Example #1
def test_fils_sk_pmksa_caching_ctrl_ext(dev, apdev):
    """FILS SK and PMKSA caching with Cache Identifier and external management

    Connects to a FILS-SHA384 AP, exports the resulting PMKSA cache entry with
    PMKSA_GET, flushes the PMKSA and ERP state, re-imports the exported entry
    with PMKSA_ADD and then connects to a second AP that is configured with
    the same FILS Cache Identifier ("ffee").
    """
    sta = dev[0]
    check_fils_capa(sta)
    check_erp_capa(sta)

    def fils_ap_params():
        # Both APs get the same FILS/ERP settings and the same Cache
        # Identifier; only the interface they are started on differs.
        ap_params = hostapd.wpa2_eap_params(ssid="fils")
        for key, value in (('wpa_key_mgmt', "FILS-SHA384"),
                           ('auth_server_port', "18128"),
                           ('erp_send_reauth_start', '1'),
                           ('erp_domain', 'example.com'),
                           ('fils_realm', 'example.com'),
                           ('fils_cache_id', "ffee")):
            ap_params[key] = value
        return ap_params

    auth_server = start_erp_as(apdev[1])

    first_bssid = apdev[0]['bssid']
    first_params = fils_ap_params()
    first_ap = hostapd.add_ap(apdev[0]['ifname'], first_params)

    sta.scan_for_bss(first_bssid, freq=2412)
    sta.request("ERP_FLUSH")
    net_id = sta.connect("fils", key_mgmt="FILS-SHA384",
                         eap="PSK", identity="*****@*****.**",
                         password_hex="0123456789abcdef0123456789abcdef",
                         erp="1", scan_freq="2412")

    exported = sta.request("PMKSA_GET %d" % net_id)
    # NOTE(review): the exported entry is written to the log verbatim. If the
    # PMKSA_GET output carries the PMK itself (it is accepted back by
    # PMKSA_ADD below), the log then holds key material - fine for the fixed
    # test credentials used here, not something to copy into production tools.
    logger.info("PMKSA_GET: " + exported)
    if "UNKNOWN COMMAND" in exported:
        raise HwsimSkip("PMKSA_GET not supported in the build")
    for needle, error in (
            (first_bssid, "PMKSA cache entry missing"),
            ("ffee", "FILS Cache Identifier not seen in PMKSA cache entry")):
        if needle not in exported:
            raise Exception(error)

    sta.request("DISCONNECT")
    sta.wait_disconnected()
    # The authentication server is taken down before the second connection;
    # presumably so that only the re-imported cache entry can make it succeed.
    auth_server.disable()

    sta.scan_for_bss(first_bssid, freq=2412)
    sta.request("PMKSA_FLUSH")
    sta.request("ERP_FLUSH")
    # Feed every exported line back in through the external-management command
    for line in exported.splitlines():
        reply = sta.request("PMKSA_ADD %d %s" % (net_id, line))
        if "OK" not in reply:
            raise Exception("Failed to add PMKSA entry")

    second_bssid = apdev[1]['bssid']
    second_params = fils_ap_params()
    second_ap = hostapd.add_ap(apdev[1]['ifname'], second_params)

    sta.scan_for_bss(second_bssid, freq=2412)
    sta.set_network(net_id, "bssid", second_bssid)
    sta.select_network(net_id, freq=2412)
    connected = sta.wait_connected()
    if second_bssid not in connected:
        raise Exception("Unexpected BSS selected")
Example #2
def test_pmksa_cache_preauth_vlan_enabled(dev, apdev):
    """RSN pre-authentication to generate PMKSA cache entry (dynamic_vlan optional but station without VLAN set)

    The station associates with the first AP, pre-authenticates with the
    second AP over the shared bridge and then roams to it. The roam must not
    start a new EAP exchange and the PMKID must stay the one created by
    pre-authentication.
    """
    bridge = 'ap-br0'
    try:
        first_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        first_params['bridge'] = bridge
        first_params['dynamic_vlan'] = '1'
        hostapd.add_ap(apdev[0]['ifname'], first_params)
        subprocess.call(['brctl', 'setfd', bridge, '0'])
        subprocess.call(['ip', 'link', 'set', 'dev', bridge, 'up'])
        sta = dev[0]
        eap_connect(sta, apdev[0], "PAX", "*****@*****.**",
                    password_hex="0123456789abcdef0123456789abcdef")

        second_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        for key, value in (('bridge', bridge),
                           ('rsn_preauth', '1'),
                           ('rsn_preauth_interfaces', bridge),
                           ('dynamic_vlan', '1')):
            second_params[key] = value
        hostapd.add_ap(apdev[1]['ifname'], second_params)
        target_bssid = apdev[1]['bssid']
        sta.scan(freq="2412")

        # Poll for up to 50 rounds of 0.1 s: STATUS must show the
        # pre-authentication state machines at least once, and a PMKSA entry
        # for the second AP must appear.
        status_seen = False
        for _ in range(50):
            if not status_seen:
                status_seen = ("Pre-authentication EAPOL state machines:" in
                               sta.request("STATUS"))
            time.sleep(0.1)
            pmksa = sta.get_pmksa(target_bssid)
            if pmksa:
                break
        else:
            raise Exception("No PMKSA cache entry created from pre-authentication")
        if not status_seen:
            raise Exception("Pre-authentication EAPOL status was not available")

        sta.scan(freq="2412")
        scan_results = sta.request("SCAN_RESULTS")
        if "[WPA2-EAP-CCMP-preauth]" not in scan_results:
            raise Exception("Scan results missing RSN element info")
        sta.request("ROAM " + target_bssid)
        event = sta.wait_event(["CTRL-EVENT-EAP-STARTED",
                                "CTRL-EVENT-CONNECTED"], timeout=10)
        if event is None:
            raise Exception("Roaming with the AP timed out")
        # A full EAP exchange here would mean the cached entry was not used
        if "CTRL-EVENT-EAP-STARTED" in event:
            raise Exception("Unexpected EAP exchange")
        pmksa_after = sta.get_pmksa(target_bssid)
        if pmksa_after is None:
            raise Exception("No PMKSA cache entry")
        if pmksa['pmkid'] != pmksa_after['pmkid']:
            raise Exception("Unexpected PMKID change")

    finally:
        # Best-effort bridge teardown; return codes are not checked
        subprocess.call(['ip', 'link', 'set', 'dev', bridge, 'down'])
        subprocess.call(['brctl', 'delbr', bridge])
Example #3
def test_fils_sk_erp_another_ssid(dev, apdev):
    """FILS SK using ERP and roam to another SSID

    After a first FILS connection to SSID "fils", the AP is disabled and
    restarted on the same interface with SSID "fils2". With PMKSA caching
    disabled on the AP and the station's PMKSA cache flushed, the second
    connection is expected to complete without a full EAP exchange.
    """
    sta = dev[0]
    check_fils_capa(sta)
    check_erp_capa(sta)

    def fils_params(ssid):
        # Same FILS/ERP configuration for both SSIDs
        ap_params = hostapd.wpa2_eap_params(ssid=ssid)
        for key, value in (('wpa_key_mgmt', "FILS-SHA256"),
                           ('auth_server_port', "18128"),
                           ('erp_domain', 'example.com'),
                           ('fils_realm', 'example.com'),
                           ('disable_pmksa_caching', '1')):
            ap_params[key] = value
        return ap_params

    start_erp_as(apdev[1])

    bssid = apdev[0]['bssid']
    params = fils_params("fils")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    sta.scan_for_bss(bssid, freq=2412)
    sta.request("ERP_FLUSH")
    net_id = sta.connect("fils", key_mgmt="FILS-SHA256",
                         eap="PSK", identity="*****@*****.**",
                         password_hex="0123456789abcdef0123456789abcdef",
                         erp="1", scan_freq="2412")

    sta.request("DISCONNECT")
    sta.wait_disconnected()
    hapd.disable()
    sta.flush_scan_cache()
    flush_reply = sta.request("PMKSA_FLUSH")
    if "FAIL" in flush_reply:
        raise Exception("PMKSA_FLUSH failed")

    params = fils_params("fils2")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    sta.scan_for_bss(bssid, freq=2412)
    sta.dump_monitor()
    net_id = sta.connect("fils2", key_mgmt="FILS-SHA256",
                         eap="PSK", identity="*****@*****.**",
                         password_hex="0123456789abcdef0123456789abcdef",
                         erp="1", scan_freq="2412", wait_connect=False)

    event = sta.wait_event(["CTRL-EVENT-EAP-STARTED",
                            "EVENT-ASSOC-REJECT",
                            "CTRL-EVENT-CONNECTED"], timeout=10)
    if event is None:
        raise Exception("Connection using FILS/ERP timed out")
    for marker, error in (("CTRL-EVENT-EAP-STARTED", "Unexpected EAP exchange"),
                          ("EVENT-ASSOC-REJECT", "Association failed")):
        if marker in event:
            raise Exception(error)
    hwsim_utils.test_connectivity(sta, hapd)
Example #4
def test_ap_vlan_wpa2_radius_mixed(dev, apdev):
    """AP VLAN with WPA2-Enterprise and tagged+untagged VLANs

    The station authenticates as "vlan12mixed" and connectivity is then
    checked twice: untagged traffic against bridge "brvlan2" and traffic on a
    VLAN id 1 sub-interface against bridge "brvlan1".
    """
    vlan_ifname = 'wlan0.1'
    try:
        ap_params = hostapd.wpa2_eap_params(ssid="test-vlan")
        ap_params['dynamic_vlan'] = "1"
        ap_params["vlan_naming"] = "1"
        hapd = hostapd.add_ap(apdev[0], ap_params)

        sta = dev[0]
        sta.connect("test-vlan", key_mgmt="WPA-EAP", eap="PAX",
                    identity="vlan12mixed",
                    password_hex="0123456789abcdef0123456789abcdef",
                    scan_freq="2412")

        # Tagged VLAN sub-interface on top of the station interface, so that
        # the test can send frames carrying VLAN id 1
        add_vlan_cmd = ['ip', 'link', 'add', 'link', sta.ifname,
                        'name', vlan_ifname, 'type', 'vlan', 'id', '1']
        subprocess.call(add_vlan_cmd)
        subprocess.call(['ifconfig', vlan_ifname, 'up'])

        logger.info("Test connectivity in untagged VLAN 2")
        hwsim_utils.run_connectivity_test(sta, hapd, 0,
                                          ifname1=sta.ifname,
                                          ifname2="brvlan2")
        logger.info("Test connectivity in tagged VLAN 1")
        hwsim_utils.run_connectivity_test(sta, hapd, 0,
                                          ifname1=vlan_ifname,
                                          ifname2="brvlan1")
    finally:
        # Runs even when the sub-interface was never created; the commands'
        # return codes are ignored.
        subprocess.call(['ifconfig', vlan_ifname, 'down'])
        subprocess.call(['ip', 'link', 'del', vlan_ifname])
Example #5
def test_pmksa_cache_ap_expiration(dev, apdev):
    """PMKSA cache entry expiring on AP

    After a five second pause the station reconnects and the test requires a
    fresh EAP exchange (the first event must not be CTRL-EVENT-CONNECTED).
    It then expects the connection to be dropped and re-established once more.
    """
    sta = dev[0]

    def require_event(names, error):
        # Wait up to 20 s for one of the events; a timeout fails the test
        event = sta.wait_event(names, timeout=20)
        if event is None:
            raise Exception(error)
        return event

    ap_params = hostapd.wpa2_eap_params(ssid="test-pmksa-cache")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    bssid = apdev[0]['bssid']
    sta.connect("test-pmksa-cache", proto="RSN", key_mgmt="WPA-EAP",
                eap="GPSK", identity="gpsk-user-session-timeout",
                password="******",
                scan_freq="2412")
    sta.request("DISCONNECT")
    # NOTE(review): the 5 s pause presumably outlasts a session timeout tied
    # to the "gpsk-user-session-timeout" identity on the server - confirm.
    time.sleep(5)
    sta.dump_monitor()
    sta.request("RECONNECT")
    first = require_event(["CTRL-EVENT-EAP-STARTED", "CTRL-EVENT-CONNECTED"],
                          "Roaming with the AP timed out")
    # Connecting straight away would mean the expired entry was still honoured
    if "CTRL-EVENT-CONNECTED" in first:
        raise Exception("EAP exchange missing")
    require_event(["CTRL-EVENT-CONNECTED"],
                  "Reassociation with the AP timed out")
    sta.dump_monitor()
    require_event(["CTRL-EVENT-DISCONNECTED"],
                  "Disconnection event timed out")
    require_event(["CTRL-EVENT-CONNECTED"],
                  "Reassociation with the AP timed out")
Example #6
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS

    The station authenticates with a client certificate and private key and
    validates the server against the test CA certificate.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Test PKI material shipped with the test suite (paths are relative)
    trust_anchor = "auth_serv/ca.pem"
    user_cert = "auth_serv/user.pem"
    user_key = "auth_serv/user.key"
    eap_connect(dev[0], "TLS", "tls user", ca_cert=trust_anchor,
                client_cert=user_cert,
                private_key=user_key)
Example #7
def test_authsrv_testing_options(dev, apdev):
    """Authentication server and testing options

    Connects once per anonymous identity; the identity's realm selects the
    server-side test case. Every connection is expected to succeed (connect()
    is called without wait_connect=False), see the comment below for why.
    """
    server_params = authsrv_params()
    authsrv = hostapd.add_ap(apdev[1], server_params)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0], ap_params)

    sta = dev[0]
    sta.scan_for_bss(hapd.own_addr(), 2412)
    # The first two would be fine to run with any server build; the rest are
    # actually supposed to fail, but they don't fail when using a server build
    # that does not support the TLS protocol tests.
    anonymous_identities = ["foo@test-unknown", "foo@test-tls-unknown"]
    anonymous_identities += ["foo@test-tls-%d" % n for n in range(1, 9)]
    for outer_identity in anonymous_identities:
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                    eap="TTLS", identity="user",
                    anonymous_identity=outer_identity,
                    password="******",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                    scan_freq="2412")
        sta.request("REMOVE_NETWORK all")
        sta.wait_disconnected()
Example #8
def test_radius_ipv6(dev, apdev):
    """RADIUS connection over IPv6

    Starts one hostapd instance as a RADIUS/EAP server with IPv6 enabled and
    a second one as the AP that reaches authentication and accounting at
    address "::0".
    """
    # Stand-alone authentication server on apdev[1]
    server_params = {
        "ssid": "as",
        "beacon_int": "2000",
        "radius_server_clients": "auth_serv/radius_clients_ipv6.conf",
        "radius_server_ipv6": "1",
        "radius_server_auth_port": "18129",
        "radius_server_acct_port": "18139",
        "eap_server": "1",
        "eap_user_file": "auth_serv/eap_user.conf",
        "ca_cert": "auth_serv/ca.pem",
        "server_cert": "auth_serv/server.pem",
        "private_key": "auth_serv/server.key",
    }
    hostapd.add_ap(apdev[1]["ifname"], server_params)

    # AP on apdev[0]; the accounting shared secret is a fixed test value
    ap_params = hostapd.wpa2_eap_params(ssid="radius-ipv6")
    for key, value in (("auth_server_addr", "::0"),
                       ("auth_server_port", "18129"),
                       ("acct_server_addr", "::0"),
                       ("acct_server_port", "18139"),
                       ("acct_server_shared_secret", "radius"),
                       ("own_ip_addr", "::0")):
        ap_params[key] = value
    hostapd.add_ap(apdev[0]["ifname"], ap_params)
    connect(dev[0], "radius-ipv6")
Example #9
def test_pmksa_cache_ctrl_events(dev, apdev):
    """PMKSA cache control interface events

    Checks that PMKSA-CACHE-ADDED is reported during the connection and
    PMKSA-CACHE-REMOVED after PMKSA_FLUSH, each naming the AP's BSSID and the
    network id that connect() returned.
    """
    def check_fields(event):
        # The second and third space-separated fields are compared against
        # the BSSID and the network id respectively.
        fields = event.split(' ')
        if fields[1] != bssid:
            raise Exception("BSSID mismatch: " + event)
        if int(fields[2]) != net_id:
            raise Exception("network_id mismatch: " + event)

    ap_params = hostapd.wpa2_eap_params(ssid="test-pmksa-cache")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    bssid = apdev[0]['bssid']
    sta = dev[0]

    net_id = sta.connect("test-pmksa-cache", proto="RSN", key_mgmt="WPA-EAP",
                         eap="GPSK", identity="gpsk user",
                         password="******",
                         scan_freq="2412", wait_connect=False)

    added = sta.wait_event(["PMKSA-CACHE-ADDED"], timeout=15)
    if added is None:
        raise Exception("No PMKSA-CACHE-ADDED event")
    sta.wait_connected()
    check_fields(added)

    sta.request("PMKSA_FLUSH")
    removed = sta.wait_event(["PMKSA-CACHE-REMOVED"], timeout=15)
    if removed is None:
        raise Exception("No PMKSA-CACHE-REMOVED event")
    # Flushing the cache is expected to drop the association as well
    sta.wait_disconnected()
    sta.request("DISCONNECT")
    check_fields(removed)
Example #10
def _test_pmksa_cache_size_limit(dev, apdev):
    """Connect to 33 different BSSIDs and check the PMKSA entry count each time.

    Each iteration restarts the AP with a BSSID built from the first 15
    characters of the AP's own BSSID plus a two-digit hex counter. The number
    of entries reported by the PMKSA command must grow by one per iteration
    and stay at 32 on the 33rd, when the oldest entry is expected to be
    removed.
    """
    limit = 32
    sta = dev[0]
    params = hostapd.wpa2_eap_params(ssid="test-pmksa-cache")
    net_id = sta.connect("test-pmksa-cache", proto="RSN", key_mgmt="WPA-EAP",
                         eap="GPSK", identity="gpsk user",
                         password="******",
                         scan_freq="2412", only_add_network=True)
    for i in range(limit + 1):
        bssid = apdev[0]['bssid'][0:15] + ("%02x" % i)
        logger.info("Iteration with BSSID " + bssid)
        params['bssid'] = bssid
        hostapd.add_ap(apdev[0], params)
        sta.request("BSS_FLUSH 0")
        sta.scan_for_bss(bssid, freq=2412, only_new=True)
        sta.select_network(net_id)
        sta.wait_connected()
        sta.request("DISCONNECT")
        sta.wait_disconnected()
        sta.dump_monitor()
        # One line of the PMKSA output is not an entry (presumably a header)
        listing = sta.request("PMKSA").splitlines()
        entries = len(listing) - 1
        at_limit = (i == limit)
        expected = limit if at_limit else i + 1
        if entries != expected:
            if at_limit:
                raise Exception("Unexpected number of PMKSA entries after expected removal of the oldest entry")
            raise Exception("Unexpected number of PMKSA entries")

        # Tear the AP down so that the next iteration can use a new BSSID
        hapd = hostapd.HostapdGlobal(apdev[0])
        hapd.flush()
        hapd.remove(apdev[0]['ifname'])
def test_ap_vlan_wpa2_radius(dev, apdev):
    """AP VLAN with WPA2-Enterprise and RADIUS attributes

    Three stations authenticate with different identities. The first two are
    then checked for connectivity through bridges "brvlan1" and "brvlan2",
    the third through the AP without a VLAN bridge.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-vlan")
    ap_params["dynamic_vlan"] = "1"
    hapd = hostapd.add_ap(apdev[0]["ifname"], ap_params)

    # The identity is the only per-station difference; presumably the RADIUS
    # user database maps it to the VLAN assignment.
    identities = ("vlan1", "vlan2", "*****@*****.**")
    for index, identity in enumerate(identities):
        dev[index].connect(
            "test-vlan",
            key_mgmt="WPA-EAP",
            eap="PAX",
            identity=identity,
            password_hex="0123456789abcdef0123456789abcdef",
            scan_freq="2412",
        )

    for index, bridge in enumerate(("brvlan1", "brvlan2")):
        hwsim_utils.test_connectivity_iface(dev[index], hapd, bridge)
    hwsim_utils.test_connectivity(dev[2], hapd)
Example #12
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2

    Covers a normal connection with reauthentication, a connection with a
    200 byte fragment size, a connection with the password given as a hash
    value, and a connection that is expected to fail.
    """
    sta, ap = dev[0], apdev[0]
    trust_anchor = "auth_serv/ca.pem"
    inner_method = "auth=MSCHAPV2"

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ap['ifname'], ap_params)
    eap_connect(sta, ap, "PEAP", "user",
                anonymous_identity="peap", password="******",
                ca_cert=trust_anchor, phase2=inner_method)
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "PEAP")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PEAP", "user",
                anonymous_identity="peap", password="******",
                ca_cert=trust_anchor, phase2=inner_method,
                fragment_size="200")

    logger.info("Password as hash value")
    sta.request("REMOVE_NETWORK all")
    # The "hash:" form passes a hash value in place of the cleartext password
    eap_connect(sta, ap, "PEAP", "user",
                anonymous_identity="peap",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert=trust_anchor, phase2=inner_method)

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    # NOTE(review): the password literal is masked in this listing and reads
    # the same as the valid one above; a negative test needs a value that
    # differs from it.
    eap_connect(sta, ap, "PEAP", "user",
                anonymous_identity="peap", password="******",
                ca_cert=trust_anchor, phase2=inner_method,
                expect_failure=True)
Example #13
def test_radius_das_coa(dev, apdev):
    """RADIUS Dynamic Authorization Extensions - CoA

    Sends a CoA-Request for the connected station's accounting session to the
    AP's DAS port and expects a CoA-NAK with error cause 405.
    """
    try:
        import pyrad.client
        import pyrad.packet
        import pyrad.dictionary
        import radius_das
    except ImportError:
        raise HwsimSkip("No pyrad modules available")

    das_secret = "secret"
    ap_params = hostapd.wpa2_eap_params(ssid="radius-das")
    # The DAS accepts requests from 127.0.0.1 only, with a fixed test secret,
    # and is configured to require an Event-Timestamp in each request.
    for key, value in (('radius_das_port', "3799"),
                       ('radius_das_client', "127.0.0.1 secret"),
                       ('radius_das_require_event_timestamp', "1")):
        ap_params[key] = value
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    connect(dev[0], "radius-das")
    sta_addr = dev[0].p2p_interface_addr()
    sta_info = hapd.get_sta(sta_addr)
    session_id = sta_info['dot1xAuthSessionId']

    radius_dict = pyrad.dictionary.Dictionary("dictionary.radius")

    das_client = pyrad.client.Client(server="127.0.0.1", acctport=3799,
                                     secret=das_secret, dict=radius_dict)
    das_client.retries = 1
    das_client.timeout = 1

    # hostapd does not currently support CoA-Request, so NAK is expected
    logger.info("CoA-Request with matching Acct-Session-Id")
    request = radius_das.CoAPacket(dict=radius_dict, secret=das_secret,
                                   Acct_Session_Id=session_id,
                                   Event_Timestamp=int(time.time()))
    send_and_check_reply(das_client, request, pyrad.packet.CoANAK,
                         error_cause=405)
Example #14
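def test_radius_acct_unreachable3(dev, apdev):
    """RADIUS Accounting server initially unreachable, but then available

    A blackhole route makes the configured accounting server address
    unreachable while the station connects. The route is then removed, the
    AP's accounting server address is replaced with 127.0.0.1 and the station
    reconnects; the authentication server's radiusAccServTotalResponses
    counter must have increased by the end.
    """
    require_under_vm()
    unreachable_addr = '192.168.213.18'
    subprocess.call(['ip', 'ro', 'replace', 'blackhole', unreachable_addr])
    try:
        as_hapd = hostapd.Hostapd("as")
        as_mib_start = as_hapd.get_mib(param="radius_server")
        params = hostapd.wpa2_eap_params(ssid="radius-acct")
        params['acct_server_addr'] = unreachable_addr
        params['acct_server_port'] = "1813"
        params['acct_server_shared_secret'] = "radius"
        hostapd.add_ap(apdev[0]['ifname'], params)
        hapd = hostapd.Hostapd(apdev[0]['ifname'])
        connect(dev[0], "radius-acct")
    finally:
        # Remove the blackhole route even when setup or the connection fails,
        # so that a failed run does not leave the host routing table modified
        # for whatever runs next.
        subprocess.call(['ip', 'ro', 'del', 'blackhole', unreachable_addr])
    time.sleep(0.1)
    dev[0].request("DISCONNECT")
    hapd.set('acct_server_addr_replace', '127.0.0.1')
    dev[0].request("RECONNECT")
    dev[0].wait_connected()
    # Give the accounting exchange a moment before sampling the MIB again
    time.sleep(1)
    as_mib_end = as_hapd.get_mib(param="radius_server")
    req_s = int(as_mib_start['radiusAccServTotalResponses'])
    req_e = int(as_mib_end['radiusAccServTotalResponses'])
    if req_e <= req_s:
        raise Exception("Unexpected RADIUS server acct MIB value")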
Example #15
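def test_pmksa_cache_expiration_disconnect(dev, apdev):
    """PMKSA cache entry expiration (disconnect)

    With a PMK lifetime of 2 on the station, the AP's RADIUS shared secret is
    set to a wrong value so that the reauthentication triggered by expiry
    cannot succeed and the station is disconnected. After the secret is
    restored the station must reconnect with a different PMKID.
    """
    params = hostapd.wpa2_eap_params(ssid="test-pmksa-cache")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    bssid = apdev[0]['bssid']
    dev[0].request("SET dot11RSNAConfigPMKLifetime 2")
    dev[0].request("SET dot11RSNAConfigPMKReauthThreshold 100")
    dev[0].connect("test-pmksa-cache", proto="RSN", key_mgmt="WPA-EAP",
                   eap="GPSK", identity="gpsk user",
                   password="******",
                   scan_freq="2412")
    pmksa = dev[0].get_pmksa(bssid)
    if pmksa is None:
        raise Exception("No PMKSA cache entry created")
    # Break the AP-to-RADIUS leg so that reauthentication fails
    hapd.request("SET auth_server_shared_secret incorrect")
    logger.info("Wait for PMKSA cache entry to expire")
    ev = dev[0].wait_event(["WPA: Key negotiation completed",
                            "CTRL-EVENT-DISCONNECTED"], timeout=15)
    if ev is None:
        raise Exception("No EAP reauthentication seen")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Missing disconnection")
    hapd.request("SET auth_server_shared_secret radius")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=15)
    if ev is None:
        raise Exception("No EAP reauthentication seen")
    pmksa2 = dev[0].get_pmksa(bssid)
    # get_pmksa() can return None (see the check after the first lookup);
    # report that explicitly instead of failing on the subscript below.
    if pmksa2 is None:
        raise Exception("No PMKSA cache entry")
    if pmksa['pmkid'] == pmksa2['pmkid']:
        raise Exception("PMKID did not change")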
def test_dbus_old_connect_eap(dev, apdev):
    """The old D-Bus interface - add an EAP network and connect

    Adds an EAP-TTLS/PAP network through the old D-Bus interface and passes
    only if both a StateChange to "COMPLETED" and a Certification signal were
    received.
    """
    (bus,wpas_obj,path,if_obj) = prepare_dbus(dev[0])

    ssid = "test-wpa2-eap"
    params = hostapd.wpa2_eap_params(ssid=ssid)
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    class TestDbusConnect(TestDbus):
        # Signal-driven helper; add_signal, timeout and loop are not defined
        # here and are presumably provided by TestDbus.
        def __init__(self, bus):
            TestDbus.__init__(self, bus)
            # Both flags must be set by signal handlers for success()
            self.connected = False
            self.certification_received = False

        def __enter__(self):
            # Schedule the connection attempt and a 15000 ms overall timeout,
            # subscribe to the two signals, then block in the main loop until
            # something calls self.loop.quit().
            gobject.timeout_add(1, self.run_connect)
            gobject.timeout_add(15000, self.timeout)
            self.add_signal(self.stateChange, WPAS_DBUS_OLD_IFACE,
                            "StateChange")
            self.add_signal(self.certification, WPAS_DBUS_OLD_IFACE,
                            "Certification")
            self.loop.run()
            return self

        def stateChange(self, new, old):
            # Reaching "COMPLETED" marks the connection as done and ends the
            # main loop.
            logger.debug("stateChange: %s --> %s" % (old, new))
            if new == "COMPLETED":
                self.connected = True
                self.loop.quit()

        def certification(self, depth, subject, hash, cert_hex):
            # Records that certificate information was reported; the values
            # are only logged, not compared against anything.
            logger.debug("certification: depth={} subject={} hash={} cert_hex={}".format(depth, subject, hash, cert_hex))
            self.certification_received = True

        def run_connect(self, *args):
            # Create the network object, push the EAP-TTLS/PAP configuration
            # (including the CA certificate used for server validation) and
            # enable it.
            logger.debug("run_connect")
            path = if_obj.addNetwork(dbus_interface=WPAS_DBUS_OLD_IFACE)
            netw_obj = bus.get_object(WPAS_DBUS_OLD_SERVICE, path)
            params = dbus.Dictionary({ 'ssid': ssid,
                                       'key_mgmt': 'WPA-EAP',
                                       'eap': 'TTLS',
                                       'anonymous_identity': 'ttls',
                                       'identity': 'pap user',
                                       'ca_cert': 'auth_serv/ca.pem',
                                       'phase2': 'auth=PAP',
                                       'password': '******',
                                       'scan_freq': 2412 },
                                     signature='sv')
            netw_obj.set(params, dbus_interface=WPAS_DBUS_OLD_NETWORK)
            netw_obj.enable(dbus_interface=WPAS_DBUS_OLD_NETWORK)
            self.path = path
            self.netw_obj = netw_obj
            # Returning False keeps the timeout callback from firing again
            return False

        def success(self):
            # Connected AND the Certification signal was seen
            return self.connected and self.certification_received

    with TestDbusConnect(bus) as t:
        if not t.success():
            raise Exception("Expected signals not seen")
Example #17
def test_suite_b(dev, apdev):
    """WPA-EAP-SUITE-B connection with GCMP and reconnect without new EAP exchange

    Skipped when the station does not list GCMP as a pairwise cipher. The
    station connects with EAP-TLS, disconnects and reconnects; the reconnect
    must not start a new EAP exchange.
    """
    sta = dev[0]
    pairwise_ciphers = sta.get_capability("pairwise")
    if "GCMP" not in pairwise_ciphers:
        return "skip"
    ap_params = hostapd.wpa2_eap_params(ssid="test-suite-b")
    ap_params["wpa_key_mgmt"] = "WPA-EAP-SUITE-B"
    ap_params['rsn_pairwise'] = "GCMP"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # TODO: Force Suite B configuration for TLS
    # (as written, only the AKM and the ciphers are Suite B specific; nothing
    # in this test constrains the TLS parameters)
    sta.connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B",
                eap="TLS", identity="tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key",
                pairwise="GCMP", group="GCMP", scan_freq="2412")
    sta.request("DISCONNECT")
    disconnected = sta.wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=20)
    if disconnected is None:
        raise Exception("Disconnection event timed out")
    sta.dump_monitor()
    sta.request("RECONNECT")
    event = sta.wait_event(["CTRL-EVENT-EAP-STARTED",
                            "CTRL-EVENT-CONNECTED"], timeout=20)
    if event is None:
        raise Exception("Roaming with the AP timed out")
    if "CTRL-EVENT-EAP-STARTED" in event:
        raise Exception("Unexpected EAP exchange")
def test_ap_vlan_wpa2_radius_required(dev, apdev):
    """AP VLAN with WPA2-Enterprise and RADIUS attributes required

    With dynamic_vlan set to "2", the station using identity "vlan1" must
    connect, while the third station's connection attempt must not end in
    CTRL-EVENT-CONNECTED.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-vlan")
    ap_params["dynamic_vlan"] = "2"
    hostapd.add_ap(apdev[0]["ifname"], ap_params)

    shared = "0123456789abcdef0123456789abcdef"
    dev[0].connect(
        "test-vlan",
        key_mgmt="WPA-EAP",
        eap="PAX",
        identity="vlan1",
        password_hex=shared,
        scan_freq="2412",
    )
    rejected_sta = dev[2]
    rejected_sta.connect(
        "test-vlan",
        key_mgmt="WPA-EAP",
        eap="PAX",
        identity="*****@*****.**",
        password_hex=shared,
        scan_freq="2412",
        wait_connect=False,
    )
    outcome = rejected_sta.wait_event(
        ["CTRL-EVENT-CONNECTED", "CTRL-EVENT-DISCONNECTED"], timeout=20)
    if outcome is None:
        raise Exception("Timeout on connection attempt")
    # Being admitted here would mean the AP did not enforce the requirement
    if "CTRL-EVENT-CONNECTED" in outcome:
        raise Exception("Unexpected success without tunnel parameters")
Example #19
def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE

    Besides the plain connection and reauthentication, the test forces four
    phase1 algorithm selections that must succeed, one that must end in an
    EAP failure, and a final connection that is expected to fail.
    """
    sta = dev[0]

    def require_event(name, error):
        # Wait up to 10 s for a single event; a timeout fails the test
        if sta.wait_event([name], timeout=10) is None:
            raise Exception(error)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    net_id = eap_connect(sta, apdev[0], "EKE", "eke user", password="******")
    eap_reauth(sta, "EKE")

    logger.info("Test forced algorithm selection")
    accepted_selections = ("dhgroup=5 encr=1 prf=2 mac=2",
                           "dhgroup=4 encr=1 prf=2 mac=2",
                           "dhgroup=3 encr=1 prf=2 mac=2",
                           "dhgroup=3 encr=1 prf=1 mac=1")
    for phase1 in accepted_selections:
        sta.set_network_quoted(net_id, "phase1", phase1)
        require_event("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out")
        require_event("CTRL-EVENT-CONNECTED",
                      "Association with the AP timed out")

    logger.info("Test failed algorithm negotiation")
    # Identifiers that the negotiation is expected to reject
    sta.set_network_quoted(net_id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    require_event("CTRL-EVENT-EAP-FAILURE", "EAP failure timed out")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    # NOTE(review): the password literal is masked in this listing and reads
    # the same as the valid one above; a negative test needs a value that
    # differs from it.
    eap_connect(sta, apdev[0], "EKE", "eke user", password="******",
                expect_failure=True)
Example #20
def test_erp_radius(dev, apdev):
    """ERP enabled on RADIUS server and peer

    After the initial connection the station disconnects and reconnects three
    times; each EAP success event must state that EAP re-authentication was
    used. PMKSA caching is disabled on the AP.
    """
    sta = dev[0]
    check_erp_capa(sta)
    start_erp_as(apdev[1])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    for key, value in (('auth_server_port', "18128"),
                       ('erp_send_reauth_start', '1'),
                       ('erp_domain', 'example.com'),
                       ('disable_pmksa_caching', '1')):
        ap_params[key] = value
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)

    sta.request("ERP_FLUSH")
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                eap="PSK", identity="*****@*****.**",
                password_hex="0123456789abcdef0123456789abcdef",
                erp="1", scan_freq="2412")
    for _ in range(3):
        sta.request("DISCONNECT")
        sta.wait_disconnected(timeout=15)
        sta.request("RECONNECT")
        success = sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
        if success is None:
            raise Exception("EAP success timed out")
        # The success event text distinguishes ERP from a full EAP exchange
        if "EAP re-authentication completed successfully" not in success:
            raise Exception("Did not use ERP")
        sta.wait_connected(timeout=15, error="Reconnection timed out")
Example #21
def test_radius_ipv6(dev, apdev):
    """RADIUS connection over IPv6

    Starts one hostapd instance as a RADIUS/EAP server with IPv6 enabled and
    a second one as the AP that reaches authentication and accounting at
    address "::0".
    """
    # Stand-alone authentication server on apdev[1]
    server_params = {
        'ssid': 'as',
        'beacon_int': '2000',
        'radius_server_clients': 'auth_serv/radius_clients_ipv6.conf',
        'radius_server_ipv6': '1',
        'radius_server_auth_port': '18129',
        'radius_server_acct_port': '18139',
        'eap_server': '1',
        'eap_user_file': 'auth_serv/eap_user.conf',
        'ca_cert': 'auth_serv/ca.pem',
        'server_cert': 'auth_serv/server.pem',
        'private_key': 'auth_serv/server.key',
    }
    hostapd.add_ap(apdev[1]['ifname'], server_params)

    # AP on apdev[0]; the accounting shared secret is a fixed test value
    ap_params = hostapd.wpa2_eap_params(ssid="radius-ipv6")
    for key, value in (('auth_server_addr', "::0"),
                       ('auth_server_port', "18129"),
                       ('acct_server_addr', "::0"),
                       ('acct_server_port', "18139"),
                       ('acct_server_shared_secret', "radius"),
                       ('own_ip_addr', "::0")):
        ap_params[key] = value
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    connect(dev[0], "radius-ipv6")
Example #22
def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK

    Besides the plain connection and reauthentication, the test forces two
    cipher selections that must succeed, one that must end in an EAP failure,
    and a final connection that is expected to fail.
    """
    sta = dev[0]

    def require_event(name, error):
        # Wait up to 10 s for a single event; a timeout fails the test
        if sta.wait_event([name], timeout=10) is None:
            raise Exception(error)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    net_id = eap_connect(sta, apdev[0], "GPSK", "gpsk user",
                         password="******")
    eap_reauth(sta, "GPSK")

    logger.info("Test forced algorithm selection")
    for phase1 in ("cipher=1", "cipher=2"):
        sta.set_network_quoted(net_id, "phase1", phase1)
        require_event("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out")
        require_event("CTRL-EVENT-CONNECTED",
                      "Association with the AP timed out")

    logger.info("Test failed algorithm negotiation")
    # A cipher identifier that the negotiation is expected to reject
    sta.set_network_quoted(net_id, "phase1", "cipher=9")
    require_event("CTRL-EVENT-EAP-FAILURE", "EAP failure timed out")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    # NOTE(review): the password literal is masked in this listing and reads
    # the same as the valid one above; a negative test needs a value that
    # differs from it.
    eap_connect(sta, apdev[0], "GPSK", "gpsk user",
                password="******",
                expect_failure=True)
Example #23
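def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2

    Three attempts are made with the same identity: a plaintext password
    (followed by a reauthentication whose effect on the authenticator's
    counters is checked), the password given in "hash:" form, and an
    attempt that is expected to fail.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # The backslash is escaped explicitly: "\m" is not a valid escape
    # sequence and current Python versions warn about it. The resulting
    # string is unchanged (DOMAIN, one backslash, user name).
    identity = "DOMAIN\\mschapv2 user"

    # Only this first attempt also constrains the server name with
    # domain_suffix_match; the later attempts pass ca_cert alone.
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls", password="******",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])

    # Snapshot the authenticator's per-station counters before and after
    # the reauthentication so that the increase can be verified.
    sta1 = hapd.get_sta(dev[0].p2p_interface_addr())
    eapol1 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(dev[0].p2p_interface_addr())
    eapol2 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # The "hash:" form supplies the NT password hash instead of the
    # plaintext. For MSCHAPv2 that hash is sufficient to authenticate, so a
    # stored hash needs the same protection as the password itself.
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls", password="******",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)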
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    # NOTE(review): ocsp=2 presumably maps to the supplicant setting that
    # requires a valid stapled OCSP response; confirm against eap_connect.
    tls_settings = {
        "ca_cert": "auth_serv/ca.pem",
        "private_key": "auth_serv/user.pkcs12",
        "private_key_passwd": "whatever",
        "ocsp": 2,
    }
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **tls_settings)
def test_hostapd_oom_wpa2_eap(dev, apdev):
    """hostapd failing to setup WPA2-EAP mode due to OOM"""
    conf = hostapd.wpa2_eap_params(ssid="test")
    # Accounting server settings; "radius" is the fixture shared secret.
    accounting = (('acct_server_addr', "127.0.0.1"),
                  ('acct_server_port', "1813"),
                  ('acct_server_shared_secret', "radius"))
    for name, value in accounting:
        conf[name] = value
    hostapd_oom_loop(apdev, conf)
def test_hostapd_oom_wpa2_eap_radius(dev, apdev):
    """hostapd failing to setup WPA2-EAP mode due to OOM in RADIUS"""
    conf = hostapd.wpa2_eap_params(ssid="test")
    # Accounting server settings; "radius" is the fixture shared secret.
    accounting = (('acct_server_addr', "127.0.0.1"),
                  ('acct_server_port', "1813"),
                  ('acct_server_shared_secret', "radius"))
    for name, value in accounting:
        conf[name] = value
    # The OOM loop is run with "accounting_init" passed as start_func.
    hostapd_oom_loop(apdev, conf, start_func="accounting_init")
def _test_pmksa_cache_preauth_oom(dev, apdev):
    """Run RSN pre-authentication while allocation failures are injected.

    The station connects to a first AP on bridge ap-br0, a second AP with
    rsn_preauth enabled is added, and a PREAUTH request towards the second
    AP is issued once per injected failure point. Whether a PMKSA entry
    results is only logged; the test does not fail on that outcome.
    """
    sta = dev[0]

    conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    conf['bridge'] = 'ap-br0'
    ap1 = hostapd.add_ap(apdev[0], conf)
    hostapd.cmd_execute(apdev[0], ['brctl', 'setfd', 'ap-br0', '0'])
    hostapd.cmd_execute(apdev[0], ['ip', 'link', 'set', 'dev', 'ap-br0', 'up'])
    eap_connect(sta, ap1, "PAX", "*****@*****.**",
                password_hex="0123456789abcdef0123456789abcdef",
                bssid=apdev[0]['bssid'])

    conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    conf['bridge'] = 'ap-br0'
    conf['rsn_preauth'] = '1'
    conf['rsn_preauth_interfaces'] = 'ap-br0'
    ap2 = hostapd.add_ap(apdev[1], conf)
    bssid1 = apdev[1]['bssid']

    # (count, function) pairs handed to alloc_fail() on the second AP.
    failure_points = [(1, "rsn_preauth_receive"),
                      (2, "rsn_preauth_receive"),
                      (1, "rsn_preauth_send"),
                      (1, "wpa_auth_pmksa_add_preauth;rsn_preauth_finished")]
    for fail_count, fail_func in failure_points:
        ap2.request("DEAUTHENTICATE ff:ff:ff:ff:ff:ff")
        with alloc_fail(ap2, fail_count, fail_func):
            sta.scan_for_bss(bssid1, freq="2412")
            if "OK" not in sta.request("PREAUTH " + bssid1):
                raise Exception("PREAUTH failed")

            # Poll for up to 50 rounds of 0.1 s. Stop early on a PMKSA entry
            # or once GET_ALLOC_FAIL has answered "0:..." three times.
            success = False
            zero_reports = 0
            for _ in range(50):
                time.sleep(0.1)
                if sta.get_pmksa(bssid1):
                    success = True
                    break
                if not ap2.request('GET_ALLOC_FAIL').startswith('0:'):
                    continue
                zero_reports += 1
                if zero_reports > 2:
                    break
            logger.info("PMKSA cache success: " + str(success))

            sta.request("PMKSA_FLUSH")
            sta.wait_disconnected()
            sta.wait_connected()
            sta.dump_monitor()
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_ifname = apdev[0]['ifname']
    hostapd.add_ap(ap_ifname, ap_conf)
    # Outer identity "ttls" is sent in the clear; the CHAP credentials go
    # inside the TLS tunnel validated against auth_serv/ca.pem.
    tunnel_args = {
        "anonymous_identity": "ttls",
        "password": "******",
        "ca_cert": "auth_serv/ca.pem",
        "phase2": "auth=CHAP",
    }
    eap_connect(dev[0], "TTLS", "chap user", **tunnel_args)
    hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_ifname = apdev[0]['ifname']
    hostapd.add_ap(ap_ifname, ap_conf)
    # The inner MSCHAPv2 exchange runs inside the PEAP tunnel, which is
    # validated against auth_serv/ca.pem.
    tunnel_args = {
        "anonymous_identity": "ttls",
        "password": "******",
        "ca_cert": "auth_serv/ca.pem",
        "phase2": "auth=MSCHAPV2",
    }
    eap_connect(dev[0], "PEAP", "user", **tunnel_args)
    hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
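def test_dbus_old_scan(dev, apdev):
    """The old D-Bus interface - scanning

    Starts one open and one WPA/WPA2-EAP AP, triggers a scan through the
    old D-Bus interface, waits for the ScanResultsAvailable signal, reads
    the properties of both reported BSSes and finally verifies that a call
    to an unknown BSSID method is rejected.
    """
    bus, wpas_obj, path, if_obj = prepare_dbus(dev[0])

    hapd = hostapd.add_ap(apdev[0]['ifname'], { "ssid": "open" })

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['wpa'] = '3'
    hapd2 = hostapd.add_ap(apdev[1]['ifname'], params)

    class TestDbusScan(TestDbus):
        """Main-loop helper that triggers a scan and records its completion."""

        def __init__(self, bus):
            TestDbus.__init__(self, bus)
            self.scan_completed = False

        def __enter__(self):
            # Trigger the scan after 1 ms and arm a 7 second timeout before
            # entering the main loop; scanDone() quits the loop on success.
            gobject.timeout_add(1, self.run_scan)
            gobject.timeout_add(7000, self.timeout)
            self.add_signal(self.scanDone, WPAS_DBUS_OLD_IFACE,
                            "ScanResultsAvailable")
            self.loop.run()
            return self

        def scanDone(self):
            logger.debug("scanDone")
            self.scan_completed = True
            self.loop.quit()

        def run_scan(self, *args):
            logger.debug("run_scan")
            if not if_obj.scan(dbus_interface=WPAS_DBUS_OLD_IFACE):
                raise Exception("Failed to trigger scan")
            # Returning False keeps the timeout callback from repeating.
            return False

        def success(self):
            return self.scan_completed

    with TestDbusScan(bus) as t:
        if not t.success():
            raise Exception("Expected signals not seen")

    res = if_obj.scanResults(dbus_interface=WPAS_DBUS_OLD_IFACE)
    if len(res) != 2:
        raise Exception("Unexpected number of scan results: " + str(res))
    for bss_path in res:
        logger.debug("Scan result BSS path: " + bss_path)
        bss_obj = bus.get_object(WPAS_DBUS_OLD_SERVICE, bss_path)
        bss = bss_obj.properties(dbus_interface=WPAS_DBUS_OLD_BSSID,
                                 byte_arrays=True)
        logger.debug("BSS: " + str(bss))

    # NOTE(review): obj is fetched but the call below goes through bss_obj
    # (the proxy for the last scan result); kept as in the original.
    obj = bus.get_object(WPAS_DBUS_OLD_SERVICE, res[0])
    # The failure is raised from the else branch. Raising it inside the try
    # body would be caught by the handler below and the negative check
    # could never fail. "except ... as" also parses on Python 3.
    try:
        bss_obj.properties2(dbus_interface=WPAS_DBUS_OLD_BSSID)
    except Exception as e:
        logger.debug("Unknown BSSID method exception: " + str(e))
    else:
        raise Exception("Unknown BSSID method accepted")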
def test_erp_radius_eap_methods(dev, apdev):
    """ERP enabled on RADIUS server and peer

    Runs erp_test() once per EAP method against an AP that has ERP enabled
    and PMKSA caching disabled. FAST, PEAP/TEAP (inner MSCHAPv2) and PWD
    are exercised only when the station reports the needed capability.
    """
    check_erp_capa(dev[0])
    eap_methods = dev[0].get_capability("eap")
    start_erp_as()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['auth_server_port'] = "18128"
    params['erp_send_reauth_start'] = '1'
    params['erp_domain'] = 'example.com'
    # PMKSA caching is turned off on the AP for this test.
    params['disable_pmksa_caching'] = '1'
    hapd = hostapd.add_ap(apdev[0], params)

    def run(**network):
        # Every case uses the same station and AP; only the network
        # parameters differ.
        erp_test(dev[0], hapd, **network)

    run(eap="AKA", identity="*****@*****.**", password="******")
    run(reauth=True, eap="AKA", identity="*****@*****.**",
        password="******")
    run(eap="AKA'", identity="*****@*****.**", password="******")
    run(reauth=True, eap="AKA'", identity="*****@*****.**",
        password="******")
    run(eap="EKE", identity="*****@*****.**", password="******")
    if "FAST" in eap_methods:
        run(eap="FAST", identity="*****@*****.**", password="******",
            ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
            phase1="fast_provisioning=2",
            pac_file="blob://fast_pac_auth_erp")
    run(eap="GPSK", identity="*****@*****.**", password="******")
    run(eap="IKEV2", identity="*****@*****.**", password="******")
    run(eap="PAX", identity="*****@*****.**",
        password_hex="0123456789abcdef0123456789abcdef")
    if "MSCHAPV2" in eap_methods:
        run(eap="PEAP", identity="*****@*****.**", password="******",
            ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
        run(eap="TEAP", identity="*****@*****.**", password="******",
            ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
            pac_file="blob://teap_pac")
    run(eap="PSK", identity="*****@*****.**",
        password_hex="0123456789abcdef0123456789abcdef")
    if "PWD" in eap_methods:
        run(eap="PWD", identity="*****@*****.**", password="******")
    run(eap="SAKE", identity="*****@*****.**",
        password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
    run(eap="SIM", identity="*****@*****.**", password="******")
    run(reauth=True, eap="SIM", identity="*****@*****.**",
        password="******")
    run(eap="TLS", identity="*****@*****.**",
        ca_cert="auth_serv/ca.pem",
        client_cert="auth_serv/user.pem",
        private_key="auth_serv/user.key")
    run(eap="TTLS", identity="*****@*****.**", password="******",
        ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
def test_pmksa_cache_ctrl_ext(dev, apdev):
    """PMKSA cache control interface for external management

    Exports the PMKSA cache with PMKSA_GET after connecting to two APs,
    flushes it, restores it with PMKSA_ADD and verifies that the following
    connection completes without an EAP exchange.

    The exported lines are enough to reconnect without authentication, so
    they should be treated as key material. This test writes them to the
    log at info level.
    """
    sta = dev[0]
    ssid = "test-pmksa-cache"
    params = hostapd.wpa2_eap_params(ssid="test-pmksa-cache")
    hapd = hostapd.add_ap(apdev[0], params)
    bssid = apdev[0]['bssid']

    network = dict(proto="RSN", key_mgmt="WPA-EAP", eap="GPSK",
                   identity="gpsk user", password="******",
                   scan_freq="2412")
    id = sta.connect(ssid, **network)

    exported_one = sta.request("PMKSA_GET %d" % id)
    logger.info("PMKSA_GET: " + exported_one)
    if "UNKNOWN COMMAND" in exported_one:
        raise HwsimSkip("PMKSA_GET not supported in the build")
    if bssid not in exported_one:
        raise Exception("PMKSA cache entry missing")

    hostapd.add_ap(apdev[1], params)
    bssid2 = apdev[1]['bssid']
    sta.scan_for_bss(bssid2, freq=2412, force_scan=True)
    sta.request("ROAM " + bssid2)
    sta.wait_connected()

    # After the roam the export has to list both APs.
    exported_both = sta.request("PMKSA_GET %d" % id)
    logger.info("PMKSA_GET: " + exported_both)
    if bssid not in exported_both:
        raise Exception("PMKSA cache entry 1 missing")
    if bssid2 not in exported_both:
        raise Exception("PMKSA cache entry 2 missing")

    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
    sta.request("PMKSA_FLUSH")

    # Re-create the network without connecting; its cache must be empty and
    # a lookup for a network id that does not exist must fail.
    id = sta.connect(ssid, only_add_network=True, **network)
    after_flush = sta.request("PMKSA_GET %d" % id)
    if after_flush != '':
        raise Exception("Unexpected PMKSA cache entry remains: " + after_flush)
    unknown_net = sta.request("PMKSA_GET %d" % (id + 1234))
    if not unknown_net.startswith('FAIL'):
        raise Exception("Unexpected PMKSA cache entry for unknown network: " +
                        unknown_net)

    for line in exported_both.splitlines():
        if "OK" not in sta.request("PMKSA_ADD %d %s" % (id, line)):
            raise Exception("Failed to add PMKSA entry")

    sta.select_network(id)
    ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED", "CTRL-EVENT-CONNECTED"],
                        timeout=15)
    if ev is None:
        raise Exception("Connection with the AP timed out")
    # An EAP start here means the restored entries were not used.
    if "CTRL-EVENT-EAP-STARTED" in ev:
        raise Exception(
            "Unexpected EAP exchange after external PMKSA cache restore")
def test_pmksa_cache_on_roam_back(dev, apdev):
    """PMKSA cache to skip EAP on reassociation back to same AP

    Connects to AP1, roams to AP2 (full EAP expected), roams back to AP1
    (no EAP expected, same PMKID as before) and finally verifies that
    PMKSA_FLUSH removes both entries and forces a reconnection.
    """
    sta = dev[0]
    params = hostapd.wpa2_eap_params(ssid="test-pmksa-cache")
    hostapd.add_ap(apdev[0], params)
    bssid = apdev[0]['bssid']
    sta.connect("test-pmksa-cache",
                proto="RSN",
                key_mgmt="WPA-EAP",
                eap="GPSK",
                identity="gpsk user",
                password="******",
                scan_freq="2412")
    first_entry = sta.get_pmksa(bssid)
    if first_entry is None:
        raise Exception("No PMKSA cache entry created")
    if first_entry['opportunistic'] != '0':
        raise Exception("Unexpected opportunistic PMKSA cache entry")

    hostapd.add_ap(apdev[1], params)
    bssid2 = apdev[1]['bssid']

    sta.dump_monitor()
    logger.info("Roam to AP2")
    # The second AP may need a while before it answers Probe Request frames,
    # in particular under heavy CPU load. Scan up to ten times so that a
    # missed scan result is not reported as a test failure.
    for _ in range(10):
        sta.scan(freq="2412")
        if sta.get_bss(bssid2) is not None:
            break
        logger.info("Scan again to find target AP")
    sta.request("ROAM " + bssid2)
    if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    sta.wait_connected(timeout=10, error="Roaming timed out")
    second_entry = sta.get_pmksa(bssid2)
    if second_entry is None:
        raise Exception("No PMKSA cache entry found")
    if second_entry['opportunistic'] != '0':
        raise Exception("Unexpected opportunistic PMKSA cache entry")

    sta.dump_monitor()
    logger.info("Roam back to AP1")
    sta.scan(freq="2412")
    sta.request("ROAM " + bssid)
    ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED", "CTRL-EVENT-CONNECTED"],
                        timeout=10)
    if ev is None:
        raise Exception("Roaming with the AP timed out")
    # Seeing an EAP start means the cached entry for AP1 was not used.
    if "CTRL-EVENT-EAP-STARTED" in ev:
        raise Exception("Unexpected EAP exchange")
    entry_after_return = sta.get_pmksa(bssid)
    if entry_after_return is None:
        raise Exception("No PMKSA cache entry found")
    if first_entry['pmkid'] != entry_after_return['pmkid']:
        raise Exception("Unexpected PMKID change for AP1")

    sta.dump_monitor()
    if "FAIL" in sta.request("PMKSA_FLUSH"):
        raise Exception("PMKSA_FLUSH failed")
    # Neither AP may still have an entry after the flush.
    if any(sta.get_pmksa(addr) is not None for addr in (bssid, bssid2)):
        raise Exception("PMKSA_FLUSH did not remove PMKSA entries")
    sta.wait_disconnected(timeout=5)
    sta.wait_connected(timeout=15, error="Reconnection timed out")
def generic_pmksa_cache_preauth(dev,
                                apdev,
                                extraparams,
                                identity,
                                databridge,
                                force_disconnect=False):
    """Shared body for RSN pre-authentication / PMKSA caching tests.

    Connects dev[0] to a first AP on bridge ap-br0 with EAP-PAX, adds a
    second AP with rsn_preauth enabled, waits for a PMKSA entry created by
    pre-authentication and then roams to the second AP, which must complete
    without an EAP exchange and with an unchanged PMKID.

    extraparams -- sequence of two dicts merged into the configuration of
        the first and second AP; a falsy value means no extra settings
    identity -- EAP identity used for the EAP-PAX connection
    databridge -- interface name used as rsn_preauth_interfaces and for
        the connectivity checks
    force_disconnect -- when true, disconnect the station and disable the
        first AP before the bridge is removed

    The ap-br0 bridge is taken down and deleted in the finally block, so
    the cleanup also runs when a check raises or the function returns
    early.
    """
    if not extraparams:
        extraparams = [{}, {}]
    try:
        params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        params['bridge'] = 'ap-br0'
        for key, value in extraparams[0].items():
            params[key] = value

        hapd = hostapd.add_ap(apdev[0], params)
        hapd.cmd_execute(['brctl', 'setfd', 'ap-br0', '0'])
        hapd.cmd_execute(['ip', 'link', 'set', 'dev', 'ap-br0', 'up'])
        eap_connect(dev[0],
                    hapd,
                    "PAX",
                    identity,
                    password_hex="0123456789abcdef0123456789abcdef")

        # Verify connectivity in the correct VLAN
        hwsim_utils.test_connectivity_iface(dev[0], hapd, databridge)

        params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        params['bridge'] = 'ap-br0'
        params['rsn_preauth'] = '1'
        params['rsn_preauth_interfaces'] = databridge
        for key, value in extraparams[1].items():
            params[key] = value
        hapd1 = hostapd.add_ap(apdev[1], params)
        bssid1 = apdev[1]['bssid']
        dev[0].scan(freq="2412")
        # Poll for up to 50 rounds of 0.1 s: the PMKSA entry for the second
        # AP has to appear, and STATUS has to have shown the
        # pre-authentication state machines at least once along the way.
        success = False
        status_seen = False
        for i in range(0, 50):
            if not status_seen:
                status = dev[0].request("STATUS")
                if "Pre-authentication EAPOL state machines:" in status:
                    status_seen = True
            time.sleep(0.1)
            pmksa = dev[0].get_pmksa(bssid1)
            if pmksa:
                success = True
                break
        if not success:
            raise Exception(
                "No PMKSA cache entry created from pre-authentication")
        if not status_seen:
            raise Exception(
                "Pre-authentication EAPOL status was not available")

        dev[0].scan(freq="2412")
        if "[WPA2-EAP-CCMP-preauth]" not in dev[0].request("SCAN_RESULTS"):
            raise Exception("Scan results missing RSN element info")
        dev[0].request("ROAM " + bssid1)
        ev = dev[0].wait_event(
            ["CTRL-EVENT-EAP-STARTED", "CTRL-EVENT-CONNECTED"], timeout=10)
        if ev is None:
            raise Exception("Roaming with the AP timed out")
        # An EAP start here means the pre-authenticated entry was not used.
        if "CTRL-EVENT-EAP-STARTED" in ev:
            raise Exception("Unexpected EAP exchange")
        pmksa2 = dev[0].get_pmksa(bssid1)
        if pmksa2 is None:
            raise Exception("No PMKSA cache entry")
        if pmksa['pmkid'] != pmksa2['pmkid']:
            raise Exception("Unexpected PMKID change")

        hapd1.wait_sta()
        # Verify connectivity in the correct VLAN
        hwsim_utils.test_connectivity_iface(dev[0], hapd, databridge)

        if not force_disconnect:
            return

        # Disconnect the STA from both APs to avoid forceful ifdown by the
        # test script on a VLAN that this has an associated STA. That used to
        # trigger a mac80211 warning.
        dev[0].request("DISCONNECT")
        hapd.request("DISABLE")

    finally:
        # NOTE(review): an argument list is combined with shell=True here,
        # presumably so that '2>' '/dev/null' acts as a shell redirection.
        # Every element is a fixed literal in this function; confirm how
        # hostapd.cmd_execute builds the command line before reusing the
        # pattern with variable arguments.
        hostapd.cmd_execute(
            apdev[0],
            ['ip', 'link', 'set', 'dev', 'ap-br0', 'down', '2>', '/dev/null'],
            shell=True)
        hostapd.cmd_execute(apdev[0],
                            ['brctl', 'delbr', 'ap-br0', '2>', '/dev/null'],
                            shell=True)
def test_pmksa_cache_multiple_sta(dev, apdev):
    """PMKSA cache with multiple stations

    Four stations (dev[0..2] plus an extra wlan5 interface) connect to AP1,
    roam to AP2 with a full EAP exchange, roam back to AP1 and, after a
    four second pause, roam to AP2 once more.
    """
    ssid = "test-pmksa-cache"
    params = hostapd.wpa2_eap_params(ssid="test-pmksa-cache")
    hostapd.add_ap(apdev[0], params)
    bssid = apdev[0]['bssid']

    def join(station, identity):
        # All stations use the same network settings apart from the identity.
        station.connect(ssid,
                        proto="RSN",
                        key_mgmt="WPA-EAP",
                        eap="GPSK",
                        identity=identity,
                        password="******",
                        scan_freq="2412")

    def roam_all(target):
        # Roam each station to target and wait until it is connected; no
        # EAP event is required for these roams.
        for station in (dev[1], wpas, dev[0], dev[2]):
            station.dump_monitor()
            station.scan(freq="2412")
            station.dump_monitor()
            station.request("ROAM " + target)
            station.wait_connected(timeout=10, error="Roaming timed out")
            station.dump_monitor()

    for d in dev:
        d.flush_scan_cache()
    join(dev[0], "gpsk-user-session-timeout")
    join(dev[1], "gpsk user")
    join(dev[2], "gpsk-user-session-timeout")

    wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
    wpas.interface_add("wlan5")
    wpas.flush_scan_cache()
    join(wpas, "gpsk user")

    hostapd.add_ap(apdev[1], params)
    bssid2 = apdev[1]['bssid']

    logger.info("Roam to AP2")
    # First visit to AP2: every station has to report EAP success.
    for station in (dev[1], dev[0], dev[2], wpas):
        station.dump_monitor()
        station.scan_for_bss(bssid2, freq="2412")
        if "OK" not in station.request("ROAM " + bssid2):
            raise Exception("ROAM command failed (" + station.ifname + ")")
        if station.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        station.wait_connected(timeout=10, error="Roaming timed out")
        station.dump_monitor()

    logger.info("Roam back to AP1")
    roam_all(bssid)

    time.sleep(4)

    logger.info("Roam back to AP2")
    roam_all(bssid2)
def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE"""
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_ifname = apdev[0]['ifname']
    hostapd.add_ap(ap_ifname, ap_conf)
    credentials = {"password": "******"}
    eap_connect(dev[0], "EKE", "eke user", **credentials)
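def generic_ap_vlan_wpa2_radius_id_change(dev, apdev, tagged):
    """Verify that a changed RADIUS VLAN assignment is applied on reauth.

    A hostapd instance on apdev[1] acts as the authentication server and a
    dynamic-VLAN AP runs on apdev[0]. The station connects with EAP-PAX,
    the server's user file is swapped so that the VLAN becomes 2, and then
    swapped back so that it becomes 1 again. After each reauthentication
    the station entry must carry a vlan_id and the data path must work on
    the matching bridge.

    tagged -- when true, the "vlan1tagged" identity is used and data is
        tested over wlan0.<n>/brvlan<n>; the vlan_id value itself is then
        only checked for presence, not for its value.
    """
    as_params = {
        "ssid": "as",
        "beacon_int": "2000",
        "radius_server_clients": "auth_serv/radius_clients.conf",
        "radius_server_auth_port": '18128',
        "eap_server": "1",
        "eap_user_file": "auth_serv/eap_user.conf",
        "ca_cert": "auth_serv/ca.pem",
        "server_cert": "auth_serv/server.pem",
        "private_key": "auth_serv/server.key"
    }
    authserv = hostapd.add_ap(apdev[1], as_params)

    params = hostapd.wpa2_eap_params(ssid="test-vlan")
    params['dynamic_vlan'] = "1"
    params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0], params)

    identity = "vlan1tagged" if tagged else "vlan1"

    def check_data_path(vlan):
        # Data connectivity on the bridge that belongs to the given VLAN.
        if tagged:
            hwsim_utils.run_connectivity_test(dev[0],
                                              hapd,
                                              0,
                                              ifname1="wlan0." + vlan,
                                              ifname2="brvlan" + vlan)
        else:
            hwsim_utils.test_connectivity_iface(dev[0], hapd, "brvlan" + vlan)

    def change_users_and_reauth(user_file, expected_vlan):
        # Restart the authentication server with another user file, force a
        # reauthentication and check the VLAN recorded for the station.
        authserv.disable()
        authserv.set('eap_user_file', user_file)
        authserv.enable()

        dev[0].dump_monitor()
        dev[0].request("REAUTHENTICATE")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
        if ev is None:
            raise Exception("EAP reauthentication timed out")
        ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=5)
        if ev is None:
            raise Exception("4-way handshake after reauthentication timed out")
        state = dev[0].get_status_field('wpa_state')
        if state != "COMPLETED":
            raise Exception("Unexpected state after reauth: " + state)
        sta = hapd.get_sta(dev[0].own_addr())
        if 'vlan_id' not in sta:
            raise Exception("No VLAN ID in STA info")
        if (not tagged) and (sta['vlan_id'] != expected_vlan):
            raise Exception("Unexpected VLAN ID: " + sta['vlan_id'])

    dev[0].connect("test-vlan",
                   key_mgmt="WPA-EAP",
                   eap="PAX",
                   identity=identity,
                   password_hex="0123456789abcdef0123456789abcdef",
                   scan_freq="2412")
    check_data_path("1")

    logger.info("VLAN-ID -> 2")
    change_users_and_reauth("auth_serv/eap_user_vlan.conf", '2')
    check_data_path("2")

    logger.info("VLAN-ID -> 1")
    time.sleep(1)
    change_users_and_reauth("auth_serv/eap_user.conf", '1')
    time.sleep(0.2)
    try:
        check_data_path("1")
    except Exception:
        # It is possible for new bridge setup to not be ready immediately, so
        # try again to avoid reporting issues related to that. The handler
        # no longer uses the Python 2-only "except Exception, e" form, which
        # also bound a name that was never read.
        logger.info("First VLAN-ID 1 data test failed - try again")
        check_data_path("1")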
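def test_fils_sk_multiple_realms(dev, apdev):
    """FILS SK and multiple realms

    Configures an AP with 17 FILS realms, checks the FILS information the
    station learns from scanning and from an ANQP query, and then verifies
    that a second association uses FILS/ERP without a full EAP exchange.
    """
    check_fils_capa(dev[0])
    check_erp_capa(dev[0])

    start_erp_as(apdev[1])

    bssid = apdev[0]['bssid']
    params = hostapd.wpa2_eap_params(ssid="fils")
    params['wpa_key_mgmt'] = "FILS-SHA256"
    params['auth_server_port'] = "18128"
    params['erp_domain'] = 'example.com'
    fils_realms = [ 'r1.example.org', 'r2.EXAMPLE.org', 'r3.example.org',
                    'r4.example.org', 'r5.example.org', 'r6.example.org',
                    'r7.example.org', 'r8.example.org',
                    'example.com',
                    'r9.example.org', 'r10.example.org', 'r11.example.org',
                    'r12.example.org', 'r13.example.org', 'r14.example.org',
                    'r15.example.org', 'r16.example.org' ]
    params['fils_realm'] = fils_realms
    params['fils_cache_id'] = "1234"
    params['hessid'] = bssid
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    def realm_ids(realms):
        # Hex of the first two octets of SHA-256 over each lower-cased realm,
        # concatenated. encode()/decode() keep this working on Python 3,
        # where sha256() needs bytes and hexlify() returns bytes.
        return ''.join(
            binascii.hexlify(
                hashlib.sha256(realm.lower().encode()).digest()[0:2]).decode()
            for realm in realms)

    dev[0].scan_for_bss(bssid, freq=2412)

    # NOTE(review): 275 is presumably the ANQP Info ID of the FILS Realm
    # Information element checked further down; confirm.
    if "OK" not in dev[0].request("ANQP_GET " + bssid + " 275"):
        raise Exception("ANQP_GET command failed")
    ev = dev[0].wait_event(["GAS-QUERY-DONE"], timeout=10)
    if ev is None:
        raise Exception("GAS query timed out")
    bss = dev[0].get_bss(bssid)

    if 'fils_info' not in bss:
        raise Exception("FILS Indication element information missing")
    if bss['fils_info'] != '02b8':
        raise Exception("Unexpected FILS Information: " + bss['fils_info'])

    if 'fils_cache_id' not in bss:
        raise Exception("FILS Cache Identifier missing")
    if bss['fils_cache_id'] != '1234':
        raise Exception("Unexpected FILS Cache Identifier: " + bss['fils_cache_id'])

    if 'fils_realms' not in bss:
        raise Exception("FILS Realm Identifiers missing")
    # The scan result is expected to list only the first seven realms.
    expected = realm_ids(fils_realms[:7])
    if bss['fils_realms'] != expected:
        raise Exception("Unexpected FILS Realm Identifiers: " + bss['fils_realms'])

    if 'anqp_fils_realm_info' not in bss:
        raise Exception("FILS Realm Information ANQP-element not seen")
    info = bss['anqp_fils_realm_info']
    # The ANQP element is expected to list every configured realm.
    expected = realm_ids(fils_realms)
    if info != expected:
        raise Exception("Unexpected FILS Realm Info ANQP-element: " + info)

    dev[0].request("ERP_FLUSH")
    net_id = dev[0].connect("fils", key_mgmt="FILS-SHA256",
                            eap="PSK", identity="*****@*****.**",
                            password_hex="0123456789abcdef0123456789abcdef",
                            erp="1", scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    dev[0].dump_monitor()
    dev[0].select_network(net_id, freq=2412)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
                            "EVENT-ASSOC-REJECT",
                            "CTRL-EVENT-CONNECTED"], timeout=10)
    if ev is None:
        raise Exception("Connection using FILS/ERP timed out")
    # A full EAP exchange here means FILS/ERP was not used.
    if "CTRL-EVENT-EAP-STARTED" in ev:
        raise Exception("Unexpected EAP exchange")
    if "EVENT-ASSOC-REJECT" in ev:
        raise Exception("Association failed")
    hwsim_utils.test_connectivity(dev[0], hapd)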
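def test_dbus_old_scan(dev, apdev):
    """The old D-Bus interface - scanning

    Starts an open AP and an EAP AP (with wpa set to '3'), triggers a scan
    through the old D-Bus interface and expects exactly two BSS entries.
    It then exercises the error paths of the interface: an unknown BSSID
    method, flush() with invalid arguments, and a BSS object that has been
    flushed.
    """
    (bus, wpas_obj, path, if_obj) = prepare_dbus(dev[0])

    hapd = hostapd.add_ap(apdev[0], {"ssid": "open"})

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['wpa'] = '3'
    hapd2 = hostapd.add_ap(apdev[1], params)

    class TestDbusScan(TestDbus):
        """Run one scan inside the main loop and record its completion."""

        def __init__(self, bus):
            TestDbus.__init__(self, bus)
            self.scan_completed = False

        def __enter__(self):
            # Schedule the scan almost immediately and a 7 s watchdog;
            # self.timeout comes from TestDbus (not shown here).
            gobject.timeout_add(1, self.run_scan)
            gobject.timeout_add(7000, self.timeout)
            self.add_signal(self.scanDone, WPAS_DBUS_OLD_IFACE,
                            "ScanResultsAvailable")
            self.loop.run()
            return self

        def scanDone(self):
            logger.debug("scanDone")
            self.scan_completed = True
            self.loop.quit()

        def run_scan(self, *args):
            logger.debug("run_scan")
            if not if_obj.scan(dbus_interface=WPAS_DBUS_OLD_IFACE):
                raise Exception("Failed to trigger scan")
            # Returning False keeps the timeout callback from repeating.
            return False

        def success(self):
            return self.scan_completed

    with TestDbusScan(bus) as t:
        if not t.success():
            raise Exception("Expected signals not seen")

    res = if_obj.scanResults(dbus_interface=WPAS_DBUS_OLD_IFACE)
    if len(res) != 2:
        raise Exception("Unexpected number of scan results: " + str(res))
    for bss_path in res:
        logger.debug("Scan result BSS path: " + bss_path)
        bss_obj = bus.get_object(WPAS_DBUS_OLD_SERVICE, bss_path)
        bss = bss_obj.properties(dbus_interface=WPAS_DBUS_OLD_BSSID,
                                 byte_arrays=True)
        logger.debug("BSS: " + str(bss))

    # NOTE(review): this proxy for the first result is never used; the calls
    # below go through bss_obj, i.e. the last entry from the loop above.
    obj = bus.get_object(WPAS_DBUS_OLD_SERVICE, res[0])
    try:
        bss_obj.properties2(dbus_interface=WPAS_DBUS_OLD_BSSID)
    except Exception as e:
        logger.debug("Unknown BSSID method exception: " + str(e))
    else:
        # Raised outside the try body: the broad except above would
        # otherwise catch this failure and the test could never detect an
        # interface that accepts an unknown method.
        raise Exception("Unknown BSSID method accepted")

    if not if_obj.flush(0, dbus_interface=WPAS_DBUS_OLD_IFACE):
        raise Exception("Failed to issue flush(0)")
    res = if_obj.scanResults(dbus_interface=WPAS_DBUS_OLD_IFACE)
    if len(res) != 0:
        raise Exception("Unexpected BSS entry after flush")
    if not if_obj.flush(1, dbus_interface=WPAS_DBUS_OLD_IFACE):
        raise Exception("Failed to issue flush(1)")
    try:
        if_obj.flush("foo", dbus_interface=WPAS_DBUS_OLD_IFACE)
        # Not a DBusException, so the handler below lets it propagate.
        raise Exception("Invalid flush arguments accepted")
    except dbus.exceptions.DBusException as e:
        if not str(e).startswith(
                "fi.epitest.hostap.WPASupplicant.InvalidOptions"):
            raise Exception("Unexpected error message for invalid flush: " +
                            str(e))
    # NOTE(review): only the error name is checked here; a successful call
    # on the flushed BSS object passes silently. Confirm that is intended.
    try:
        bss_obj.properties(dbus_interface=WPAS_DBUS_OLD_BSSID,
                           byte_arrays=True)
    except dbus.exceptions.DBusException as e:
        if not str(e).startswith(
                "fi.epitest.hostap.WPASupplicant.Interface.InvalidBSSID"):
            raise Exception("Unexpected error message for invalid BSS: " +
                            str(e))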
def test_dbus_old_connect_eap(dev, apdev):
    """The old D-Bus interface - add an EAP network and connect

    Brings up an EAP AP, adds and enables a TTLS/PAP network through the
    old D-Bus interface, and passes only if both a StateChange to
    COMPLETED and a Certification signal were received.
    """
    bus, wpas_obj, path, if_obj = prepare_dbus(dev[0])

    ssid = "test-wpa2-eap"
    hapd = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid=ssid))

    class TestDbusConnect(TestDbus):
        """Drive the connection from the main loop and track the signals."""

        def __init__(self, bus):
            TestDbus.__init__(self, bus)
            self.certification_received = False
            self.connected = False

        def __enter__(self):
            # Start connecting almost immediately, with a 15 s watchdog;
            # self.timeout comes from TestDbus (not shown here).
            gobject.timeout_add(1, self.run_connect)
            gobject.timeout_add(15000, self.timeout)
            handlers = ((self.stateChange, "StateChange"),
                        (self.certification, "Certification"))
            for handler, signal_name in handlers:
                self.add_signal(handler, WPAS_DBUS_OLD_IFACE, signal_name)
            self.loop.run()
            return self

        def stateChange(self, new, old):
            logger.debug("stateChange: %s --> %s" % (old, new))
            if new != "COMPLETED":
                return
            self.connected = True
            self.loop.quit()

        def certification(self, depth, subject, hash, cert_hex):
            msg = "certification: depth={} subject={} hash={} cert_hex={}"
            logger.debug(msg.format(depth, subject, hash, cert_hex))
            self.certification_received = True

        def run_connect(self, *args):
            logger.debug("run_connect")
            net_path = if_obj.addNetwork(dbus_interface=WPAS_DBUS_OLD_IFACE)
            network = bus.get_object(WPAS_DBUS_OLD_SERVICE, net_path)
            # ca_cert names the CA for the server certificate; the PAP
            # credentials are the TTLS phase 2 (inner) method.
            settings = {
                'ssid': ssid,
                'key_mgmt': 'WPA-EAP',
                'eap': 'TTLS',
                'anonymous_identity': 'ttls',
                'identity': 'pap user',
                'ca_cert': 'auth_serv/ca.pem',
                'phase2': 'auth=PAP',
                'password': '******',
                'scan_freq': 2412
            }
            network.set(dbus.Dictionary(settings, signature='sv'),
                        dbus_interface=WPAS_DBUS_OLD_NETWORK)
            network.enable(dbus_interface=WPAS_DBUS_OLD_NETWORK)
            self.path = net_path
            self.netw_obj = network
            # Returning False keeps the timeout callback from repeating.
            return False

        def success(self):
            # Both the completed state and the certificate report are needed.
            return self.connected and self.certification_received

    with TestDbusConnect(bus) as t:
        signals_seen = t.success()
        if not signals_seen:
            raise Exception("Expected signals not seen")
def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd

    Starts an AP with the WPA2-EAP parameters for SSID "test-wpa2-eap" and
    connects dev[0] with EAP method PWD as "pwd user".
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, ap_params)
    station = dev[0]
    eap_connect(station, "PWD", "pwd user", password="******")
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2

    Starts an AP with the WPA2-EAP parameters for SSID "test-wpa2-eap" and
    connects dev[0] with EAP method IKEV2 as "ikev2 user".
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, ap_params)
    station = dev[0]
    eap_connect(station, "IKEV2", "ikev2 user", password="******")