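# IEEE 802.1X tests
# Copyright (c) 2013-2019, Jouni Malinen
#
# This software may be distributed under the terms of the BSD license.
# See README for more details.

from remotehost import remote_compatible
import binascii
import hmac
import logging
import os
import time

import hostapd
import hwsim_utils
from utils import *
from tshark import run_tshark

logger = logging.getLogger()


def test_ieee8021x_wep104(dev, apdev):
    """IEEE 802.1X connection using dynamic WEP104"""
    # Dynamic WEP is a legacy mode: skip when the build has no WEP support
    # or runs in FIPS mode.
    check_wep_capa(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.radius_params()
    params["ssid"] = "ieee8021x-wep"
    params["ieee8021x"] = "1"
    params["wep_key_len_broadcast"] = "13"
    params["wep_key_len_unicast"] = "13"
    hapd = hostapd.add_ap(apdev[0], params)
    dev[0].connect("ieee8021x-wep", key_mgmt="IEEE8021X", eap="PSK",
                   identity="psk.user@example.com",
                   password_hex="0123456789abcdef0123456789abcdef",
                   scan_freq="2412")
    hwsim_utils.test_connectivity(dev[0], hapd)


def test_ieee8021x_wep40(dev, apdev):
    """IEEE 802.1X connection using dynamic WEP40"""
    check_wep_capa(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.radius_params()
    params["ssid"] = "ieee8021x-wep"
    params["ieee8021x"] = "1"
    params["wep_key_len_broadcast"] = "5"
    params["wep_key_len_unicast"] = "5"
    hapd = hostapd.add_ap(apdev[0], params)
    dev[0].connect("ieee8021x-wep", key_mgmt="IEEE8021X", eap="PSK",
                   identity="psk.user@example.com",
                   password_hex="0123456789abcdef0123456789abcdef",
                   scan_freq="2412")
    hwsim_utils.test_connectivity(dev[0], hapd)


def test_ieee8021x_wep_index_workaround(dev, apdev):
    """IEEE 802.1X and EAPOL-Key index workaround"""
    check_wep_capa(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.radius_params()
    params["ssid"] = "ieee8021x-wep"
    params["ieee8021x"] = "1"
    params["wep_key_len_broadcast"] = "5"
    params["eapol_key_index_workaround"] = "1"
    hostapd.add_ap(apdev[0], params)
    # Only the association is verified here; the workaround affects how the
    # broadcast key index in EAPOL-Key frames is interpreted.
    dev[0].connect("ieee8021x-wep", key_mgmt="IEEE8021X", eapol_flags="1",
                   eap="PSK", identity="psk.user@example.com",
                   password_hex="0123456789abcdef0123456789abcdef",
                   scan_freq="2412")


def test_ieee8021x_open(dev, apdev):
    """IEEE 802.1X connection using open network"""
    params = hostapd.radius_params()
    params["ssid"] = "ieee8021x-open"
    params["ieee8021x"] = "1"
    hapd = hostapd.add_ap(apdev[0], params)
    netid = dev[0].connect("ieee8021x-open", key_mgmt="IEEE8021X",
                           eapol_flags="0", eap="PSK",
                           identity="psk.user@example.com",
                           password_hex="0123456789abcdef0123456789abcdef",
                           scan_freq="2412")
    hwsim_utils.test_connectivity(dev[0], hapd)

    logger.info("Test EAPOL-Logoff")
    dev[0].request("LOGOFF")
    ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"])
    if ev is None:
        raise Exception("Did not get disconnected")
    # reason=23 is the IEEE 802.11 "IEEE 802.1X authentication failed"
    # deauthentication reason code, which a logoff is expected to produce.
    if "reason=23" not in ev:
        raise Exception("Unexpected disconnection reason")
    dev[0].request("LOGON")
    dev[0].connect_network(netid)
    hwsim_utils.test_connectivity(dev[0], hapd)


def test_ieee8021x_static_wep40(dev, apdev):
    """IEEE 802.1X connection using static WEP40"""
    run_static_wep(dev, apdev, '"hello"')


def test_ieee8021x_static_wep104(dev, apdev):
    """IEEE 802.1X connection using static WEP104"""
    run_static_wep(dev, apdev, '"hello-there-/"')


def run_static_wep(dev, apdev, key):
    """Connect with IEEE 802.1X on a static-WEP AP and verify data flows.

    key is the quoted WEP key string configured on both sides as wep_key0.
    """
    check_wep_capa(dev[0])
    params = hostapd.radius_params()
    params["ssid"] = "ieee8021x-wep"
    params["ieee8021x"] = "1"
    params["wep_key0"] = key
    hapd = hostapd.add_ap(apdev[0], params)
    # eapol_flags=0: no dynamic keys are expected, the static key is used.
    dev[0].connect("ieee8021x-wep", key_mgmt="IEEE8021X", eap="PSK",
                   identity="psk.user@example.com",
                   password_hex="0123456789abcdef0123456789abcdef",
                   wep_key0=key, eapol_flags="0", scan_freq="2412")
    hwsim_utils.test_connectivity(dev[0], hapd)


def test_ieee8021x_proto(dev, apdev):
    """IEEE 802.1X and EAPOL supplicant protocol testing"""
    params = hostapd.radius_params()
    params["ssid"] = "ieee8021x-open"
    params["ieee8021x"] = "1"
    hostapd.add_ap(apdev[0], params)
    bssid = apdev[0]['bssid']

    # dev[1] has its EAPOL I/O diverted to the control interface and is left
    # waiting in the EAP-started state, so the same frames are delivered to
    # a supplicant that has not completed authentication.
    dev[1].request("SET ext_eapol_frame_io 1")
    dev[1].connect("ieee8021x-open", key_mgmt="IEEE8021X", eapol_flags="0",
                   eap="PSK", identity="psk.user@example.com",
                   password_hex="0123456789abcdef0123456789abcdef",
                   scan_freq="2412", wait_connect=False)

    dev[0].connect("ieee8021x-open", key_mgmt="IEEE8021X", eapol_flags="0",
                   eap="PSK", identity="psk.user@example.com",
                   password_hex="0123456789abcdef0123456789abcdef",
                   scan_freq="2412")
    dev[1].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)

    start = dev[0].get_mib()

    # Malformed EAPOL/EAP frames (truncated, bad EAP length, unknown EAPOL
    # type/version). The supplicant must discard them and only count them in
    # the dot1xSupp* MIB counters checked below.
    tests = ["11",
             "11223344",
             "020000050a93000501",
             "020300050a93000501",
             "0203002c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
             "0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
             "0203002c0100050000000000000000000000000000000000000000000000000000000000000000000000000000000000",
             "02aa00050a93000501"]
    for frame in tests:
        res = dev[0].request("EAPOL_RX " + bssid + " " + frame)
        if "OK" not in res:
            raise Exception("EAPOL_RX to wpa_supplicant failed")
        dev[1].request("EAPOL_RX " + bssid + " " + frame)

    stop = dev[0].get_mib()
    logger.info("MIB before test frames: " + str(start))
    logger.info("MIB after test frames: " + str(stop))

    vals = ['dot1xSuppInvalidEapolFramesRx', 'dot1xSuppEapLengthErrorFramesRx']
    for val in vals:
        if int(stop[val]) <= int(start[val]):
            raise Exception(val + " did not increase")


@remote_compatible
def test_ieee8021x_eapol_start(dev, apdev):
    """IEEE 802.1X and EAPOL-Start retransmissions"""
    params = hostapd.radius_params()
    params["ssid"] = "ieee8021x-open"
    params["ieee8021x"] = "1"
    hapd = hostapd.add_ap(apdev[0], params)
    addr0 = dev[0].own_addr()
    # Divert hostapd's EAPOL I/O to the control interface so the
    # supplicant's EAPOL-Start frames go unanswered and its PAE state
    # machine gives up (HELD) after maxStart attempts.
    hapd.set("ext_eapol_frame_io", "1")
    try:
        dev[0].request("SET EAPOL::startPeriod 1")
        dev[0].request("SET EAPOL::maxStart 1")
        dev[0].connect("ieee8021x-open", key_mgmt="IEEE8021X",
                       eapol_flags="0", eap="PSK",
                       identity="psk.user@example.com",
                       password_hex="0123456789abcdef0123456789abcdef",
                       scan_freq="2412", wait_connect=False)
        held = False
        for _ in range(30):
            pae = dev[0].get_status_field('Supplicant PAE state')
            if pae == "HELD":
                mib = hapd.get_sta(addr0, info="eapol")
                if mib['auth_pae_state'] != 'AUTHENTICATING':
                    raise Exception("Unexpected Auth PAE state: " +
                                    mib['auth_pae_state'])
                held = True
                break
            time.sleep(0.25)
        if not held:
            raise Exception("PAE state HELD not reached")
        dev[0].wait_disconnected()
    finally:
        # Restore the supplicant defaults so later tests are unaffected.
        dev[0].request("SET EAPOL::startPeriod 30")
        dev[0].request("SET EAPOL::maxStart 3")


def test_ieee8021x_held(dev, apdev):
    """IEEE 802.1X and HELD state"""
    params = hostapd.radius_params()
    params["ssid"] = "ieee8021x-open"
    params["ieee8021x"] = "1"
    hapd = hostapd.add_ap(apdev[0], params)
    hapd.set("ext_eapol_frame_io", "1")
    try:
        # maxStart 0 with a short heldPeriod makes the supplicant enter and
        # leave HELD quickly once the authenticator starts responding.
        dev[0].request("SET EAPOL::startPeriod 1")
        dev[0].request("SET EAPOL::maxStart 0")
        dev[0].request("SET EAPOL::heldPeriod 1")
        dev[0].connect("ieee8021x-open", key_mgmt="IEEE8021X",
                       eapol_flags="0", eap="PSK",
                       identity="psk.user@example.com",
                       password_hex="0123456789abcdef0123456789abcdef",
                       scan_freq="2412", wait_connect=False)
        held = False
        for _ in range(30):
            pae = dev[0].get_status_field('Supplicant PAE state')
            if pae == "HELD":
                held = True
                break
            time.sleep(0.25)
        if not held:
            raise Exception("PAE state HELD not reached")

        # Re-enable normal EAPOL I/O on the AP and expect HELD to be left.
        hapd.set("ext_eapol_frame_io", "0")
        for _ in range(30):
            pae = dev[0].get_status_field('Supplicant PAE state')
            if pae != "HELD":
                held = False
                break
            time.sleep(0.25)
        if held:
            raise Exception("PAE state HELD not left")
        ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                                "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("Connection timed out")
        if "CTRL-EVENT-DISCONNECTED" in ev:
            raise Exception("Unexpected disconnection")
    finally:
        dev[0].request("SET EAPOL::startPeriod 30")
        dev[0].request("SET EAPOL::maxStart 3")
        dev[0].request("SET EAPOL::heldPeriod 60")


def test_ieee8021x_force_unauth(dev, apdev):
    """IEEE 802.1X and FORCE_UNAUTH state"""
    params = hostapd.radius_params()
    params["ssid"] = "ieee8021x-open"
    params["ieee8021x"] = "1"
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("ieee8021x-open", key_mgmt="IEEE8021X", eapol_flags="0",
                   eap="PSK", identity="psk.user@example.com",
                   password_hex="0123456789abcdef0123456789abcdef",
                   scan_freq="2412")
    # Forcing the controlled port unauthorized must drop the connection.
    dev[0].request("SET EAPOL::portControl ForceUnauthorized")
    try:
        dev[0].wait_disconnected()
    finally:
        # Always restore Auto; leaving ForceUnauthorized set would break
        # every later test on this supplicant.
        dev[0].request("SET EAPOL::portControl Auto")


def send_eapol_key(dev, bssid, signkey, frame_start, frame_end):
    """Inject a signed legacy EAPOL-Key frame into the supplicant.

    The Key Signature field is HMAC-MD5 over the whole frame with the
    16-byte signature field zeroed, keyed with signkey (this is the legacy
    RC4 Key Descriptor scheme). frame_start and frame_end are the
    hex-encoded bytes before and after the signature field; signkey is the
    hex-encoded signing key.
    """
    zero_sign = "00000000000000000000000000000000"  # 16 zero bytes
    unsigned_frame = binascii.unhexlify(frame_start + zero_sign + frame_end)
    sign = hmac.new(binascii.unhexlify(signkey), unsigned_frame,
                    digestmod='MD5').digest()
    frame = frame_start + binascii.hexlify(sign).decode() + frame_end
    dev.request("EAPOL_RX " + bssid + " " + frame)


def test_ieee8021x_eapol_key(dev, apdev):
    """IEEE 802.1X connection and EAPOL-Key protocol tests"""
    check_wep_capa(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.radius_params()
    params["ssid"] = "ieee8021x-wep"
    params["ieee8021x"] = "1"
    params["wep_key_len_broadcast"] = "5"
    params["wep_key_len_unicast"] = "5"
    hostapd.add_ap(apdev[0], params)
    bssid = apdev[0]['bssid']
    dev[0].connect("ieee8021x-wep", key_mgmt="IEEE8021X", eap="VENDOR-TEST",
                   identity="vendor-test", scan_freq="2412")

    # VENDOR-TEST yields a hardcoded MSK: the encryption half is 32 bytes of
    # 0x11 (not needed here) and the signing half is 32 bytes of 0x22.
    signkey = "2222222222222222222222222222222222222222222222222222222222222222"

    # Each frame_start below is: EAPOL header, descriptor type, key length,
    # replay counter, key IV and key index byte; frame_end is the key data.
    # Every frame is malformed in one way and must be rejected by the
    # supplicant without crashing or installing a key.

    # EAPOL-Key replay counter does not increase
    send_eapol_key(dev[0], bssid, signkey,
                   "02030031" + "010005" + "0000000000000000" +
                   "056c22d109f29d4d9fb9b9ccbad33283" + "02",
                   "1c636a30a4")

    # EAPOL-Key too large Key Length field value
    send_eapol_key(dev[0], bssid, signkey,
                   "02030031" + "010021" + "ffffffffffffffff" +
                   "056c22d109f29d4d9fb9b9ccbad33283" + "02",
                   "1c636a30a4")

    # EAPOL-Key too much key data
    send_eapol_key(dev[0], bssid, signkey,
                   "0203004d" + "010005" + "ffffffffffffffff" +
                   "056c22d109f29d4d9fb9b9ccbad33283" + "02",
                   33 * "ff")

    # EAPOL-Key too little key data
    send_eapol_key(dev[0], bssid, signkey,
                   "02030030" + "010005" + "ffffffffffffffff" +
                   "056c22d109f29d4d9fb9b9ccbad33283" + "02",
                   "1c636a30")

    # EAPOL-Key with no key data and too long WEP key length
    send_eapol_key(dev[0], bssid, signkey,
                   "0203002c" + "010020" + "ffffffffffffffff" +
                   "056c22d109f29d4d9fb9b9ccbad33283" + "02",
                   "")


def test_ieee8021x_reauth(dev, apdev):
    """IEEE 802.1X and EAPOL_REAUTH request"""
    params = hostapd.radius_params()
    params["ssid"] = "ieee8021x-open"
    params["ieee8021x"] = "1"
    hapd = hostapd.add_ap(apdev[0], params)
    dev[0].connect("ieee8021x-open", key_mgmt="IEEE8021X", eapol_flags="0",
                   eap="PSK", identity="psk.user@example.com",
                   password_hex="0123456789abcdef0123456789abcdef",
                   scan_freq="2412")

    # Authenticator-initiated reauthentication must run a full EAP exchange
    # and leave the connection usable afterwards.
    hapd.request("EAPOL_REAUTH " + dev[0].own_addr())
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)
    if ev is None:
        raise Exception("EAP authentication did not start")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=5)
    if ev is None:
        raise Exception("EAP authentication did not succeed")
    time.sleep(0.1)
    hwsim_utils.test_connectivity(dev[0], hapd)


def test_ieee8021x_reauth_peap(dev, apdev):
    """IEEE 802.1X and EAPOL_REAUTH request (PEAP and session resumption)"""
    run_ieee8021x_reauth_peap(dev, apdev, False)


def test_ieee8021x_reauth_peap2(dev, apdev):
    """IEEE 802.1X and EAPOL_REAUTH request (PEAP and session resumption; Phase 2 auth forced)"""
    run_ieee8021x_reauth_peap(dev, apdev, True)


def run_ieee8021x_reauth_peap(dev, apdev, phase2_auth):
    """Reauthenticate a PEAP connection and check TLS session resumption.

    phase2_auth=True forces Phase 2 authentication (phase1="phase2_auth=2"),
    which is expected to prevent session resumption on reauthentication;
    with phase2_auth=False the session is expected to be resumed.
    """
    params = {"eap_server": "1",
              "eap_user_file": "auth_serv/eap_user.conf",
              "ca_cert": "auth_serv/ca.pem",
              "server_cert": "auth_serv/server.pem",
              "private_key": "auth_serv/server.key",
              "dh_file": "auth_serv/dh.conf",
              "tls_session_lifetime": "60"}
    params["ssid"] = "ieee8021x-open"
    params["ieee8021x"] = "1"
    hapd = hostapd.add_ap(apdev[0], params)
    phase1 = "phase2_auth=2" if phase2_auth else ""
    dev[0].connect("ieee8021x-open", key_mgmt="IEEE8021X", eapol_flags="0",
                   eap="PEAP", identity="user", anonymous_identity="peap",
                   password="password", ca_cert="auth_serv/ca.pem",
                   phase1=phase1, phase2="auth=MSCHAPV2",
                   scan_freq="2412")

    hapd.request("EAPOL_REAUTH " + dev[0].own_addr())
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)
    if ev is None:
        raise Exception("EAP authentication did not start")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=5)
    if ev is None:
        raise Exception("EAP authentication did not succeed")

    reused = dev[0].get_status_field("tls_session_reused") == '1'
    if phase2_auth and reused:
        raise Exception("Session resumption used on the second connection")
    if not phase2_auth and not reused:
        raise Exception("Session resumption not used on the second connection")


def test_ieee8021x_reauth_wep(dev, apdev, params):
    """IEEE 802.1X and EAPOL_REAUTH request with WEP"""
    check_wep_capa(dev[0])
    logdir = params['logdir']

    ap_params = hostapd.radius_params()
    ap_params["ssid"] = "ieee8021x-open"
    ap_params["ieee8021x"] = "1"
    ap_params["wep_key_len_broadcast"] = "13"
    ap_params["wep_key_len_unicast"] = "13"
    hapd = hostapd.add_ap(apdev[0], ap_params)
    dev[0].connect("ieee8021x-open", key_mgmt="IEEE8021X", eap="PSK",
                   identity="psk.user@example.com",
                   password_hex="0123456789abcdef0123456789abcdef",
                   scan_freq="2412")
    hwsim_utils.test_connectivity(dev[0], hapd)

    hapd.request("EAPOL_REAUTH " + dev[0].own_addr())
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)
    if ev is None:
        raise Exception("EAP authentication did not start")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=5)
    if ev is None:
        raise Exception("EAP authentication did not succeed")
    time.sleep(0.1)
    hwsim_utils.test_connectivity(dev[0], hapd)

    # Count the EAPOL frames that are visible unencrypted in the capture
    # (ethertype 0x888e). Each line is "<eapol.type> [<eap.code>]".
    out = run_tshark(os.path.join(logdir, "hwsim0.pcapng"),
                     "llc.type == 0x888e",
                     ["eapol.type", "eap.code"])
    if out is None:
        raise Exception("Could not find EAPOL frames in capture")
    num_eapol_key = 0
    num_eap_req = 0
    num_eap_resp = 0
    for line in out.splitlines():
        vals = line.split()
        if not vals:
            # tshark output may contain blank lines; skip instead of
            # raising IndexError on vals[0].
            continue
        if vals[0] == '3':  # EAPOL-Key
            num_eapol_key += 1
        if vals[0] == '0' and len(vals) == 2:  # EAP-Packet with an EAP code
            if vals[1] == '1':  # EAP-Request
                num_eap_req += 1
            elif vals[1] == '2':  # EAP-Response
                num_eap_resp += 1
    logger.info("num_eapol_key: %d" % num_eapol_key)
    logger.info("num_eap_req: %d" % num_eap_req)
    logger.info("num_eap_resp: %d" % num_eap_resp)
    if num_eapol_key < 4:
        raise Exception("Did not see four unencrypted EAPOL-Key frames")
    if num_eap_req < 6:
        raise Exception("Did not see six unencrypted EAP-Request frames")
    if num_eap_resp < 6:
        raise Exception("Did not see six unencrypted EAP-Response frames")


def test_ieee8021x_set_conf(dev, apdev):
    """IEEE 802.1X and EAPOL_SET command"""
    params = hostapd.radius_params()
    params["ssid"] = "ieee8021x-open"
    params["ieee8021x"] = "1"
    hapd = hostapd.add_ap(apdev[0], params)
    dev[0].connect("ieee8021x-open", key_mgmt="IEEE8021X", eapol_flags="0",
                   eap="PSK", identity="psk.user@example.com",
                   password_hex="0123456789abcdef0123456789abcdef",
                   scan_freq="2412")

    addr0 = dev[0].own_addr()
    # Invalid EAPOL_SET invocations (bad argument count, unknown parameter,
    # bad value, unknown station) must all be rejected with FAIL.
    tests = ["EAPOL_SET 1",
             "EAPOL_SET %sfoo bar" % addr0,
             "EAPOL_SET %s foo" % addr0,
             "EAPOL_SET %s foo bar" % addr0,
             "EAPOL_SET %s AdminControlledDirections bar" % addr0,
             "EAPOL_SET %s AdminControlledPortControl bar" % addr0,
             "EAPOL_SET %s reAuthEnabled bar" % addr0,
             "EAPOL_SET %s KeyTransmissionEnabled bar" % addr0,
             "EAPOL_SET 11:22:33:44:55:66 AdminControlledDirections Both"]
    for t in tests:
        if "FAIL" not in hapd.request(t):
            raise Exception("Invalid EAPOL_SET command accepted: " + t)

    # (EAPOL_SET parameter name, name reported in STA eapol MIB, value)
    tests = [("AdminControlledDirections", "adminControlledDirections", "In"),
             ("AdminControlledDirections", "adminControlledDirections",
              "Both"),
             ("quietPeriod", "quietPeriod", "13"),
             ("serverTimeout", "serverTimeout", "7"),
             ("reAuthPeriod", "reAuthPeriod", "1234"),
             ("reAuthEnabled", "reAuthEnabled", "FALSE"),
             ("reAuthEnabled", "reAuthEnabled", "TRUE"),
             ("KeyTransmissionEnabled", "keyTxEnabled", "TRUE"),
             ("KeyTransmissionEnabled", "keyTxEnabled", "FALSE"),
             ("AdminControlledPortControl", "portControl", "ForceAuthorized"),
             ("AdminControlledPortControl", "portControl",
              "ForceUnauthorized"),
             ("AdminControlledPortControl", "portControl", "Auto")]
    for param, mibparam, val in tests:
        if "OK" not in hapd.request("EAPOL_SET %s %s %s" % (addr0, param, val)):
            raise Exception("Failed to set %s %s" % (param, val))
        mib = hapd.get_sta(addr0, info="eapol")
        if mib[mibparam] != val:
            raise Exception("Unexpected %s value: %s (expected %s)" %
                            (param, mib[mibparam], val))
    # The port was toggled through ForceUnauthorized and back to Auto, so a
    # fresh EAP success is expected before connectivity is checked.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=5)
    if ev is None:
        raise Exception("EAP authentication did not succeed")
    time.sleep(0.1)
    hwsim_utils.test_connectivity(dev[0], hapd)


def test_ieee8021x_auth_awhile(dev, apdev):
    """IEEE 802.1X and EAPOL Authenticator aWhile handling"""
    params = hostapd.radius_params()
    params["ssid"] = "ieee8021x-open"
    params["ieee8021x"] = "1"
    # Point the AP at the RADIUS server hosted on apdev[1] below so it can
    # be taken down mid-test.
    params['auth_server_port'] = "18129"
    hapd = hostapd.add_ap(apdev[0], params)
    addr0 = dev[0].own_addr()

    params = {}
    params['ssid'] = 'as'
    params['beacon_int'] = '2000'
    params['radius_server_clients'] = 'auth_serv/radius_clients.conf'
    params['radius_server_auth_port'] = '18129'
    params['eap_server'] = '1'
    params['eap_user_file'] = 'auth_serv/eap_user.conf'
    params['ca_cert'] = 'auth_serv/ca.pem'
    params['server_cert'] = 'auth_serv/server.pem'
    params['private_key'] = 'auth_serv/server.key'
    hapd1 = hostapd.add_ap(apdev[1], params)

    dev[0].connect("ieee8021x-open", key_mgmt="IEEE8021X", eapol_flags="0",
                   eap="PSK", identity="psk.user@example.com",
                   password_hex="0123456789abcdef0123456789abcdef",
                   scan_freq="2412")

    # With the RADIUS server gone, reauthentication stalls and the
    # authenticator's aWhile (server timeout) timer should start running.
    hapd1.disable()
    if "OK" not in hapd.request("EAPOL_SET %s serverTimeout 1" % addr0):
        raise Exception("Failed to set serverTimeout")
    hapd.request("EAPOL_REAUTH " + dev[0].own_addr())
    dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)

    val = 0
    for _ in range(40):
        mib = hapd.get_sta(addr0, info="eapol")
        val = int(mib['aWhile'])
        if val > 0:
            break
        time.sleep(1)
    if val == 0:
        raise Exception("aWhile did not increase")

    # Wait for the timer to run down and expect the authenticator to
    # restart authentication.
    hapd.dump_monitor()
    for _ in range(40):
        mib = hapd.get_sta(addr0, info="eapol")
        val = int(mib['aWhile'])
        if val < 5:
            break
        time.sleep(1)
    ev = hapd.wait_event(["CTRL-EVENT-EAP-PROPOSED"], timeout=10)
    if ev is None:
        raise Exception("Authentication restart not seen")


def test_ieee8021x_open_leap(dev, apdev):
    """IEEE 802.1X connection with LEAP included in configuration"""
    params = hostapd.radius_params()
    params["ssid"] = "ieee8021x-open"
    params["ieee8021x"] = "1"
    hostapd.add_ap(apdev[0], params)
    # dev[1] offers only LEAP, which the server is not configured to accept;
    # dev[0] lists LEAP alongside PSK and must still connect via PSK.
    dev[1].connect("ieee8021x-open", key_mgmt="IEEE8021X", eapol_flags="0",
                   eap="LEAP", identity="psk.user@example.com",
                   password_hex="0123456789abcdef0123456789abcdef",
                   scan_freq="2412", wait_connect=False)
    dev[0].connect("ieee8021x-open", key_mgmt="IEEE8021X", eapol_flags="0",
                   eap="PSK LEAP", identity="psk.user@example.com",
                   password_hex="0123456789abcdef0123456789abcdef",
                   scan_freq="2412")
    # Best-effort wait; the reject is not required for the test to pass.
    dev[1].wait_event(["CTRL-EVENT-AUTH-REJECT"], timeout=5)
    dev[1].request("DISCONNECT")


def test_ieee8021x_and_wpa_enabled(dev, apdev):
    """IEEE 802.1X connection using dynamic WEP104 when WPA enabled"""
    check_wep_capa(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.radius_params()
    params["ssid"] = "ieee8021x-wep"
    params["ieee8021x"] = "1"
    params["wep_key_len_broadcast"] = "13"
    params["wep_key_len_unicast"] = "13"
    hapd = hostapd.add_ap(apdev[0], params)
    # key_mgmt lists both; the AP only offers IEEE8021X so that is used.
    dev[0].connect("ieee8021x-wep", key_mgmt="IEEE8021X WPA-EAP", eap="PSK",
                   identity="psk.user@example.com",
                   password_hex="0123456789abcdef0123456789abcdef",
                   scan_freq="2412")
    hwsim_utils.test_connectivity(dev[0], hapd)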