Home Explore Help
Register Sign In
wareck
/
krackattacks
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: d8e02214ea
Branches Tags
krackattacks
/
tests
/
hwsim
/
test_ap_eap.py

test_ap_eap.py 95 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002 
  1. # -*- coding: utf-8 -*-
    2. 

  2. # WPA2-Enterprise tests
    3. 

  3. # Copyright (c) 2013-2014, Jouni Malinen <j@w1.fi>
    4. 

  4. #
    5. 

  5. # This software may be distributed under the terms of the BSD license.
    6. 

  6. # See README for more details.
    7. 

  7. 

  8. import base64
    9. 

  9. import time
    10. 

  10. import subprocess
    11. 

  11. import logging
    12. 

  12. logger = logging.getLogger()
    13. 

  13. import os
    14. 

  14. 

  15. import hwsim_utils
    16. 

  16. import hostapd
    17. 

  17. from test_ap_psk import check_mib
    18. 

  18. 

  19. def read_pem(fname):
    20. 

  20.     with open(fname, "r") as f:
    21. 

  21.         lines = f.readlines()
    22. 

  22.         copy = False
    23. 

  23.         cert = ""
    24. 

  24.         for l in lines:
    25. 

  25.             if "-----END" in l:
    26. 

  26.                 break
    27. 

  27.             if copy:
    28. 

  28.                 cert = cert + l
    29. 

  29.             if "-----BEGIN" in l:
    30. 

  30.                 copy = True
    31. 

  31.     return base64.b64decode(cert)
    32. 

  32. 

  33. def eap_connect(dev, ap, method, identity,
    34. 

  34.                 sha256=False, expect_failure=False, local_error_report=False,
    35. 

  35.                 **kwargs):
    36. 

  36.     hapd = hostapd.Hostapd(ap['ifname'])
    37. 

  37.     id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
    38. 

  38.                      eap=method, identity=identity,
    39. 

  39.                      wait_connect=False, scan_freq="2412", ieee80211w="1",
    40. 

  40.                      **kwargs)
    41. 

  41.     eap_check_auth(dev, method, True, sha256=sha256,
    42. 

  42.                    expect_failure=expect_failure,
    43. 

  43.                    local_error_report=local_error_report)
    44. 

  44.     if expect_failure:
    45. 

  45.         return id
    46. 

  46.     ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
    47. 

  47.     if ev is None:
    48. 

  48.         raise Exception("No connection event received from hostapd")
    49. 

  49.     return id
    50. 

  50. 

  51. def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
    52. 

  52.                    expect_failure=False, local_error_report=False):
    53. 

  53.     ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    54. 

  54.     if ev is None:
    55. 

  55.         raise Exception("Association and EAP start timed out")
    56. 

  56.     ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    57. 

  57.     if ev is None:
    58. 

  58.         raise Exception("EAP method selection timed out")
    59. 

  59.     if method not in ev:
    60. 

  60.         raise Exception("Unexpected EAP method")
    61. 

  61.     if expect_failure:
    62. 

  62.         ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
    63. 

  63.         if ev is None:
    64. 

  64.             raise Exception("EAP failure timed out")
    65. 

  65.         ev = dev.wait_event(["CTRL-EVENT-DISCONNECTED"])
    66. 

  66.         if ev is None:
    67. 

  67.             raise Exception("Disconnection timed out")
    68. 

  68.         if not local_error_report:
    69. 

  69.             if "reason=23" not in ev:
    70. 

  70.                 raise Exception("Proper reason code for disconnection not reported")
    71. 

  71.         return
    72. 

  72.     ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    73. 

  73.     if ev is None:
    74. 

  74.         raise Exception("EAP success timed out")
    75. 

  75. 

  76.     if initial:
    77. 

  77.         ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
    78. 

  78.     else:
    79. 

  79.         ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
    80. 

  80.     if ev is None:
    81. 

  81.         raise Exception("Association with the AP timed out")
    82. 

  82.     status = dev.get_status()
    83. 

  83.     if status["wpa_state"] != "COMPLETED":
    84. 

  84.         raise Exception("Connection not completed")
    85. 

  85. 

  86.     if status["suppPortStatus"] != "Authorized":
    87. 

  87.         raise Exception("Port not authorized")
    88. 

  88.     if method not in status["selectedMethod"]:
    89. 

  89.         raise Exception("Incorrect EAP method status")
    90. 

  90.     if sha256:
    91. 

  91.         e = "WPA2-EAP-SHA256"
    92. 

  92.     elif rsn:
    93. 

  93.         e = "WPA2/IEEE 802.1X/EAP"
    94. 

  94.     else:
    95. 

  95.         e = "WPA/IEEE 802.1X/EAP"
    96. 

  96.     if status["key_mgmt"] != e:
    97. 

  97.         raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
    98. 

  98. 

  99. def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    100. 

  100.     dev.request("REAUTHENTICATE")
    101. 

  101.     eap_check_auth(dev, method, False, rsn=rsn, sha256=sha256,
    102. 

  102.                    expect_failure=expect_failure)
    103. 

  103. 

  104. def test_ap_wpa2_eap_sim(dev, apdev):
    105. 

  105.     """WPA2-Enterprise connection using EAP-SIM"""
    106. 

  106.     if not os.path.exists("/tmp/hlr_auc_gw.sock"):
    107. 

  107.         logger.info("No hlr_auc_gw available");
    108. 

  108.         return "skip"
    109. 

  109.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    110. 

  110.     hostapd.add_ap(apdev[0]['ifname'], params)
    111. 

  111.     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
    112. 

  112.                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    113. 

  113.     hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
    114. 

  114.     eap_reauth(dev[0], "SIM")
    115. 

  115. 

  116.     eap_connect(dev[1], apdev[0], "SIM", "1232010000000001",
    117. 

  117.                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    118. 

  118.     eap_connect(dev[2], apdev[0], "SIM", "1232010000000002",
    119. 

  119.                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
    120. 

  120.                 expect_failure=True)
    121. 

  121. 

  122.     logger.info("Negative test with incorrect key")
    123. 

  123.     dev[0].request("REMOVE_NETWORK all")
    124. 

  124.     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
    125. 

  125.                 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
    126. 

  126.                 expect_failure=True)
    127. 

  127. 

  128.     logger.info("Invalid GSM-Milenage key")
    129. 

  129.     dev[0].request("REMOVE_NETWORK all")
    130. 

  130.     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
    131. 

  131.                 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
    132. 

  132.                 expect_failure=True)
    133. 

  133. 

  134.     logger.info("Invalid GSM-Milenage key(2)")
    135. 

  135.     dev[0].request("REMOVE_NETWORK all")
    136. 

  136.     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
    137. 

  137.                 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
    138. 

  138.                 expect_failure=True)
    139. 

  139. 

  140.     logger.info("Invalid GSM-Milenage key(3)")
    141. 

  141.     dev[0].request("REMOVE_NETWORK all")
    142. 

  142.     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
    143. 

  143.                 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
    144. 

  144.                 expect_failure=True)
    145. 

  145. 

  146.     logger.info("Invalid GSM-Milenage key(4)")
    147. 

  147.     dev[0].request("REMOVE_NETWORK all")
    148. 

  148.     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
    149. 

  149.                 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
    150. 

  150.                 expect_failure=True)
    151. 

  151. 

  152.     logger.info("Missing key configuration")
    153. 

  153.     dev[0].request("REMOVE_NETWORK all")
    154. 

  154.     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
    155. 

  155.                 expect_failure=True)
    156. 

  156. 

  157. def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
    158. 

  158.     """WPA2-Enterprise connection using EAP-SIM (SQL)"""
    159. 

  159.     if not os.path.exists("/tmp/hlr_auc_gw.sock"):
    160. 

  160.         logger.info("No hlr_auc_gw available");
    161. 

  161.         return "skip"
    162. 

  162.     try:
    163. 

  163.         import sqlite3
    164. 

  164.     except ImportError:
    165. 

  165.         return "skip"
    166. 

  166.     con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    167. 

  167.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    168. 

  168.     params['auth_server_port'] = "1814"
    169. 

  169.     hostapd.add_ap(apdev[0]['ifname'], params)
    170. 

  170.     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
    171. 

  171.                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    172. 

  172. 

  173.     logger.info("SIM fast re-authentication")
    174. 

  174.     eap_reauth(dev[0], "SIM")
    175. 

  175. 

  176.     logger.info("SIM full auth with pseudonym")
    177. 

  177.     with con:
    178. 

  178.         cur = con.cursor()
    179. 

  179.         cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
    180. 

  180.     eap_reauth(dev[0], "SIM")
    181. 

  181. 

  182.     logger.info("SIM full auth with permanent identity")
    183. 

  183.     with con:
    184. 

  184.         cur = con.cursor()
    185. 

  185.         cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
    186. 

  186.         cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
    187. 

  187.     eap_reauth(dev[0], "SIM")
    188. 

  188. 

  189.     logger.info("SIM reauth with mismatching MK")
    190. 

  190.     with con:
    191. 

  191.         cur = con.cursor()
    192. 

  192.         cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
    193. 

  193.     eap_reauth(dev[0], "SIM", expect_failure=True)
    194. 

  194.     dev[0].request("REMOVE_NETWORK all")
    195. 

  195. 

  196.     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
    197. 

  197.                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    198. 

  198.     with con:
    199. 

  199.         cur = con.cursor()
    200. 

  200.         cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
    201. 

  201.     eap_reauth(dev[0], "SIM")
    202. 

  202.     with con:
    203. 

  203.         cur = con.cursor()
    204. 

  204.         cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
    205. 

  205.     logger.info("SIM reauth with mismatching counter")
    206. 

  206.     eap_reauth(dev[0], "SIM")
    207. 

  207.     dev[0].request("REMOVE_NETWORK all")
    208. 

  208. 

  209.     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
    210. 

  210.                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    211. 

  211.     with con:
    212. 

  212.         cur = con.cursor()
    213. 

  213.         cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
    214. 

  214.     logger.info("SIM reauth with max reauth count reached")
    215. 

  215.     eap_reauth(dev[0], "SIM")
    216. 

  216. 

  217. def test_ap_wpa2_eap_sim_config(dev, apdev):
    218. 

  218.     """EAP-SIM configuration options"""
    219. 

  219.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    220. 

  220.     hostapd.add_ap(apdev[0]['ifname'], params)
    221. 

  221.     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
    222. 

  222.                    identity="1232010000000000",
    223. 

  223.                    password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
    224. 

  224.                    phase1="sim_min_num_chal=1",
    225. 

  225.                    wait_connect=False, scan_freq="2412")
    226. 

  226.     ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
    227. 

  227.     if ev is None:
    228. 

  228.         raise Exception("No EAP error message seen")
    229. 

  229.     dev[0].request("REMOVE_NETWORK all")
    230. 

  230. 

  231.     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
    232. 

  232.                    identity="1232010000000000",
    233. 

  233.                    password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
    234. 

  234.                    phase1="sim_min_num_chal=4",
    235. 

  235.                    wait_connect=False, scan_freq="2412")
    236. 

  236.     ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
    237. 

  237.     if ev is None:
    238. 

  238.         raise Exception("No EAP error message seen (2)")
    239. 

  239.     dev[0].request("REMOVE_NETWORK all")
    240. 

  240. 

  241.     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
    242. 

  242.                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
    243. 

  243.                 phase1="sim_min_num_chal=2")
    244. 

  244.     eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
    245. 

  245.                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
    246. 

  246.                 anonymous_identity="345678")
    247. 

  247. 

  248. def test_ap_wpa2_eap_aka(dev, apdev):
    249. 

  249.     """WPA2-Enterprise connection using EAP-AKA"""
    250. 

  250.     if not os.path.exists("/tmp/hlr_auc_gw.sock"):
    251. 

  251.         logger.info("No hlr_auc_gw available");
    252. 

  252.         return "skip"
    253. 

  253.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    254. 

  254.     hostapd.add_ap(apdev[0]['ifname'], params)
    255. 

  255.     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
    256. 

  256.                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    257. 

  257.     hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
    258. 

  258.     eap_reauth(dev[0], "AKA")
    259. 

  259. 

  260.     logger.info("Negative test with incorrect key")
    261. 

  261.     dev[0].request("REMOVE_NETWORK all")
    262. 

  262.     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
    263. 

  263.                 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
    264. 

  264.                 expect_failure=True)
    265. 

  265. 

  266.     logger.info("Invalid Milenage key")
    267. 

  267.     dev[0].request("REMOVE_NETWORK all")
    268. 

  268.     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
    269. 

  269.                 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
    270. 

  270.                 expect_failure=True)
    271. 

  271. 

  272.     logger.info("Invalid Milenage key(2)")
    273. 

  273.     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
    274. 

  274.                 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
    275. 

  275.                 expect_failure=True)
    276. 

  276. 

  277.     logger.info("Invalid Milenage key(3)")
    278. 

  278.     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
    279. 

  279.                 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
    280. 

  280.                 expect_failure=True)
    281. 

  281. 

  282.     logger.info("Invalid Milenage key(4)")
    283. 

  283.     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
    284. 

  284.                 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
    285. 

  285.                 expect_failure=True)
    286. 

  286. 

  287.     logger.info("Invalid Milenage key(5)")
    288. 

  288.     dev[0].request("REMOVE_NETWORK all")
    289. 

  289.     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
    290. 

  290.                 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
    291. 

  291.                 expect_failure=True)
    292. 

  292. 

  293.     logger.info("Invalid Milenage key(6)")
    294. 

  294.     dev[0].request("REMOVE_NETWORK all")
    295. 

  295.     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
    296. 

  296.                 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
    297. 

  297.                 expect_failure=True)
    298. 

  298. 

  299.     logger.info("Missing key configuration")
    300. 

  300.     dev[0].request("REMOVE_NETWORK all")
    301. 

  301.     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
    302. 

  302.                 expect_failure=True)
    303. 

  303. 

  304. def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
    305. 

  305.     """WPA2-Enterprise connection using EAP-AKA (SQL)"""
    306. 

  306.     if not os.path.exists("/tmp/hlr_auc_gw.sock"):
    307. 

  307.         logger.info("No hlr_auc_gw available");
    308. 

  308.         return "skip"
    309. 

  309.     try:
    310. 

  310.         import sqlite3
    311. 

  311.     except ImportError:
    312. 

  312.         return "skip"
    313. 

  313.     con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    314. 

  314.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    315. 

  315.     params['auth_server_port'] = "1814"
    316. 

  316.     hostapd.add_ap(apdev[0]['ifname'], params)
    317. 

  317.     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
    318. 

  318.                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    319. 

  319. 

  320.     logger.info("AKA fast re-authentication")
    321. 

  321.     eap_reauth(dev[0], "AKA")
    322. 

  322. 

  323.     logger.info("AKA full auth with pseudonym")
    324. 

  324.     with con:
    325. 

  325.         cur = con.cursor()
    326. 

  326.         cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
    327. 

  327.     eap_reauth(dev[0], "AKA")
    328. 

  328. 

  329.     logger.info("AKA full auth with permanent identity")
    330. 

  330.     with con:
    331. 

  331.         cur = con.cursor()
    332. 

  332.         cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
    333. 

  333.         cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
    334. 

  334.     eap_reauth(dev[0], "AKA")
    335. 

  335. 

  336.     logger.info("AKA reauth with mismatching MK")
    337. 

  337.     with con:
    338. 

  338.         cur = con.cursor()
    339. 

  339.         cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
    340. 

  340.     eap_reauth(dev[0], "AKA", expect_failure=True)
    341. 

  341.     dev[0].request("REMOVE_NETWORK all")
    342. 

  342. 

  343.     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
    344. 

  344.                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    345. 

  345.     with con:
    346. 

  346.         cur = con.cursor()
    347. 

  347.         cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
    348. 

  348.     eap_reauth(dev[0], "AKA")
    349. 

  349.     with con:
    350. 

  350.         cur = con.cursor()
    351. 

  351.         cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
    352. 

  352.     logger.info("AKA reauth with mismatching counter")
    353. 

  353.     eap_reauth(dev[0], "AKA")
    354. 

  354.     dev[0].request("REMOVE_NETWORK all")
    355. 

  355. 

  356.     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
    357. 

  357.                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    358. 

  358.     with con:
    359. 

  359.         cur = con.cursor()
    360. 

  360.         cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
    361. 

  361.     logger.info("AKA reauth with max reauth count reached")
    362. 

  362.     eap_reauth(dev[0], "AKA")
    363. 

  363. 

  364. def test_ap_wpa2_eap_aka_config(dev, apdev):
    365. 

  365.     """EAP-AKA configuration options"""
    366. 

  366.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    367. 

  367.     hostapd.add_ap(apdev[0]['ifname'], params)
    368. 

  368.     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
    369. 

  369.                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
    370. 

  370.                 anonymous_identity="2345678")
    371. 

  371. 

  372. def test_ap_wpa2_eap_aka_ext(dev, apdev):
    373. 

  373.     """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
    374. 

  374.     if not os.path.exists("/tmp/hlr_auc_gw.sock"):
    375. 

  375.         logger.info("No hlr_auc_gw available");
    376. 

  376.         return "skip"
    377. 

  377.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    378. 

  378.     hostapd.add_ap(apdev[0]['ifname'], params)
    379. 

  379.     dev[0].request("SET external_sim 1")
    380. 

  380.     id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
    381. 

  381.                         identity="0232010000000000",
    382. 

  382.                         password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
    383. 

  383.                         wait_connect=False, scan_freq="2412")
    384. 

  384.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    385. 

  385.     if ev is None:
    386. 

  386.         raise Exception("Network connected timed out")
    387. 

  387. 

  388.     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    389. 

  389.     if ev is None:
    390. 

  390.         raise Exception("Wait for external SIM processing request timed out")
    391. 

  391.     p = ev.split(':', 2)
    392. 

  392.     if p[1] != "UMTS-AUTH":
    393. 

  393.         raise Exception("Unexpected CTRL-REQ-SIM type")
    394. 

  394.     rid = p[0].split('-')[3]
    395. 

  395. 

  396.     # IK:CK:RES
    397. 

  397.     resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    398. 

  398.     # This will fail during processing, but the ctrl_iface command succeeds
    399. 

  399.     dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    400. 

  400.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    401. 

  401.     if ev is None:
    402. 

  402.         raise Exception("EAP failure not reported")
    403. 

  403.     dev[0].request("DISCONNECT")
    404. 

  404. 

  405.     dev[0].request("REASSOCIATE")
    406. 

  406.     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    407. 

  407.     if ev is None:
    408. 

  408.         raise Exception("Wait for external SIM processing request timed out")
    409. 

  409.     p = ev.split(':', 2)
    410. 

  410.     if p[1] != "UMTS-AUTH":
    411. 

  411.         raise Exception("Unexpected CTRL-REQ-SIM type")
    412. 

  412.     rid = p[0].split('-')[3]
    413. 

  413.     # This will fail during UMTS auth validation
    414. 

  414.     if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp):
    415. 

  415.         raise Exception("CTRL-RSP-SIM failed")
    416. 

  416.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    417. 

  417.     if ev is None:
    418. 

  418.         raise Exception("EAP failure not reported")
    419. 

  419.     dev[0].request("DISCONNECT")
    420. 

  420. 

  421.     dev[0].select_network(id, freq="2412")
    422. 

  422.     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    423. 

  423.     if ev is None:
    424. 

  424.         raise Exception("Wait for external SIM processing request timed out")
    425. 

  425.     p = ev.split(':', 2)
    426. 

  426.     if p[1] != "UMTS-AUTH":
    427. 

  427.         raise Exception("Unexpected CTRL-REQ-SIM type")
    428. 

  428.     rid = p[0].split('-')[3]
    429. 

  429.     # This will fail during UMTS auth validation
    430. 

  430.     if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
    431. 

  431.         raise Exception("CTRL-RSP-SIM failed")
    432. 

  432.     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    433. 

  433.     if ev is None:
    434. 

  434.         raise Exception("Wait for external SIM processing request timed out")
    435. 

  435.     p = ev.split(':', 2)
    436. 

  436.     if p[1] != "UMTS-AUTH":
    437. 

  437.         raise Exception("Unexpected CTRL-REQ-SIM type")
    438. 

  438.     rid = p[0].split('-')[3]
    439. 

  439.     # This will fail during UMTS auth validation
    440. 

  440.     if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
    441. 

  441.         raise Exception("CTRL-RSP-SIM failed")
    442. 

  442.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    443. 

  443.     if ev is None:
    444. 

  444.         raise Exception("EAP failure not reported")
    445. 

  445.     dev[0].request("DISCONNECT")
    446. 

  446. 

  447.     dev[0].select_network(id, freq="2412")
    448. 

  448.     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    449. 

  449.     if ev is None:
    450. 

  450.         raise Exception("Wait for external SIM processing request timed out")
    451. 

  451.     p = ev.split(':', 2)
    452. 

  452.     if p[1] != "UMTS-AUTH":
    453. 

  453.         raise Exception("Unexpected CTRL-REQ-SIM type")
    454. 

  454.     rid = p[0].split('-')[3]
    455. 

  455.     # This will fail during UMTS auth validation
    456. 

  456.     if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:34"):
    457. 

  457.         raise Exception("CTRL-RSP-SIM failed")
    458. 

  458.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    459. 

  459.     if ev is None:
    460. 

  460.         raise Exception("EAP failure not reported")
    461. 

  461.     dev[0].request("DISCONNECT")
    462. 

  462. 

  463.     dev[0].select_network(id, freq="2412")
    464. 

  464.     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    465. 

  465.     if ev is None:
    466. 

  466.         raise Exception("Wait for external SIM processing request timed out")
    467. 

  467.     p = ev.split(':', 2)
    468. 

  468.     if p[1] != "UMTS-AUTH":
    469. 

  469.         raise Exception("Unexpected CTRL-REQ-SIM type")
    470. 

  470.     rid = p[0].split('-')[3]
    471. 

  471.     # This will fail during UMTS auth validation
    472. 

  472.     if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344"):
    473. 

  473.         raise Exception("CTRL-RSP-SIM failed")
    474. 

  474.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    475. 

  475.     if ev is None:
    476. 

  476.         raise Exception("EAP failure not reported")
    477. 

  477.     dev[0].request("DISCONNECT")
    478. 

  478. 

  479.     dev[0].select_network(id, freq="2412")
    480. 

  480.     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    481. 

  481.     if ev is None:
    482. 

  482.         raise Exception("Wait for external SIM processing request timed out")
    483. 

  483.     p = ev.split(':', 2)
    484. 

  484.     if p[1] != "UMTS-AUTH":
    485. 

  485.         raise Exception("Unexpected CTRL-REQ-SIM type")
    486. 

  486.     rid = p[0].split('-')[3]
    487. 

  487.     # This will fail during UMTS auth validation
    488. 

  488.     if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344"):
    489. 

  489.         raise Exception("CTRL-RSP-SIM failed")
    490. 

  490.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    491. 

  491.     if ev is None:
    492. 

  492.         raise Exception("EAP failure not reported")
    493. 

  493.     dev[0].request("DISCONNECT")
    494. 

  494. 

  495.     dev[0].select_network(id, freq="2412")
    496. 

  496.     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    497. 

  497.     if ev is None:
    498. 

  498.         raise Exception("Wait for external SIM processing request timed out")
    499. 

  499.     p = ev.split(':', 2)
    500. 

  500.     if p[1] != "UMTS-AUTH":
    501. 

  501.         raise Exception("Unexpected CTRL-REQ-SIM type")
    502. 

  502.     rid = p[0].split('-')[3]
    503. 

  503.     # This will fail during UMTS auth validation
    504. 

  504.     if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344"):
    505. 

  505.         raise Exception("CTRL-RSP-SIM failed")
    506. 

  506.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    507. 

  507.     if ev is None:
    508. 

  508.         raise Exception("EAP failure not reported")
    509. 

  509.     dev[0].request("DISCONNECT")
    510. 

  510. 

  511.     dev[0].select_network(id, freq="2412")
    512. 

  512.     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    513. 

  513.     if ev is None:
    514. 

  514.         raise Exception("Wait for external SIM processing request timed out")
    515. 

  515.     p = ev.split(':', 2)
    516. 

  516.     if p[1] != "UMTS-AUTH":
    517. 

  517.         raise Exception("Unexpected CTRL-REQ-SIM type")
    518. 

  518.     rid = p[0].split('-')[3]
    519. 

  519.     # This will fail during UMTS auth validation
    520. 

  520.     if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344"):
    521. 

  521.         raise Exception("CTRL-RSP-SIM failed")
    522. 

  522.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    523. 

  523.     if ev is None:
    524. 

  524.         raise Exception("EAP failure not reported")
    525. 

  525.     dev[0].request("DISCONNECT")
    526. 

  526. 

  527.     dev[0].select_network(id, freq="2412")
    528. 

  528.     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    529. 

  529.     if ev is None:
    530. 

  530.         raise Exception("Wait for external SIM processing request timed out")
    531. 

  531.     p = ev.split(':', 2)
    532. 

  532.     if p[1] != "UMTS-AUTH":
    533. 

  533.         raise Exception("Unexpected CTRL-REQ-SIM type")
    534. 

  534.     rid = p[0].split('-')[3]
    535. 

  535.     # This will fail during UMTS auth validation
    536. 

  536.     if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q"):
    537. 

  537.         raise Exception("CTRL-RSP-SIM failed")
    538. 

  538.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    539. 

  539.     if ev is None:
    540. 

  540.         raise Exception("EAP failure not reported")
    541. 

  541. 

  542. def test_ap_wpa2_eap_aka_prime(dev, apdev):
    543. 

  543.     """WPA2-Enterprise connection using EAP-AKA'"""
    544. 

  544.     if not os.path.exists("/tmp/hlr_auc_gw.sock"):
    545. 

  545.         logger.info("No hlr_auc_gw available");
    546. 

  546.         return "skip"
    547. 

  547.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    548. 

  548.     hostapd.add_ap(apdev[0]['ifname'], params)
    549. 

  549.     eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
    550. 

  550.                 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
    551. 

  551.     hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
    552. 

  552.     eap_reauth(dev[0], "AKA'")
    553. 

  553. 

  554.     logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
    555. 

  555.     dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
    556. 

  556.                    identity="6555444333222111@both",
    557. 

  557.                    password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
    558. 

  558.                    wait_connect=False, scan_freq="2412")
    559. 

  559.     ev = dev[1].wait_event(["CTRL-EVENT-CONNECTED"], timeout=15)
    560. 

  560.     if ev is None:
    561. 

  561.         raise Exception("Connection with the AP timed out")
    562. 

  562. 

  563.     logger.info("Negative test with incorrect key")
    564. 

  564.     dev[0].request("REMOVE_NETWORK all")
    565. 

  565.     eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
    566. 

  566.                 password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
    567. 

  567.                 expect_failure=True)
    568. 

  568. 

  569. def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
    570. 

  570.     """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
    571. 

  571.     if not os.path.exists("/tmp/hlr_auc_gw.sock"):
    572. 

  572.         logger.info("No hlr_auc_gw available");
    573. 

  573.         return "skip"
    574. 

  574.     try:
    575. 

  575.         import sqlite3
    576. 

  576.     except ImportError:
    577. 

  577.         return "skip"
    578. 

  578.     con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    579. 

  579.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    580. 

  580.     params['auth_server_port'] = "1814"
    581. 

  581.     hostapd.add_ap(apdev[0]['ifname'], params)
    582. 

  582.     eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
    583. 

  583.                 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
    584. 

  584. 

  585.     logger.info("AKA' fast re-authentication")
    586. 

  586.     eap_reauth(dev[0], "AKA'")
    587. 

  587. 

  588.     logger.info("AKA' full auth with pseudonym")
    589. 

  589.     with con:
    590. 

  590.         cur = con.cursor()
    591. 

  591.         cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
    592. 

  592.     eap_reauth(dev[0], "AKA'")
    593. 

  593. 

  594.     logger.info("AKA' full auth with permanent identity")
    595. 

  595.     with con:
    596. 

  596.         cur = con.cursor()
    597. 

  597.         cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
    598. 

  598.         cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
    599. 

  599.     eap_reauth(dev[0], "AKA'")
    600. 

  600. 

  601.     logger.info("AKA' reauth with mismatching k_aut")
    602. 

  602.     with con:
    603. 

  603.         cur = con.cursor()
    604. 

  604.         cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
    605. 

  605.     eap_reauth(dev[0], "AKA'", expect_failure=True)
    606. 

  606.     dev[0].request("REMOVE_NETWORK all")
    607. 

  607. 

  608.     eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
    609. 

  609.                 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
    610. 

  610.     with con:
    611. 

  611.         cur = con.cursor()
    612. 

  612.         cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
    613. 

  613.     eap_reauth(dev[0], "AKA'")
    614. 

  614.     with con:
    615. 

  615.         cur = con.cursor()
    616. 

  616.         cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
    617. 

  617.     logger.info("AKA' reauth with mismatching counter")
    618. 

  618.     eap_reauth(dev[0], "AKA'")
    619. 

  619.     dev[0].request("REMOVE_NETWORK all")
    620. 

  620. 

  621.     eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
    622. 

  622.                 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
    623. 

  623.     with con:
    624. 

  624.         cur = con.cursor()
    625. 

  625.         cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
    626. 

  626.     logger.info("AKA' reauth with max reauth count reached")
    627. 

  627.     eap_reauth(dev[0], "AKA'")
    628. 

  628. 

  629. def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    630. 

  630.     """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    631. 

  631.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    632. 

  632.     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    633. 

  633.     key_mgmt = hapd.get_config()['key_mgmt']
    634. 

  634.     if key_mgmt.split(' ')[0] != "WPA-EAP":
    635. 

  635.         raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    636. 

  636.     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
    637. 

  637.                 anonymous_identity="ttls", password="password",
    638. 

  638.                 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
    639. 

  639.                 subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
    640. 

  640.                 altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
    641. 

  641.     hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
    642. 

  642.     eap_reauth(dev[0], "TTLS")
    643. 

  643.     check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
    644. 

  644.                         ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1") ])
    645. 

  645. 

  646. def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
    647. 

  647.     """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
    648. 

  648.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    649. 

  649.     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    650. 

  650.     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
    651. 

  651.                 anonymous_identity="ttls", password="wrong",
    652. 

  652.                 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
    653. 

  653.                 expect_failure=True)
    654. 

  654.     eap_connect(dev[1], apdev[0], "TTLS", "user",
    655. 

  655.                 anonymous_identity="ttls", password="password",
    656. 

  656.                 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
    657. 

  657.                 expect_failure=True)
    658. 

  658. 

  659. def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    660. 

  660.     """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    661. 

  661.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    662. 

  662.     hostapd.add_ap(apdev[0]['ifname'], params)
    663. 

  663.     eap_connect(dev[0], apdev[0], "TTLS", "chap user",
    664. 

  664.                 anonymous_identity="ttls", password="password",
    665. 

  665.                 ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
    666. 

  666.                 altsubject_match="EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi")
    667. 

  667.     hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
    668. 

  668.     eap_reauth(dev[0], "TTLS")
    669. 

  669. 

  670. def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    671. 

  671.     """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
    672. 

  672.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    673. 

  673.     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    674. 

  674.     eap_connect(dev[0], apdev[0], "TTLS", "chap user",
    675. 

  675.                 anonymous_identity="ttls", password="wrong",
    676. 

  676.                 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
    677. 

  677.                 expect_failure=True)
    678. 

  678.     eap_connect(dev[1], apdev[0], "TTLS", "user",
    679. 

  679.                 anonymous_identity="ttls", password="password",
    680. 

  680.                 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
    681. 

  681.                 expect_failure=True)
    682. 

  682. 

  683. def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    684. 

  684.     """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
    685. 

  685.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    686. 

  686.     hostapd.add_ap(apdev[0]['ifname'], params)
    687. 

  687.     eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
    688. 

  688.                 anonymous_identity="ttls", password="password",
    689. 

  689.                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    690. 

  690.                 domain_suffix_match="server.w1.fi")
    691. 

  691.     hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
    692. 

  692.     eap_reauth(dev[0], "TTLS")
    693. 

  693.     dev[0].request("REMOVE_NETWORK all")
    694. 

  694.     eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
    695. 

  695.                 anonymous_identity="ttls", password="password",
    696. 

  696.                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    697. 

  697.                 fragment_size="200")
    698. 

  698. 

  699. def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    700. 

  700.     """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
    701. 

  701.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    702. 

  702.     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    703. 

  703.     eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
    704. 

  704.                 anonymous_identity="ttls", password="wrong",
    705. 

  705.                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    706. 

  706.                 expect_failure=True)
    707. 

  707.     eap_connect(dev[1], apdev[0], "TTLS", "user",
    708. 

  708.                 anonymous_identity="ttls", password="password",
    709. 

  709.                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    710. 

  710.                 expect_failure=True)
    711. 

  711.     eap_connect(dev[2], apdev[0], "TTLS", "no such user",
    712. 

  712.                 anonymous_identity="ttls", password="password",
    713. 

  713.                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    714. 

  714.                 expect_failure=True)
    715. 

  715. 

  716. def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    717. 

  717.     """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    718. 

  718.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    719. 

  719.     hostapd.add_ap(apdev[0]['ifname'], params)
    720. 

  720.     hapd = hostapd.Hostapd(apdev[0]['ifname'])
    721. 

  721.     eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
    722. 

  722.                 anonymous_identity="ttls", password="password",
    723. 

  723.                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
    724. 

  724.                 domain_suffix_match="w1.fi")
    725. 

  725.     hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
    726. 

  726.     sta1 = hapd.get_sta(dev[0].p2p_interface_addr())
    727. 

  727.     eapol1 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    728. 

  728.     eap_reauth(dev[0], "TTLS")
    729. 

  729.     sta2 = hapd.get_sta(dev[0].p2p_interface_addr())
    730. 

  730.     eapol2 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    731. 

  731.     if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
    732. 

  732.         raise Exception("dot1xAuthEapolFramesRx did not increase")
    733. 

  733.     if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
    734. 

  734.         raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    735. 

  735.     if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
    736. 

  736.         raise Exception("backendAuthSuccesses did not increase")
    737. 

  737. 

  738.     logger.info("Password as hash value")
    739. 

  739.     dev[0].request("REMOVE_NETWORK all")
    740. 

  740.     eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
    741. 

  741.                 anonymous_identity="ttls",
    742. 

  742.                 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
    743. 

  743.                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    744. 

  744. 

  745. def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    746. 

  746.     """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
    747. 

  747.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    748. 

  748.     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    749. 

  749.     eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
    750. 

  750.                 anonymous_identity="ttls", password="password1",
    751. 

  751.                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
    752. 

  752.                 expect_failure=True)
    753. 

  753.     eap_connect(dev[1], apdev[0], "TTLS", "user",
    754. 

  754.                 anonymous_identity="ttls", password="password",
    755. 

  755.                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
    756. 

  756.                 expect_failure=True)
    757. 

  757. 

  758. def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    759. 

  759.     """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
    760. 

  760.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    761. 

  761.     hostapd.add_ap(apdev[0]['ifname'], params)
    762. 

  762.     hapd = hostapd.Hostapd(apdev[0]['ifname'])
    763. 

  763.     eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
    764. 

  764.                 anonymous_identity="ttls", password="secret-åäö-€-password",
    765. 

  765.                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    766. 

  766.     eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
    767. 

  767.                 anonymous_identity="ttls",
    768. 

  768.                 password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
    769. 

  769.                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    770. 

  770. 

  771. def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    772. 

  772.     """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    773. 

  773.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    774. 

  774.     hostapd.add_ap(apdev[0]['ifname'], params)
    775. 

  775.     eap_connect(dev[0], apdev[0], "TTLS", "user",
    776. 

  776.                 anonymous_identity="ttls", password="password",
    777. 

  777.                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    778. 

  778.     hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
    779. 

  779.     eap_reauth(dev[0], "TTLS")
    780. 

  780. 

  781. def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    782. 

  782.     """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    783. 

  783.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    784. 

  784.     hostapd.add_ap(apdev[0]['ifname'], params)
    785. 

  785.     eap_connect(dev[0], apdev[0], "TTLS", "user",
    786. 

  786.                 anonymous_identity="ttls", password="password",
    787. 

  787.                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    788. 

  788.     hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
    789. 

  789.     eap_reauth(dev[0], "TTLS")
    790. 

  790. 

  791. def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    792. 

  792.     """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    793. 

  793.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    794. 

  794.     hostapd.add_ap(apdev[0]['ifname'], params)
    795. 

  795.     eap_connect(dev[0], apdev[0], "TTLS", "user",
    796. 

  796.                 anonymous_identity="ttls", password="password",
    797. 

  797.                 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
    798. 

  798.     hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
    799. 

  799.     eap_reauth(dev[0], "TTLS")
    800. 

  800. 

  801.     logger.info("Negative test with incorrect password")
    802. 

  802.     dev[0].request("REMOVE_NETWORK all")
    803. 

  803.     eap_connect(dev[0], apdev[0], "TTLS", "user",
    804. 

  804.                 anonymous_identity="ttls", password="password1",
    805. 

  805.                 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
    806. 

  806.                 expect_failure=True)
    807. 

  807. 

  808. def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    809. 

  809.     """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    810. 

  810.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    811. 

  811.     hostapd.add_ap(apdev[0]['ifname'], params)
    812. 

  812.     eap_connect(dev[0], apdev[0], "TTLS", "0232010000000000",
    813. 

  813.                 anonymous_identity="0232010000000000@ttls",
    814. 

  814.                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
    815. 

  815.                 ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
    816. 

  816. 

  817. def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    818. 

  818.     """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    819. 

  819.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    820. 

  820.     hostapd.add_ap(apdev[0]['ifname'], params)
    821. 

  821.     eap_connect(dev[0], apdev[0], "PEAP", "0232010000000000",
    822. 

  822.                 anonymous_identity="0232010000000000@peap",
    823. 

  823.                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
    824. 

  824.                 ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
    825. 

  825. 

  826. def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    827. 

  827.     """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    828. 

  828.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    829. 

  829.     hostapd.add_ap(apdev[0]['ifname'], params)
    830. 

  830.     eap_connect(dev[0], apdev[0], "FAST", "0232010000000000",
    831. 

  831.                 anonymous_identity="0232010000000000@fast",
    832. 

  832.                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
    833. 

  833.                 phase1="fast_provisioning=2",
    834. 

  834.                 pac_file="blob://fast_pac_auth_aka",
    835. 

  835.                 ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
    836. 

  836. 

  837. def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    838. 

  838.     """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    839. 

  839.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    840. 

  840.     hostapd.add_ap(apdev[0]['ifname'], params)
    841. 

  841.     eap_connect(dev[0], apdev[0], "PEAP", "user",
    842. 

  842.                 anonymous_identity="peap", password="password",
    843. 

  843.                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    844. 

  844.     hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
    845. 

  845.     eap_reauth(dev[0], "PEAP")
    846. 

  846.     dev[0].request("REMOVE_NETWORK all")
    847. 

  847.     eap_connect(dev[0], apdev[0], "PEAP", "user",
    848. 

  848.                 anonymous_identity="peap", password="password",
    849. 

  849.                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
    850. 

  850.                 fragment_size="200")
    851. 

  851. 

  852.     logger.info("Password as hash value")
    853. 

  853.     dev[0].request("REMOVE_NETWORK all")
    854. 

  854.     eap_connect(dev[0], apdev[0], "PEAP", "user",
    855. 

  855.                 anonymous_identity="peap",
    856. 

  856.                 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
    857. 

  857.                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    858. 

  858. 

  859.     logger.info("Negative test with incorrect password")
    860. 

  860.     dev[0].request("REMOVE_NETWORK all")
    861. 

  861.     eap_connect(dev[0], apdev[0], "PEAP", "user",
    862. 

  862.                 anonymous_identity="peap", password="password1",
    863. 

  863.                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
    864. 

  864.                 expect_failure=True)
    865. 

  865. 

  866. def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    867. 

  867.     """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    868. 

  868.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    869. 

  869.     hostapd.add_ap(apdev[0]['ifname'], params)
    870. 

  870.     eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
    871. 

  871.                 ca_cert="auth_serv/ca.pem",
    872. 

  872.                 phase1="peapver=0 crypto_binding=2",
    873. 

  873.                 phase2="auth=MSCHAPV2")
    874. 

  874.     hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
    875. 

  875.     eap_reauth(dev[0], "PEAP")
    876. 

  876. 

  877.     eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
    878. 

  878.                 ca_cert="auth_serv/ca.pem",
    879. 

  879.                 phase1="peapver=0 crypto_binding=1",
    880. 

  880.                 phase2="auth=MSCHAPV2")
    881. 

  881.     eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
    882. 

  882.                 ca_cert="auth_serv/ca.pem",
    883. 

  883.                 phase1="peapver=0 crypto_binding=0",
    884. 

  884.                 phase2="auth=MSCHAPV2")
    885. 

  885. 

  886. def test_ap_wpa2_eap_peap_params(dev, apdev):
    887. 

  887.     """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
    888. 

  888.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    889. 

  889.     hostapd.add_ap(apdev[0]['ifname'], params)
    890. 

  890.     eap_connect(dev[0], apdev[0], "PEAP", "user",
    891. 

  891.                 anonymous_identity="peap", password="password",
    892. 

  892.                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
    893. 

  893.                 phase1="peapver=0 peaplabel=1",
    894. 

  894.                 expect_failure=True)
    895. 

  895.     dev[0].request("REMOVE_NETWORK all")
    896. 

  896.     eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
    897. 

  897.                 ca_cert="auth_serv/ca.pem",
    898. 

  898.                 phase1="peap_outer_success=1",
    899. 

  899.                 phase2="auth=MSCHAPV2")
    900. 

  900.     eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
    901. 

  901.                 ca_cert="auth_serv/ca.pem",
    902. 

  902.                 phase1="peap_outer_success=2",
    903. 

  903.                 phase2="auth=MSCHAPV2")
    904. 

  904.     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
    905. 

  905.                    identity="user",
    906. 

  906.                    anonymous_identity="peap", password="password",
    907. 

  907.                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
    908. 

  908.                    phase1="peapver=1 peaplabel=1",
    909. 

  909.                    wait_connect=False, scan_freq="2412")
    910. 

  910.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
    911. 

  911.     if ev is None:
    912. 

  912.         raise Exception("No EAP success seen")
    913. 

  913.     ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
    914. 

  914.     if ev is not None:
    915. 

  915.         raise Exception("Unexpected connection")
    916. 

  916. 

  917. def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    918. 

  918.     """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    919. 

  919.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    920. 

  920.     hostapd.add_ap(apdev[0]['ifname'], params)
    921. 

  921.     eap_connect(dev[0], apdev[0], "PEAP", "cert user",
    922. 

  922.                 ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
    923. 

  923.                 ca_cert2="auth_serv/ca.pem",
    924. 

  924.                 client_cert2="auth_serv/user.pem",
    925. 

  925.                 private_key2="auth_serv/user.key")
    926. 

  926.     eap_reauth(dev[0], "PEAP")
    927. 

  927. 

  928. def test_ap_wpa2_eap_tls(dev, apdev):
    929. 

  929.     """WPA2-Enterprise connection using EAP-TLS"""
    930. 

  930.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    931. 

  931.     hostapd.add_ap(apdev[0]['ifname'], params)
    932. 

  932.     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
    933. 

  933.                 client_cert="auth_serv/user.pem",
    934. 

  934.                 private_key="auth_serv/user.key")
    935. 

  935.     eap_reauth(dev[0], "TLS")
    936. 

  936. 

  937. def test_ap_wpa2_eap_tls_blob(dev, apdev):
    938. 

  938.     """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    939. 

  939.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    940. 

  940.     hostapd.add_ap(apdev[0]['ifname'], params)
    941. 

  941.     cert = read_pem("auth_serv/ca.pem")
    942. 

  942.     if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
    943. 

  943.         raise Exception("Could not set cacert blob")
    944. 

  944.     cert = read_pem("auth_serv/user.pem")
    945. 

  945.     if "OK" not in dev[0].request("SET blob usercert " + cert.encode("hex")):
    946. 

  946.         raise Exception("Could not set usercert blob")
    947. 

  947.     key = read_pem("auth_serv/user.key")
    948. 

  948.     if "OK" not in dev[0].request("SET blob userkey " + key.encode("hex")):
    949. 

  949.         raise Exception("Could not set cacert blob")
    950. 

  950.     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
    951. 

  951.                 client_cert="blob://usercert",
    952. 

  952.                 private_key="blob://userkey")
    953. 

  953. 

  954. def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    955. 

  955.     """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
    956. 

  956.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    957. 

  957.     hostapd.add_ap(apdev[0]['ifname'], params)
    958. 

  958.     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
    959. 

  959.                 private_key="auth_serv/user.pkcs12",
    960. 

  960.                 private_key_passwd="whatever")
    961. 

  961.     dev[0].request("REMOVE_NETWORK all")
    962. 

  962.     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
    963. 

  963.                    identity="tls user",
    964. 

  964.                    ca_cert="auth_serv/ca.pem",
    965. 

  965.                    private_key="auth_serv/user.pkcs12",
    966. 

  966.                    wait_connect=False, scan_freq="2412")
    967. 

  967.     ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
    968. 

  968.     if ev is None:
    969. 

  969.         raise Exception("Request for private key passphrase timed out")
    970. 

  970.     id = ev.split(':')[0].split('-')[-1]
    971. 

  971.     dev[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
    972. 

  972.     ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
    973. 

  973.     if ev is None:
    974. 

  974.         raise Exception("Connection timed out")
    975. 

  975. 

  976. def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    977. 

  977.     """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    978. 

  978.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    979. 

  979.     hostapd.add_ap(apdev[0]['ifname'], params)
    980. 

  980.     cert = read_pem("auth_serv/ca.pem")
    981. 

  981.     if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
    982. 

  982.         raise Exception("Could not set cacert blob")
    983. 

  983.     with open("auth_serv/user.pkcs12", "rb") as f:
    984. 

  984.         if "OK" not in dev[0].request("SET blob pkcs12 " + f.read().encode("hex")):
    985. 

  985.             raise Exception("Could not set pkcs12 blob")
    986. 

  986.     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
    987. 

  987.                 private_key="blob://pkcs12",
    988. 

  988.                 private_key_passwd="whatever")
    989. 

  989. 

  990. def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    991. 

  991.     """WPA2-Enterprise negative test - incorrect trust root"""
    992. 

  992.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    993. 

  993.     hostapd.add_ap(apdev[0]['ifname'], params)
    994. 

  994.     cert = read_pem("auth_serv/ca-incorrect.pem")
    995. 

  995.     if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
    996. 

  996.         raise Exception("Could not set cacert blob")
    997. 

  997.     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
    998. 

  998.                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
    999. 

  999.                    password="password", phase2="auth=MSCHAPV2",
    1000. 

  1000.                    ca_cert="blob://cacert",
    1001. 

  1001.                    wait_connect=False, scan_freq="2412")
    1002. 

  1002.     dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
    1003. 

  1003.                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
    1004. 

  1004.                    password="password", phase2="auth=MSCHAPV2",
    1005. 

  1005.                    ca_cert="auth_serv/ca-incorrect.pem",
    1006. 

  1006.                    wait_connect=False, scan_freq="2412")
    1007. 

  1007. 

  1008.     for dev in (dev[0], dev[1]):
    1009. 

  1009.         ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    1010. 

  1010.         if ev is None:
    1011. 

  1011.             raise Exception("Association and EAP start timed out")
    1012. 

  1012. 

  1013.         ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    1014. 

  1014.         if ev is None:
    1015. 

  1015.             raise Exception("EAP method selection timed out")
    1016. 

  1016.         if "TTLS" not in ev:
    1017. 

  1017.             raise Exception("Unexpected EAP method")
    1018. 

  1018. 

  1019.         ev = dev.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
    1020. 

  1020.                              "CTRL-EVENT-EAP-SUCCESS",
    1021. 

  1021.                              "CTRL-EVENT-EAP-FAILURE",
    1022. 

  1022.                              "CTRL-EVENT-CONNECTED",
    1023. 

  1023.                              "CTRL-EVENT-DISCONNECTED"], timeout=10)
    1024. 

  1024.         if ev is None:
    1025. 

  1025.             raise Exception("EAP result timed out")
    1026. 

  1026.         if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
    1027. 

  1027.             raise Exception("TLS certificate error not reported")
    1028. 

  1028. 

  1029.         ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS",
    1030. 

  1030.                              "CTRL-EVENT-EAP-FAILURE",
    1031. 

  1031.                              "CTRL-EVENT-CONNECTED",
    1032. 

  1032.                              "CTRL-EVENT-DISCONNECTED"], timeout=10)
    1033. 

  1033.         if ev is None:
    1034. 

  1034.             raise Exception("EAP result(2) timed out")
    1035. 

  1035.         if "CTRL-EVENT-EAP-FAILURE" not in ev:
    1036. 

  1036.             raise Exception("EAP failure not reported")
    1037. 

  1037. 

  1038.         ev = dev.wait_event(["CTRL-EVENT-CONNECTED",
    1039. 

  1039.                              "CTRL-EVENT-DISCONNECTED"], timeout=10)
    1040. 

  1040.         if ev is None:
    1041. 

  1041.             raise Exception("EAP result(3) timed out")
    1042. 

  1042.         if "CTRL-EVENT-DISCONNECTED" not in ev:
    1043. 

  1043.             raise Exception("Disconnection not reported")
    1044. 

  1044. 

  1045.         ev = dev.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    1046. 

  1046.         if ev is None:
    1047. 

  1047.             raise Exception("Network block disabling not reported")
    1048. 

  1048. 

  1049. def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    1050. 

  1050.     """WPA2-Enterprise negative test - domain suffix mismatch"""
    1051. 

  1051.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    1052. 

  1052.     hostapd.add_ap(apdev[0]['ifname'], params)
    1053. 

  1053.     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
    1054. 

  1054.                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
    1055. 

  1055.                    password="password", phase2="auth=MSCHAPV2",
    1056. 

  1056.                    ca_cert="auth_serv/ca.pem",
    1057. 

  1057.                    domain_suffix_match="incorrect.example.com",
    1058. 

  1058.                    wait_connect=False, scan_freq="2412")
    1059. 

  1059. 

  1060.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    1061. 

  1061.     if ev is None:
    1062. 

  1062.         raise Exception("Association and EAP start timed out")
    1063. 

  1063. 

  1064.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    1065. 

  1065.     if ev is None:
    1066. 

  1066.         raise Exception("EAP method selection timed out")
    1067. 

  1067.     if "TTLS" not in ev:
    1068. 

  1068.         raise Exception("Unexpected EAP method")
    1069. 

  1069. 

  1070.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
    1071. 

  1071.                             "CTRL-EVENT-EAP-SUCCESS",
    1072. 

  1072.                             "CTRL-EVENT-EAP-FAILURE",
    1073. 

  1073.                             "CTRL-EVENT-CONNECTED",
    1074. 

  1074.                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
    1075. 

  1075.     if ev is None:
    1076. 

  1076.         raise Exception("EAP result timed out")
    1077. 

  1077.     if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
    1078. 

  1078.         raise Exception("TLS certificate error not reported")
    1079. 

  1079.     if "Domain suffix mismatch" not in ev:
    1080. 

  1080.         raise Exception("Domain suffix mismatch not reported")
    1081. 

  1081. 

  1082.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
    1083. 

  1083.                             "CTRL-EVENT-EAP-FAILURE",
    1084. 

  1084.                             "CTRL-EVENT-CONNECTED",
    1085. 

  1085.                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
    1086. 

  1086.     if ev is None:
    1087. 

  1087.         raise Exception("EAP result(2) timed out")
    1088. 

  1088.     if "CTRL-EVENT-EAP-FAILURE" not in ev:
    1089. 

  1089.         raise Exception("EAP failure not reported")
    1090. 

  1090. 

  1091.     ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
    1092. 

  1092.                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
    1093. 

  1093.     if ev is None:
    1094. 

  1094.         raise Exception("EAP result(3) timed out")
    1095. 

  1095.     if "CTRL-EVENT-DISCONNECTED" not in ev:
    1096. 

  1096.         raise Exception("Disconnection not reported")
    1097. 

  1097. 

  1098.     ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    1099. 

  1099.     if ev is None:
    1100. 

  1100.         raise Exception("Network block disabling not reported")
    1101. 

  1101. 

  1102. def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    1103. 

  1103.     """WPA2-Enterprise negative test - subject mismatch"""
    1104. 

  1104.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    1105. 

  1105.     hostapd.add_ap(apdev[0]['ifname'], params)
    1106. 

  1106.     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
    1107. 

  1107.                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
    1108. 

  1108.                    password="password", phase2="auth=MSCHAPV2",
    1109. 

  1109.                    ca_cert="auth_serv/ca.pem",
    1110. 

  1110.                    subject_match="/C=FI/O=w1.fi/CN=example.com",
    1111. 

  1111.                    wait_connect=False, scan_freq="2412")
    1112. 

  1112. 

  1113.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    1114. 

  1114.     if ev is None:
    1115. 

  1115.         raise Exception("Association and EAP start timed out")
    1116. 

  1116. 

  1117.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    1118. 

  1118.     if ev is None:
    1119. 

  1119.         raise Exception("EAP method selection timed out")
    1120. 

  1120.     if "TTLS" not in ev:
    1121. 

  1121.         raise Exception("Unexpected EAP method")
    1122. 

  1122. 

  1123.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
    1124. 

  1124.                             "CTRL-EVENT-EAP-SUCCESS",
    1125. 

  1125.                             "CTRL-EVENT-EAP-FAILURE",
    1126. 

  1126.                             "CTRL-EVENT-CONNECTED",
    1127. 

  1127.                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
    1128. 

  1128.     if ev is None:
    1129. 

  1129.         raise Exception("EAP result timed out")
    1130. 

  1130.     if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
    1131. 

  1131.         raise Exception("TLS certificate error not reported")
    1132. 

  1132.     if "Subject mismatch" not in ev:
    1133. 

  1133.         raise Exception("Subject mismatch not reported")
    1134. 

  1134. 

  1135.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
    1136. 

  1136.                             "CTRL-EVENT-EAP-FAILURE",
    1137. 

  1137.                             "CTRL-EVENT-CONNECTED",
    1138. 

  1138.                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
    1139. 

  1139.     if ev is None:
    1140. 

  1140.         raise Exception("EAP result(2) timed out")
    1141. 

  1141.     if "CTRL-EVENT-EAP-FAILURE" not in ev:
    1142. 

  1142.         raise Exception("EAP failure not reported")
    1143. 

  1143. 

  1144.     ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
    1145. 

  1145.                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
    1146. 

  1146.     if ev is None:
    1147. 

  1147.         raise Exception("EAP result(3) timed out")
    1148. 

  1148.     if "CTRL-EVENT-DISCONNECTED" not in ev:
    1149. 

  1149.         raise Exception("Disconnection not reported")
    1150. 

  1150. 

  1151.     ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    1152. 

  1152.     if ev is None:
    1153. 

  1153.         raise Exception("Network block disabling not reported")
    1154. 

  1154. 

  1155. def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
    1156. 

  1156.     """WPA2-Enterprise negative test - altsubject mismatch"""
    1157. 

  1157.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    1158. 

  1158.     hostapd.add_ap(apdev[0]['ifname'], params)
    1159. 

  1159.     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
    1160. 

  1160.                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
    1161. 

  1161.                    password="password", phase2="auth=MSCHAPV2",
    1162. 

  1162.                    ca_cert="auth_serv/ca.pem",
    1163. 

  1163.                    altsubject_match="incorrect.example.com",
    1164. 

  1164.                    wait_connect=False, scan_freq="2412")
    1165. 

  1165. 

  1166.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    1167. 

  1167.     if ev is None:
    1168. 

  1168.         raise Exception("Association and EAP start timed out")
    1169. 

  1169. 

  1170.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    1171. 

  1171.     if ev is None:
    1172. 

  1172.         raise Exception("EAP method selection timed out")
    1173. 

  1173.     if "TTLS" not in ev:
    1174. 

  1174.         raise Exception("Unexpected EAP method")
    1175. 

  1175. 

  1176.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
    1177. 

  1177.                             "CTRL-EVENT-EAP-SUCCESS",
    1178. 

  1178.                             "CTRL-EVENT-EAP-FAILURE",
    1179. 

  1179.                             "CTRL-EVENT-CONNECTED",
    1180. 

  1180.                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
    1181. 

  1181.     if ev is None:
    1182. 

  1182.         raise Exception("EAP result timed out")
    1183. 

  1183.     if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
    1184. 

  1184.         raise Exception("TLS certificate error not reported")
    1185. 

  1185.     if "AltSubject mismatch" not in ev:
    1186. 

  1186.         raise Exception("altsubject mismatch not reported")
    1187. 

  1187. 

  1188.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
    1189. 

  1189.                             "CTRL-EVENT-EAP-FAILURE",
    1190. 

  1190.                             "CTRL-EVENT-CONNECTED",
    1191. 

  1191.                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
    1192. 

  1192.     if ev is None:
    1193. 

  1193.         raise Exception("EAP result(2) timed out")
    1194. 

  1194.     if "CTRL-EVENT-EAP-FAILURE" not in ev:
    1195. 

  1195.         raise Exception("EAP failure not reported")
    1196. 

  1196. 

  1197.     ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
    1198. 

  1198.                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
    1199. 

  1199.     if ev is None:
    1200. 

  1200.         raise Exception("EAP result(3) timed out")
    1201. 

  1201.     if "CTRL-EVENT-DISCONNECTED" not in ev:
    1202. 

  1202.         raise Exception("Disconnection not reported")
    1203. 

  1203. 

  1204.     ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    1205. 

  1205.     if ev is None:
    1206. 

  1206.         raise Exception("Network block disabling not reported")
    1207. 

  1207. 

  1208. def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    1209. 

  1209.     """WPA2-Enterprise connection using UNAUTH-TLS"""
    1210. 

  1210.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    1211. 

  1211.     hostapd.add_ap(apdev[0]['ifname'], params)
    1212. 

  1212.     eap_connect(dev[0], apdev[0], "UNAUTH-TLS", "unauth-tls",
    1213. 

  1213.                 ca_cert="auth_serv/ca.pem")
    1214. 

  1214.     eap_reauth(dev[0], "UNAUTH-TLS")
    1215. 

  1215. 

  1216. def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    1217. 

  1217.     """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
    1218. 

  1218.     srv_cert_hash = "0a3f81f63569226657a069855bb13f3b922670437a2b87585a4734f70ac7315b"
    1219. 

  1219.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    1220. 

  1220.     hostapd.add_ap(apdev[0]['ifname'], params)
    1221. 

  1221.     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
    1222. 

  1222.                    identity="probe", ca_cert="probe://",
    1223. 

  1223.                    wait_connect=False, scan_freq="2412")
    1224. 

  1224.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    1225. 

  1225.     if ev is None:
    1226. 

  1226.         raise Exception("Association and EAP start timed out")
    1227. 

  1227.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
    1228. 

  1228.     if ev is None:
    1229. 

  1229.         raise Exception("No peer server certificate event seen")
    1230. 

  1230.     if "hash=" + srv_cert_hash not in ev:
    1231. 

  1231.         raise Exception("Expected server certificate hash not reported")
    1232. 

  1232.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    1233. 

  1233.     if ev is None:
    1234. 

  1234.         raise Exception("EAP result timed out")
    1235. 

  1235.     if "Server certificate chain probe" not in ev:
    1236. 

  1236.         raise Exception("Server certificate probe not reported")
    1237. 

  1237.     ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=10)
    1238. 

  1238.     if ev is None:
    1239. 

  1239.         raise Exception("Disconnection event not seen")
    1240. 

  1240.     dev[0].request("REMOVE_NETWORK all")
    1241. 

  1241. 

  1242.     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
    1243. 

  1243.                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
    1244. 

  1244.                    password="password", phase2="auth=MSCHAPV2",
    1245. 

  1245.                    ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
    1246. 

  1246.                    wait_connect=False, scan_freq="2412")
    1247. 

  1247.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    1248. 

  1248.     if ev is None:
    1249. 

  1249.         raise Exception("Association and EAP start timed out")
    1250. 

  1250.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    1251. 

  1251.     if ev is None:
    1252. 

  1252.         raise Exception("EAP result timed out")
    1253. 

  1253.     if "Server certificate mismatch" not in ev:
    1254. 

  1254.         raise Exception("Server certificate mismatch not reported")
    1255. 

  1255.     ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=10)
    1256. 

  1256.     if ev is None:
    1257. 

  1257.         raise Exception("Disconnection event not seen")
    1258. 

  1258.     dev[0].request("REMOVE_NETWORK all")
    1259. 

  1259. 

  1260.     eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
    1261. 

  1261.                 anonymous_identity="ttls", password="password",
    1262. 

  1262.                 ca_cert="hash://server/sha256/" + srv_cert_hash,
    1263. 

  1263.                 phase2="auth=MSCHAPV2")
    1264. 

  1264. 

  1265. def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    1266. 

  1266.     """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
    1267. 

  1267.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    1268. 

  1268.     hostapd.add_ap(apdev[0]['ifname'], params)
    1269. 

  1269.     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
    1270. 

  1270.                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
    1271. 

  1271.                    password="password", phase2="auth=MSCHAPV2",
    1272. 

  1272.                    ca_cert="hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
    1273. 

  1273.                    wait_connect=False, scan_freq="2412")
    1274. 

  1274.     dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
    1275. 

  1275.                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
    1276. 

  1276.                    password="password", phase2="auth=MSCHAPV2",
    1277. 

  1277.                    ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
    1278. 

  1278.                    wait_connect=False, scan_freq="2412")
    1279. 

  1279.     dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
    1280. 

  1280.                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
    1281. 

  1281.                    password="password", phase2="auth=MSCHAPV2",
    1282. 

  1282.                    ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
    1283. 

  1283.                    wait_connect=False, scan_freq="2412")
    1284. 

  1284.     for i in range(0, 3):
    1285. 

  1285.         ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    1286. 

  1286.         if ev is None:
    1287. 

  1287.             raise Exception("Association and EAP start timed out")
    1288. 

  1288.         ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
    1289. 

  1289.         if ev is None:
    1290. 

  1290.             raise Exception("Did not report EAP method initialization failure")
    1291. 

  1291. 

  1292. def test_ap_wpa2_eap_pwd(dev, apdev):
    1293. 

  1293.     """WPA2-Enterprise connection using EAP-pwd"""
    1294. 

  1294.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    1295. 

  1295.     hostapd.add_ap(apdev[0]['ifname'], params)
    1296. 

  1296.     eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
    1297. 

  1297.     eap_reauth(dev[0], "PWD")
    1298. 

  1298.     dev[0].request("REMOVE_NETWORK all")
    1299. 

  1299. 

  1300.     eap_connect(dev[1], apdev[0], "PWD",
    1301. 

  1301.                 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
    1302. 

  1302.                 password="secret password",
    1303. 

  1303.                 fragment_size="90")
    1304. 

  1304. 

  1305.     logger.info("Negative test with incorrect password")
    1306. 

  1306.     eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
    1307. 

  1307.                 expect_failure=True, local_error_report=True)
    1308. 

  1308. 

  1309.     eap_connect(dev[0], apdev[0], "PWD",
    1310. 

  1310.                 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
    1311. 

  1311.                 password="secret password",
    1312. 

  1312.                 fragment_size="31")
    1313. 

  1313. 

  1314. def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    1315. 

  1315.     """WPA2-Enterprise connection using various EAP-pwd groups"""
    1316. 

  1316.     params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
    1317. 

  1317.                "rsn_pairwise": "CCMP", "ieee8021x": "1",
    1318. 

  1318.                "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    1319. 

  1319.     for i in [ 19, 20, 21, 25, 26 ]:
    1320. 

  1320.         params['pwd_group'] = str(i)
    1321. 

  1321.         hostapd.add_ap(apdev[0]['ifname'], params)
    1322. 

  1322.         dev[0].request("REMOVE_NETWORK all")
    1323. 

  1323.         eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
    1324. 

  1324. 

  1325. def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    1326. 

  1326.     """WPA2-Enterprise connection using invalid EAP-pwd group"""
    1327. 

  1327.     params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
    1328. 

  1328.                "rsn_pairwise": "CCMP", "ieee8021x": "1",
    1329. 

  1329.                "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    1330. 

  1330.     params['pwd_group'] = "0"
    1331. 

  1331.     hostapd.add_ap(apdev[0]['ifname'], params)
    1332. 

  1332.     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
    1333. 

  1333.                    identity="pwd user", password="secret password",
    1334. 

  1334.                    scan_freq="2412", wait_connect=False)
    1335. 

  1335.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    1336. 

  1336.     if ev is None:
    1337. 

  1337.         raise Exception("Timeout on EAP failure report")
    1338. 

  1338. 

  1339. def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    1340. 

  1340.     """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
    1341. 

  1341.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    1342. 

  1342.     params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
    1343. 

  1343.                "rsn_pairwise": "CCMP", "ieee8021x": "1",
    1344. 

  1344.                "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
    1345. 

  1345.                "pwd_group": "19", "fragment_size": "40" }
    1346. 

  1346.     hostapd.add_ap(apdev[0]['ifname'], params)
    1347. 

  1347.     eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
    1348. 

  1348. 

  1349. def test_ap_wpa2_eap_gpsk(dev, apdev):
    1350. 

  1350.     """WPA2-Enterprise connection using EAP-GPSK"""
    1351. 

  1351.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    1352. 

  1352.     hostapd.add_ap(apdev[0]['ifname'], params)
    1353. 

  1353.     id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
    1354. 

  1354.                      password="abcdefghijklmnop0123456789abcdef")
    1355. 

  1355.     eap_reauth(dev[0], "GPSK")
    1356. 

  1356. 

  1357.     logger.info("Test forced algorithm selection")
    1358. 

  1358.     for phase1 in [ "cipher=1", "cipher=2" ]:
    1359. 

  1359.         dev[0].set_network_quoted(id, "phase1", phase1)
    1360. 

  1360.         ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    1361. 

  1361.         if ev is None:
    1362. 

  1362.             raise Exception("EAP success timed out")
    1363. 

  1363.         ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
    1364. 

  1364.         if ev is None:
    1365. 

  1365.             raise Exception("Association with the AP timed out")
    1366. 

  1366. 

  1367.     logger.info("Test failed algorithm negotiation")
    1368. 

  1368.     dev[0].set_network_quoted(id, "phase1", "cipher=9")
    1369. 

  1369.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    1370. 

  1370.     if ev is None:
    1371. 

  1371.         raise Exception("EAP failure timed out")
    1372. 

  1372. 

  1373.     logger.info("Negative test with incorrect password")
    1374. 

  1374.     dev[0].request("REMOVE_NETWORK all")
    1375. 

  1375.     eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
    1376. 

  1376.                 password="ffcdefghijklmnop0123456789abcdef",
    1377. 

  1377.                 expect_failure=True)
    1378. 

  1378. 

  1379. def test_ap_wpa2_eap_sake(dev, apdev):
    1380. 

  1380.     """WPA2-Enterprise connection using EAP-SAKE"""
    1381. 

  1381.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    1382. 

  1382.     hostapd.add_ap(apdev[0]['ifname'], params)
    1383. 

  1383.     eap_connect(dev[0], apdev[0], "SAKE", "sake user",
    1384. 

  1384.                 password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
    1385. 

  1385.     eap_reauth(dev[0], "SAKE")
    1386. 

  1386. 

  1387.     logger.info("Negative test with incorrect password")
    1388. 

  1388.     dev[0].request("REMOVE_NETWORK all")
    1389. 

  1389.     eap_connect(dev[0], apdev[0], "SAKE", "sake user",
    1390. 

  1390.                 password_hex="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
    1391. 

  1391.                 expect_failure=True)
    1392. 

  1392. 

  1393. def test_ap_wpa2_eap_eke(dev, apdev):
    1394. 

  1394.     """WPA2-Enterprise connection using EAP-EKE"""
    1395. 

  1395.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    1396. 

  1396.     hostapd.add_ap(apdev[0]['ifname'], params)
    1397. 

  1397.     id = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
    1398. 

  1398.     eap_reauth(dev[0], "EKE")
    1399. 

  1399. 

  1400.     logger.info("Test forced algorithm selection")
    1401. 

  1401.     for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
    1402. 

  1402.                     "dhgroup=4 encr=1 prf=2 mac=2",
    1403. 

  1403.                     "dhgroup=3 encr=1 prf=2 mac=2",
    1404. 

  1404.                     "dhgroup=3 encr=1 prf=1 mac=1" ]:
    1405. 

  1405.         dev[0].set_network_quoted(id, "phase1", phase1)
    1406. 

  1406.         ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    1407. 

  1407.         if ev is None:
    1408. 

  1408.             raise Exception("EAP success timed out")
    1409. 

  1409.         ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
    1410. 

  1410.         if ev is None:
    1411. 

  1411.             raise Exception("Association with the AP timed out")
    1412. 

  1412. 

  1413.     logger.info("Test failed algorithm negotiation")
    1414. 

  1414.     dev[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    1415. 

  1415.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    1416. 

  1416.     if ev is None:
    1417. 

  1417.         raise Exception("EAP failure timed out")
    1418. 

  1418. 

  1419.     logger.info("Negative test with incorrect password")
    1420. 

  1420.     dev[0].request("REMOVE_NETWORK all")
    1421. 

  1421.     eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
    1422. 

  1422.                 expect_failure=True)
    1423. 

  1423. 

  1424. def test_ap_wpa2_eap_ikev2(dev, apdev):
    1425. 

  1425.     """WPA2-Enterprise connection using EAP-IKEv2"""
    1426. 

  1426.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    1427. 

  1427.     hostapd.add_ap(apdev[0]['ifname'], params)
    1428. 

  1428.     eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
    1429. 

  1429.                 password="ike password")
    1430. 

  1430.     eap_reauth(dev[0], "IKEV2")
    1431. 

  1431.     dev[0].request("REMOVE_NETWORK all")
    1432. 

  1432.     eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
    1433. 

  1433.                 password="ike password", fragment_size="50")
    1434. 

  1434. 

  1435.     logger.info("Negative test with incorrect password")
    1436. 

  1436.     dev[0].request("REMOVE_NETWORK all")
    1437. 

  1437.     eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
    1438. 

  1438.                 password="ike-password", expect_failure=True)
    1439. 

  1439. 

  1440. def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    1441. 

  1441.     """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation"""
    1442. 

  1442.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    1443. 

  1443.     params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
    1444. 

  1444.                "rsn_pairwise": "CCMP", "ieee8021x": "1",
    1445. 

  1445.                "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
    1446. 

  1446.                "fragment_size": "50" }
    1447. 

  1447.     hostapd.add_ap(apdev[0]['ifname'], params)
    1448. 

  1448.     eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
    1449. 

  1449.                 password="ike password")
    1450. 

  1450.     eap_reauth(dev[0], "IKEV2")
    1451. 

  1451. 

  1452. def test_ap_wpa2_eap_pax(dev, apdev):
    1453. 

  1453.     """WPA2-Enterprise connection using EAP-PAX"""
    1454. 

  1454.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    1455. 

  1455.     hostapd.add_ap(apdev[0]['ifname'], params)
    1456. 

  1456.     eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
    1457. 

  1457.                 password_hex="0123456789abcdef0123456789abcdef")
    1458. 

  1458.     eap_reauth(dev[0], "PAX")
    1459. 

  1459. 

  1460.     logger.info("Negative test with incorrect password")
    1461. 

  1461.     dev[0].request("REMOVE_NETWORK all")
    1462. 

  1462.     eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
    1463. 

  1463.                 password_hex="ff23456789abcdef0123456789abcdef",
    1464. 

  1464.                 expect_failure=True)
    1465. 

  1465. 

  1466. def test_ap_wpa2_eap_psk(dev, apdev):
    1467. 

  1467.     """WPA2-Enterprise connection using EAP-PSK"""
    1468. 

  1468.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    1469. 

  1469.     params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    1470. 

  1470.     params["ieee80211w"] = "2"
    1471. 

  1471.     hostapd.add_ap(apdev[0]['ifname'], params)
    1472. 

  1472.     eap_connect(dev[0], apdev[0], "PSK", "psk.user@example.com",
    1473. 

  1473.                 password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    1474. 

  1474.     eap_reauth(dev[0], "PSK", sha256=True)
    1475. 

  1475.     check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
    1476. 

  1476.                         ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5") ])
    1477. 

  1477. 

  1478.     logger.info("Negative test with incorrect password")
    1479. 

  1479.     dev[0].request("REMOVE_NETWORK all")
    1480. 

  1480.     eap_connect(dev[0], apdev[0], "PSK", "psk.user@example.com",
    1481. 

  1481.                 password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
    1482. 

  1482.                 expect_failure=True)
    1483. 

  1483. 

  1484. def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    1485. 

  1485.     """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    1486. 

  1486.     params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
    1487. 

  1487.     hostapd.add_ap(apdev[0]['ifname'], params)
    1488. 

  1488.     dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
    1489. 

  1489.                    identity="user", password="password", phase2="auth=MSCHAPV2",
    1490. 

  1490.                    ca_cert="auth_serv/ca.pem", wait_connect=False,
    1491. 

  1491.                    scan_freq="2412")
    1492. 

  1492.     eap_check_auth(dev[0], "PEAP", True, rsn=False)
    1493. 

  1493.     hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
    1494. 

  1494.     eap_reauth(dev[0], "PEAP", rsn=False)
    1495. 

  1495.     check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
    1496. 

  1496.                         ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
    1497. 

  1497. 

  1498. def test_ap_wpa2_eap_interactive(dev, apdev):
    1499. 

  1499.     """WPA2-Enterprise connection using interactive identity/password entry"""
    1500. 

  1500.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    1501. 

  1501.     hostapd.add_ap(apdev[0]['ifname'], params)
    1502. 

  1502.     hapd = hostapd.Hostapd(apdev[0]['ifname'])
    1503. 

  1503. 

  1504.     tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
    1505. 

  1505.                "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
    1506. 

  1506.                None, "password"),
    1507. 

  1507.               ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
    1508. 

  1508.                "TTLS", "ttls", None, "auth=MSCHAPV2",
    1509. 

  1509.                "DOMAIN\mschapv2 user", "password"),
    1510. 

  1510.               ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
    1511. 

  1511.                "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
    1512. 

  1512.               ("Connection with dynamic TTLS/EAP-MD5 password entry",
    1513. 

  1513.                "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
    1514. 

  1514.               ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
    1515. 

  1515.                "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
    1516. 

  1516.               ("Connection with dynamic PEAP/EAP-GTC password entry",
    1517. 

  1517.                "PEAP", None, "user", "auth=GTC", None, "password") ]
    1518. 

  1518.     for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
    1519. 

  1519.         logger.info(desc)
    1520. 

  1520.         dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
    1521. 

  1521.                        anonymous_identity=anon, identity=identity,
    1522. 

  1522.                        ca_cert="auth_serv/ca.pem", phase2=phase2,
    1523. 

  1523.                        wait_connect=False, scan_freq="2412")
    1524. 

  1524.         if req_id:
    1525. 

  1525.             ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
    1526. 

  1526.             if ev is None:
    1527. 

  1527.                 raise Exception("Request for identity timed out")
    1528. 

  1528.             id = ev.split(':')[0].split('-')[-1]
    1529. 

  1529.             dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
    1530. 

  1530.         ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
    1531. 

  1531.         if ev is None:
    1532. 

  1532.             raise Exception("Request for password timed out")
    1533. 

  1533.         id = ev.split(':')[0].split('-')[-1]
    1534. 

  1534.         type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
    1535. 

  1535.         dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
    1536. 

  1536.         ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
    1537. 

  1537.         if ev is None:
    1538. 

  1538.             raise Exception("Connection timed out")
    1539. 

  1539.         dev[0].request("REMOVE_NETWORK all")
    1540. 

  1540. 

  1541. def test_ap_wpa2_eap_vendor_test(dev, apdev):
    1542. 

  1542.     """WPA2-Enterprise connection using EAP vendor test"""
    1543. 

  1543.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    1544. 

  1544.     hostapd.add_ap(apdev[0]['ifname'], params)
    1545. 

  1545.     eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
    1546. 

  1546.     eap_reauth(dev[0], "VENDOR-TEST")
    1547. 

  1547. 

  1548. def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    1549. 

  1549.     """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
    1550. 

  1550.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    1551. 

  1551.     hostapd.add_ap(apdev[0]['ifname'], params)
    1552. 

  1552.     eap_connect(dev[0], apdev[0], "FAST", "user",
    1553. 

  1553.                 anonymous_identity="FAST", password="password",
    1554. 

  1554.                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
    1555. 

  1555.                 phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    1556. 

  1556.     hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
    1557. 

  1557.     eap_reauth(dev[0], "FAST")
    1558. 

  1558. 

  1559. def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
    1560. 

  1560.     """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
    1561. 

  1561.     pac_file = os.path.join(params['logdir'], "fast.pac")
    1562. 

  1562.     pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
    1563. 

  1563.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    1564. 

  1564.     hostapd.add_ap(apdev[0]['ifname'], params)
    1565. 

  1565. 

  1566.     try:
    1567. 

  1567.         eap_connect(dev[0], apdev[0], "FAST", "user",
    1568. 

  1568.                     anonymous_identity="FAST", password="password",
    1569. 

  1569.                     ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
    1570. 

  1570.                     phase1="fast_provisioning=1", pac_file=pac_file)
    1571. 

  1571.         with open(pac_file, "r") as f:
    1572. 

  1572.             data = f.read()
    1573. 

  1573.             if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
    1574. 

  1574.                 raise Exception("PAC file header missing")
    1575. 

  1575.             if "PAC-Key=" not in data:
    1576. 

  1576.                 raise Exception("PAC-Key missing from PAC file")
    1577. 

  1577.         dev[0].request("REMOVE_NETWORK all")
    1578. 

  1578.         eap_connect(dev[0], apdev[0], "FAST", "user",
    1579. 

  1579.                     anonymous_identity="FAST", password="password",
    1580. 

  1580.                     ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
    1581. 

  1581.                     pac_file=pac_file)
    1582. 

  1582. 

  1583.         eap_connect(dev[1], apdev[0], "FAST", "user",
    1584. 

  1584.                     anonymous_identity="FAST", password="password",
    1585. 

  1585.                     ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
    1586. 

  1586.                     phase1="fast_provisioning=1 fast_pac_format=binary",
    1587. 

  1587.                     pac_file=pac_file2)
    1588. 

  1588.         dev[1].request("REMOVE_NETWORK all")
    1589. 

  1589.         eap_connect(dev[1], apdev[0], "FAST", "user",
    1590. 

  1590.                     anonymous_identity="FAST", password="password",
    1591. 

  1591.                     ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
    1592. 

  1592.                     phase1="fast_pac_format=binary",
    1593. 

  1593.                     pac_file=pac_file2)
    1594. 

  1594.     finally:
    1595. 

  1595.         subprocess.call(['sudo', 'rm', pac_file])
    1596. 

  1596.         subprocess.call(['sudo', 'rm', pac_file2])
    1597. 

  1597. 

  1598. def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    1599. 

  1599.     """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
    1600. 

  1600.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    1601. 

  1601.     hostapd.add_ap(apdev[0]['ifname'], params)
    1602. 

  1602.     eap_connect(dev[0], apdev[0], "FAST", "user",
    1603. 

  1603.                 anonymous_identity="FAST", password="password",
    1604. 

  1604.                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
    1605. 

  1605.                 phase1="fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary",
    1606. 

  1606.                 pac_file="blob://fast_pac_bin")
    1607. 

  1607.     eap_reauth(dev[0], "FAST")
    1608. 

  1608. 

  1609. def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    1610. 

  1610.     """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
    1611. 

  1611.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    1612. 

  1612.     hostapd.add_ap(apdev[0]['ifname'], params)
    1613. 

  1613. 

  1614.     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
    1615. 

  1615.                    identity="user", anonymous_identity="FAST",
    1616. 

  1616.                    password="password",
    1617. 

  1617.                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
    1618. 

  1618.                    pac_file="blob://fast_pac_not_in_use",
    1619. 

  1619.                    wait_connect=False, scan_freq="2412")
    1620. 

  1620.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    1621. 

  1621.     if ev is None:
    1622. 

  1622.         raise Exception("Timeout on EAP failure report")
    1623. 

  1623.     dev[0].request("REMOVE_NETWORK all")
    1624. 

  1624. 

  1625.     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
    1626. 

  1626.                    identity="user", anonymous_identity="FAST",
    1627. 

  1627.                    password="password",
    1628. 

  1628.                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
    1629. 

  1629.                    wait_connect=False, scan_freq="2412")
    1630. 

  1630.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    1631. 

  1631.     if ev is None:
    1632. 

  1632.         raise Exception("Timeout on EAP failure report")
    1633. 

  1633. 

  1634. def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    1635. 

  1635.     """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
    1636. 

  1636.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    1637. 

  1637.     hostapd.add_ap(apdev[0]['ifname'], params)
    1638. 

  1638.     eap_connect(dev[0], apdev[0], "FAST", "user",
    1639. 

  1639.                 anonymous_identity="FAST", password="password",
    1640. 

  1640.                 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
    1641. 

  1641.                 phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
    1642. 

  1642.     hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
    1643. 

  1643.     eap_reauth(dev[0], "FAST")
    1644. 

  1644. 

  1645. def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    1646. 

  1646.     """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
    1647. 

  1647.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    1648. 

  1648.     hostapd.add_ap(apdev[0]['ifname'], params)
    1649. 

  1649.     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
    1650. 

  1650.                 private_key="auth_serv/user.pkcs12",
    1651. 

  1651.                 private_key_passwd="whatever", ocsp=2)
    1652. 

  1652. 

  1653. def int_eap_server_params():
    1654. 

  1654.     params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
    1655. 

  1655.                "rsn_pairwise": "CCMP", "ieee8021x": "1",
    1656. 

  1656.                "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
    1657. 

  1657.                "ca_cert": "auth_serv/ca.pem",
    1658. 

  1658.                "server_cert": "auth_serv/server.pem",
    1659. 

  1659.                "private_key": "auth_serv/server.key" }
    1660. 

  1660.     return params
    1661. 

  1661.     
    1662. 

  1662. def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
    1663. 

  1663.     """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
    1664. 

  1664.     params = int_eap_server_params()
    1665. 

  1665.     params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
    1666. 

  1666.     hostapd.add_ap(apdev[0]['ifname'], params)
    1667. 

  1667.     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
    1668. 

  1668.                    identity="tls user", ca_cert="auth_serv/ca.pem",
    1669. 

  1669.                    private_key="auth_serv/user.pkcs12",
    1670. 

  1670.                    private_key_passwd="whatever", ocsp=2,
    1671. 

  1671.                    wait_connect=False, scan_freq="2412")
    1672. 

  1672.     count = 0
    1673. 

  1673.     while True:
    1674. 

  1674.         ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    1675. 

  1675.         if ev is None:
    1676. 

  1676.             raise Exception("Timeout on EAP status")
    1677. 

  1677.         if 'bad certificate status response' in ev:
    1678. 

  1678.             break
    1679. 

  1679.         count = count + 1
    1680. 

  1680.         if count > 10:
    1681. 

  1681.             raise Exception("Unexpected number of EAP status messages")
    1682. 

  1682. 

  1683.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    1684. 

  1684.     if ev is None:
    1685. 

  1685.         raise Exception("Timeout on EAP failure report")
    1686. 

  1686. 

  1687. def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
    1688. 

  1688.     """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
    1689. 

  1689.     params = int_eap_server_params()
    1690. 

  1690.     params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    1691. 

  1691.     params["private_key"] = "auth_serv/server-no-dnsname.key"
    1692. 

  1692.     hostapd.add_ap(apdev[0]['ifname'], params)
    1693. 

  1693.     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
    1694. 

  1694.                    identity="tls user", ca_cert="auth_serv/ca.pem",
    1695. 

  1695.                    private_key="auth_serv/user.pkcs12",
    1696. 

  1696.                    private_key_passwd="whatever",
    1697. 

  1697.                    domain_suffix_match="server3.w1.fi",
    1698. 

  1698.                    scan_freq="2412")
    1699. 

  1699.     dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
    1700. 

  1700.                    identity="tls user", ca_cert="auth_serv/ca.pem",
    1701. 

  1701.                    private_key="auth_serv/user.pkcs12",
    1702. 

  1702.                    private_key_passwd="whatever",
    1703. 

  1703.                    domain_suffix_match="w1.fi",
    1704. 

  1704.                    scan_freq="2412")
    1705. 

  1705. 

  1706. def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
    1707. 

  1707.     """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
    1708. 

  1708.     params = int_eap_server_params()
    1709. 

  1709.     params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    1710. 

  1710.     params["private_key"] = "auth_serv/server-no-dnsname.key"
    1711. 

  1711.     hostapd.add_ap(apdev[0]['ifname'], params)
    1712. 

  1712.     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
    1713. 

  1713.                    identity="tls user", ca_cert="auth_serv/ca.pem",
    1714. 

  1714.                    private_key="auth_serv/user.pkcs12",
    1715. 

  1715.                    private_key_passwd="whatever",
    1716. 

  1716.                    domain_suffix_match="example.com",
    1717. 

  1717.                    wait_connect=False,
    1718. 

  1718.                    scan_freq="2412")
    1719. 

  1719.     dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
    1720. 

  1720.                    identity="tls user", ca_cert="auth_serv/ca.pem",
    1721. 

  1721.                    private_key="auth_serv/user.pkcs12",
    1722. 

  1722.                    private_key_passwd="whatever",
    1723. 

  1723.                    domain_suffix_match="erver3.w1.fi",
    1724. 

  1724.                    wait_connect=False,
    1725. 

  1725.                    scan_freq="2412")
    1726. 

  1726.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    1727. 

  1727.     if ev is None:
    1728. 

  1728.         raise Exception("Timeout on EAP failure report")
    1729. 

  1729.     ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    1730. 

  1730.     if ev is None:
    1731. 

  1731.         raise Exception("Timeout on EAP failure report (2)")
    1732. 

  1732. 

  1733. def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
    1734. 

  1734.     """WPA2-Enterprise using EAP-TTLS and expired certificate"""
    1735. 

  1735.     params = int_eap_server_params()
    1736. 

  1736.     params["server_cert"] = "auth_serv/server-expired.pem"
    1737. 

  1737.     params["private_key"] = "auth_serv/server-expired.key"
    1738. 

  1738.     hostapd.add_ap(apdev[0]['ifname'], params)
    1739. 

  1739.     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
    1740. 

  1740.                    identity="mschap user", password="password",
    1741. 

  1741.                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    1742. 

  1742.                    wait_connect=False,
    1743. 

  1743.                    scan_freq="2412")
    1744. 

  1744.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
    1745. 

  1745.     if ev is None:
    1746. 

  1746.         raise Exception("Timeout on EAP certificate error report")
    1747. 

  1747.     if "reason=4" not in ev or "certificate has expired" not in ev:
    1748. 

  1748.         raise Exception("Unexpected failure reason: " + ev)
    1749. 

  1749.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    1750. 

  1750.     if ev is None:
    1751. 

  1751.         raise Exception("Timeout on EAP failure report")
    1752. 

  1752. 

  1753. def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
    1754. 

  1754.     """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
    1755. 

  1755.     params = int_eap_server_params()
    1756. 

  1756.     params["server_cert"] = "auth_serv/server-expired.pem"
    1757. 

  1757.     params["private_key"] = "auth_serv/server-expired.key"
    1758. 

  1758.     hostapd.add_ap(apdev[0]['ifname'], params)
    1759. 

  1759.     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
    1760. 

  1760.                    identity="mschap user", password="password",
    1761. 

  1761.                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    1762. 

  1762.                    phase1="tls_disable_time_checks=1",
    1763. 

  1763.                    scan_freq="2412")
    1764. 

  1764. 

  1765. def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
    1766. 

  1766.     """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
    1767. 

  1767.     params = int_eap_server_params()
    1768. 

  1768.     params["server_cert"] = "auth_serv/server-eku-client.pem"
    1769. 

  1769.     params["private_key"] = "auth_serv/server-eku-client.key"
    1770. 

  1770.     hostapd.add_ap(apdev[0]['ifname'], params)
    1771. 

  1771.     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
    1772. 

  1772.                    identity="mschap user", password="password",
    1773. 

  1773.                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    1774. 

  1774.                    wait_connect=False,
    1775. 

  1775.                    scan_freq="2412")
    1776. 

  1776.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    1777. 

  1777.     if ev is None:
    1778. 

  1778.         raise Exception("Timeout on EAP failure report")
    1779. 

  1779. 

  1780. def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
    1781. 

  1781.     """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
    1782. 

  1782.     params = int_eap_server_params()
    1783. 

  1783.     params["server_cert"] = "auth_serv/server-eku-client-server.pem"
    1784. 

  1784.     params["private_key"] = "auth_serv/server-eku-client-server.key"
    1785. 

  1785.     hostapd.add_ap(apdev[0]['ifname'], params)
    1786. 

  1786.     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
    1787. 

  1787.                    identity="mschap user", password="password",
    1788. 

  1788.                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    1789. 

  1789.                    scan_freq="2412")
    1790. 

  1790. 

  1791. def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
    1792. 

  1792.     """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
    1793. 

  1793.     params = int_eap_server_params()
    1794. 

  1794.     del params["server_cert"]
    1795. 

  1795.     params["private_key"] = "auth_serv/server.pkcs12"
    1796. 

  1796.     hostapd.add_ap(apdev[0]['ifname'], params)
    1797. 

  1797.     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
    1798. 

  1798.                    identity="mschap user", password="password",
    1799. 

  1799.                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    1800. 

  1800.                    scan_freq="2412")
    1801. 

  1801. 

  1802. def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    1803. 

  1803.     """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params"""
    1804. 

  1804.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    1805. 

  1805.     hostapd.add_ap(apdev[0]['ifname'], params)
    1806. 

  1806.     eap_connect(dev[0], apdev[0], "TTLS", "chap user",
    1807. 

  1807.                 anonymous_identity="ttls", password="password",
    1808. 

  1808.                 ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
    1809. 

  1809.                 dh_file="auth_serv/dh.conf")
    1810. 

  1810. 

  1811. def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    1812. 

  1812.     """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob"""
    1813. 

  1813.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    1814. 

  1814.     hostapd.add_ap(apdev[0]['ifname'], params)
    1815. 

  1815.     dh = read_pem("auth_serv/dh.conf")
    1816. 

  1816.     if "OK" not in dev[0].request("SET blob dhparams " + dh.encode("hex")):
    1817. 

  1817.         raise Exception("Could not set dhparams blob")
    1818. 

  1818.     eap_connect(dev[0], apdev[0], "TTLS", "chap user",
    1819. 

  1819.                 anonymous_identity="ttls", password="password",
    1820. 

  1820.                 ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
    1821. 

  1821.                 dh_file="blob://dhparams")
    1822. 

  1822. 

  1823. def test_ap_wpa2_eap_reauth(dev, apdev):
    1824. 

  1824.     """WPA2-Enterprise and Authenticator forcing reauthentication"""
    1825. 

  1825.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    1826. 

  1826.     params['eap_reauth_period'] = '2'
    1827. 

  1827.     hostapd.add_ap(apdev[0]['ifname'], params)
    1828. 

  1828.     eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
    1829. 

  1829.                 password_hex="0123456789abcdef0123456789abcdef")
    1830. 

  1830.     logger.info("Wait for reauthentication")
    1831. 

  1831.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    1832. 

  1832.     if ev is None:
    1833. 

  1833.         raise Exception("Timeout on reauthentication")
    1834. 

  1834.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    1835. 

  1835.     if ev is None:
    1836. 

  1836.         raise Exception("Timeout on reauthentication")
    1837. 

  1837.     for i in range(0, 20):
    1838. 

  1838.         state = dev[0].get_status_field("wpa_state")
    1839. 

  1839.         if state == "COMPLETED":
    1840. 

  1840.             break
    1841. 

  1841.         time.sleep(0.1)
    1842. 

  1842.     if state != "COMPLETED":
    1843. 

  1843.         raise Exception("Reauthentication did not complete")
    1844. 

  1844. 

  1845. def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    1846. 

  1846.     """Optional displayable message in EAP Request-Identity"""
    1847. 

  1847.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    1848. 

  1848.     params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    1849. 

  1849.     hostapd.add_ap(apdev[0]['ifname'], params)
    1850. 

  1850.     eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
    1851. 

  1851.                 password_hex="0123456789abcdef0123456789abcdef")
    1852. 

  1852. 

  1853. def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    1854. 

  1854.     """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
    1855. 

  1855.     if not os.path.exists("/tmp/hlr_auc_gw.sock"):
    1856. 

  1856.         logger.info("No hlr_auc_gw available");
    1857. 

  1857.         return "skip"
    1858. 

  1858.     params = int_eap_server_params()
    1859. 

  1859.     params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    1860. 

  1860.     params['eap_sim_aka_result_ind'] = "1"
    1861. 

  1861.     hostapd.add_ap(apdev[0]['ifname'], params)
    1862. 

  1862. 

  1863.     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
    1864. 

  1864.                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
    1865. 

  1865.                 phase1="result_ind=1")
    1866. 

  1866.     eap_reauth(dev[0], "SIM")
    1867. 

  1867.     eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
    1868. 

  1868.                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    1869. 

  1869. 

  1870.     dev[0].request("REMOVE_NETWORK all")
    1871. 

  1871.     dev[1].request("REMOVE_NETWORK all")
    1872. 

  1872. 

  1873.     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
    1874. 

  1874.                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
    1875. 

  1875.                 phase1="result_ind=1")
    1876. 

  1876.     eap_reauth(dev[0], "AKA")
    1877. 

  1877.     eap_connect(dev[1], apdev[0], "AKA", "0232010000000000",
    1878. 

  1878.                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    1879. 

  1879. 

  1880.     dev[0].request("REMOVE_NETWORK all")
    1881. 

  1881.     dev[1].request("REMOVE_NETWORK all")
    1882. 

  1882. 

  1883.     eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
    1884. 

  1884.                 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
    1885. 

  1885.                 phase1="result_ind=1")
    1886. 

  1886.     eap_reauth(dev[0], "AKA'")
    1887. 

  1887.     eap_connect(dev[1], apdev[0], "AKA'", "6555444333222111",
    1888. 

  1888.                 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
    1889. 

  1889. 

  1890. def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
    1891. 

  1891.     """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
    1892. 

  1892.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    1893. 

  1893.     hostapd.add_ap(apdev[0]['ifname'], params)
    1894. 

  1894.     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
    1895. 

  1895.                    eap="TTLS", identity="mschap user",
    1896. 

  1896.                    wait_connect=False, scan_freq="2412", ieee80211w="1",
    1897. 

  1897.                    anonymous_identity="ttls", password="password",
    1898. 

  1898.                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    1899. 

  1899.                    fragment_size="10")
    1900. 

  1900.     ev = dev[0].wait_event(["EAP: more than"], timeout=20)
    1901. 

  1901.     if ev is None:
    1902. 

  1902.         raise Exception("EAP roundtrip limit not reached")
    1903. 

  1903. 

  1904. def test_ap_wpa2_eap_expanded_nak(dev, apdev):
    1905. 

  1905.     """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
    1906. 

  1906.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    1907. 

  1907.     hostapd.add_ap(apdev[0]['ifname'], params)
    1908. 

  1908.     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
    1909. 

  1909.                    eap="PSK", identity="vendor-test",
    1910. 

  1910.                    password_hex="ff23456789abcdef0123456789abcdef",
    1911. 

  1911.                    wait_connect=False)
    1912. 

  1912. 

  1913.     found = False
    1914. 

  1914.     for i in range(0, 5):
    1915. 

  1915.         ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
    1916. 

  1916.         if ev is None:
    1917. 

  1917.             raise Exception("Association and EAP start timed out")
    1918. 

  1918.         if "refuse proposed method" in ev:
    1919. 

  1919.             found = True
    1920. 

  1920.             break
    1921. 

  1921.     if not found:
    1922. 

  1922.         raise Exception("Unexpected EAP status: " + ev)
    1923. 

  1923. 

  1924.     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    1925. 

  1925.     if ev is None:
    1926. 

  1926.         raise Exception("EAP failure timed out")
    1927. 

  1927. 

  1928. def test_ap_wpa2_eap_sql(dev, apdev, params):
    1929. 

  1929.     """WPA2-Enterprise connection using SQLite for user DB"""
    1930. 

  1930.     try:
    1931. 

  1931.         import sqlite3
    1932. 

  1932.     except ImportError:
    1933. 

  1933.         return "skip"
    1934. 

  1934.     dbfile = os.path.join(params['logdir'], "eap-user.db")
    1935. 

  1935.     try:
    1936. 

  1936.         os.remove(dbfile)
    1937. 

  1937.     except:
    1938. 

  1938.         pass
    1939. 

  1939.     con = sqlite3.connect(dbfile)
    1940. 

  1940.     with con:
    1941. 

  1941.         cur = con.cursor()
    1942. 

  1942.         cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
    1943. 

  1943.         cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
    1944. 

  1944.         cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
    1945. 

  1945.         cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
    1946. 

  1946.         cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
    1947. 

  1947.         cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
    1948. 

  1948.         cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
    1949. 

  1949.         cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
    1950. 

  1950. 

  1951.     try:
    1952. 

  1952.         params = int_eap_server_params()
    1953. 

  1953.         params["eap_user_file"] = "sqlite:" + dbfile
    1954. 

  1954.         hostapd.add_ap(apdev[0]['ifname'], params)
    1955. 

  1955.         eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
    1956. 

  1956.                     anonymous_identity="ttls", password="password",
    1957. 

  1957.                     ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    1958. 

  1958.         dev[0].request("REMOVE_NETWORK all")
    1959. 

  1959.         eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
    1960. 

  1960.                     anonymous_identity="ttls", password="password",
    1961. 

  1961.                     ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
    1962. 

  1962.         dev[1].request("REMOVE_NETWORK all")
    1963. 

  1963.         eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
    1964. 

  1964.                     anonymous_identity="ttls", password="password",
    1965. 

  1965.                     ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
    1966. 

  1966.         eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
    1967. 

  1967.                     anonymous_identity="ttls", password="password",
    1968. 

  1968.                     ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    1969. 

  1969.     finally:
    1970. 

  1970.         os.remove(dbfile)
    1971. 

  1971. 

  1972. def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
    1973. 

  1973.     """WPA2-Enterprise connection attempt using non-ASCII identity"""
    1974. 

  1974.     params = int_eap_server_params()
    1975. 

  1975.     hostapd.add_ap(apdev[0]['ifname'], params)
    1976. 

  1976.     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
    1977. 

  1977.                    identity="\x80", password="password", wait_connect=False)
    1978. 

  1978.     dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
    1979. 

  1979.                    identity="a\x80", password="password", wait_connect=False)
    1980. 

  1980.     for i in range(0, 2):
    1981. 

  1981.         ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    1982. 

  1982.         if ev is None:
    1983. 

  1983.             raise Exception("Association and EAP start timed out")
    1984. 

  1984.         ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    1985. 

  1985.         if ev is None:
    1986. 

  1986.             raise Exception("EAP method selection timed out")
    1987. 

  1987. 

  1988. def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
    1989. 

  1989.     """WPA2-Enterprise connection attempt using non-ASCII identity"""
    1990. 

  1990.     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    1991. 

  1991.     hostapd.add_ap(apdev[0]['ifname'], params)
    1992. 

  1992.     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
    1993. 

  1993.                    identity="\x80", password="password", wait_connect=False)
    1994. 

  1994.     dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
    1995. 

  1995.                    identity="a\x80", password="password", wait_connect=False)
    1996. 

  1996.     for i in range(0, 2):
    1997. 

  1997.         ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    1998. 

  1998.         if ev is None:
    1999. 

  1999.             raise Exception("Association and EAP start timed out")
    2000. 

  2000.         ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    2001. 

  2001.         if ev is None:
    2002. 

  2002.             raise Exception("EAP method selection timed out")
    2003.