jeltz/hostap
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
hostap/tests/hwsim/test_ap_eap.py

817 lines
38 KiB
Python
Raw Normal View History

tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
#!/usr/bin/python
#
# WPA2-Enterprise tests
tests: Use ctrl_iface event for EAP reauth instead of STATUS poll This speeds up the EAP test cases a bit by avoiding polling for wpa_supplicant status. Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 08:23:46 +01:00
# Copyright (c) 2013-2014, Jouni Malinen <j@w1.fi>
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
#
# This software may be distributed under the terms of the BSD license.
# See README for more details.
import time
import subprocess
import logging
tests: Split run-tests.py logger info into per test case files The run-tests.py -l argument does not take an argument value anymore. Instead, debug output is directed to a separate file <test>.log for each test case. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-10-31 11:46:42 +01:00
logger = logging.getLogger()
tests: Skip EAP-SIM/AKA/AKA' if hlr_auc_gw not available Do not fail the EAP-SIM/AKA/AKA' test cases if hlr_auc_gw is not available since hlr_auc_gw is not considered required part for the test setup. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-10-15 16:02:43 +02:00
import os.path
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
import hwsim_utils
import hostapd
tests: Make WPA2-Enterprise reauth test cases more robust With the extra latencies removed from run-tests.py operations, it was possible to hit race conditions in pairwise cipher configuration at the end of the 4-way handshake. In some cases, the EAPOL-Start frame from the station was not received by the AP and that could result in these test cases failing. Since there are not really trying to test the race condition, wait for the AP side to complete key configuration prior to initiating the reauthentication sequence. Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 15:35:05 +01:00
def eap_connect(dev, ap, method, identity, anonymous_identity=None,
password=None,
tests: Add domain_suffix_match validation This verifies that domain_suffix_match works correctly both for the matching and mismatching cases. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-10-20 18:47:39 +02:00
phase1=None, phase2=None, ca_cert=None,
tests: Add an EAP-TLS test case This fixes the user.key file (incorrect key was copied previously) and adds a test case for EAP-TLS with WPA2-Enterprise. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-11-03 11:25:44 +01:00
domain_suffix_match=None, password_hex=None,
tests: Add more EAP fragmentation tests Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 17:03:29 +01:00
client_cert=None, private_key=None, sha256=False,
tests: Negative test cases with incorrect EAP password Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 17:58:39 +01:00
fragment_size=None, expect_failure=False,
tests: Verify EAP-PEAP/EAP-TLS Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 18:20:00 +01:00
local_error_report=False,
tests: EAP-FAST Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-08 09:21:37 +01:00
ca_cert2=None, client_cert2=None, private_key2=None,
tests: subject_match and altsubject_match Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-08 15:31:22 +01:00
pac_file=None, subject_match=None, altsubject_match=None):
tests: Make WPA2-Enterprise reauth test cases more robust With the extra latencies removed from run-tests.py operations, it was possible to hit race conditions in pairwise cipher configuration at the end of the 4-way handshake. In some cases, the EAPOL-Start frame from the station was not received by the AP and that could result in these test cases failing. Since there are not really trying to test the race condition, wait for the AP side to complete key configuration prior to initiating the reauthentication sequence. Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 15:35:05 +01:00
hapd = hostapd.Hostapd(ap['ifname'])
tests: Validate EAP-EKE proposal negotiation This covers all currently supported algorithms and the case of no match. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-29 12:17:57 +01:00
id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
eap=method, identity=identity,
anonymous_identity=anonymous_identity,
password=password, phase1=phase1, phase2=phase2,
ca_cert=ca_cert, domain_suffix_match=domain_suffix_match,
wait_connect=False, scan_freq="2412",
password_hex=password_hex,
client_cert=client_cert, private_key=private_key,
tests: Verify EAP-PEAP/EAP-TLS Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 18:20:00 +01:00
ieee80211w="1", fragment_size=fragment_size,
ca_cert2=ca_cert2, client_cert2=client_cert2,
tests: subject_match and altsubject_match Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-08 15:31:22 +01:00
private_key2=private_key2, pac_file=pac_file,
subject_match=subject_match,
altsubject_match=altsubject_match)
tests: Negative test cases with incorrect EAP password Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 17:58:39 +01:00
eap_check_auth(dev, method, True, sha256=sha256,
expect_failure=expect_failure,
local_error_report=local_error_report)
if expect_failure:
return id
tests: Make WPA2-Enterprise reauth test cases more robust With the extra latencies removed from run-tests.py operations, it was possible to hit race conditions in pairwise cipher configuration at the end of the 4-way handshake. In some cases, the EAPOL-Start frame from the station was not received by the AP and that could result in these test cases failing. Since there are not really trying to test the race condition, wait for the AP side to complete key configuration prior to initiating the reauthentication sequence. Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 15:35:05 +01:00
ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
if ev is None:
raise Exception("No connection event received from hostapd")
tests: Validate EAP-EKE proposal negotiation This covers all currently supported algorithms and the case of no match. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-29 12:17:57 +01:00
return id
tests: Verify EAP fast reauthentication Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-28 09:41:42 +01:00
tests: Negative test cases with incorrect EAP password Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 17:58:39 +01:00
def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
expect_failure=False, local_error_report=False):
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
if ev is None:
raise Exception("Association and EAP start timed out")
ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
if ev is None:
raise Exception("EAP method selection timed out")
if method not in ev:
raise Exception("Unexpected EAP method")
tests: Negative test cases with incorrect EAP password Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 17:58:39 +01:00
if expect_failure:
ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
if ev is None:
raise Exception("EAP failure timed out")
ev = dev.wait_event(["CTRL-EVENT-DISCONNECTED"])
if ev is None:
raise Exception("Disconnection timed out")
if not local_error_report:
if "reason=23" not in ev:
raise Exception("Proper reason code for disconnection not reported")
return
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
if ev is None:
raise Exception("EAP success timed out")
tests: Verify EAP fast reauthentication Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-28 09:41:42 +01:00
if initial:
ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
else:
tests: Use ctrl_iface event for EAP reauth instead of STATUS poll This speeds up the EAP test cases a bit by avoiding polling for wpa_supplicant status. Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 08:23:46 +01:00
ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
if ev is None:
raise Exception("Association with the AP timed out")
status = dev.get_status()
if status["wpa_state"] != "COMPLETED":
raise Exception("Connection not completed")
tests: Verify EAP fast reauthentication Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-28 09:41:42 +01:00
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
if status["suppPortStatus"] != "Authorized":
raise Exception("Port not authorized")
if method not in status["selectedMethod"]:
raise Exception("Incorrect EAP method status")
tests: WPA2-Enterprise with PMF required Increase test coverage with PMF required configuration and SHA256-based AKM in one of the EAP test cases. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-28 11:36:03 +01:00
if sha256:
e = "WPA2-EAP-SHA256"
elif rsn:
tests: Verify WPA-Enterprise functionality All the previous EAP test cases were using WPA2-Enterprise. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-28 11:30:28 +01:00
e = "WPA2/IEEE 802.1X/EAP"
else:
e = "WPA/IEEE 802.1X/EAP"
if status["key_mgmt"] != e:
raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
tests: WPA2-Enterprise with PMF required Increase test coverage with PMF required configuration and SHA256-based AKM in one of the EAP test cases. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-28 11:36:03 +01:00
def eap_reauth(dev, method, rsn=True, sha256=False):
tests: Verify EAP fast reauthentication Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-28 09:41:42 +01:00
dev.request("REAUTHENTICATE")
tests: WPA2-Enterprise with PMF required Increase test coverage with PMF required configuration and SHA256-based AKM in one of the EAP test cases. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-28 11:36:03 +01:00
eap_check_auth(dev, method, False, rsn=rsn, sha256=sha256)
tests: Verify EAP fast reauthentication Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-28 09:41:42 +01:00
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
def test_ap_wpa2_eap_sim(dev, apdev):
"""WPA2-Enterprise connection using EAP-SIM"""
tests: Skip EAP-SIM/AKA/AKA' if hlr_auc_gw not available Do not fail the EAP-SIM/AKA/AKA' test cases if hlr_auc_gw is not available since hlr_auc_gw is not considered required part for the test setup. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-10-15 16:02:43 +02:00
if not os.path.exists("/tmp/hlr_auc_gw.sock"):
logger.info("No hlr_auc_gw available");
return "skip"
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
hostapd.add_ap(apdev[0]['ifname'], params)
tests: Make WPA2-Enterprise reauth test cases more robust With the extra latencies removed from run-tests.py operations, it was possible to hit race conditions in pairwise cipher configuration at the end of the 4-way handshake. In some cases, the EAPOL-Start frame from the station was not received by the AP and that could result in these test cases failing. Since there are not really trying to test the race condition, wait for the AP side to complete key configuration prior to initiating the reauthentication sequence. Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 15:35:05 +01:00
eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
tests: Verify EAP fast reauthentication Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-28 09:41:42 +01:00
eap_reauth(dev[0], "SIM")
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
tests: Negative test cases with incorrect EAP password Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 17:58:39 +01:00
logger.info("Negative test with incorrect key")
dev[0].request("REMOVE_NETWORK all")
eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
expect_failure=True)
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
def test_ap_wpa2_eap_aka(dev, apdev):
"""WPA2-Enterprise connection using EAP-AKA"""
tests: Skip EAP-SIM/AKA/AKA' if hlr_auc_gw not available Do not fail the EAP-SIM/AKA/AKA' test cases if hlr_auc_gw is not available since hlr_auc_gw is not considered required part for the test setup. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-10-15 16:02:43 +02:00
if not os.path.exists("/tmp/hlr_auc_gw.sock"):
logger.info("No hlr_auc_gw available");
return "skip"
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
hostapd.add_ap(apdev[0]['ifname'], params)
tests: Make WPA2-Enterprise reauth test cases more robust With the extra latencies removed from run-tests.py operations, it was possible to hit race conditions in pairwise cipher configuration at the end of the 4-way handshake. In some cases, the EAPOL-Start frame from the station was not received by the AP and that could result in these test cases failing. Since there are not really trying to test the race condition, wait for the AP side to complete key configuration prior to initiating the reauthentication sequence. Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 15:35:05 +01:00
eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
tests: Verify EAP fast reauthentication Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-28 09:41:42 +01:00
eap_reauth(dev[0], "AKA")
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
tests: Negative test cases with incorrect EAP password Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 17:58:39 +01:00
logger.info("Negative test with incorrect key")
dev[0].request("REMOVE_NETWORK all")
eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
expect_failure=True)
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
def test_ap_wpa2_eap_aka_prime(dev, apdev):
"""WPA2-Enterprise connection using EAP-AKA'"""
tests: Skip EAP-SIM/AKA/AKA' if hlr_auc_gw not available Do not fail the EAP-SIM/AKA/AKA' test cases if hlr_auc_gw is not available since hlr_auc_gw is not considered required part for the test setup. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-10-15 16:02:43 +02:00
if not os.path.exists("/tmp/hlr_auc_gw.sock"):
logger.info("No hlr_auc_gw available");
return "skip"
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
hostapd.add_ap(apdev[0]['ifname'], params)
tests: Make WPA2-Enterprise reauth test cases more robust With the extra latencies removed from run-tests.py operations, it was possible to hit race conditions in pairwise cipher configuration at the end of the 4-way handshake. In some cases, the EAPOL-Start frame from the station was not received by the AP and that could result in these test cases failing. Since there are not really trying to test the race condition, wait for the AP side to complete key configuration prior to initiating the reauthentication sequence. Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 15:35:05 +01:00
eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
tests: Verify EAP fast reauthentication Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-28 09:41:42 +01:00
eap_reauth(dev[0], "AKA'")
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
tests: Negative test cases with incorrect EAP password Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 17:58:39 +01:00
logger.info("Negative test with incorrect key")
dev[0].request("REMOVE_NETWORK all")
eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
expect_failure=True)
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
"""WPA2-Enterprise connection using EAP-TTLS/PAP"""
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
hostapd.add_ap(apdev[0]['ifname'], params)
tests: Make WPA2-Enterprise reauth test cases more robust With the extra latencies removed from run-tests.py operations, it was possible to hit race conditions in pairwise cipher configuration at the end of the 4-way handshake. In some cases, the EAPOL-Start frame from the station was not received by the AP and that could result in these test cases failing. Since there are not really trying to test the race condition, wait for the AP side to complete key configuration prior to initiating the reauthentication sequence. Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 15:35:05 +01:00
eap_connect(dev[0], apdev[0], "TTLS", "pap user",
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
anonymous_identity="ttls", password="password",
tests: subject_match and altsubject_match Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-08 15:31:22 +01:00
ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
tests: Verify EAP fast reauthentication Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-28 09:41:42 +01:00
eap_reauth(dev[0], "TTLS")
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
"""WPA2-Enterprise connection using EAP-TTLS/CHAP"""
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
hostapd.add_ap(apdev[0]['ifname'], params)
tests: Make WPA2-Enterprise reauth test cases more robust With the extra latencies removed from run-tests.py operations, it was possible to hit race conditions in pairwise cipher configuration at the end of the 4-way handshake. In some cases, the EAPOL-Start frame from the station was not received by the AP and that could result in these test cases failing. Since there are not really trying to test the race condition, wait for the AP side to complete key configuration prior to initiating the reauthentication sequence. Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 15:35:05 +01:00
eap_connect(dev[0], apdev[0], "TTLS", "chap user",
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
anonymous_identity="ttls", password="password",
tests: CA certificate in DER format Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-08 16:06:36 +01:00
ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
tests: Verify EAP fast reauthentication Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-28 09:41:42 +01:00
eap_reauth(dev[0], "TTLS")
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
"""WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
hostapd.add_ap(apdev[0]['ifname'], params)
tests: Make WPA2-Enterprise reauth test cases more robust With the extra latencies removed from run-tests.py operations, it was possible to hit race conditions in pairwise cipher configuration at the end of the 4-way handshake. In some cases, the EAPOL-Start frame from the station was not received by the AP and that could result in these test cases failing. Since there are not really trying to test the race condition, wait for the AP side to complete key configuration prior to initiating the reauthentication sequence. Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 15:35:05 +01:00
eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
anonymous_identity="ttls", password="password",
tests: Add domain_suffix_match validation This verifies that domain_suffix_match works correctly both for the matching and mismatching cases. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-10-20 18:47:39 +02:00
ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
domain_suffix_match="server.w1.fi")
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
tests: Verify EAP fast reauthentication Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-28 09:41:42 +01:00
eap_reauth(dev[0], "TTLS")
tests: Add more EAP fragmentation tests Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 17:03:29 +01:00
dev[0].request("REMOVE_NETWORK all")
eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
anonymous_identity="ttls", password="password",
ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
fragment_size="200")
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
"""WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
hostapd.add_ap(apdev[0]['ifname'], params)
tests: Verify STA command output and EAPOL state Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-02 17:10:30 +01:00
hapd = hostapd.Hostapd(apdev[0]['ifname'])
tests: Make WPA2-Enterprise reauth test cases more robust With the extra latencies removed from run-tests.py operations, it was possible to hit race conditions in pairwise cipher configuration at the end of the 4-way handshake. In some cases, the EAPOL-Start frame from the station was not received by the AP and that could result in these test cases failing. Since there are not really trying to test the race condition, wait for the AP side to complete key configuration prior to initiating the reauthentication sequence. Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 15:35:05 +01:00
eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
anonymous_identity="ttls", password="password",
tests: Add domain_suffix_match validation This verifies that domain_suffix_match works correctly both for the matching and mismatching cases. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-10-20 18:47:39 +02:00
ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
domain_suffix_match="w1.fi")
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
tests: Verify STA command output and EAPOL state Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-02 17:10:30 +01:00
sta1 = hapd.get_sta(dev[0].p2p_interface_addr())
eapol1 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
tests: Verify EAP fast reauthentication Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-28 09:41:42 +01:00
eap_reauth(dev[0], "TTLS")
tests: Verify STA command output and EAPOL state Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-02 17:10:30 +01:00
sta2 = hapd.get_sta(dev[0].p2p_interface_addr())
eapol2 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
raise Exception("dot1xAuthEapolFramesRx did not increase")
if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
raise Exception("backendAuthSuccesses did not increase")
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
tests: MSCHAPv2 password as hash value Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 18:30:24 +01:00
logger.info("Password as hash value")
dev[0].request("REMOVE_NETWORK all")
eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
anonymous_identity="ttls",
password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
tests: Negative test cases with incorrect EAP password Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 17:58:39 +01:00
logger.info("Negative test with incorrect password")
dev[0].request("REMOVE_NETWORK all")
eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
anonymous_identity="ttls", password="password1",
ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
expect_failure=True)
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
"""WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
hostapd.add_ap(apdev[0]['ifname'], params)
tests: Make WPA2-Enterprise reauth test cases more robust With the extra latencies removed from run-tests.py operations, it was possible to hit race conditions in pairwise cipher configuration at the end of the 4-way handshake. In some cases, the EAPOL-Start frame from the station was not received by the AP and that could result in these test cases failing. Since there are not really trying to test the race condition, wait for the AP side to complete key configuration prior to initiating the reauthentication sequence. Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 15:35:05 +01:00
eap_connect(dev[0], apdev[0], "TTLS", "user",
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
anonymous_identity="ttls", password="password",
ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
tests: Verify EAP fast reauthentication Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-28 09:41:42 +01:00
eap_reauth(dev[0], "TTLS")
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
"""WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
hostapd.add_ap(apdev[0]['ifname'], params)
tests: Make WPA2-Enterprise reauth test cases more robust With the extra latencies removed from run-tests.py operations, it was possible to hit race conditions in pairwise cipher configuration at the end of the 4-way handshake. In some cases, the EAPOL-Start frame from the station was not received by the AP and that could result in these test cases failing. Since there are not really trying to test the race condition, wait for the AP side to complete key configuration prior to initiating the reauthentication sequence. Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 15:35:05 +01:00
eap_connect(dev[0], apdev[0], "TTLS", "user",
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
anonymous_identity="ttls", password="password",
ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
tests: Verify EAP fast reauthentication Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-28 09:41:42 +01:00
eap_reauth(dev[0], "TTLS")
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
"""WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
hostapd.add_ap(apdev[0]['ifname'], params)
tests: Make WPA2-Enterprise reauth test cases more robust With the extra latencies removed from run-tests.py operations, it was possible to hit race conditions in pairwise cipher configuration at the end of the 4-way handshake. In some cases, the EAPOL-Start frame from the station was not received by the AP and that could result in these test cases failing. Since there are not really trying to test the race condition, wait for the AP side to complete key configuration prior to initiating the reauthentication sequence. Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 15:35:05 +01:00
eap_connect(dev[0], apdev[0], "TTLS", "user",
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
anonymous_identity="ttls", password="password",
ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
tests: Verify EAP fast reauthentication Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-28 09:41:42 +01:00
eap_reauth(dev[0], "TTLS")
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
tests: Negative test cases with incorrect EAP password Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 17:58:39 +01:00
logger.info("Negative test with incorrect password")
dev[0].request("REMOVE_NETWORK all")
eap_connect(dev[0], apdev[0], "TTLS", "user",
anonymous_identity="ttls", password="password1",
ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
expect_failure=True)
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
"""WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
hostapd.add_ap(apdev[0]['ifname'], params)
tests: Make WPA2-Enterprise reauth test cases more robust With the extra latencies removed from run-tests.py operations, it was possible to hit race conditions in pairwise cipher configuration at the end of the 4-way handshake. In some cases, the EAPOL-Start frame from the station was not received by the AP and that could result in these test cases failing. Since there are not really trying to test the race condition, wait for the AP side to complete key configuration prior to initiating the reauthentication sequence. Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 15:35:05 +01:00
eap_connect(dev[0], apdev[0], "PEAP", "user",
tests: Verify PEAPv0 Crypto-Binding Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-28 09:26:48 +01:00
anonymous_identity="peap", password="password",
tests: Add test cases for WPA2-Enterprise Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:35:26 +02:00
ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
tests: Verify EAP fast reauthentication Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-28 09:41:42 +01:00
eap_reauth(dev[0], "PEAP")
tests: Add more EAP fragmentation tests Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 17:03:29 +01:00
dev[0].request("REMOVE_NETWORK all")
eap_connect(dev[0], apdev[0], "PEAP", "user",
anonymous_identity="peap", password="password",
ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
fragment_size="200")
tests: Add negative TLS test case to verify trust root validation Signed-hostap: Jouni Malinen <j@w1.fi>
2013-10-20 18:41:01 +02:00
tests: MSCHAPv2 password as hash value Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 18:30:24 +01:00
logger.info("Password as hash value")
dev[0].request("REMOVE_NETWORK all")
eap_connect(dev[0], apdev[0], "PEAP", "user",
anonymous_identity="peap",
password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
tests: Negative test cases with incorrect EAP password Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 17:58:39 +01:00
logger.info("Negative test with incorrect password")
dev[0].request("REMOVE_NETWORK all")
eap_connect(dev[0], apdev[0], "PEAP", "user",
anonymous_identity="peap", password="password1",
ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
expect_failure=True)
tests: Verify PEAPv0 Crypto-Binding Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-28 09:26:48 +01:00
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
"""WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
hostapd.add_ap(apdev[0]['ifname'], params)
tests: Make WPA2-Enterprise reauth test cases more robust With the extra latencies removed from run-tests.py operations, it was possible to hit race conditions in pairwise cipher configuration at the end of the 4-way handshake. In some cases, the EAPOL-Start frame from the station was not received by the AP and that could result in these test cases failing. Since there are not really trying to test the race condition, wait for the AP side to complete key configuration prior to initiating the reauthentication sequence. Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 15:35:05 +01:00
eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
tests: Verify PEAPv0 Crypto-Binding Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-28 09:26:48 +01:00
ca_cert="auth_serv/ca.pem",
phase1="peapver=0 crypto_binding=2",
phase2="auth=MSCHAPV2")
hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
tests: Verify EAP fast reauthentication Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-28 09:41:42 +01:00
eap_reauth(dev[0], "PEAP")
tests: Verify PEAPv0 Crypto-Binding Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-28 09:26:48 +01:00
tests: Verify EAP-PEAP/EAP-TLS Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 18:20:00 +01:00
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
"""WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
hostapd.add_ap(apdev[0]['ifname'], params)
eap_connect(dev[0], apdev[0], "PEAP", "cert user",
ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
ca_cert2="auth_serv/ca.pem",
client_cert2="auth_serv/user.pem",
private_key2="auth_serv/user.key")
eap_reauth(dev[0], "PEAP")
tests: Add an EAP-TLS test case This fixes the user.key file (incorrect key was copied previously) and adds a test case for EAP-TLS with WPA2-Enterprise. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-11-03 11:25:44 +01:00
def test_ap_wpa2_eap_tls(dev, apdev):
"""WPA2-Enterprise connection using EAP-TLS"""
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
hostapd.add_ap(apdev[0]['ifname'], params)
tests: Make WPA2-Enterprise reauth test cases more robust With the extra latencies removed from run-tests.py operations, it was possible to hit race conditions in pairwise cipher configuration at the end of the 4-way handshake. In some cases, the EAPOL-Start frame from the station was not received by the AP and that could result in these test cases failing. Since there are not really trying to test the race condition, wait for the AP side to complete key configuration prior to initiating the reauthentication sequence. Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 15:35:05 +01:00
eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
tests: Add an EAP-TLS test case This fixes the user.key file (incorrect key was copied previously) and adds a test case for EAP-TLS with WPA2-Enterprise. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-11-03 11:25:44 +01:00
client_cert="auth_serv/user.pem",
private_key="auth_serv/user.key")
tests: Verify EAP fast reauthentication Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-28 09:41:42 +01:00
eap_reauth(dev[0], "TLS")
tests: Add an EAP-TLS test case This fixes the user.key file (incorrect key was copied previously) and adds a test case for EAP-TLS with WPA2-Enterprise. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-11-03 11:25:44 +01:00
tests: Add negative TLS test case to verify trust root validation Signed-hostap: Jouni Malinen <j@w1.fi>
2013-10-20 18:41:01 +02:00
def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
"""WPA2-Enterprise negative test - incorrect trust root"""
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
hostapd.add_ap(apdev[0]['ifname'], params)
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
password="password", phase2="auth=MSCHAPV2",
ca_cert="auth_serv/ca-incorrect.pem",
tests: Use single channel scans to speed up test cases A full scan in these specific test cases does not add anything to the coverage, so use a single channel scan for the station connection to remove undesired extra time needed for a full scan. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-11-02 10:22:16 +01:00
wait_connect=False, scan_freq="2412")
tests: Add negative TLS test case to verify trust root validation Signed-hostap: Jouni Malinen <j@w1.fi>
2013-10-20 18:41:01 +02:00
ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
if ev is None:
raise Exception("Association and EAP start timed out")
ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
if ev is None:
raise Exception("EAP method selection timed out")
if "TTLS" not in ev:
raise Exception("Unexpected EAP method")
ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
"CTRL-EVENT-EAP-SUCCESS",
"CTRL-EVENT-EAP-FAILURE",
"CTRL-EVENT-CONNECTED",
"CTRL-EVENT-DISCONNECTED"], timeout=10)
if ev is None:
raise Exception("EAP result timed out")
if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
raise Exception("TLS certificate error not reported")
ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
"CTRL-EVENT-EAP-FAILURE",
"CTRL-EVENT-CONNECTED",
"CTRL-EVENT-DISCONNECTED"], timeout=10)
if ev is None:
raise Exception("EAP result(2) timed out")
if "CTRL-EVENT-EAP-FAILURE" not in ev:
raise Exception("EAP failure not reported")
ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
"CTRL-EVENT-DISCONNECTED"], timeout=10)
if ev is None:
raise Exception("EAP result(3) timed out")
if "CTRL-EVENT-DISCONNECTED" not in ev:
raise Exception("Disconnection not reported")
ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
if ev is None:
raise Exception("Network block disabling not reported")
tests: Add domain_suffix_match validation This verifies that domain_suffix_match works correctly both for the matching and mismatching cases. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-10-20 18:47:39 +02:00
def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
"""WPA2-Enterprise negative test - domain suffix mismatch"""
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
hostapd.add_ap(apdev[0]['ifname'], params)
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
password="password", phase2="auth=MSCHAPV2",
ca_cert="auth_serv/ca.pem",
domain_suffix_match="incorrect.example.com",
tests: Use single channel scans to speed up test cases A full scan in these specific test cases does not add anything to the coverage, so use a single channel scan for the station connection to remove undesired extra time needed for a full scan. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-11-02 10:22:16 +01:00
wait_connect=False, scan_freq="2412")
tests: Add domain_suffix_match validation This verifies that domain_suffix_match works correctly both for the matching and mismatching cases. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-10-20 18:47:39 +02:00
ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
if ev is None:
raise Exception("Association and EAP start timed out")
ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
if ev is None:
raise Exception("EAP method selection timed out")
if "TTLS" not in ev:
raise Exception("Unexpected EAP method")
ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
"CTRL-EVENT-EAP-SUCCESS",
"CTRL-EVENT-EAP-FAILURE",
"CTRL-EVENT-CONNECTED",
"CTRL-EVENT-DISCONNECTED"], timeout=10)
if ev is None:
raise Exception("EAP result timed out")
if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
raise Exception("TLS certificate error not reported")
if "Domain suffix mismatch" not in ev:
raise Exception("Domain suffix mismatch not reported")
ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
"CTRL-EVENT-EAP-FAILURE",
"CTRL-EVENT-CONNECTED",
"CTRL-EVENT-DISCONNECTED"], timeout=10)
if ev is None:
raise Exception("EAP result(2) timed out")
if "CTRL-EVENT-EAP-FAILURE" not in ev:
raise Exception("EAP failure not reported")
ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
"CTRL-EVENT-DISCONNECTED"], timeout=10)
if ev is None:
raise Exception("EAP result(3) timed out")
if "CTRL-EVENT-DISCONNECTED" not in ev:
raise Exception("Disconnection not reported")
ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
if ev is None:
raise Exception("Network block disabling not reported")
tests: Add more EAP test cases This increases EAP method coverage for WPA2-Enterprise to include EAP-pwd, EAP-GPSK, EAP-SAKE, EAP-EKE, EAP-IKEv2, EAP-PAX, and EAP-PSK. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-11-03 10:58:38 +01:00
tests: subject_match and altsubject_match Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-08 15:31:22 +01:00
def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
"""WPA2-Enterprise negative test - subject mismatch"""
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
hostapd.add_ap(apdev[0]['ifname'], params)
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
password="password", phase2="auth=MSCHAPV2",
ca_cert="auth_serv/ca.pem",
subject_match="/C=FI/O=w1.fi/CN=example.com",
wait_connect=False, scan_freq="2412")
ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
if ev is None:
raise Exception("Association and EAP start timed out")
ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
if ev is None:
raise Exception("EAP method selection timed out")
if "TTLS" not in ev:
raise Exception("Unexpected EAP method")
ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
"CTRL-EVENT-EAP-SUCCESS",
"CTRL-EVENT-EAP-FAILURE",
"CTRL-EVENT-CONNECTED",
"CTRL-EVENT-DISCONNECTED"], timeout=10)
if ev is None:
raise Exception("EAP result timed out")
if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
raise Exception("TLS certificate error not reported")
if "Subject mismatch" not in ev:
raise Exception("Subject mismatch not reported")
ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
"CTRL-EVENT-EAP-FAILURE",
"CTRL-EVENT-CONNECTED",
"CTRL-EVENT-DISCONNECTED"], timeout=10)
if ev is None:
raise Exception("EAP result(2) timed out")
if "CTRL-EVENT-EAP-FAILURE" not in ev:
raise Exception("EAP failure not reported")
ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
"CTRL-EVENT-DISCONNECTED"], timeout=10)
if ev is None:
raise Exception("EAP result(3) timed out")
if "CTRL-EVENT-DISCONNECTED" not in ev:
raise Exception("Disconnection not reported")
ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
if ev is None:
raise Exception("Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
"""WPA2-Enterprise negative test - altsubject mismatch"""
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
hostapd.add_ap(apdev[0]['ifname'], params)
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
password="password", phase2="auth=MSCHAPV2",
ca_cert="auth_serv/ca.pem",
altsubject_match="incorrect.example.com",
wait_connect=False, scan_freq="2412")
ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
if ev is None:
raise Exception("Association and EAP start timed out")
ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
if ev is None:
raise Exception("EAP method selection timed out")
if "TTLS" not in ev:
raise Exception("Unexpected EAP method")
ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
"CTRL-EVENT-EAP-SUCCESS",
"CTRL-EVENT-EAP-FAILURE",
"CTRL-EVENT-CONNECTED",
"CTRL-EVENT-DISCONNECTED"], timeout=10)
if ev is None:
raise Exception("EAP result timed out")
if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
raise Exception("TLS certificate error not reported")
if "AltSubject mismatch" not in ev:
raise Exception("altsubject mismatch not reported")
ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
"CTRL-EVENT-EAP-FAILURE",
"CTRL-EVENT-CONNECTED",
"CTRL-EVENT-DISCONNECTED"], timeout=10)
if ev is None:
raise Exception("EAP result(2) timed out")
if "CTRL-EVENT-EAP-FAILURE" not in ev:
raise Exception("EAP failure not reported")
ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
"CTRL-EVENT-DISCONNECTED"], timeout=10)
if ev is None:
raise Exception("EAP result(3) timed out")
if "CTRL-EVENT-DISCONNECTED" not in ev:
raise Exception("Disconnection not reported")
ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
if ev is None:
raise Exception("Network block disabling not reported")
tests: Server certificate trust based on hash value Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-08 15:52:21 +01:00
def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
"""WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
srv_cert_hash = "0a3f81f63569226657a069855bb13f3b922670437a2b87585a4734f70ac7315b"
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
hostapd.add_ap(apdev[0]['ifname'], params)
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
identity="probe", ca_cert="probe://",
wait_connect=False, scan_freq="2412")
ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
if ev is None:
raise Exception("Association and EAP start timed out")
ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
if ev is None:
raise Exception("No peer server certificate event seen")
if "hash=" + srv_cert_hash not in ev:
raise Exception("Expected server certificate hash not reported")
ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
if ev is None:
raise Exception("EAP result timed out")
if "Server certificate chain probe" not in ev:
raise Exception("Server certificate probe not reported")
ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=10)
if ev is None:
raise Exception("Disconnection event not seen")
dev[0].request("REMOVE_NETWORK all")
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
password="password", phase2="auth=MSCHAPV2",
ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
wait_connect=False, scan_freq="2412")
ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
if ev is None:
raise Exception("Association and EAP start timed out")
ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
if ev is None:
raise Exception("EAP result timed out")
if "Server certificate mismatch" not in ev:
raise Exception("Server certificate mismatch not reported")
ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=10)
if ev is None:
raise Exception("Disconnection event not seen")
dev[0].request("REMOVE_NETWORK all")
eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
anonymous_identity="ttls", password="password",
ca_cert="hash://server/sha256/" + srv_cert_hash,
phase2="auth=MSCHAPV2")
tests: Add more EAP test cases This increases EAP method coverage for WPA2-Enterprise to include EAP-pwd, EAP-GPSK, EAP-SAKE, EAP-EKE, EAP-IKEv2, EAP-PAX, and EAP-PSK. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-11-03 10:58:38 +01:00
def test_ap_wpa2_eap_pwd(dev, apdev):
"""WPA2-Enterprise connection using EAP-pwd"""
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
hostapd.add_ap(apdev[0]['ifname'], params)
tests: Make WPA2-Enterprise reauth test cases more robust With the extra latencies removed from run-tests.py operations, it was possible to hit race conditions in pairwise cipher configuration at the end of the 4-way handshake. In some cases, the EAPOL-Start frame from the station was not received by the AP and that could result in these test cases failing. Since there are not really trying to test the race condition, wait for the AP side to complete key configuration prior to initiating the reauthentication sequence. Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 15:35:05 +01:00
eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
tests: Verify EAP fast reauthentication Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-28 09:41:42 +01:00
eap_reauth(dev[0], "PWD")
tests: Add more EAP test cases This increases EAP method coverage for WPA2-Enterprise to include EAP-pwd, EAP-GPSK, EAP-SAKE, EAP-EKE, EAP-IKEv2, EAP-PAX, and EAP-PSK. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-11-03 10:58:38 +01:00
tests: Add more EAP fragmentation tests Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 17:03:29 +01:00
dev[0].request("REMOVE_NETWORK all")
eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password",
fragment_size="90")
tests: Negative test cases with incorrect EAP password Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 17:58:39 +01:00
logger.info("Negative test with incorrect password")
dev[0].request("REMOVE_NETWORK all")
eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret-password",
expect_failure=True, local_error_report=True)
tests: Verify all implemented EAP-pwd groups Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-08 08:08:54 +01:00
def test_ap_wpa2_eap_pwd_groups(dev, apdev):
"""WPA2-Enterprise connection using various EAP-pwd groups"""
params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
"rsn_pairwise": "CCMP", "ieee8021x": "1",
"eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
for i in [ 19, 20, 21, 25, 26 ]:
params['pwd_group'] = str(i)
hostapd.add_ap(apdev[0]['ifname'], params)
dev[0].request("REMOVE_NETWORK all")
eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
tests: Add more EAP test cases This increases EAP method coverage for WPA2-Enterprise to include EAP-pwd, EAP-GPSK, EAP-SAKE, EAP-EKE, EAP-IKEv2, EAP-PAX, and EAP-PSK. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-11-03 10:58:38 +01:00
def test_ap_wpa2_eap_gpsk(dev, apdev):
"""WPA2-Enterprise connection using EAP-GPSK"""
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
hostapd.add_ap(apdev[0]['ifname'], params)
tests: Make WPA2-Enterprise reauth test cases more robust With the extra latencies removed from run-tests.py operations, it was possible to hit race conditions in pairwise cipher configuration at the end of the 4-way handshake. In some cases, the EAPOL-Start frame from the station was not received by the AP and that could result in these test cases failing. Since there are not really trying to test the race condition, wait for the AP side to complete key configuration prior to initiating the reauthentication sequence. Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 15:35:05 +01:00
id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
tests: Validate EAP-GPSK cipher suite negotiation This covers all currently supported algorithms and the case of no match. Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 13:20:36 +01:00
password="abcdefghijklmnop0123456789abcdef")
tests: Verify EAP fast reauthentication Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-28 09:41:42 +01:00
eap_reauth(dev[0], "GPSK")
tests: Add more EAP test cases This increases EAP method coverage for WPA2-Enterprise to include EAP-pwd, EAP-GPSK, EAP-SAKE, EAP-EKE, EAP-IKEv2, EAP-PAX, and EAP-PSK. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-11-03 10:58:38 +01:00
tests: Validate EAP-GPSK cipher suite negotiation This covers all currently supported algorithms and the case of no match. Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 13:20:36 +01:00
logger.info("Test forced algorithm selection")
for phase1 in [ "cipher=1", "cipher=2" ]:
dev[0].set_network_quoted(id, "phase1", phase1)
ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
if ev is None:
raise Exception("EAP success timed out")
ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
if ev is None:
raise Exception("Association with the AP timed out")
logger.info("Test failed algorithm negotiation")
dev[0].set_network_quoted(id, "phase1", "cipher=9")
ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
if ev is None:
raise Exception("EAP failure timed out")
tests: Negative test cases with incorrect EAP password Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 17:58:39 +01:00
logger.info("Negative test with incorrect password")
dev[0].request("REMOVE_NETWORK all")
eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
password="ffcdefghijklmnop0123456789abcdef",
expect_failure=True)
tests: Add more EAP test cases This increases EAP method coverage for WPA2-Enterprise to include EAP-pwd, EAP-GPSK, EAP-SAKE, EAP-EKE, EAP-IKEv2, EAP-PAX, and EAP-PSK. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-11-03 10:58:38 +01:00
def test_ap_wpa2_eap_sake(dev, apdev):
"""WPA2-Enterprise connection using EAP-SAKE"""
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
hostapd.add_ap(apdev[0]['ifname'], params)
tests: Make WPA2-Enterprise reauth test cases more robust With the extra latencies removed from run-tests.py operations, it was possible to hit race conditions in pairwise cipher configuration at the end of the 4-way handshake. In some cases, the EAPOL-Start frame from the station was not received by the AP and that could result in these test cases failing. Since there are not really trying to test the race condition, wait for the AP side to complete key configuration prior to initiating the reauthentication sequence. Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 15:35:05 +01:00
eap_connect(dev[0], apdev[0], "SAKE", "sake user",
tests: Add more EAP test cases This increases EAP method coverage for WPA2-Enterprise to include EAP-pwd, EAP-GPSK, EAP-SAKE, EAP-EKE, EAP-IKEv2, EAP-PAX, and EAP-PSK. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-11-03 10:58:38 +01:00
password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
tests: Verify EAP fast reauthentication Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-28 09:41:42 +01:00
eap_reauth(dev[0], "SAKE")
tests: Add more EAP test cases This increases EAP method coverage for WPA2-Enterprise to include EAP-pwd, EAP-GPSK, EAP-SAKE, EAP-EKE, EAP-IKEv2, EAP-PAX, and EAP-PSK. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-11-03 10:58:38 +01:00
tests: Negative test cases with incorrect EAP password Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 17:58:39 +01:00
logger.info("Negative test with incorrect password")
dev[0].request("REMOVE_NETWORK all")
eap_connect(dev[0], apdev[0], "SAKE", "sake user",
password_hex="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
expect_failure=True)
tests: Add more EAP test cases This increases EAP method coverage for WPA2-Enterprise to include EAP-pwd, EAP-GPSK, EAP-SAKE, EAP-EKE, EAP-IKEv2, EAP-PAX, and EAP-PSK. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-11-03 10:58:38 +01:00
def test_ap_wpa2_eap_eke(dev, apdev):
"""WPA2-Enterprise connection using EAP-EKE"""
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
hostapd.add_ap(apdev[0]['ifname'], params)
tests: Make WPA2-Enterprise reauth test cases more robust With the extra latencies removed from run-tests.py operations, it was possible to hit race conditions in pairwise cipher configuration at the end of the 4-way handshake. In some cases, the EAPOL-Start frame from the station was not received by the AP and that could result in these test cases failing. Since there are not really trying to test the race condition, wait for the AP side to complete key configuration prior to initiating the reauthentication sequence. Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 15:35:05 +01:00
id = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
tests: Verify EAP fast reauthentication Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-28 09:41:42 +01:00
eap_reauth(dev[0], "EKE")
tests: Add more EAP test cases This increases EAP method coverage for WPA2-Enterprise to include EAP-pwd, EAP-GPSK, EAP-SAKE, EAP-EKE, EAP-IKEv2, EAP-PAX, and EAP-PSK. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-11-03 10:58:38 +01:00
tests: Validate EAP-EKE proposal negotiation This covers all currently supported algorithms and the case of no match. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-29 12:17:57 +01:00
logger.info("Test forced algorithm selection")
for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
"dhgroup=4 encr=1 prf=2 mac=2",
"dhgroup=3 encr=1 prf=2 mac=2",
"dhgroup=3 encr=1 prf=1 mac=1" ]:
dev[0].set_network_quoted(id, "phase1", phase1)
ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
if ev is None:
raise Exception("EAP success timed out")
ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
if ev is None:
raise Exception("Association with the AP timed out")
logger.info("Test failed algorithm negotiation")
dev[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
if ev is None:
raise Exception("EAP failure timed out")
tests: Negative test cases with incorrect EAP password Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 17:58:39 +01:00
logger.info("Negative test with incorrect password")
dev[0].request("REMOVE_NETWORK all")
eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
expect_failure=True)
tests: Add more EAP test cases This increases EAP method coverage for WPA2-Enterprise to include EAP-pwd, EAP-GPSK, EAP-SAKE, EAP-EKE, EAP-IKEv2, EAP-PAX, and EAP-PSK. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-11-03 10:58:38 +01:00
def test_ap_wpa2_eap_ikev2(dev, apdev):
"""WPA2-Enterprise connection using EAP-IKEv2"""
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
hostapd.add_ap(apdev[0]['ifname'], params)
tests: Make WPA2-Enterprise reauth test cases more robust With the extra latencies removed from run-tests.py operations, it was possible to hit race conditions in pairwise cipher configuration at the end of the 4-way handshake. In some cases, the EAPOL-Start frame from the station was not received by the AP and that could result in these test cases failing. Since there are not really trying to test the race condition, wait for the AP side to complete key configuration prior to initiating the reauthentication sequence. Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 15:35:05 +01:00
eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
password="ike password")
tests: Verify EAP fast reauthentication Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-28 09:41:42 +01:00
eap_reauth(dev[0], "IKEV2")
tests: Add more EAP fragmentation tests Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 17:03:29 +01:00
dev[0].request("REMOVE_NETWORK all")
eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
password="ike password", fragment_size="250")
tests: Add more EAP test cases This increases EAP method coverage for WPA2-Enterprise to include EAP-pwd, EAP-GPSK, EAP-SAKE, EAP-EKE, EAP-IKEv2, EAP-PAX, and EAP-PSK. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-11-03 10:58:38 +01:00
tests: Negative test cases with incorrect EAP password Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 17:58:39 +01:00
logger.info("Negative test with incorrect password")
dev[0].request("REMOVE_NETWORK all")
eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
password="ike-password", expect_failure=True)
tests: Add more EAP test cases This increases EAP method coverage for WPA2-Enterprise to include EAP-pwd, EAP-GPSK, EAP-SAKE, EAP-EKE, EAP-IKEv2, EAP-PAX, and EAP-PSK. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-11-03 10:58:38 +01:00
def test_ap_wpa2_eap_pax(dev, apdev):
"""WPA2-Enterprise connection using EAP-PAX"""
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
hostapd.add_ap(apdev[0]['ifname'], params)
tests: Make WPA2-Enterprise reauth test cases more robust With the extra latencies removed from run-tests.py operations, it was possible to hit race conditions in pairwise cipher configuration at the end of the 4-way handshake. In some cases, the EAPOL-Start frame from the station was not received by the AP and that could result in these test cases failing. Since there are not really trying to test the race condition, wait for the AP side to complete key configuration prior to initiating the reauthentication sequence. Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 15:35:05 +01:00
eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
tests: Add more EAP test cases This increases EAP method coverage for WPA2-Enterprise to include EAP-pwd, EAP-GPSK, EAP-SAKE, EAP-EKE, EAP-IKEv2, EAP-PAX, and EAP-PSK. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-11-03 10:58:38 +01:00
password_hex="0123456789abcdef0123456789abcdef")
tests: Verify EAP fast reauthentication Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-28 09:41:42 +01:00
eap_reauth(dev[0], "PAX")
tests: Add more EAP test cases This increases EAP method coverage for WPA2-Enterprise to include EAP-pwd, EAP-GPSK, EAP-SAKE, EAP-EKE, EAP-IKEv2, EAP-PAX, and EAP-PSK. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-11-03 10:58:38 +01:00
tests: Negative test cases with incorrect EAP password Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 17:58:39 +01:00
logger.info("Negative test with incorrect password")
dev[0].request("REMOVE_NETWORK all")
eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
password_hex="ff23456789abcdef0123456789abcdef",
expect_failure=True)
tests: Add more EAP test cases This increases EAP method coverage for WPA2-Enterprise to include EAP-pwd, EAP-GPSK, EAP-SAKE, EAP-EKE, EAP-IKEv2, EAP-PAX, and EAP-PSK. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-11-03 10:58:38 +01:00
def test_ap_wpa2_eap_psk(dev, apdev):
"""WPA2-Enterprise connection using EAP-PSK"""
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
tests: WPA2-Enterprise with PMF required Increase test coverage with PMF required configuration and SHA256-based AKM in one of the EAP test cases. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-28 11:36:03 +01:00
params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
params["ieee80211w"] = "2"
tests: Add more EAP test cases This increases EAP method coverage for WPA2-Enterprise to include EAP-pwd, EAP-GPSK, EAP-SAKE, EAP-EKE, EAP-IKEv2, EAP-PAX, and EAP-PSK. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-11-03 10:58:38 +01:00
hostapd.add_ap(apdev[0]['ifname'], params)
tests: Make WPA2-Enterprise reauth test cases more robust With the extra latencies removed from run-tests.py operations, it was possible to hit race conditions in pairwise cipher configuration at the end of the 4-way handshake. In some cases, the EAPOL-Start frame from the station was not received by the AP and that could result in these test cases failing. Since there are not really trying to test the race condition, wait for the AP side to complete key configuration prior to initiating the reauthentication sequence. Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 15:35:05 +01:00
eap_connect(dev[0], apdev[0], "PSK", "psk.user@example.com",
tests: WPA2-Enterprise with PMF required Increase test coverage with PMF required configuration and SHA256-based AKM in one of the EAP test cases. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-28 11:36:03 +01:00
password_hex="0123456789abcdef0123456789abcdef", sha256=True)
eap_reauth(dev[0], "PSK", sha256=True)
tests: Verify WPA-Enterprise functionality All the previous EAP test cases were using WPA2-Enterprise. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-28 11:30:28 +01:00
tests: Negative test cases with incorrect EAP password Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 17:58:39 +01:00
logger.info("Negative test with incorrect password")
dev[0].request("REMOVE_NETWORK all")
eap_connect(dev[0], apdev[0], "PSK", "psk.user@example.com",
password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
expect_failure=True)
tests: Verify WPA-Enterprise functionality All the previous EAP test cases were using WPA2-Enterprise. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-28 11:30:28 +01:00
def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
"""WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
hostapd.add_ap(apdev[0]['ifname'], params)
dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
identity="user", password="password", phase2="auth=MSCHAPV2",
ca_cert="auth_serv/ca.pem", wait_connect=False,
scan_freq="2412")
eap_check_auth(dev[0], "PEAP", True, rsn=False)
hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
eap_reauth(dev[0], "PEAP", rsn=False)
tests: Interactive identity/password query for EAP Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 16:42:35 +01:00
def test_ap_wpa2_eap_interactive(dev, apdev):
"""WPA2-Enterprise connection using interactive identity/password entry"""
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
hostapd.add_ap(apdev[0]['ifname'], params)
hapd = hostapd.Hostapd(apdev[0]['ifname'])
tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
"TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
None, "password"),
("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
"TTLS", "ttls", None, "auth=MSCHAPV2",
"DOMAIN\mschapv2 user", "password"),
("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
"TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
("Connection with dynamic TTLS/EAP-MD5 password entry",
"TTLS", "ttls", "user", "autheap=MD5", None, "password"),
("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
"PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
("Connection with dynamic PEAP/EAP-GTC password entry",
"PEAP", None, "user", "auth=GTC", None, "password") ]
for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
logger.info(desc)
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
anonymous_identity=anon, identity=identity,
ca_cert="auth_serv/ca.pem", phase2=phase2,
wait_connect=False, scan_freq="2412")
if req_id:
ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
if ev is None:
raise Exception("Request for identity timed out")
id = ev.split(':')[0].split('-')[-1]
dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
if ev is None:
raise Exception("Request for password timed out")
id = ev.split(':')[0].split('-')[-1]
type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
if ev is None:
raise Exception("Connection timed out")
dev[0].request("REMOVE_NETWORK all")
tests: Verify EAP vendor test Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-05 18:23:29 +01:00
def test_ap_wpa2_eap_vendor_test(dev, apdev):
"""WPA2-Enterprise connection using EAP vendor test"""
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
hostapd.add_ap(apdev[0]['ifname'], params)
eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
eap_reauth(dev[0], "VENDOR-TEST")
tests: EAP-FAST Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-08 09:21:37 +01:00
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
"""WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
hostapd.add_ap(apdev[0]['ifname'], params)
eap_connect(dev[0], apdev[0], "FAST", "user",
anonymous_identity="FAST", password="password",
ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
phase1="fast_provisioning=1", pac_file="blob://fast_pac")
hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
eap_reauth(dev[0], "FAST")
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
"""WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
hostapd.add_ap(apdev[0]['ifname'], params)
eap_connect(dev[0], apdev[0], "FAST", "user",
anonymous_identity="FAST", password="password",
ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
eap_reauth(dev[0], "FAST")
Reference in a new issue Copy permalink