
        raise Exception("Could not set pkcs12 blob")
    eap_connect(sta, ap, "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
1359 def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
1360 """WPA2-Enterprise negative test - incorrect trust root"""
1361 check_eap_capa(dev[0], "MSCHAPV2")
1362 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1363 hostapd.add_ap(apdev[0]['ifname'], params)
1364 cert = read_pem("auth_serv/ca-incorrect.pem")
1365 if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
1366 raise Exception("Could not set cacert blob")
1367 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1368 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1369 password="password", phase2="auth=MSCHAPV2",
1370 ca_cert="blob://cacert",
1371 wait_connect=False, scan_freq="2412")
1372 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1373 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1374 password="password", phase2="auth=MSCHAPV2",
1375 ca_cert="auth_serv/ca-incorrect.pem",
1376 wait_connect=False, scan_freq="2412")
1378 for dev in (dev[0], dev[1]):
1379 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1381 raise Exception("Association and EAP start timed out")
1383 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1385 raise Exception("EAP method selection timed out")
1386 if "TTLS" not in ev:
1387 raise Exception("Unexpected EAP method")
1389 ev = dev.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1390 "CTRL-EVENT-EAP-SUCCESS",
1391 "CTRL-EVENT-EAP-FAILURE",
1392 "CTRL-EVENT-CONNECTED",
1393 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1395 raise Exception("EAP result timed out")
1396 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1397 raise Exception("TLS certificate error not reported")
1399 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS",
1400 "CTRL-EVENT-EAP-FAILURE",
1401 "CTRL-EVENT-CONNECTED",
1402 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1404 raise Exception("EAP result(2) timed out")
1405 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1406 raise Exception("EAP failure not reported")
1408 ev = dev.wait_event(["CTRL-EVENT-CONNECTED",
1409 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1411 raise Exception("EAP result(3) timed out")
1412 if "CTRL-EVENT-DISCONNECTED" not in ev:
1413 raise Exception("Disconnection not reported")
1415 ev = dev.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1417 raise Exception("Network block disabling not reported")
1419 def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
1420 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1421 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1422 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1423 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1424 identity="pap user", anonymous_identity="ttls",
1425 password="password", phase2="auth=PAP",
1426 ca_cert="auth_serv/ca.pem",
1427 wait_connect=True, scan_freq="2412")
1428 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1429 identity="pap user", anonymous_identity="ttls",
1430 password="password", phase2="auth=PAP",
1431 ca_cert="auth_serv/ca-incorrect.pem",
1432 only_add_network=True, scan_freq="2412")
1434 dev[0].request("DISCONNECT")
1435 dev[0].wait_disconnected()
1436 dev[0].dump_monitor()
1437 dev[0].select_network(id, freq="2412")
1439 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1441 raise Exception("EAP-TTLS not re-started")
1443 ev = dev[0].wait_disconnected(timeout=15)
1444 if "reason=23" not in ev:
1445 raise Exception("Proper reason code for disconnection not reported")
1447 def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
1448 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1449 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1450 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1451 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1452 identity="pap user", anonymous_identity="ttls",
1453 password="password", phase2="auth=PAP",
1454 wait_connect=True, scan_freq="2412")
1455 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1456 identity="pap user", anonymous_identity="ttls",
1457 password="password", phase2="auth=PAP",
1458 ca_cert="auth_serv/ca-incorrect.pem",
1459 only_add_network=True, scan_freq="2412")
1461 dev[0].request("DISCONNECT")
1462 dev[0].wait_disconnected()
1463 dev[0].dump_monitor()
1464 dev[0].select_network(id, freq="2412")
1466 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1468 raise Exception("EAP-TTLS not re-started")
1470 ev = dev[0].wait_disconnected(timeout=15)
1471 if "reason=23" not in ev:
1472 raise Exception("Proper reason code for disconnection not reported")
1474 def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
1475 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1476 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1477 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1478 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1479 identity="pap user", anonymous_identity="ttls",
1480 password="password", phase2="auth=PAP",
1481 ca_cert="auth_serv/ca.pem",
1482 wait_connect=True, scan_freq="2412")
1483 dev[0].request("DISCONNECT")
1484 dev[0].wait_disconnected()
1485 dev[0].dump_monitor()
1486 dev[0].set_network_quoted(id, "ca_cert", "auth_serv/ca-incorrect.pem")
1487 dev[0].select_network(id, freq="2412")
1489 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1491 raise Exception("EAP-TTLS not re-started")
1493 ev = dev[0].wait_disconnected(timeout=15)
1494 if "reason=23" not in ev:
1495 raise Exception("Proper reason code for disconnection not reported")
1497 def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
1498 """WPA2-Enterprise negative test - domain suffix mismatch"""
1499 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1500 hostapd.add_ap(apdev[0]['ifname'], params)
1501 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1502 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1503 password="password", phase2="auth=MSCHAPV2",
1504 ca_cert="auth_serv/ca.pem",
1505 domain_suffix_match="incorrect.example.com",
1506 wait_connect=False, scan_freq="2412")
1508 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1510 raise Exception("Association and EAP start timed out")
1512 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1514 raise Exception("EAP method selection timed out")
1515 if "TTLS" not in ev:
1516 raise Exception("Unexpected EAP method")
1518 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1519 "CTRL-EVENT-EAP-SUCCESS",
1520 "CTRL-EVENT-EAP-FAILURE",
1521 "CTRL-EVENT-CONNECTED",
1522 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1524 raise Exception("EAP result timed out")
1525 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1526 raise Exception("TLS certificate error not reported")
1527 if "Domain suffix mismatch" not in ev:
1528 raise Exception("Domain suffix mismatch not reported")
1530 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1531 "CTRL-EVENT-EAP-FAILURE",
1532 "CTRL-EVENT-CONNECTED",
1533 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1535 raise Exception("EAP result(2) timed out")
1536 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1537 raise Exception("EAP failure not reported")
1539 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1540 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1542 raise Exception("EAP result(3) timed out")
1543 if "CTRL-EVENT-DISCONNECTED" not in ev:
1544 raise Exception("Disconnection not reported")
1546 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1548 raise Exception("Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch.

    EAP-TTLS/MSCHAPv2 is configured with domain_match="w1.fi".  domain_match
    is a full (exact) match on the server certificate's name, unlike
    domain_suffix_match, and "w1.fi" is chosen so that it does not equal
    the test AP certificate's name.  The supplicant must therefore abort
    with a "Domain mismatch" TLS certificate error, report EAP failure,
    disconnect and temporarily disable the network block.  Reaching
    EAP-SUCCESS/CONNECTED here would mean the server was accepted (and the
    inner MSCHAPv2 credentials used) without the configured name check.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Same identity value as before ("DOMAIN\mschapv2 user"); written with an
    # explicit "\\" instead of relying on the invalid "\m" escape, which newer
    # Python versions warn about.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_match="w1.fi",
                   wait_connect=False, scan_freq="2412")

    def wait_for(events, timeout_msg):
        # wait_event() returns None on timeout; every step of the expected
        # sequence is mandatory, so a timeout fails the test.
        ev = dev[0].wait_event(events, timeout=10)
        if ev is None:
            raise Exception(timeout_msg)
        return ev

    wait_for(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out")

    ev = wait_for(["CTRL-EVENT-EAP-METHOD"], "EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # Whatever comes first must be the certificate error, not success or a
    # connection.
    ev = wait_for(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                   "CTRL-EVENT-EAP-SUCCESS",
                   "CTRL-EVENT-EAP-FAILURE",
                   "CTRL-EVENT-CONNECTED",
                   "CTRL-EVENT-DISCONNECTED"], "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    ev = wait_for(["CTRL-EVENT-EAP-SUCCESS",
                   "CTRL-EVENT-EAP-FAILURE",
                   "CTRL-EVENT-CONNECTED",
                   "CTRL-EVENT-DISCONNECTED"], "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = wait_for(["CTRL-EVENT-CONNECTED",
                   "CTRL-EVENT-DISCONNECTED"], "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    # The rejected certificate must also take the network block out of
    # rotation (presumably so the supplicant does not keep retrying it).
    wait_for(["CTRL-EVENT-SSID-TEMP-DISABLED"],
             "Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch.

    subject_match="/C=FI/O=w1.fi/CN=example.com" must not match the test
    AP's server certificate, so EAP-TTLS has to stop with a "Subject
    mismatch" TLS certificate error, then EAP failure, disconnection and
    temporary disabling of the network block.  Builds whose TLS library is
    not OpenSSL do not support subject_match at all; there the method must
    refuse to initialize, which also counts as a pass because no
    connection is made.

    NOTE(review): subject_match is documented in wpa_supplicant.conf as a
    substring match on the subject DN; domain_match / domain_suffix_match
    are the stricter checks to prefer in real profiles.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # "DOMAIN\\mschapv2 user" is the same literal as before, spelled without
    # the invalid "\m" escape sequence.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   subject_match="/C=FI/O=w1.fi/CN=example.com",
                   wait_connect=False, scan_freq="2412")

    sta = dev[0]

    if sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10) is None:
        raise Exception("Association and EAP start timed out")

    ev = sta.wait_event(["CTRL-EVENT-EAP-METHOD",
                         "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        # OpenSSL builds do support subject_match, so there a refusal to
        # start TTLS is a real failure.
        if sta.request("GET tls_library").startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # (events to wait for, timeout message,
    #  [(substring that must be in the event, error if it is not), ...])
    sequence = [
        (["CTRL-EVENT-EAP-TLS-CERT-ERROR",
          "CTRL-EVENT-EAP-SUCCESS",
          "CTRL-EVENT-EAP-FAILURE",
          "CTRL-EVENT-CONNECTED",
          "CTRL-EVENT-DISCONNECTED"],
         "EAP result timed out",
         [("CTRL-EVENT-EAP-TLS-CERT-ERROR", "TLS certificate error not reported"),
          ("Subject mismatch", "Subject mismatch not reported")]),
        (["CTRL-EVENT-EAP-SUCCESS",
          "CTRL-EVENT-EAP-FAILURE",
          "CTRL-EVENT-CONNECTED",
          "CTRL-EVENT-DISCONNECTED"],
         "EAP result(2) timed out",
         [("CTRL-EVENT-EAP-FAILURE", "EAP failure not reported")]),
        (["CTRL-EVENT-CONNECTED",
          "CTRL-EVENT-DISCONNECTED"],
         "EAP result(3) timed out",
         [("CTRL-EVENT-DISCONNECTED", "Disconnection not reported")]),
        (["CTRL-EVENT-SSID-TEMP-DISABLED"],
         "Network block disabling not reported",
         []),
    ]
    for events, timeout_msg, checks in sequence:
        ev = sta.wait_event(events, timeout=10)
        if ev is None:
            raise Exception(timeout_msg)
        for needle, error_msg in checks:
            if needle not in ev:
                raise Exception(error_msg)
def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
    """WPA2-Enterprise negative test - altsubject mismatch"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Each entry is an altsubject_match value that must NOT match the AP
    # certificate's subjectAltName (a bare name and an explicit DNS: entry
    # are visible here); every value is run through the per-case helper
    # below against the same AP.
    # NOTE(review): the remaining list entries and the "for ... in tests:"
    # loop header are absent from this listing.
    tests = [ "incorrect.example.com",
              "DNS:incorrect.example.com",
        _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    """Run one altsubject_match negative case against the already started AP.

    match is an altsubject_match value that must not match the server
    certificate's subjectAltName.  Expected client behaviour: a TLS
    certificate error carrying "AltSubject mismatch", then EAP failure,
    disconnection and temporary disabling of the network block.  With a
    TLS library other than OpenSSL, altsubject_match is unsupported and
    the method must refuse to initialize instead (also a pass).  On the
    full path the network block is removed at the end so the caller can
    run the next value.
    """
    sta = dev[0]
    # "DOMAIN\\mschapv2 user": same literal as before, without the invalid
    # "\m" escape sequence.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem",
                altsubject_match=match,
                wait_connect=False, scan_freq="2412")

    def expect(events, timeout_msg):
        ev = sta.wait_event(events, timeout=10)
        if ev is None:
            raise Exception(timeout_msg)
        return ev

    expect(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out")

    ev = expect(["CTRL-EVENT-EAP-METHOD",
                 "EAP: Failed to initialize EAP method"],
                "EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls_lib = sta.request("GET tls_library")
        if tls_lib.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                 "CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    ev = expect(["CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = expect(["CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"],
           "Network block disabling not reported")

    sta.request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS.

    The peer is given only a trust anchor (ca_cert) and no client
    certificate or key, i.e. presumably the server-authenticated-only TLS
    method; the server certificate is still expected to chain to
    auth_serv/ca.pem.  A reauthentication round follows the initial
    connection.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(dev[0], "UNAUTH-TLS")
def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash.

    Three phases against the same AP:
      1. ca_cert="probe://": no trust anchor; the supplicant must report
         the server certificate (CTRL-EVENT-EAP-PEER-CERT depth=0) with
         hash=srv_cert_hash and then abort with a "Server certificate chain
         probe" error instead of connecting.
      2. ca_cert="hash://server/sha256/<other hash>": the handshake must
         fail with "Server certificate mismatch".
      3. ca_cert="hash://server/sha256/<srv_cert_hash>": pinning to the
         expected certificate lets EAP-TTLS/MSCHAPv2 complete.

    NOTE(review): the probe is a discovery aid only.  A hash learned over
    the air is trust-on-first-use; for a real profile the value must come
    from the operator out-of-band, otherwise a rogue AP can simply be
    probed and pinned.  The pin is to this exact server certificate, so a
    certificate rotation on the server invalidates the profile.
    """
    check_cert_probe_support(dev[0])
    skip_with_fips(dev[0])
    sta = dev[0]
    srv_cert_hash = "1477c9cd88391609444b83eca45c4f9f324e3051c5c31fc233ac6aede30ce7cd"
    other_hash = "5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    def wait_or_fail(events, msg):
        ev = sta.wait_event(events, timeout=10)
        if ev is None:
            raise Exception(msg)
        return ev

    # Phase 1: probe the server certificate chain.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="probe", ca_cert="probe://",
                wait_connect=False, scan_freq="2412")
    wait_or_fail(["CTRL-EVENT-EAP-STARTED"],
                 "Association and EAP start timed out")
    ev = wait_or_fail(["CTRL-EVENT-EAP-PEER-CERT depth=0"],
                      "No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = wait_or_fail(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], "EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    sta.wait_disconnected(timeout=10)
    sta.request("REMOVE_NETWORK all")

    # Phase 2: a pin for a different certificate must be rejected.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="hash://server/sha256/" + other_hash,
                wait_connect=False, scan_freq="2412")
    wait_or_fail(["CTRL-EVENT-EAP-STARTED"],
                 "Association and EAP start timed out")
    ev = wait_or_fail(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], "EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    sta.wait_disconnected(timeout=10)
    sta.request("REMOVE_NETWORK all")

    # Phase 3: the correct pin authenticates the server without any CA.
    eap_connect(sta, apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config).

    Each station gets a malformed ca_cert pin and must fail while
    initializing the EAP method (vendor 0 method 21 = EAP-TTLS) rather than
    continue with a weakened or partial check:
      dev[0]: hash://server/md5/...        - MD5 is not an accepted digest
      dev[1]: sha256 value of 62 hex digits - too short for SHA-256
      dev[2]: sha256 value containing 'Q'   - not hexadecimal
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    bad_pins = [
        "hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
    ]
    # Start all three first, then check them, as before.
    for idx, pin in enumerate(bad_pins):
        dev[idx].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                         identity="DOMAIN\\mschapv2 user",
                         anonymous_identity="ttls",
                         password="password", phase2="auth=MSCHAPV2",
                         ca_cert=pin,
                         wait_connect=False, scan_freq="2412")

    for idx in range(3):
        sta = dev[idx]
        if sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10) is None:
            raise Exception("Association and EAP start timed out")
        ev = sta.wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"],
                            timeout=5)
        if ev is None:
            raise Exception("Did not report EAP method initialization failure")
def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd"""
    check_eap_capa(dev[0], "PWD")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Baseline: password-only authentication, then a reauthentication round.
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
    eap_reauth(dev[0], "PWD")
    dev[0].request("REMOVE_NETWORK all")

    # Very long identity label (presumably to exercise message
    # fragmentation, cf. test_ap_wpa2_eap_pwd_as_frag).
    # NOTE(review): the closing argument(s) of this call are absent from
    # this listing.
    eap_connect(dev[1], apdev[0], "PWD",
                "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
                password="secret password",
    logger.info("Negative test with incorrect password")
    # "secret-password" differs from the real one only by '-' vs ' '; EAP-pwd
    # must reject it and the failure is expected to be reported locally
    # (local_error_report=True, see eap_connect).
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
                expect_failure=True, local_error_report=True)

    # Long identity again on dev[0].
    # NOTE(review): the closing argument(s) of this call are absent from
    # this listing.
    eap_connect(dev[0], apdev[0], "PWD",
                "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
                password="secret password",
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash.

    dev[0] authenticates as "pwd-hash" with the cleartext password and
    dev[1] as the same user with its NT hash supplied via
    password_hex="hash:<16 bytes>" (the server side presumably stores the
    NT hash for this user).  dev[2] presents that hash for "pwd user" and
    must be rejected, with the failure reported locally.

    NOTE(review): for EAP-pwd an NT hash is password-equivalent - whoever
    holds it can authenticate without the cleartext - so a
    password_hex="hash:..." profile needs exactly the same protection as a
    plaintext password.
    """
    check_eap_capa(dev[0], "PWD")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    nt_hash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    eap_connect(dev[0], apdev[0], "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], apdev[0], "PWD", "pwd-hash", password_hex=nt_hash)
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password_hex=nt_hash,
                expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups.

    Re-creates the AP once per pwd_group and connects each time.  The
    group numbers are IANA ECP group identifiers: 19/20/21 are the
    256/384/521-bit groups and 25/26 the 192/224-bit ones (25 and 26 are
    below the usual 128-bit security level; they are exercised for
    interoperability, not recommended for deployment).
    """
    check_eap_capa(dev[0], "PWD")
    base_params = { "ssid": "test-wpa2-eap", "wpa": "2",
                    "wpa_key_mgmt": "WPA-EAP",
                    "rsn_pairwise": "CCMP", "ieee8021x": "1",
                    "eap_server": "1",
                    "eap_user_file": "auth_serv/eap_user.conf" }
    for group in (19, 20, 21, 25, 26):
        ap_params = dict(base_params)
        ap_params['pwd_group'] = str(group)
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        # Drop the previous iteration's network block before reconnecting.
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "PWD", "pwd user",
                    password="secret password")
def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group.

    The AP is configured with pwd_group=0, which is not a valid group; the
    peer must end up reporting CTRL-EVENT-EAP-FAILURE rather than
    completing (or hanging in) the exchange.
    """
    check_eap_capa(dev[0], "PWD")
    ap_params = { "ssid": "test-wpa2-eap", "wpa": "2",
                  "wpa_key_mgmt": "WPA-EAP",
                  "rsn_pairwise": "CCMP", "ieee8021x": "1",
                  "eap_server": "1",
                  "eap_user_file": "auth_serv/eap_user.conf",
                  "pwd_group": "0" }
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                   identity="pwd user", password="secret password",
                   scan_freq="2412", wait_connect=False)
    # Default wait_event timeout, as before.
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
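def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation.

    Runs EAP-pwd (group 19) against a hostapd whose integrated EAP server
    is told to fragment its messages at 40 bytes (fragment_size), so the
    peer has to reassemble the server side of the exchange correctly.
    The hostapd.wpa2_eap_params() result that used to be built and
    immediately discarded here is gone; the explicit dict is the only
    configuration that was ever used.
    """
    check_eap_capa(dev[0], "PWD")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "19", "fragment_size": "40" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")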
def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK.

    Connects with the 32-character GPSK password and reauthenticates, then
    forces each cipher suite via phase1="cipher=N" (1 and 2 must both
    succeed and reconnect), checks that an unknown suite (cipher=9) fails
    negotiation, and finally that a password with its leading characters
    changed is rejected.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    sta = dev[0]
    netid = eap_connect(sta, apdev[0], "GPSK", "gpsk user",
                        password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(sta, "GPSK")

    logger.info("Test forced algorithm selection")
    for suite in ("cipher=1", "cipher=2"):
        sta.set_network_quoted(netid, "phase1", suite)
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        sta.wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    sta.set_network_quoted(netid, "phase1", "cipher=9")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE.

    Authenticates with the 32-byte SAKE root secret given as password_hex,
    reauthenticates, then verifies that a secret with its first byte
    changed (0xff instead of 0x01) is rejected.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    eap_connect(sta, apdev[0], "SAKE", "sake user",
                password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
    eap_reauth(sta, "SAKE")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "SAKE", "sake user",
                password_hex="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE.

    Connects with password "hello" and reauthenticates, then forces four
    (dhgroup, encr, prf, mac) proposals through phase1 - each must lead to
    EAP success and a reconnection - checks that an all-unknown proposal
    (9/9/9/9) fails negotiation, and finally that the wrong password
    "hello1" is rejected.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    netid = eap_connect(sta, apdev[0], "EKE", "eke user", password="hello")
    eap_reauth(sta, "EKE")

    logger.info("Test forced algorithm selection")
    proposals = ("dhgroup=5 encr=1 prf=2 mac=2",
                 "dhgroup=4 encr=1 prf=2 mac=2",
                 "dhgroup=3 encr=1 prf=2 mac=2",
                 "dhgroup=3 encr=1 prf=1 mac=1")
    for proposal in proposals:
        sta.set_network_quoted(netid, "phase1", proposal)
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        sta.wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    sta.set_network_quoted(netid, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "EKE", "eke user", password="hello1",
                expect_failure=True)
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI.

    Same as the basic EKE connection, but the integrated EAP server
    identifies itself with an NAI-form server_id ('example.server@w1.fi')
    instead of the default; the peer must still complete authentication.
    """
    ap_params = int_eap_server_params()
    ap_params['server_id'] = 'example.server@w1.fi'
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with server OOM"""
    # Server-side (hostapd) allocation-failure injection: each (count, func)
    # makes the count-th allocation inside func fail.  The EAP-EKE exchange
    # must then end in an EAP failure on the peer - never a crash or a
    # successful authentication with half-built state.
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)

    for count,func in [ (1, "eap_eke_build_commit"),
                        (2, "eap_eke_build_commit"),
                        (3, "eap_eke_build_commit"),
                        (1, "eap_eke_build_confirm"),
                        (2, "eap_eke_build_confirm"),
                        (1, "eap_eke_process_commit"),
                        (2, "eap_eke_process_commit"),
                        (1, "eap_eke_process_confirm"),
                        (1, "eap_eke_process_identity"),
                        (2, "eap_eke_process_identity"),
                        (3, "eap_eke_process_identity"),
                        (4, "eap_eke_process_identity") ]:
        with alloc_fail(hapd, count, func):
            eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello",
                        expect_failure=True)
            dev[0].request("REMOVE_NETWORK all")

    # These injection points may fail before any EAP result is delivered to
    # the peer, so the connection is started without waiting for a result
    # and torn down as soon as the injected failure has been consumed
    # (GET_ALLOC_FAIL reporting a remaining count of 0).  "wrong" is used
    # only for eap_eke_build_failure, which is presumably reached via a
    # bad password.
    for count,func,pw in [ (1, "eap_eke_init", "hello"),
                           (1, "eap_eke_get_session_id", "hello"),
                           (1, "eap_eke_getKey", "hello"),
                           (1, "eap_eke_build_msg", "hello"),
                           (1, "eap_eke_build_failure", "wrong"),
                           (1, "eap_eke_build_identity", "hello"),
                           (2, "eap_eke_build_identity", "hello") ]:
        with alloc_fail(hapd, count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="EKE", identity="eke user", password=pw,
                           wait_connect=False, scan_freq="2412")
            # This would eventually time out, but we can stop after having
            # reached the allocation failure.
            # NOTE(review): the polling-loop header around this check and
            # its loop-exit statement are absent from this listing.
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
            dev[0].request("REMOVE_NETWORK all")

    # Sweep the generic server state-machine step with increasing failure
    # counts until injection no longer triggers.  Note that `pw` here is
    # whatever the previous loop left behind ("hello", from its last
    # entry) - it is not set explicitly for this loop.
    for count in range(1, 1000):
        # NOTE(review): the "try:" that pairs with the except below is
        # absent from this listing.
        with alloc_fail(hapd, count, "eap_server_sm_step"):
            dev[0].connect("test-wpa2-eap",
                           key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="EKE", identity="eke user", password=pw,
                           wait_connect=False, scan_freq="2412")
            # This would eventually time out, but we can stop after having
            # reached the allocation failure.
            # NOTE(review): polling-loop header and loop-exit statement
            # absent from this listing.
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
            dev[0].request("REMOVE_NETWORK all")
        # NOTE(review): "except Exception, e:" is Python 2-only syntax;
        # "except Exception as e:" is the spelling that also parses on
        # Python 3.  The message compared below is the one alloc_fail
        # raises when the count-th allocation was never reached.
        except Exception, e:
            if str(e) == "Allocation failure did not trigger":
            # NOTE(review): statement(s) between the condition above and
            # this raise are absent from this listing.
            raise Exception("Too few allocation failures")
        logger.info("%d allocation failures tested" % (count - 1))
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2.

    Connects with the shared "ike password", reauthenticates, reconnects
    with peer-side fragmentation forced (fragment_size=50), and finally
    checks that the wrong password "ike-password" is rejected.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]

    eap_connect(sta, apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(sta, "IKEV2")
    sta.request("REMOVE_NETWORK all")

    eap_connect(sta, apdev[0], "IKEV2", "ikev2 user",
                password="ike password", fragment_size="50")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "IKEV2", "ikev2 user",
                password="ike-password", expect_failure=True)
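def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation.

    The integrated EAP server is told to fragment its messages at 50 bytes
    (fragment_size); the peer must reassemble them, authenticate, and
    survive a reauthentication round.  The hostapd.wpa2_eap_params()
    result that used to be built and immediately discarded here is gone;
    the explicit dict is the only configuration that was ever used.
    """
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")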
def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
    # Peer-side fault injection around the Diffie-Hellman helpers used by
    # EAP-IKEv2: first allocation failures (alloc_fail), then a forced
    # os_get_random() failure while called from dh_init (fail_test).  In
    # every case the method must still be selected and the supplicant must
    # survive; the network block is removed once the injected failure has
    # been consumed.  An RNG failure in particular must make DH setup fail
    # rather than proceed with an unseeded exponent.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # NOTE(review): one list entry between these two is absent from this
    # listing.
    tests = [ (1, "dh_init"),
              (1, "dh_derive_shared") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
                           identity="ikev2 user", password="ike password",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # NOTE(review): the "if ev is None:" guard is absent from this
            # listing.
            raise Exception("EAP method not selected")
            # NOTE(review): the polling-loop header around this check and
            # its loop-exit statement are absent from this listing.
            # "0:" in GET_ALLOC_FAIL output means the remaining count hit 0,
            # i.e. the injected failure was reached.
            if "0:" in dev[0].request("GET_ALLOC_FAIL"):
            dev[0].request("REMOVE_NETWORK all")

    # Same shape with fail_test()/GET_FAIL for a non-allocation failure.
    tests = [ (1, "os_get_random;dh_init") ]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
                           identity="ikev2 user", password="ike password",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # NOTE(review): "if ev is None:" guard absent from this listing.
            raise Exception("EAP method not selected")
            # NOTE(review): polling-loop header and loop-exit statement
            # absent from this listing.
            if "0:" in dev[0].request("GET_FAIL"):
            dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX.

    Authenticates with the 16-byte PAX key given as password_hex,
    reauthenticates, then verifies that a key with its first byte changed
    (0xff instead of 0x01) is rejected.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    eap_connect(sta, apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(sta, "PAX")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "PAX", "pax.user@example.com",
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK.

    The AP is configured for the SHA-256 AKM only (WPA-EAP-SHA256) with
    PMF required (ieee80211w=2).  Besides the EAP-PSK exchange and a
    reauthentication round, the test checks that AKM suite 00-0f-ac-5
    (802.1X with SHA-256) was both requested and selected, and that the
    BSS table advertises [WPA2-EAP-SHA256-CCMP].  A key with its first
    byte changed must be rejected.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    ap_params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]

    eap_connect(sta, apdev[0], "PSK", "psk.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(sta, "PSK", sha256=True)
    check_mib(sta, [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
                     ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5") ])

    bss = sta.get_bss(apdev[0]['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    flags = bss['flags']
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "PSK", "psk.user@example.com",
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
def test_ap_wpa2_eap_psk_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK and OOM"""
    # Peer-side allocation-failure injection inside the AES primitives
    # EAP-PSK relies on (AES-CTR / OMAC1 underneath AES-EAX encrypt and
    # decrypt).  The "a;b" form targets a called from b; the "=name" form
    # presumably matches the function itself rather than a callee.  In each
    # case the method must still be selected and the supplicant must
    # survive; the block is torn down once the failure has been consumed.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    tests = [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
              (1, "omac1_aes_128;aes_128_eax_encrypt"),
              (2, "omac1_aes_128;aes_128_eax_encrypt"),
              (3, "omac1_aes_128;aes_128_eax_encrypt"),
              (1, "=aes_128_eax_encrypt"),
              (1, "omac1_aes_vector"),
              (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt"),
              (1, "omac1_aes_128;aes_128_eax_decrypt"),
              (2, "omac1_aes_128;aes_128_eax_decrypt"),
              (3, "omac1_aes_128;aes_128_eax_decrypt"),
              (1, "=aes_128_eax_decrypt") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                           identity="psk.user@example.com",
                           password_hex="0123456789abcdef0123456789abcdef",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # NOTE(review): the "if ev is None:" guard is absent from this
            # listing.
            raise Exception("EAP method not selected")
            # NOTE(review): the polling-loop header around this check and
            # its loop-exit statement are absent from this listing.
            if "0:" in dev[0].request("GET_ALLOC_FAIL"):
            dev[0].request("REMOVE_NETWORK all")

    # A failure in the block cipher itself must surface as an explicit EAP
    # failure, not as a silently degraded exchange.
    with alloc_fail(dev[0], 1, "aes_128_encrypt_block"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                       identity="psk.user@example.com",
                       password_hex="0123456789abcdef0123456789abcdef",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        # NOTE(review): "if ev is None:" guard absent from this listing.
        raise Exception("EAP method failure not reported")
        dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    # WPA (version 1) rather than WPA2: hostapd.wpa_eap_params() on the AP
    # and rsn=False on the checks below.  NOTE(review): this keeps the
    # legacy WPA code path tested; it is not a recommended configuration.
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the final keyword-argument line of this call is absent
    # from this listing.
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem", wait_connect=False,
    eap_check_auth(dev[0], "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP", rsn=False)
    # 00-50-f2-1 is the WPA (OUI 00-50-f2) 802.1X AKM, as opposed to the
    # 00-0f-ac RSN suites checked elsewhere in this file.
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
                        ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
    status = dev[0].get_status(extra="VERBOSE")
    if 'portControl' not in status:
        raise Exception("portControl missing from STATUS-VERBOSE")
    if status['portControl'] != 'Auto':
        raise Exception("Unexpected portControl value: " + status['portControl'])
    # The EAP Session-Id exported for TLS-based methods starts with the
    # method type byte; 0x19 = 25 = EAP-PEAP.
    if 'eap_session_id' not in status:
        raise Exception("eap_session_id missing from STATUS-VERBOSE")
    if not status['eap_session_id'].startswith("19"):
        raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry"""
    # Credentials are deliberately left out of the network block and are
    # supplied on demand through the control interface (CTRL-REQ-* /
    # CTRL-RSP-*).  NOTE(review): this means the password crosses the
    # local control socket in the clear; in a deployment, control-interface
    # access is therefore equivalent to credential access.
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # hapd is not used in the visible part of this test.
    hapd = hostapd.Hostapd(apdev[0]['ifname'])

    # (description, eap, anonymous_identity, identity, phase2,
    #  identity to answer with or None, password to answer with)
    # NOTE(review): the last line of the first tuple is absent from this
    # listing.
    tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
               "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
              ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
               "TTLS", "ttls", None, "auth=MSCHAPV2",
               "DOMAIN\mschapv2 user", "password"),
              ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
               "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
              ("Connection with dynamic TTLS/EAP-MD5 password entry",
               "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
              ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
               "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
              ("Connection with dynamic PEAP/EAP-GTC password entry",
               "PEAP", None, "user", "auth=GTC", None, "password") ]
    for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
        # NOTE(review): a statement at the top of the loop body is absent
        # from this listing.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")
        # Identity prompt: only expected for rows whose identity is None.
        # NOTE(review): the guard that precedes this wait, and the
        # "if ev is None:" checks below, are absent from this listing.
        ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
        raise Exception("Request for identity timed out")
        # The request id is the trailing number of "CTRL-REQ-IDENTITY-<id>:".
        # (`id` shadows the builtin of the same name.)
        id = ev.split(':')[0].split('-')[-1]
        dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
        # Password prompt: GTC arrives as CTRL-REQ-OTP, the others as
        # CTRL-REQ-PASSWORD; answer with the matching CTRL-RSP type.
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
        raise Exception("Request for password timed out")
        id = ev.split(':')[0].split('-')[-1]
        # (`type` shadows the builtin of the same name.)
        type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
        dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
        dev[0].wait_connected(timeout=10)
        dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_vendor_test(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test"""
    # Exercises the built-in VENDOR-TEST method on both peer and server
    # (presumably the expanded-type / vendor-specific EAP method plumbing),
    # including a reauthentication round on dev[0].
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
    eap_reauth(dev[0], "VENDOR-TEST")
    # NOTE(review): the remaining keyword argument(s) of this second call
    # are absent from this listing.
    eap_connect(dev[1], apdev[0], "VENDOR-TEST", "vendor-test",
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning.

    phase1="fast_provisioning=1" enables anonymous (unauthenticated) PAC
    provisioning into the blob://fast_pac store.  After the initial
    connection and a connectivity check, a reauthentication must resume
    the TLS session via the provisioned PAC (tls_session_reused == '1').

    NOTE(review): with anonymous provisioning the server is not
    authenticated while the PAC is handed out, which is the well-known
    weakness of this mode; fast_provisioning=2 (authenticated, see
    test_ap_wpa2_eap_fast_gtc_auth_prov) is the mode to prefer outside
    tests.
    """
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    eap_connect(sta, apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(sta, hapd)
    reauth = eap_reauth(sta, "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
    check_eap_capa(dev[0], "FAST")
    # `params` is the test-runner parameter dict here (used for logdir) and
    # is rebound to the hostapd configuration two lines later.
    pac_file = os.path.join(params['logdir'], "fast.pac")
    pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # NOTE(review): two lines are absent from this listing here; the
    # os.remove() near the end suggests the body below sat inside a
    # try/finally cleanup block.
    # Anonymous provisioning (fast_provisioning=1) into a text-format PAC
    # file, then check the file header and that a PAC-Key was stored.
    # NOTE(review): the PAC-Key is a long-lived secret used to set up the
    # EAP-FAST tunnel; a PAC file must be treated like a credential (0600).
    # Writing it under logdir is fine for this harness only.
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file=pac_file)
    with open(pac_file, "r") as f:
        # NOTE(review): the read into `data` is absent from this listing.
        if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
            raise Exception("PAC file header missing")
        if "PAC-Key=" not in data:
            raise Exception("PAC-Key missing from PAC file")
    dev[0].request("REMOVE_NETWORK all")
    # Reconnect using the stored PAC without provisioning.
    # NOTE(review): the pac_file argument line of this call is absent from
    # this listing.
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",

    # Same sequence on dev[1] with the binary PAC format.
    # NOTE(review): the pac_file argument line is absent from this listing.
    eap_connect(dev[1], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1 fast_pac_format=binary",
    dev[1].request("REMOVE_NETWORK all")
    # NOTE(review): the rest of this call and several following lines are
    # absent from this listing.
    eap_connect(dev[1], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_pac_format=binary",
    # Clean up the on-disk PAC material (contains PAC-Keys).
    os.remove(pac_file2)
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format.

    Anonymous provisioning (fast_provisioning=1) with the PAC store limited
    to a single entry (fast_max_pac_list_len=1) and written in binary
    format (fast_pac_format=binary) to blob://fast_pac_bin.  The
    subsequent reauthentication must resume the TLS session from that
    PAC (tls_session_reused == '1').
    """
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    eap_connect(sta, apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary",
                pac_file="blob://fast_pac_bin")
    reauth = eap_reauth(sta, "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config.

    Two misconfigurations that must each end in CTRL-EVENT-EAP-FAILURE
    rather than a connection:
      1. pac_file pointing at a blob (presumably empty, given its name)
         with no fast_provisioning option, so no PAC can be obtained;
      2. no pac_file at all.
    """
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]

    common = dict(key_mgmt="WPA-EAP", eap="FAST",
                  identity="user", anonymous_identity="FAST",
                  password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                  wait_connect=False, scan_freq="2412")

    sta.connect("test-wpa2-eap", pac_file="blob://fast_pac_not_in_use",
                **common)
    # Default wait_event timeout, as before.
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
    sta.request("REMOVE_NETWORK all")

    sta.connect("test-wpa2-eap", **common)
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """EAP-FAST/GTC with authenticated (server-certificate) PAC provisioning"""
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # fast_provisioning=2 allows only authenticated provisioning, so the PAC is
    # obtained inside a server-authenticated TLS tunnel.
    fast_cfg = dict(anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                    phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
    eap_connect(dev[0], apdev[0], "FAST", "user", **fast_cfg)
    hwsim_utils.test_connectivity(dev[0], hapd)
    # The second authentication must resume via the freshly provisioned PAC.
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing

    After a successful authenticated-provisioning connection the network's
    identity is switched to "user2"; the resulting reconnect must start
    EAP-FAST and then fail (the provisioned PAC/credentials belong to "user").
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    id = eap_connect(dev[0], apdev[0], "FAST", "user",
                     anonymous_identity="FAST", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                     phase1="fast_provisioning=2",
                     pac_file="blob://fast_pac_auth")
    # Editing the live network profile drops the association.
    dev[0].set_network_quoted(id, "identity", "user2")
    dev[0].wait_disconnected()
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    # NOTE(review): orig. line 2376 (guard for ev) omitted from this listing.
    raise Exception("EAP-FAST not started")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    # NOTE(review): orig. line 2379 (guard for ev) omitted from this listing.
    raise Exception("EAP failure not reported")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and OOM in PRF

    An allocation inside the supplicant's openssl_tls_prf is forced to fail
    (alloc_fail's second argument selects which one). The attempt must end in
    CTRL-EVENT-EAP-FAILURE rather than a connection or a crash.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(dev[0], 2, "openssl_tls_prf"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password", ca_cert="auth_serv/ca.pem",
                       # NOTE(review): orig. line 2392 (one more keyword
                       # argument) is omitted from this listing.
                       phase1="fast_provisioning=2",
                       pac_file="blob://fast_pac_auth",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        # NOTE(review): orig. line 2397 (guard for ev) omitted from this listing.
        raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
    """EAP-FAST/MSCHAPv2 and server OOM

    The first allocation in hostapd's tls_session_ticket_ext_cb is forced to
    fail, so the PAC/session-ticket handling on the server side breaks and the
    client must see an EAP failure. Once the fault injection is lifted the
    same network is selected again to confirm the server recovered.
    """
    check_eap_capa(dev[0], "FAST")
    params = int_eap_server_params()
    params['dh_file'] = 'auth_serv/dh.conf'
    # Fixed test-only PAC-Opaque encryption key and A-ID; not for real deployments.
    params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
    params['eap_fast_a_id'] = '1011'
    params['eap_fast_a_id_info'] = 'another test server'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
        id = eap_connect(dev[0], apdev[0], "FAST", "user",
                         anonymous_identity="FAST", password="password",
                         ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                         phase1="fast_provisioning=1",
                         pac_file="blob://fast_pac",
                         expect_failure=True)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        # NOTE(review): orig. line 2420 (guard for ev) omitted from this listing.
        raise Exception("No EAP failure reported")
        dev[0].wait_disconnected()
        dev[0].request("DISCONNECT")
    # Retry after the allocation failure is no longer injected.
    dev[0].select_network(id, freq="2412")
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """EAP-TLS where the supplicant requires a valid stapled OCSP response"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # ocsp=2: the client rejects the server certificate unless a valid OCSP
    # response for it is stapled into the TLS handshake.
    tls_cfg = dict(ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   ocsp=2)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **tls_cfg)
def int_eap_server_params():
    """Build hostapd parameters for an AP with its own integrated EAP server.

    Unlike hostapd.wpa2_eap_params() (which points at an external RADIUS
    server), this enables hostapd's built-in EAP server with the test CA,
    server certificate/key and user file under auth_serv/. Callers typically
    mutate the returned dict before hostapd.add_ap().

    NOTE(review): orig. line 2442 is omitted from this listing; since every
    caller does ``params = int_eap_server_params()`` it is presumably
    ``return params``.
    """
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "ca_cert": "auth_serv/ca.pem",
               "server_cert": "auth_serv/server.pem",
               "private_key": "auth_serv/server.key" }
def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data

    The server staples a file that is not an OCSP response (the file name
    suggests an OCSP request). With ocsp=2 the client must emit a
    'bad certificate status response' status and then fail EAP.
    """
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): orig. lines 2454-2455 omitted; the status events appear to
    # be consumed in a bounded loop (see the "Unexpected number" raise).
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    # NOTE(review): orig. line 2457 (guard for ev) omitted from this listing.
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    # NOTE(review): orig. lines 2460-2462 (loop exit / counter / limit) omitted.
    raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): orig. line 2466 (guard for ev) omitted from this listing.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response

    The stapled response is a corrupted/invalid one; with ocsp=2 the client
    must report 'bad certificate status response' and then fail EAP.
    """
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): orig. lines 2479-2480 omitted (status-event loop setup).
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    # NOTE(review): orig. line 2482 (guard for ev) omitted from this listing.
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    # NOTE(review): orig. lines 2485-2487 (loop exit / counter / limit) omitted.
    raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): orig. line 2491 (guard for ev) omitted from this listing.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer

    The stapled response is signed by a key the client cannot chain to the
    CA; it must be treated exactly like a bad response (status message, then
    EAP failure), not silently accepted.
    """
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): orig. lines 2504-2505 omitted (status-event loop setup).
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    # NOTE(review): orig. line 2507 (guard for ev) omitted from this listing.
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    # NOTE(review): orig. lines 2510-2512 (loop exit / counter / limit) omitted.
    raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): orig. line 2516 (guard for ev) omitted from this listing.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked

    Uses a pre-generated OCSP response (status: revoked) from the log
    directory; skipped if that file is absent. The client must flag the
    revocation in an EAP status event and then fail EAP.

    Note that ``params`` is first the test-framework dict (logdir) and is then
    rebound to the hostapd parameter dict.
    """
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): orig. lines 2532-2533 omitted (status-event loop setup).
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    # NOTE(review): orig. line 2535 (guard for ev) omitted from this listing.
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    # NOTE(review): orig. line 2538 omitted.
    if 'certificate revoked' in ev:
    # NOTE(review): orig. lines 2540-2542 (loop exit / counter / limit) omitted.
    raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): orig. line 2546 (guard for ev) omitted from this listing.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown

    Uses a pre-generated OCSP response with certStatus "unknown"; skipped if
    that file is absent. With ocsp=2 (response required) an unknown status
    is not good enough: the client must report a bad status response and
    fail EAP.
    """
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): orig. lines 2562-2563 omitted (status-event loop setup).
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    # NOTE(review): orig. line 2565 (guard for ev) omitted from this listing.
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    # NOTE(review): orig. lines 2568-2570 (loop exit / counter / limit) omitted.
    raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): orig. line 2574 (guard for ev) omitted from this listing.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """EAP-TTLS with optional OCSP (ocsp=1) and a stapled "unknown" status

    Counterpart of the ocsp=2 test: when OCSP is only optional, an unknown
    certificate status does not block the connection.
    """
    ocsp_path = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp_path):
        raise HwsimSkip("No OCSP response available")
    srv = int_eap_server_params()
    srv["ocsp_stapling_response"] = ocsp_path
    hostapd.add_ap(apdev[0]['ifname'], srv)
    # ocsp=1 asks for a stapled response but tolerates its absence or an
    # inconclusive status; this connect() waits for completion.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")
def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)

    The server certificate has no dNSName SAN (per its file name), so the
    name check falls back to the subject CN. domain_suffix_match is given the
    full host name, which must be accepted by every TLS backend.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="server3.w1.fi",
                   # NOTE(review): orig. line 2601 (closing argument(s) of this
                   # call) is omitted from this listing.
def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain_match (CN)

    Exact-match variant: domain_match requires the full name to equal the
    certificate's CN (no SAN dNSName in this server certificate).
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="server3.w1.fi",
                   # NOTE(review): orig. line 2614 (closing argument(s) of this
                   # call) is omitted from this listing.
def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)

    A real suffix ("w1.fi" against CN server3.w1.fi). check_domain_match_full()
    skips the test on TLS libraries that only support full-name matching.
    """
    check_domain_match_full(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="w1.fi",
                   # NOTE(review): orig. line 2628 (closing argument(s) of this
                   # call) is omitted from this listing.
def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)

    Two rejections are required against CN server3.w1.fi:
    - "example.com": unrelated domain.
    - "erver3.w1.fi": a plain string suffix that is not a suffix on a DNS
      label boundary. Accepting it would let any name ending in those
      characters pass, so the match must be label-wise, not character-wise.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="example.com",
                   # NOTE(review): orig. lines 2641-2642 (rest of this call)
                   # are omitted from this listing.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="erver3.w1.fi",
                   # NOTE(review): orig. lines 2648-2649 (rest of this call)
                   # are omitted from this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): orig. line 2651 (guard for ev) omitted from this listing.
    raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): orig. line 2654 (guard for ev) omitted from this listing.
    raise Exception("Timeout on EAP failure report (2)")
def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)

    domain_match is an exact comparison, so both "example.com" and the
    parent domain "w1.fi" must be rejected against CN server3.w1.fi; only
    domain_suffix_match is allowed to accept a parent domain.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="example.com",
                   # NOTE(review): orig. lines 2668-2669 (rest of this call)
                   # are omitted from this listing.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="w1.fi",
                   # NOTE(review): orig. lines 2675-2676 (rest of this call)
                   # are omitted from this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): orig. line 2678 (guard for ev) omitted from this listing.
    raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): orig. line 2681 (guard for ev) omitted from this listing.
    raise Exception("Timeout on EAP failure report (2)")
def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and expired certificate

    The server presents an expired certificate. The client must raise
    CTRL-EVENT-EAP-TLS-CERT-ERROR with reason=4 / "certificate has expired"
    and then fail EAP; validity-period checks are part of certificate
    validation and must not be skipped by default.
    """
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-expired.pem"
    params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): orig. lines 2694-2695 (rest of this call)
                   # are omitted from this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
    # NOTE(review): orig. line 2697 (guard for ev) omitted from this listing.
    raise Exception("Timeout on EAP certificate error report")
    if "reason=4" not in ev or "certificate has expired" not in ev:
        raise Exception("Unexpected failure reason: " + ev)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): orig. line 2702 (guard for ev) omitted from this listing.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration

    Same expired server certificate as the previous test, but the network
    profile opts in to phase1 tls_disable_time_checks=1, so the connection
    is expected to succeed. This is an explicit per-network override, not
    the default behaviour.
    """
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-expired.pem"
    params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   phase1="tls_disable_time_checks=1",
                   # NOTE(review): orig. line 2716 (closing argument(s) of this
                   # call) is omitted from this listing.
def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and long certificate duration

    The server certificate has an unusually long validity period (per its
    file name); the client is expected to accept it, i.e. validity length on
    its own is not a rejection criterion.
    """
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-long-duration.pem"
    params["private_key"] = "auth_serv/server-long-duration.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): orig. line 2728 (closing argument(s) of this
                   # call) is omitted from this listing.
def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client EKU

    The server certificate's Extended Key Usage allows only client
    authentication (per its file name). A certificate that is not authorised
    for server use must be rejected, so EAP is expected to fail.
    """
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-eku-client.pem"
    params["private_key"] = "auth_serv/server-eku-client.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): orig. lines 2740-2741 (rest of this call)
                   # are omitted from this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): orig. line 2743 (guard for ev) omitted from this listing.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU

    Positive counterpart of the client-only EKU test: a certificate whose EKU
    lists both client and server authentication is acceptable for the
    server role, so no failure is awaited here.
    """
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-eku-client-server.pem"
    params["private_key"] = "auth_serv/server-eku-client-server.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): orig. line 2756 (closing argument(s) of this
                   # call) is omitted from this listing.
def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file

    hostapd loads certificate and key from a single PKCS#12 bundle given as
    private_key; server_cert is therefore removed from the parameters.
    """
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    del params["server_cert"]
    params["private_key"] = "auth_serv/server.pkcs12"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): orig. line 2768 (closing argument(s) of this
                   # call) is omitted from this listing.
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """EAP-TTLS/PAP with client-side DH parameters loaded from dh_file"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # DER-encoded CA here (ca.der) rather than the PEM used elsewhere.
    ttls_pap = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                    dh_file="auth_serv/dh.conf")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_pap)
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """EAP-TTLS/PAP with client-side DH parameters taken from a DSA parameter file"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # dsaparam.pem carries DSA parameters; the TLS library is expected to
    # accept them as DH parameters.
    ttls_pap = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                    dh_file="auth_serv/dsaparam.pem")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_pap)
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TTLS and DH params file not found

    Client-side variant: a non-existent dh_file must make the supplicant
    fail EAP rather than silently continue without the parameters.

    NOTE(review): a second function with this exact name is defined later
    in this file (server-side variant). The later def replaces this one at
    import time, so this test is never collected; rename one of them.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   dh_file="auth_serv/dh-no-such-file.conf",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): orig. line 2799 (guard for ev) omitted from this listing.
    raise Exception("EAP failure timed out")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TTLS and invalid DH params file

    Client-side variant: dh_file points at a CA certificate, which is not a
    DH parameter file; the supplicant must fail EAP.

    NOTE(review): a second function with this exact name is defined later
    in this file (server-side variant) and replaces this one at import time,
    so this test is never collected; rename one of them.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   dh_file="auth_serv/ca.pem",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): orig. line 2815 (guard for ev) omitted from this listing.
    raise Exception("EAP failure timed out")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """EAP-TTLS/PAP with client DH parameters supplied through a named blob"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # read_pem() returns the base64-decoded body; the SET blob control
    # command takes the payload as a hex string.
    dh_der = read_pem("auth_serv/dh2.conf")
    reply = dev[0].request("SET blob dhparams " + dh_der.encode("hex"))
    if "OK" not in reply:
        raise Exception("Could not set dhparams blob")
    ttls_pap = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                    dh_file="blob://dhparams")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_pap)
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """EAP-TTLS/PAP against hostapd's integrated server using a non-default dh_file"""
    srv = int_eap_server_params()
    srv["dh_file"] = "auth_serv/dh2.conf"
    hostapd.add_ap(apdev[0]['ifname'], srv)
    ttls_pap = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_pap)
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """EAP-TTLS/PAP against hostapd's integrated server with DSA-derived DH params"""
    srv = int_eap_server_params()
    srv["dh_file"] = "auth_serv/dsaparam.pem"
    hostapd.add_ap(apdev[0]['ifname'], srv)
    ttls_pap = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_pap)
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """hostapd EAP server must refuse to start when dh_file does not exist

    NOTE(review): this name is already used earlier in the file for the
    client-side variant. Python keeps only the later definition, so the
    earlier test is silently dropped from the module; one of the two should
    be renamed.
    """
    srv = int_eap_server_params()
    srv["dh_file"] = "auth_serv/dh-no-such-file.conf"
    # no_enable=True defers ENABLE so its result can be inspected here instead
    # of failing inside add_ap().
    hapd = hostapd.add_ap(apdev[0]['ifname'], srv, no_enable=True)
    reply = hapd.request("ENABLE")
    if "FAIL" not in reply:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """hostapd EAP server must refuse to start when dh_file is not a DH parameter file

    NOTE(review): this name is already used earlier in the file for the
    client-side variant; the later definition wins and the earlier test is
    silently dropped. One of the two should be renamed.
    """
    srv = int_eap_server_params()
    # A CA certificate is not DH parameters; configuration must be rejected.
    srv["dh_file"] = "auth_serv/ca.pem"
    hapd = hostapd.add_ap(apdev[0]['ifname'], srv, no_enable=True)
    reply = hapd.request("ENABLE")
    if "FAIL" not in reply:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_reauth(dev, apdev):
    """WPA2-Enterprise and Authenticator forcing reauthentication

    eap_reauth_period=2 makes the AP re-run EAP two seconds after the first
    success. The test waits for the new EAP start and success, then polls
    wpa_state until it is back to COMPLETED.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['eap_reauth_period'] = '2'
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    logger.info("Wait for reauthentication")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    # NOTE(review): orig. line 2875 (guard for ev) omitted from this listing.
    raise Exception("Timeout on reauthentication")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): orig. line 2878 (guard for ev) omitted from this listing.
    raise Exception("Timeout on reauthentication")
    # Bounded poll (20 iterations) for the 4-way handshake to finish.
    for i in range(0, 20):
        state = dev[0].get_status_field("wpa_state")
        if state == "COMPLETED":
        # NOTE(review): orig. lines 2883-2884 (loop exit and delay) omitted.
    if state != "COMPLETED":
        raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # hostapd's eap_message: the literal two-character sequence "\0" (hence the
    # doubled backslash in the Python literal) separates the displayable text
    # from the option string that follows it.
    ap_params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Any successful EAP method suffices; PAX with a fixed hex key is used.
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """EAP-SIM, EAP-AKA and EAP-AKA' with protected result indication enabled"""
    check_hlr_auc_gw_support()
    srv = int_eap_server_params()
    srv['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    srv['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], srv)

    # (method, IMSI-style identity, test-vector secret) for the simulated
    # HLR/AuC. For each method: dev[0] requests result indication and
    # reauthenticates, dev[1] connects without it.
    cases = [
        ("SIM", "1232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("AKA", "0232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    for idx, (method, imsi, secret) in enumerate(cases):
        if idx:
            # Clear the previous method's networks before the next one.
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], method, imsi,
                    password=secret, phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], apdev[0], method, imsi, password=secret)
def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
    """WPA2-Enterprise connection resulting in too many EAP roundtrips

    The supplicant must give up once its EAP round-trip limit is hit (the
    "EAP: more than" event) instead of exchanging messages indefinitely.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="TTLS", identity="mschap user",
                   wait_connect=False, scan_freq="2412", ieee80211w="1",
                   anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): orig. line 2941 (the argument that provokes
                   # the excess round trips, and the closing paren) is omitted
                   # from this listing.
    ev = dev[0].wait_event(["EAP: more than"], timeout=20)
    # NOTE(review): orig. line 2943 (guard for ev) omitted from this listing.
    raise Exception("EAP roundtrip limit not reached")
def test_ap_wpa2_eap_expanded_nak(dev, apdev):
    """WPA2-Enterprise connection with EAP resulting in expanded NAK

    The supplicant is configured for EAP-PSK while the server proposes a
    different (vendor) method for identity "vendor-test". The client must
    answer with a NAK ("refuse proposed method" status) and eventually the
    exchange ends in EAP failure.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="PSK", identity="vendor-test",
                   password_hex="ff23456789abcdef0123456789abcdef",
                   # NOTE(review): orig. lines 2953-2955 (rest of this call)
                   # are omitted from this listing.
    # Up to five status events are examined for the NAK.
    for i in range(0, 5):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
        # NOTE(review): orig. line 2958 (guard for ev) omitted from this listing.
        raise Exception("Association and EAP start timed out")
        if "refuse proposed method" in ev:
        # NOTE(review): orig. lines 2961-2963 omitted (loop exit / alternative branch).
        raise Exception("Unexpected EAP status: " + ev)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): orig. line 2967 (guard for ev) omitted from this listing.
    raise Exception("EAP failure timed out")
def test_ap_wpa2_eap_sql(dev, apdev, params):
    """WPA2-Enterprise connection using SQLite for user DB

    Builds a small SQLite user database in the log directory and points
    hostapd's integrated EAP server at it via "sqlite:<path>", then
    authenticates four TTLS inner methods against it. All SQL here is
    fixed literal text with no external input.

    Note that ``params`` is first the framework dict (logdir) and is later
    rebound to the hostapd parameter dict.
    """
    skip_with_fips(dev[0])
    # NOTE(review): orig. lines 2973-2975 (sqlite3 import attempt) omitted.
    raise HwsimSkip("No sqlite3 module available")
    dbfile = os.path.join(params['logdir'], "eap-user.db")
    # NOTE(review): orig. lines 2978-2981 (removal of a stale db file) omitted.
    con = sqlite3.connect(dbfile)
    # NOTE(review): orig. lines 2983-2984 (connection context / cursor) omitted.
    cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
    cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
    # Empty identity in wildcards = outer (phase 1) default for any identity.
    cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
    cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")

    params = int_eap_server_params()
    params["eap_user_file"] = "sqlite:" + dbfile
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
    dev[1].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
    eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # NOTE(review): orig. lines 3012-3014 omitted from this listing.
def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Identities containing a raw 0x80 byte are sent to hostapd's integrated
    EAP server. Only robustness is checked: EAP must start and a method must
    be selected for both stations; no successful connection is expected or
    awaited.
    """
    params = int_eap_server_params()
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="\x80", password="password", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="a\x80", password="password", wait_connect=False)
    for i in range(0, 2):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        # NOTE(review): orig. line 3025 (guard for ev) omitted from this listing.
        raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        # NOTE(review): orig. line 3028 (guard for ev) omitted from this listing.
        raise Exception("EAP method selection timed out")
def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Same as test_ap_wpa2_eap_non_ascii_identity but against the external
    RADIUS-backed AP configuration (hostapd.wpa2_eap_params) rather than the
    integrated EAP server.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="\x80", password="password", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="a\x80", password="password", wait_connect=False)
    for i in range(0, 2):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        # NOTE(review): orig. line 3041 (guard for ev) omitted from this listing.
        raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        # NOTE(review): orig. line 3044 (guard for ev) omitted from this listing.
        raise Exception("EAP method selection timed out")
def test_openssl_cipher_suite_config_wpas(dev, apdev):
    """OpenSSL cipher suite configuration on wpa_supplicant

    Three per-network openssl_ciphers values against the default server:
    - "AES128": a restricted but usable list; must connect.
    - "EXPORT": export-grade suites; the handshake is expected to fail
      (maybe_local_error tolerates the failure surfacing locally).
    - "FOO": not a valid cipher string; EAP must fail.
    Skipped unless the supplicant is built with OpenSSL.
    """
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls)
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)  # hapd is not used below
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="AES128",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="EXPORT",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                expect_failure=True, maybe_local_error=True)
    dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password",
                   openssl_ciphers="FOO",
                   ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                   # NOTE(review): orig. line 3068 (closing argument(s) of this
                   # call) is omitted from this listing.
    ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    # NOTE(review): orig. line 3070 (guard for ev) omitted from this listing.
    raise Exception("EAP failure after invalid openssl_ciphers not reported")
    dev[2].request("DISCONNECT")
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd

    The integrated server is limited to AES256 suites; clients with a
    default list or a superset ("HIGH:!ADH") must connect, a client limited
    to AES128 has no suite in common and must fail, and an unparseable
    server value ("FOO") must be rejected when the AP is enabled.
    """
    sta_tls = dev[0].request("GET tls_library")
    if not sta_tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + sta_tls)
    srv = int_eap_server_params()
    srv['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], srv)
    ap_tls = hapd.request("GET tls_library")
    if not ap_tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + ap_tls)

    ttls_pap = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Default client cipher list overlaps with the server's AES256 list.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_pap)
    # AES128-only client vs AES256-only server: no common suite.
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", expect_failure=True, **ttls_pap)
    # Broad list that still contains AES256 suites.
    eap_connect(dev[2], apdev[0], "TTLS", "pap user",
                openssl_ciphers="HIGH:!ADH", **ttls_pap)

    # Invalid cipher string on a second AP must fail at ENABLE time.
    srv['openssl_ciphers'] = "FOO"
    hapd2 = hostapd.add_ap(apdev[1]['ifname'], srv, no_enable=True)
    reply = hapd2.request("ENABLE")
    if "FAIL" not in reply:
        raise Exception("Invalid openssl_ciphers value accepted")
3103 def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
3104 """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP.

Connects with EAP-TTLS/PAP, recovers the derived key material (MSK, EMSK,
PMK, PTK, GTK) from the wpa_supplicant debug log, and then scans the
wpa_supplicant process memory at four points -- associated, disconnected,
after PMKSA/fast-reauth flush, after network removal -- to check that each
secret disappears once nothing legitimately needs it any more.

NOTE(review): this listing has gaps (gutter numbers 3112, 3114, 3117-3123,
3143, 3145-3149, 3152, 3160, 3162, 3164, 3166, 3168, 3170, 3173, 3176,
3185, 3195, 3197, 3200 are absent). In particular kck, kek and tk are used
below but never assigned in the visible lines, the variables tested on
line 3141 are never initialised in the visible lines, and several raise
statements have lost their guarding condition. Compare against upstream
before relying on the control flow shown here.
"""
3105 p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3106 hapd = hostapd.add_ap(apdev[0]['ifname'], p)
# A 64-hex-character password so that it is a distinctive pattern when
# searching process memory.
3107 password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
3108 pid = find_wpas_process(dev[0])
3109 id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
3110 anonymous_identity="ttls", password=password,
3111 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
# Snapshot of process memory while associated; what read_process_memory
# does with the password argument is not visible here -- see test_ap_psk.
3113 buf = read_process_memory(pid, password)
3115 dev[0].request("DISCONNECT")
3116 dev[0].wait_disconnected()
# Recover the derived keys from the hexdump lines in the debug log. Each
# match takes the fourth ':'-separated field of the line and strips the
# spaces between hex bytes before decoding.
3124 with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
3125 for l in f.readlines():
3126 if "EAP-TTLS: Derived key - hexdump" in l:
3127 val = l.strip().split(':')[3].replace(' ', '')
3128 msk = binascii.unhexlify(val)
3129 if "EAP-TTLS: Derived EMSK - hexdump" in l:
3130 val = l.strip().split(':')[3].replace(' ', '')
3131 emsk = binascii.unhexlify(val)
3132 if "WPA: PMK - hexdump" in l:
3133 val = l.strip().split(':')[3].replace(' ', '')
3134 pmk = binascii.unhexlify(val)
3135 if "WPA: PTK - hexdump" in l:
3136 val = l.strip().split(':')[3].replace(' ', '')
3137 ptk = binascii.unhexlify(val)
3138 if "WPA: Group Key - hexdump" in l:
3139 val = l.strip().split(':')[3].replace(' ', '')
3140 gtk = binascii.unhexlify(val)
# Presumably these are initialised to None in the omitted lines 3117-3123;
# without that, a missing key raises NameError instead of this Exception.
3141 if not msk or not emsk or not pmk or not ptk or not gtk:
3142 raise Exception("Could not find keys from debug log")
3144 raise Exception("Unexpected GTK length")
# Prefix for the memory-context dump files written by verify_not_present()
# when a key is unexpectedly still in memory.
3150 fname = os.path.join(params['logdir'],
3151 'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
3153 logger.info("Checking keys in memory while associated")
3154 get_key_locations(buf, password, "Password")
3155 get_key_locations(buf, pmk, "PMK")
3156 get_key_locations(buf, msk, "MSK")
3157 get_key_locations(buf, emsk, "EMSK")
# While associated the password, PMK, KCK and KEK are legitimately held;
# the memory scan not finding them is a test limitation, hence HwsimSkip
# for the first two. TK and GTK, by contrast, must never be visible in
# wpa_supplicant memory (they live in the driver/kernel).
3158 if password not in buf:
3159 raise HwsimSkip("Password not found while associated")
3161 raise HwsimSkip("PMK not found while associated")
3163 raise Exception("KCK not found while associated")
3165 raise Exception("KEK not found while associated")
3167 raise Exception("TK found from memory")
3169 raise Exception("GTK found from memory")
3171 logger.info("Checking keys in memory after disassociation")
3172 buf = read_process_memory(pid, password)
3174 # Note: Password is still present in network configuration
3175 # Note: PMK is in PMKSA cache and EAP fast re-auth data
3177 get_key_locations(buf, password, "Password")
3178 get_key_locations(buf, pmk, "PMK")
3179 get_key_locations(buf, msk, "MSK")
3180 get_key_locations(buf, emsk, "EMSK")
# Per-association keys must be cleared as soon as the association ends.
3181 verify_not_present(buf, kck, fname, "KCK")
3182 verify_not_present(buf, kek, fname, "KEK")
3183 verify_not_present(buf, tk, fname, "TK")
3184 verify_not_present(buf, gtk, fname, "GTK")
# Flush the PMKSA cache and invalidate the EAP fast re-auth state (changing
# the identity), after which the PMK has no remaining legitimate holder.
3186 dev[0].request("PMKSA_FLUSH")
3187 dev[0].set_network_quoted(id, "identity", "foo")
3188 logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
3189 buf = read_process_memory(pid, password)
3190 get_key_locations(buf, password, "Password")
3191 get_key_locations(buf, pmk, "PMK")
3192 get_key_locations(buf, msk, "MSK")
3193 get_key_locations(buf, emsk, "EMSK")
3194 verify_not_present(buf, pmk, fname, "PMK")
3196 dev[0].request("REMOVE_NETWORK all")
# With the profile gone, nothing may retain the password or any derived key.
3198 logger.info("Checking keys in memory after network profile removal")
3199 buf = read_process_memory(pid, password)
3201 get_key_locations(buf, password, "Password")
3202 get_key_locations(buf, pmk, "PMK")
3203 get_key_locations(buf, msk, "MSK")
3204 get_key_locations(buf, emsk, "EMSK")
3205 verify_not_present(buf, password, fname, "password")
3206 verify_not_present(buf, pmk, fname, "PMK")
3207 verify_not_present(buf, kck, fname, "KCK")
3208 verify_not_present(buf, kek, fname, "KEK")
3209 verify_not_present(buf, tk, fname, "TK")
3210 verify_not_present(buf, gtk, fname, "GTK")
3211 verify_not_present(buf, msk, fname, "MSK")
3212 verify_not_present(buf, emsk, fname, "EMSK")
3214 def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
3215 """WPA2-Enterprise connection and unexpected WEP EAPOL-Key.

After a normal EAP-TTLS/PAP connection, a legacy (RC4/WEP-style) EAPOL-Key
frame is injected into wpa_supplicant through the EAPOL_RX control
interface command. The frame must be dropped by the supplicant; the test
only checks that the injection command itself was accepted.

NOTE(review): gutter numbers 3222 and 3225 are absent from this listing,
so the condition guarding the raise below is not visible here.
"""
3216 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3217 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3218 bssid = apdev[0]['bssid']
3219 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3220 anonymous_identity="ttls", password="password",
3221 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3223 # Send unexpected WEP EAPOL-Key; this gets dropped
# The hex payload appears to be an EAPOL header (version 2, type 3 =
# EAPOL-Key, length 0x2c) followed by descriptor type 1 and zero-filled
# key fields -- i.e. a legacy RC4 key descriptor that an RSN association
# must ignore. Presumed from the byte layout; not asserted by the test.
3224 res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
3226 raise Exception("EAPOL_RX to wpa_supplicant failed")
3228 def test_ap_wpa2_eap_in_bridge(dev, apdev):
3229 """WPA2-EAP and wpas interface in a bridge.

Wrapper around _test_ap_wpa2_eap_in_bridge() that tears the bridge and the
4addr setting down again afterwards.

NOTE(review): gutter numbers 3230-3232 and 3234 are absent from this
listing. br_ifname and ifname are used below but never assigned in the
visible lines, and the cleanup block below looks like the body of a
try/finally whose keywords are among the missing lines -- confirm against
upstream.
"""
3233 _test_ap_wpa2_eap_in_bridge(dev, apdev)
# Cleanup is best-effort: subprocess.call() return codes are deliberately
# ignored so that a failure in one step does not mask the test result.
3235 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
3236 subprocess.call(['brctl', 'delif', br_ifname, ifname])
3237 subprocess.call(['brctl', 'delbr', br_ifname])
3238 subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
3240 def _test_ap_wpa2_eap_in_bridge(dev, apdev):
# Body of test_ap_wpa2_eap_in_bridge(): put a station interface into a
# Linux bridge (with 4addr enabled), add it to a separate wpa_supplicant
# instance with br_ifname set, and run EAP-PAX connect / re-auth /
# disconnect / reconnect through the bridged interface.
#
# NOTE(review): gutter numbers 3243-3245 are absent from this listing;
# br_ifname and ifname are used below but never assigned in the visible
# lines -- compare against upstream.
3241 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3242 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3246 wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
# Bridge setup. Only the addif step uses check_call(): if the interface
# cannot be enslaved the rest of the test is meaningless, whereas the
# earlier steps may legitimately report "already exists"-style errors.
3247 subprocess.call(['brctl', 'addbr', br_ifname])
3248 subprocess.call(['brctl', 'setfd', br_ifname, '0'])
3249 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
3250 subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
3251 subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
3252 wpas.interface_add(ifname, br_ifname=br_ifname)
# EAP-PAX with a fixed 128-bit hex key; EAPOL frames now traverse the bridge.
3254 id = eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
3255 password_hex="0123456789abcdef0123456789abcdef")
3256 eap_reauth(wpas, "PAX")
3257 # Try again as a regression test for packet socket workaround
3258 eap_reauth(wpas, "PAX")
3259 wpas.request("DISCONNECT")
3260 wpas.wait_disconnected()
3261 wpas.request("RECONNECT")
3262 wpas.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled.

    Brings up a WPA2-EAP AP, verifies that GET_CONFIG reports WPA-EAP as the
    first key_mgmt entry, connects with EAP-TTLS/PAP while explicitly leaving
    TLS session tickets enabled (tls_disable_session_ticket=0) and then
    forces an EAP re-authentication.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    # Sanity check on the AP: the first key_mgmt token must be WPA-EAP,
    # otherwise the rest of the test would not be exercising enterprise auth.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm, _sep, _rest = key_mgmt.partition(' ')
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)

    ttls_pap = {
        "anonymous_identity": "ttls",
        "password": "password",
        "ca_cert": "auth_serv/ca.pem",
        "phase1": "tls_disable_session_ticket=0",
        "phase2": "auth=PAP",
    }
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_pap)
    # The re-authentication presumably exercises ticket-based resumption;
    # the test itself only checks that it succeeds.
    eap_reauth(dev[0], "TTLS")
3277 def test_ap_wpa2_eap_no_workaround(dev, apdev):
3278 """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0.

Same flow as the session-ticket test, but with the EAP interoperability
workarounds disabled on the supplicant (eap_workaround='0'); the
connection and a subsequent re-authentication must still succeed.

NOTE(review): gutter number 3287 is absent from this listing, so the end of
the eap_connect() call below is not visible here.
"""
3279 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3280 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Sanity check: first key_mgmt token reported by the AP must be WPA-EAP.
3281 key_mgmt = hapd.get_config()['key_mgmt']
3282 if key_mgmt.split(' ')[0] != "WPA-EAP":
3283 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
3284 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3285 anonymous_identity="ttls", password="password",
3286 ca_cert="auth_serv/ca.pem", eap_workaround='0',
3288 eap_reauth(dev[0], "TTLS")
3290 def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
3291 """EAP-TLS and server checking CRL.

Exercises the server-side check_crl setting of the internal EAP server:
with check_crl=1 and no CRL loaded the client certificate must be
rejected; once a CA bundle containing a CRL is configured the same client
must be accepted for both check_crl=1 and check_crl=2.

NOTE(review): gutter numbers 3301-3302, 3304-3305, 3311-3312, 3314-3315
and 3321 are absent from this listing, so whatever happens around the two
hapd.set() calls (presumably the steps needed for the new configuration
to take effect) is not visible here -- compare against upstream.
"""
3292 params = int_eap_server_params()
3293 params['check_crl'] = '1'
3294 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3296 # check_crl=1 and no CRL available --> reject connection
# Failing closed is the desired behaviour: a server that cannot consult a
# CRL must not silently accept a possibly revoked client certificate.
3297 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3298 client_cert="auth_serv/user.pem",
3299 private_key="auth_serv/user.key", expect_failure=True)
3300 dev[0].request("REMOVE_NETWORK all")
# Switch the server to a CA file that also carries a CRL.
3303 hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")
3306 # check_crl=1 and valid CRL --> accept
3307 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3308 client_cert="auth_serv/user.pem",
3309 private_key="auth_serv/user.key")
3310 dev[0].request("REMOVE_NETWORK all")
3313 hapd.set("check_crl", "2")
3316 # check_crl=2 and valid CRL --> accept
3317 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3318 client_cert="auth_serv/user.pem",
3319 private_key="auth_serv/user.key")
3320 dev[0].request("REMOVE_NETWORK all")
3322 def test_ap_wpa2_eap_tls_oom(dev, apdev):
3323 """EAP-TLS and OOM.

Injects allocation failures into tls_connection_set_subject_match() (the
1st through 4th allocation in turn) while an EAP-TLS profile with
subject_match, altsubject_match, domain_suffix_match and domain_match is
being set up. A failure to apply those TLS parameters must surface as a
CTRL-REQ-PASSPHRASE request rather than a connection that skips the
certificate checks.

NOTE(review): gutter numbers 3327, 3330, 3348 and 3352 are absent from this
listing; the condition guarding the "No passphrase request" raise is among
them.
"""
# All four matching options are only available with OpenSSL builds.
3324 check_subject_match_support(dev[0])
3325 check_altsubject_match_support(dev[0])
3326 check_domain_match_full(dev[0])
3328 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3329 hostapd.add_ap(apdev[0]['ifname'], params)
3331 tests = [ (1, "tls_connection_set_subject_match"),
3332 (2, "tls_connection_set_subject_match"),
3333 (3, "tls_connection_set_subject_match"),
3334 (4, "tls_connection_set_subject_match") ]
3335 for count, func in tests:
3336 with alloc_fail(dev[0], count, func):
3337 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3338 identity="tls user", ca_cert="auth_serv/ca.pem",
3339 client_cert="auth_serv/user.pem",
3340 private_key="auth_serv/user.key",
3341 subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
3342 altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
3343 domain_suffix_match="server.w1.fi",
3344 domain_match="server.w1.fi",
3345 wait_connect=False, scan_freq="2412")
3346 # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
3347 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
3349 raise Exception("No passphrase request")
# Reset state between iterations so the next alloc_fail() sees a fresh
# connection attempt.
3350 dev[0].request("REMOVE_NETWORK all")
3351 dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL.

    Starts a WPA2-EAP AP with macaddr_acl=2 and checks that an EAP-TLS
    client (dev[1]) still completes the connection.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params.update(macaddr_acl="2")
    hostapd.add_ap(apdev[0]['ifname'], params)

    tls_creds = {
        "ca_cert": "auth_serv/ca.pem",
        "client_cert": "auth_serv/user.pem",
        "private_key": "auth_serv/user.key",
    }
    eap_connect(dev[1], apdev[0], "TLS", "tls user", **tls_creds)
3362 def test_ap_wpa2_eap_oom(dev, apdev):
3363 """EAP server and OOM.

Makes the first eapol_auth_alloc() call in hostapd fail while a station
starts an EAP-TLS connection; the station's EAPOL-Start retry is expected
to let the connection complete once the injected failure has been used up.

NOTE(review): gutter numbers 3367, 3370 and 3375-3376 are absent from this
listing, so the second half of the comment and the end of the connect()
call below are not visible here.
"""
3364 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3365 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3366 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
3368 with alloc_fail(hapd, 1, "eapol_auth_alloc"):
3369 # The first attempt fails, but STA will send EAPOL-Start to retry and
3371 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3372 identity="tls user", ca_cert="auth_serv/ca.pem",
3373 client_cert="auth_serv/user.pem",
3374 private_key="auth_serv/user.key",
3377 def check_tls_ver(dev, ap, phase1, expected):
# Connect with EAP-TLS using the given phase1 string (the tls_disable_*
# flags selecting which protocol versions the client allows) and verify
# that the eap_tls_version status field reports the version in `expected`.
#
# NOTE(review): gutter numbers 3381 and 3383 are absent from this listing;
# phase1 is never passed to eap_connect() in the visible lines and the
# condition guarding the raise below is missing -- compare against upstream.
3378 eap_connect(dev, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3379 client_cert="auth_serv/user.pem",
3380 private_key="auth_serv/user.key",
3382 ver = dev.get_status_field("eap_tls_version")
3384 raise Exception("Unexpected TLS version (expected %s): %s" % (expected, ver))
3386 def test_ap_wpa2_eap_tls_versions(dev, apdev):
3387 """EAP-TLS and TLS version configuration"""
3388 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3389 hostapd.add_ap(apdev[0]['ifname'], params)
3391 tls = dev[0].request("GET tls_library")
3392 if tls.startswith("OpenSSL"):
3393 if "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
3394 check_tls_ver(dev[0], apdev[0],
3395 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
3397 check_tls_ver(dev[1], apdev[0],
3398 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
3399 check_tls_ver(dev[2], apdev[0],
3400 "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")