def run_pmksa_cache_preauth_auto(dev, apdev):
    """Check that pre-authentication populates the PMKSA cache for two APs.

    Both APs are started from the same configuration, with RSN
    pre-authentication enabled on bridge ap-br0. After the station has
    connected, its PMKSA cache is polled (20 rounds, 0.5 s apart) until it
    holds an entry for each BSSID.

    Raises:
        Exception: if both entries are still missing when polling ends.
    """
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    for key, value in (('bridge', 'ap-br0'),
                       ('rsn_preauth', '1'),
                       ('rsn_preauth_interfaces', 'ap-br0')):
        ap_conf[key] = value

    first_ap = hostapd.add_ap(apdev[0], ap_conf)
    # Bridge forward delay 0, then bring the bridge up.
    first_ap.cmd_execute(['brctl', 'setfd', 'ap-br0', '0'])
    first_ap.cmd_execute(['ip', 'link', 'set', 'dev', 'ap-br0', 'up'])
    # Bound to a local so the second AP object stays referenced until return.
    second_ap = hostapd.add_ap(apdev[1], ap_conf)

    sta = dev[0]
    # NOTE(review): None is passed where other callers on this page pass the
    # AP object; what eap_connect does differently then is not visible here.
    eap_connect(sta, None, "PAX", "*****@*****.**",
                password_hex="0123456789abcdef0123456789abcdef")

    for _ in range(20):
        time.sleep(0.5)
        entry_first = sta.get_pmksa(apdev[0]['bssid'])
        entry_second = sta.get_pmksa(apdev[1]['bssid'])
        if entry_first and entry_second:
            return
    raise Exception("The expected PMKSA cache entries not found")
def test_eap_teap_client_cert(dev, apdev):
    """EAP-TEAP with client certificate in Phase 1

    Covers two cases against the same server: a peer that presents a client
    certificate and has no Phase 2 configuration, and a peer without a
    certificate that authenticates with a password in Phase 2. For the
    first peer, a reauthentication must report TLS session reuse.
    """
    cert_sta = dev[0]
    check_eap_capa(cert_sta, "TEAP")
    hapd = hostapd.add_ap(apdev[0], int_teap_server_params(eap_teap_auth="2"))

    # The server must accept a client that has a certificate but no
    # Phase 2 configuration.
    eap_connect(cert_sta, hapd, "TEAP", "user",
                anonymous_identity="TEAP",
                phase1="teap_provisioning=2",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key",
                ca_cert="auth_serv/ca.pem",
                pac_file="blob://teap_pac")
    cert_sta.dump_monitor()
    reauth_status = eap_reauth(cert_sta, "TEAP")
    if reauth_status['tls_session_reused'] != '1':
        raise Exception("EAP-TEAP could not use PAC session ticket")

    # The server must also accept a client that has no certificate.
    eap_connect(dev[1], hapd, "TEAP", "user",
                anonymous_identity="TEAP",
                password="******",
                ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac")
def test_pmksa_cache_preauth(dev, apdev):
    """RSN pre-authentication to generate PMKSA cache entry

    The station connects to a first AP, a second AP with pre-authentication
    enabled is added on the same bridge, and the station is expected to
    obtain a PMKSA cache entry for the second AP before roaming to it. The
    roam must complete without a new EAP exchange and with the same PMKID.
    The bridge ap-br0 is taken down and deleted whatever the outcome.
    """
    try:
        sta = dev[0]
        first_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        first_conf['bridge'] = 'ap-br0'
        hostapd.add_ap(apdev[0]['ifname'], first_conf)
        subprocess.call(['brctl', 'setfd', 'ap-br0', '0'])
        subprocess.call(['ip', 'link', 'set', 'dev', 'ap-br0', 'up'])
        eap_connect(sta, apdev[0], "PAX", "*****@*****.**",
                    password_hex="0123456789abcdef0123456789abcdef")

        second_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        for key, value in (('bridge', 'ap-br0'),
                           ('rsn_preauth', '1'),
                           ('rsn_preauth_interfaces', 'ap-br0')):
            second_conf[key] = value
        hostapd.add_ap(apdev[1]['ifname'], second_conf)
        target = apdev[1]['bssid']
        sta.scan(freq="2412")

        # Poll for the cache entry; along the way, note whether STATUS ever
        # exposed the pre-authentication state machine section.
        status_seen = False
        for _ in range(50):
            if not status_seen:
                status_seen = ("Pre-authentication EAPOL state machines:"
                               in sta.request("STATUS"))
            time.sleep(0.1)
            pmksa = sta.get_pmksa(target)
            if pmksa:
                break
        else:
            raise Exception(
                "No PMKSA cache entry created from pre-authentication")
        if not status_seen:
            raise Exception(
                "Pre-authentication EAPOL status was not available")

        sta.scan(freq="2412")
        if "[WPA2-EAP-CCMP-preauth]" not in sta.request("SCAN_RESULTS"):
            raise Exception("Scan results missing RSN element info")

        sta.request("ROAM " + target)
        ev = sta.wait_event(
            ["CTRL-EVENT-EAP-STARTED", "CTRL-EVENT-CONNECTED"], timeout=10)
        if ev is None:
            raise Exception("Roaming with the AP timed out")
        # A fresh EAP exchange would mean the cached PMKSA was not used.
        if "CTRL-EVENT-EAP-STARTED" in ev:
            raise Exception("Unexpected EAP exchange")
        pmksa_after = sta.get_pmksa(target)
        if pmksa_after is None:
            raise Exception("No PMKSA cache entry")
        if pmksa['pmkid'] != pmksa_after['pmkid']:
            raise Exception("Unexpected PMKID change")
    finally:
        subprocess.call(['ip', 'link', 'set', 'dev', 'ap-br0', 'down'])
        subprocess.call(['brctl', 'delbr', 'ap-br0'])
def test_eap_teap_basic_password_auth_no_password(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth and no password configured

    Negative test: the peer is given no password, and the connection
    attempt is expected to fail.
    """
    sta = dev[0]
    check_eap_capa(sta, "TEAP")
    hapd = hostapd.add_ap(apdev[0], int_teap_server_params(eap_teap_auth="1"))
    eap_connect(sta, hapd, "TEAP", "user",
                anonymous_identity="TEAP",
                ca_cert="auth_serv/ca.pem",
                pac_file="blob://teap_pac",
                expect_failure=True)
def test_pmksa_cache_preauth_vlan_enabled(dev, apdev):
    """RSN pre-authentication to generate PMKSA cache entry
    (dynamic_vlan optional but station without VLAN set)

    Both APs run with dynamic_vlan=1. The station must obtain a PMKSA cache
    entry for the second AP through pre-authentication and then roam to it
    without a new EAP exchange and with an unchanged PMKID. The bridge
    ap-br0 is taken down and deleted whatever the outcome.
    """
    try:
        sta = dev[0]
        first_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        first_conf['bridge'] = 'ap-br0'
        first_conf['dynamic_vlan'] = '1'
        hostapd.add_ap(apdev[0]['ifname'], first_conf)
        subprocess.call(['brctl', 'setfd', 'ap-br0', '0'])
        subprocess.call(['ip', 'link', 'set', 'dev', 'ap-br0', 'up'])
        eap_connect(sta, apdev[0], "PAX", "*****@*****.**",
                    password_hex="0123456789abcdef0123456789abcdef")

        second_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        for key, value in (('bridge', 'ap-br0'),
                           ('rsn_preauth', '1'),
                           ('rsn_preauth_interfaces', 'ap-br0'),
                           ('dynamic_vlan', '1')):
            second_conf[key] = value
        hostapd.add_ap(apdev[1]['ifname'], second_conf)
        target = apdev[1]['bssid']
        sta.scan(freq="2412")

        # Poll for the cache entry; along the way, note whether STATUS ever
        # exposed the pre-authentication state machine section.
        status_seen = False
        for _ in range(50):
            if not status_seen:
                status_seen = ("Pre-authentication EAPOL state machines:"
                               in sta.request("STATUS"))
            time.sleep(0.1)
            pmksa = sta.get_pmksa(target)
            if pmksa:
                break
        else:
            raise Exception(
                "No PMKSA cache entry created from pre-authentication")
        if not status_seen:
            raise Exception(
                "Pre-authentication EAPOL status was not available")

        sta.scan(freq="2412")
        if "[WPA2-EAP-CCMP-preauth]" not in sta.request("SCAN_RESULTS"):
            raise Exception("Scan results missing RSN element info")

        sta.request("ROAM " + target)
        ev = sta.wait_event(
            ["CTRL-EVENT-EAP-STARTED", "CTRL-EVENT-CONNECTED"], timeout=10)
        if ev is None:
            raise Exception("Roaming with the AP timed out")
        # A fresh EAP exchange would mean the cached PMKSA was not used.
        if "CTRL-EVENT-EAP-STARTED" in ev:
            raise Exception("Unexpected EAP exchange")
        pmksa_after = sta.get_pmksa(target)
        if pmksa_after is None:
            raise Exception("No PMKSA cache entry")
        if pmksa['pmkid'] != pmksa_after['pmkid']:
            raise Exception("Unexpected PMKID change")
    finally:
        subprocess.call(['ip', 'link', 'set', 'dev', 'ap-br0', 'down'])
        subprocess.call(['brctl', 'delbr', 'ap-br0'])
def test_eap_teap_eap_vendor(dev, apdev):
    """EAP-TEAP with inner EAP-vendor

    Skipped by check_eap_capa (defined elsewhere) unless the station
    reports both TEAP and VENDOR-TEST support.
    """
    sta = dev[0]
    for method in ("TEAP", "VENDOR-TEST"):
        check_eap_capa(sta, method)
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_conf)
    eap_connect(sta, hapd, "TEAP", "vendor-test-2",
                anonymous_identity="TEAP",
                ca_cert="auth_serv/ca.pem",
                phase2="auth=VENDOR-TEST",
                pac_file="blob://teap_pac")
def test_eap_teap_eap_eke(dev, apdev):
    """EAP-TEAP with inner EAP-EKE

    The server certificate is validated against auth_serv/ca.pem and the
    inner method is selected with phase2="auth=EKE".
    """
    sta = dev[0]
    for method in ("TEAP", "EKE"):
        check_eap_capa(sta, method)
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_conf)
    eap_connect(sta, hapd, "TEAP", "user-eke-2",
                anonymous_identity="TEAP",
                password="******",
                ca_cert="auth_serv/ca.pem",
                phase2="auth=EKE",
                pac_file="blob://teap_pac")
def run_eap_teap_eap_mschapv2_id(dev, apdev, eap_teap_id, failure=False):
    """Run EAP-TEAP with inner EAP-MSCHAPv2 for one server eap_teap_id value.

    Args:
        dev: station list; dev[0] is used.
        apdev: AP list; apdev[0] is used.
        eap_teap_id: value for the server's eap_teap_id setting; it is
            converted with str() before being handed to the server params.
        failure: forwarded as expect_failure, so True makes this a negative
            test.
    """
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    server_conf = int_teap_server_params(eap_teap_id=str(eap_teap_id))
    hapd = hostapd.add_ap(apdev[0], server_conf)
    eap_connect(sta, hapd, "TEAP", "user",
                anonymous_identity="TEAP",
                password="******",
                ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac",
                expect_failure=failure)
def test_eap_teap_eap_mschapv2_separate_result(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 and separate message for Result TLV

    The server is configured with eap_teap_separate_result=1; the peer
    configuration is the ordinary MSCHAPv2-in-TEAP one.
    """
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    server_conf = int_teap_server_params(eap_teap_separate_result="1")
    hapd = hostapd.add_ap(apdev[0], server_conf)
    eap_connect(sta, hapd, "TEAP", "user",
                anonymous_identity="TEAP",
                password="******",
                ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac")
def test_eap_teap_peer_outer_tlvs(dev, apdev):
    """EAP-TEAP with peer Outer TLVs

    The peer is run with phase1="teap_test_outer_tlvs=1" against a default
    WPA2-EAP AP configuration.
    """
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_conf)
    eap_connect(sta, hapd, "TEAP", "user",
                anonymous_identity="TEAP",
                password="******",
                ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac",
                phase1="teap_test_outer_tlvs=1")
def test_eap_teap_basic_password_auth_machine(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth using machine credential

    The user identity is left empty; only machine_identity and
    machine_password are supplied to the peer.
    """
    sta = dev[0]
    check_eap_capa(sta, "TEAP")
    server_conf = int_teap_server_params(eap_teap_auth="1", eap_teap_id="2")
    hapd = hostapd.add_ap(apdev[0], server_conf)
    eap_connect(sta, hapd, "TEAP", "",
                anonymous_identity="TEAP",
                machine_identity="machine",
                machine_password="******",
                ca_cert="auth_serv/ca.pem",
                pac_file="blob://teap_pac")
def test_eap_teap_basic_password_auth_user_and_machine_no_machine(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth using user and machine credentials
    (no machine)

    Negative test: the peer supplies only user credentials, and the
    connection is expected to fail against a server started with
    eap_teap_id=5.
    """
    sta = dev[0]
    check_eap_capa(sta, "TEAP")
    server_conf = int_teap_server_params(eap_teap_auth="1", eap_teap_id="5")
    hapd = hostapd.add_ap(apdev[0], server_conf)
    eap_connect(sta, hapd, "TEAP", "user",
                password="******",
                anonymous_identity="TEAP",
                ca_cert="auth_serv/ca.pem",
                pac_file="blob://teap_pac",
                expect_failure=True)
def test_eap_teap_fragmentation(dev, apdev):
    """EAP-TEAP with fragmentation

    The peer is configured with fragment_size="100" so that the exchange
    has to be split into fragments.
    """
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_conf)
    eap_connect(sta, hapd, "TEAP", "user",
                anonymous_identity="TEAP",
                password="******",
                ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac",
                fragment_size="100")
def test_eap_teap_eap_mschapv2_user_and_machine_no_machine(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 using user and machine credentials
    (no machine)

    Negative test: the peer supplies only user credentials, and the
    connection is expected to fail against a server started with
    eap_teap_id=5.
    """
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    server_conf = int_teap_server_params(eap_teap_id="5")
    hapd = hostapd.add_ap(apdev[0], server_conf)
    eap_connect(sta, hapd, "TEAP", "user",
                password="******",
                anonymous_identity="TEAP",
                ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac",
                expect_failure=True)
def test_eap_teap_eap_mschapv2_machine(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 using machine credential

    The user identity is left empty; only machine_identity and
    machine_password are supplied to the peer.
    """
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    server_conf = int_teap_server_params(eap_teap_id="2")
    hapd = hostapd.add_ap(apdev[0], server_conf)
    eap_connect(sta, hapd, "TEAP", "",
                anonymous_identity="TEAP",
                machine_identity="machine",
                machine_password="******",
                ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac")
def run_eap_teap_tls_cs(dev, apdev, cipher):
    """Run EAP-TEAP with the server restricted to a given TLS cipher setting.

    Args:
        dev: station list; dev[0] is used.
        apdev: AP list; apdev[0] is used.
        cipher: value written to the server's openssl_ciphers parameter.

    Raises:
        HwsimSkip: if the station's TLS library name does not start with
            "OpenSSL".
    """
    sta = dev[0]
    check_eap_capa(sta, "TEAP")
    tls_lib = sta.request("GET tls_library")
    if not tls_lib.startswith("OpenSSL"):
        raise HwsimSkip(
            "TLS library not supported for TLS CS configuration: " + tls_lib)
    server_conf = int_teap_server_params(eap_teap_auth="1")
    server_conf['openssl_ciphers'] = cipher
    hapd = hostapd.add_ap(apdev[0], server_conf)
    eap_connect(sta, hapd, "TEAP", "user",
                anonymous_identity="TEAP",
                password="******",
                ca_cert="auth_serv/ca.pem",
                pac_file="blob://teap_pac")
def test_eap_teap_eap_eke_unauth_server_prov(dev, apdev):
    """EAP-TEAP with inner EAP-EKE and unauthenticated server provisioning

    The peer is given no ca_cert and runs with teap_provisioning=1, so this
    covers the provisioning mode in which the server is not authenticated
    by certificate. A reauthentication must then report TLS session reuse.
    """
    sta = dev[0]
    for method in ("TEAP", "EKE"):
        check_eap_capa(sta, method)
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_conf)
    # No ca_cert here on purpose: that is the case under test.
    eap_connect(sta, hapd, "TEAP", "user-eke-2",
                anonymous_identity="TEAP",
                password="******",
                phase1="teap_provisioning=1",
                phase2="auth=EKE",
                pac_file="blob://teap_pac")
    reauth_status = eap_reauth(sta, "TEAP")
    if reauth_status['tls_session_reused'] != '1':
        raise Exception("EAP-TEAP could not use PAC session ticket")
def test_eap_teap_basic_password_auth_pac_binary(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth and PAC (binary)

    The PAC is stored in the blob teap_pac_bin using the binary PAC format
    with a list length limit of 2. A reauthentication must then report TLS
    session reuse.
    """
    sta = dev[0]
    check_eap_capa(sta, "TEAP")
    hapd = hostapd.add_ap(apdev[0], int_teap_server_params(eap_teap_auth="1"))
    provisioning = ("teap_provisioning=2 teap_max_pac_list_len=2 "
                    "teap_pac_format=binary")
    eap_connect(sta, hapd, "TEAP", "user",
                anonymous_identity="TEAP",
                password="******",
                phase1=provisioning,
                ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac_bin")
    reauth_status = eap_reauth(sta, "TEAP")
    if reauth_status['tls_session_reused'] != '1':
        raise Exception("EAP-TEAP could not use PAC session ticket")
def test_eap_teap_eap_mschapv2_pac_no_ca_cert(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 and PAC provisioning attempt
    without ca_cert

    The peer requests teap_provisioning=2 but has no ca_cert configured.
    The initial connection is expected to succeed, while the following
    reauthentication must NOT report TLS session reuse: a session ticket
    must not be in use when the server certificate was not validated.
    """
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_conf)
    eap_connect(sta, hapd, "TEAP", "user",
                anonymous_identity="TEAP",
                password="******",
                phase1="teap_provisioning=2",
                phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac")
    reauth_status = eap_reauth(sta, "TEAP")
    if reauth_status['tls_session_reused'] == '1':
        raise Exception("Unexpected use of PAC session ticket")
def _test_pmksa_cache_preauth_timeout(dev, apdev):
    """Check that a pre-authentication attempt reports a timeout.

    dot11RSNAConfigSATimeout is set to 1 on the station and is not restored
    here (presumably the caller does that - confirm). After connecting,
    PREAUTH is requested for f2:11:22:33:44:55, an address no AP on this
    page is configured with, and the resulting "RSN: pre-authentication
    with" event must contain "timed out".

    Raises:
        Exception: if PREAUTH is rejected, no event arrives within 5 s, or
            the event is not a timeout.
    """
    sta = dev[0]
    sta.request("SET dot11RSNAConfigSATimeout 1")
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_conf)
    eap_connect(sta, hapd, "PAX", "*****@*****.**",
                password_hex="0123456789abcdef0123456789abcdef",
                bssid=apdev[0]['bssid'])

    reply = sta.request("PREAUTH f2:11:22:33:44:55")
    if "OK" not in reply:
        raise Exception("PREAUTH failed")

    ev = sta.wait_event(["RSN: pre-authentication with"], timeout=5)
    if ev is None:
        raise Exception("No timeout event seen")
    if "timed out" not in ev:
        raise Exception("Unexpected event: " + ev)
def test_eap_teap_eap_mschapv2_pac_no_inner_eap(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 and PAC without inner EAP

    The server runs with eap_teap_pac_no_inner=1. After PAC provisioning
    with a validated server certificate, a reauthentication must report
    TLS session reuse.
    """
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    server_conf = int_teap_server_params(eap_teap_pac_no_inner="1")
    hapd = hostapd.add_ap(apdev[0], server_conf)
    eap_connect(sta, hapd, "TEAP", "user",
                anonymous_identity="TEAP",
                password="******",
                phase1="teap_provisioning=2",
                ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac")
    reauth_status = eap_reauth(sta, "TEAP")
    if reauth_status['tls_session_reused'] != '1':
        raise Exception("EAP-TEAP could not use PAC session ticket")
def _test_pmksa_cache_preauth_oom(dev, apdev):
    """Exercise AP-side pre-authentication under injected allocation failures.

    For each (count, function) pair, the second AP is told to deauthenticate
    all stations, an allocation failure is armed on it through alloc_fail
    (defined elsewhere), and the station requests pre-authentication. The
    test does not require the PMKSA entry to appear; it only logs whether it
    did, then flushes the cache and waits for the station to reconnect.
    Bridge ap-br0 is not removed here (presumably the caller does that -
    confirm).

    Raises:
        Exception: if the station rejects the PREAUTH command.
    """
    sta = dev[0]
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_conf['bridge'] = 'ap-br0'
    ap = hostapd.add_ap(apdev[0], ap_conf)
    hostapd.cmd_execute(apdev[0], ['brctl', 'setfd', 'ap-br0', '0'])
    hostapd.cmd_execute(apdev[0], ['ip', 'link', 'set', 'dev', 'ap-br0', 'up'])
    eap_connect(sta, ap, "PAX", "*****@*****.**",
                password_hex="0123456789abcdef0123456789abcdef",
                bssid=apdev[0]['bssid'])

    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    for key, value in (('bridge', 'ap-br0'),
                       ('rsn_preauth', '1'),
                       ('rsn_preauth_interfaces', 'ap-br0')):
        ap_conf[key] = value
    # From here on "ap" is the second AP, the pre-authentication target.
    ap = hostapd.add_ap(apdev[1], ap_conf)
    target = apdev[1]['bssid']

    fail_points = [(1, "rsn_preauth_receive"),
                   (2, "rsn_preauth_receive"),
                   (1, "rsn_preauth_send"),
                   (1, "wpa_auth_pmksa_add_preauth;rsn_preauth_finished")]
    for fail_count, fail_func in fail_points:
        ap.request("DEAUTHENTICATE ff:ff:ff:ff:ff:ff")
        with alloc_fail(ap, fail_count, fail_func):
            sta.scan_for_bss(target, freq="2412")
            if "OK" not in sta.request("PREAUTH " + target):
                raise Exception("PREAUTH failed")

            cached = False
            cleared_polls = 0
            for _ in range(50):
                time.sleep(0.1)
                if sta.get_pmksa(target):
                    cached = True
                    break
                # Stop early after GET_ALLOC_FAIL has reported a "0:" state
                # three times.
                if ap.request('GET_ALLOC_FAIL').startswith('0:'):
                    cleared_polls += 1
                    if cleared_polls > 2:
                        break
            logger.info("PMKSA cache success: " + str(cached))

        sta.request("PMKSA_FLUSH")
        sta.wait_disconnected()
        sta.wait_connected()
        sta.dump_monitor()
def test_pmksa_cache_preauth_wpas_oom(dev, apdev):
    """RSN pre-authentication OOM in wpa_supplicant

    For counts 1 through 10, an allocation failure is armed in
    rsn_preauth_init on the station through alloc_fail (defined elsewhere)
    and PREAUTH is requested; the command result is only logged. Each round
    then polls GET_ALLOC_FAIL up to 10 times, 0.05 s apart, until it
    reports a state starting with "0:".
    """
    sta = dev[0]
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_conf)
    eap_connect(sta, hapd, "PAX", "*****@*****.**",
                password_hex="0123456789abcdef0123456789abcdef",
                bssid=apdev[0]['bssid'])

    for attempt in range(1, 11):
        with alloc_fail(sta, attempt, "rsn_preauth_init"):
            reply = sta.request("PREAUTH f2:11:22:33:44:55").strip()
            logger.info("Iteration %d - PREAUTH command results: %s" %
                        (attempt, reply))
            for _ in range(10):
                if sta.request('GET_ALLOC_FAIL').startswith('0:'):
                    break
                time.sleep(0.05)
def test_eap_teap_eap_mschapv2_user_and_eap_tls_machine(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 user and EAP-TLS machine credentials

    The user side authenticates with a password (phase2 auth=MSCHAPV2) and
    the machine side with a client certificate (machine_phase2 auth=TLS).
    """
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2", "TLS"):
        check_eap_capa(sta, method)
    server_conf = int_teap_server_params(eap_teap_id="5")
    hapd = hostapd.add_ap(apdev[0], server_conf)
    eap_connect(sta, hapd, "TEAP", "user",
                password="******",
                anonymous_identity="TEAP",
                machine_identity="cert user",
                ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2",
                machine_phase2="auth=TLS",
                machine_ca_cert="auth_serv/ca.pem",
                machine_client_cert="auth_serv/user.pem",
                machine_private_key="auth_serv/user.key",
                pac_file="blob://teap_pac")
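def test_rsn_preauth_processing(dev, apdev):
    """RSN pre-authentication processing on AP

    Robustness test for the AP's handling of pre-authentication frames
    (EtherType 0x88c7). The AP listens for pre-authentication on "lo", and
    a series of short, misaddressed and unexpected frames is written to
    that interface through a raw packet socket. Nothing is asserted about
    the AP's reaction; the frames are only sent.

    Each frame is destination MAC + source MAC + EtherType, optionally
    followed by a 4-byte header packed as '>BBH' (two one-byte fields and a
    big-endian 16-bit field; in an EAPOL header these are version, type and
    length).

    The socket is closed explicitly once the frames have been sent, so the
    descriptor is released even if bind() or send() raises.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['rsn_preauth'] = '1'
    params['rsn_preauth_interfaces'] = "lo"
    hapd = hostapd.add_ap(apdev[0], params)
    bssid = hapd.own_addr()
    _bssid = binascii.unhexlify(bssid.replace(':', ''))
    eap_connect(dev[0], hapd, "PAX", "*****@*****.**",
                password_hex="0123456789abcdef0123456789abcdef")
    addr = dev[0].own_addr()
    _addr = binascii.unhexlify(addr.replace(':', ''))

    foreign = b"\x02\x03\x04\x05\x06\x07"
    proto = b"\x88\xc7"
    # The label before each frame is kept from the original test; the labels
    # appear to name the AP-side handling each frame is meant to reach.
    tests = [
        # RSN: too short pre-auth packet (len=14)
        _bssid + foreign + proto,
        # Not EAPOL-Start
        _bssid + foreign + proto + struct.pack('>BBH', 0, 0, 0),
        # RSN: pre-auth for foreign address 02:03:04:05:06:07
        foreign + foreign + proto + struct.pack('>BBH', 0, 0, 0),
        # RSN: pre-auth for already association STA 02:00:00:00:00:00
        _bssid + _addr + proto + struct.pack('>BBH', 0, 0, 0),
        # New STA
        _bssid + foreign + proto + struct.pack('>BBH', 0, 1, 1),
        # IEEE 802.1X: received EAPOL-Start from STA
        _bssid + foreign + proto + struct.pack('>BBH', 0, 1, 0),
        # frame too short for this IEEE 802.1X packet
        _bssid + foreign + proto + struct.pack('>BBH', 0, 1, 1),
        # EAPOL-Key - Dropped key data from unauthorized Supplicant
        _bssid + foreign + proto + struct.pack('>BBH', 2, 3, 0),
        # EAPOL-Encapsulated-ASF-Alert
        _bssid + foreign + proto + struct.pack('>BBH', 2, 4, 0),
        # unknown IEEE 802.1X packet type
        _bssid + foreign + proto + struct.pack('>BBH', 2, 255, 0),
    ]

    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW,
                         socket.htons(0x88c7))
    try:
        sock.bind(("lo", socket.htons(0x88c7)))
        for t in tests:
            sock.send(t)
    finally:
        # try/finally rather than "with" keeps this valid on interpreters
        # where socket objects are not context managers.
        sock.close()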
def run_pmksa_cache_preauth_auto(dev, apdev):
    """Check that pre-authentication populates the PMKSA cache for two APs.

    Both APs are started from the same configuration, with RSN
    pre-authentication enabled on bridge ap-br0. After the station has
    connected to the first AP, its PMKSA cache is polled (20 rounds, 0.5 s
    apart) until it holds an entry for each BSSID.

    Raises:
        Exception: if both entries are still missing when polling ends.
    """
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    for key, value in (('bridge', 'ap-br0'),
                       ('rsn_preauth', '1'),
                       ('rsn_preauth_interfaces', 'ap-br0')):
        ap_conf[key] = value

    first_ap = hostapd.add_ap(apdev[0], ap_conf)
    # Bridge forward delay 0, then bring the bridge up.
    first_ap.cmd_execute(['brctl', 'setfd', 'ap-br0', '0'])
    first_ap.cmd_execute(['ip', 'link', 'set', 'dev', 'ap-br0', 'up'])
    # Bound to a local so the second AP object stays referenced until return.
    second_ap = hostapd.add_ap(apdev[1], ap_conf)

    sta = dev[0]
    eap_connect(sta, first_ap, "PAX", "*****@*****.**",
                password_hex="0123456789abcdef0123456789abcdef")

    for _ in range(20):
        time.sleep(0.5)
        entry_first = sta.get_pmksa(apdev[0]['bssid'])
        entry_second = sta.get_pmksa(apdev[1]['bssid'])
        if entry_first and entry_second:
            return
    raise Exception("The expected PMKSA cache entries not found")
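def generic_pmksa_cache_preauth(dev, apdev, extraparams, identity, databridge,
                                force_disconnect=False):
    """Shared body for the PMKSA-cache-through-pre-authentication tests.

    The station connects to a first AP, a second AP with pre-authentication
    enabled on `databridge` is added, and the station must obtain a PMKSA
    cache entry for the second AP and then roam to it without a new EAP
    exchange and with an unchanged PMKID. Connectivity over `databridge` is
    checked before and after the roam. Bridge ap-br0 is taken down and
    deleted whatever the outcome.

    Args:
        dev: station list; dev[0] is used.
        apdev: AP list; apdev[0] and apdev[1] are used.
        extraparams: two mappings of extra AP parameters, one per AP; a
            falsy value means no extras.
        identity: EAP identity for the station.
        databridge: interface used for pre-authentication and for the
            connectivity checks.
        force_disconnect: when true, disconnect the station and disable the
            first AP before cleanup.

    Raises:
        Exception: on any failed expectation described above.
    """
    if not extraparams:
        extraparams = [{}, {}]
    try:
        params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        params['bridge'] = 'ap-br0'
        # .items() instead of .iteritems(): the latter exists only on
        # Python 2 dicts, .items() works on both Python 2 and 3.
        for key, value in extraparams[0].items():
            params[key] = value

        hapd = hostapd.add_ap(apdev[0], params)
        hapd.cmd_execute(['brctl', 'setfd', 'ap-br0', '0'])
        hapd.cmd_execute(['ip', 'link', 'set', 'dev', 'ap-br0', 'up'])
        eap_connect(dev[0], hapd, "PAX", identity,
                    password_hex="0123456789abcdef0123456789abcdef")

        # Verify connectivity in the correct VLAN
        hwsim_utils.test_connectivity_iface(dev[0], hapd, databridge)

        params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        params['bridge'] = 'ap-br0'
        params['rsn_preauth'] = '1'
        params['rsn_preauth_interfaces'] = databridge
        for key, value in extraparams[1].items():
            params[key] = value
        hostapd.add_ap(apdev[1], params)
        bssid1 = apdev[1]['bssid']
        dev[0].scan(freq="2412")

        # Poll for the cache entry; along the way, note whether STATUS ever
        # exposed the pre-authentication state machine section.
        success = False
        status_seen = False
        for i in range(0, 50):
            if not status_seen:
                status = dev[0].request("STATUS")
                if "Pre-authentication EAPOL state machines:" in status:
                    status_seen = True
            time.sleep(0.1)
            pmksa = dev[0].get_pmksa(bssid1)
            if pmksa:
                success = True
                break
        if not success:
            raise Exception(
                "No PMKSA cache entry created from pre-authentication")
        if not status_seen:
            raise Exception(
                "Pre-authentication EAPOL status was not available")

        dev[0].scan(freq="2412")
        if "[WPA2-EAP-CCMP-preauth]" not in dev[0].request("SCAN_RESULTS"):
            raise Exception("Scan results missing RSN element info")
        dev[0].request("ROAM " + bssid1)
        ev = dev[0].wait_event(
            ["CTRL-EVENT-EAP-STARTED", "CTRL-EVENT-CONNECTED"], timeout=10)
        if ev is None:
            raise Exception("Roaming with the AP timed out")
        # A fresh EAP exchange would mean the cached PMKSA was not used.
        if "CTRL-EVENT-EAP-STARTED" in ev:
            raise Exception("Unexpected EAP exchange")
        pmksa2 = dev[0].get_pmksa(bssid1)
        if pmksa2 is None:
            raise Exception("No PMKSA cache entry")
        if pmksa['pmkid'] != pmksa2['pmkid']:
            raise Exception("Unexpected PMKID change")

        # Verify connectivity in the correct VLAN
        hwsim_utils.test_connectivity_iface(dev[0], hapd, databridge)

        if not force_disconnect:
            return

        # Disconnect the STA from both APs to avoid forceful ifdown by the
        # test script on a VLAN that this has an associated STA. That used to
        # trigger a mac80211 warning.
        dev[0].request("DISCONNECT")
        hapd.request("DISABLE")
    finally:
        # NOTE(review): '2>' and '/dev/null' act as a redirection only if
        # the helper hands the words to a shell when shell=True - confirm.
        # All words are constants, so no caller-supplied text reaches the
        # shell here.
        hostapd.cmd_execute(
            apdev[0],
            ['ip', 'link', 'set', 'dev', 'ap-br0', 'down', '2>', '/dev/null'],
            shell=True)
        hostapd.cmd_execute(apdev[0],
                            ['brctl', 'delbr', 'ap-br0', '2>', '/dev/null'],
                            shell=True)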
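def test_pmksa_cache_preauth_vlan_used(dev, apdev):
    """RSN pre-authentication to generate PMKSA cache entry
    (station with VLAN set)

    The station connects with identity "vlan1" to a first AP that uses
    dynamic VLANs, a second AP with pre-authentication enabled on brvlan1
    is added, and the station must obtain a PMKSA cache entry for the
    second AP and roam to it without a new EAP exchange and with an
    unchanged PMKID. Connectivity over brvlan1 is checked before and after
    the roam. Bridges and VLAN interfaces are torn down whatever the
    outcome.

    The cleanup shares one /dev/null handle and closes it, instead of
    opening a new, never-closed file object for every command.
    """
    try:
        subprocess.call(['brctl', 'addbr', 'brvlan1'])
        subprocess.call(['brctl', 'setfd', 'brvlan1', '0'])
        params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        params['bridge'] = 'ap-br0'
        params['dynamic_vlan'] = '1'
        params['vlan_file'] = 'hostapd.wlan3.vlan'
        hapd = hostapd.add_ap(apdev[0]['ifname'], params)
        subprocess.call(['brctl', 'setfd', 'ap-br0', '0'])
        subprocess.call(['ip', 'link', 'set', 'dev', 'ap-br0', 'up'])
        eap_connect(dev[0], apdev[0], "PAX", "vlan1",
                    password_hex="0123456789abcdef0123456789abcdef")

        # Verify connectivity in the correct VLAN
        hwsim_utils.test_connectivity_iface(dev[0], hapd, "brvlan1")

        params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        params['bridge'] = 'ap-br0'
        params['rsn_preauth'] = '1'
        params['rsn_preauth_interfaces'] = 'brvlan1'
        params['dynamic_vlan'] = '1'
        params['vlan_file'] = 'hostapd.wlan4.vlan'
        hostapd.add_ap(apdev[1]['ifname'], params)
        bssid1 = apdev[1]['bssid']
        dev[0].scan(freq="2412")

        # Poll for the cache entry; along the way, note whether STATUS ever
        # exposed the pre-authentication state machine section.
        success = False
        status_seen = False
        for i in range(0, 50):
            if not status_seen:
                status = dev[0].request("STATUS")
                if "Pre-authentication EAPOL state machines:" in status:
                    status_seen = True
            time.sleep(0.1)
            pmksa = dev[0].get_pmksa(bssid1)
            if pmksa:
                success = True
                break
        if not success:
            raise Exception(
                "No PMKSA cache entry created from pre-authentication")
        if not status_seen:
            raise Exception(
                "Pre-authentication EAPOL status was not available")

        dev[0].scan(freq="2412")
        if "[WPA2-EAP-CCMP-preauth]" not in dev[0].request("SCAN_RESULTS"):
            raise Exception("Scan results missing RSN element info")
        dev[0].request("ROAM " + bssid1)
        ev = dev[0].wait_event(
            ["CTRL-EVENT-EAP-STARTED", "CTRL-EVENT-CONNECTED"], timeout=10)
        if ev is None:
            raise Exception("Roaming with the AP timed out")
        # A fresh EAP exchange would mean the cached PMKSA was not used.
        if "CTRL-EVENT-EAP-STARTED" in ev:
            raise Exception("Unexpected EAP exchange")
        pmksa2 = dev[0].get_pmksa(bssid1)
        if pmksa2 is None:
            raise Exception("No PMKSA cache entry")
        if pmksa['pmkid'] != pmksa2['pmkid']:
            raise Exception("Unexpected PMKID change")

        # Verify connectivity in the correct VLAN
        hwsim_utils.test_connectivity_iface(dev[0], hapd, "brvlan1")

        # Disconnect the STA from both APs to avoid forceful ifdown by the
        # test script on a VLAN that this has an associated STA. That used to
        # trigger a mac80211 warning.
        dev[0].request("DISCONNECT")
        hapd.request("DISABLE")
    finally:
        # Commands that may fail because the interface is already gone have
        # their stderr discarded; the two brvlan1 commands keep theirs.
        with open('/dev/null', 'w') as devnull:
            subprocess.call(['ip', 'link', 'set', 'dev', 'ap-br0', 'down'],
                            stderr=devnull)
            subprocess.call(['ip', 'link', 'set', 'dev', 'brvlan1', 'down'])
            subprocess.call(['ip', 'link', 'set', 'dev', 'wlan3.1', 'down'],
                            stderr=devnull)
            subprocess.call(['ip', 'link', 'set', 'dev', 'wlan4.1', 'down'],
                            stderr=devnull)
            subprocess.call(['brctl', 'delif', 'brvlan1', 'wlan3.1'],
                            stderr=devnull)
            subprocess.call(['brctl', 'delif', 'brvlan1', 'wlan4.1'],
                            stderr=devnull)
            subprocess.call(['brctl', 'delbr', 'ap-br0'], stderr=devnull)
            subprocess.call(['brctl', 'delbr', 'brvlan1'])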
def generic_pmksa_cache_preauth(dev, apdev, extraparams, identity, databridge,
                                force_disconnect=False):
    """Shared body for the PMKSA-cache-through-pre-authentication tests.

    The station connects to a first AP, a second AP with pre-authentication
    enabled on `databridge` is added, and the station must obtain a PMKSA
    cache entry for the second AP and then roam to it without a new EAP
    exchange and with an unchanged PMKID. Connectivity over `databridge` is
    checked before and after the roam. Bridge ap-br0 is taken down and
    deleted whatever the outcome.

    Args:
        dev: station list; dev[0] is used.
        apdev: AP list; apdev[0] and apdev[1] are used.
        extraparams: two mappings of extra AP parameters, one per AP; a
            falsy value means no extras.
        identity: EAP identity for the station.
        databridge: interface used for pre-authentication and for the
            connectivity checks.
        force_disconnect: when true, disconnect the station and disable the
            first AP before cleanup.

    Raises:
        Exception: on any failed expectation described above.
    """
    if not extraparams:
        extraparams = [{}, {}]
    try:
        sta = dev[0]
        first_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        first_conf['bridge'] = 'ap-br0'
        for name, setting in extraparams[0].items():
            first_conf[name] = setting

        hapd = hostapd.add_ap(apdev[0], first_conf)
        hapd.cmd_execute(['brctl', 'setfd', 'ap-br0', '0'])
        hapd.cmd_execute(['ip', 'link', 'set', 'dev', 'ap-br0', 'up'])
        eap_connect(sta, hapd, "PAX", identity,
                    password_hex="0123456789abcdef0123456789abcdef")

        # Verify connectivity in the correct VLAN
        hwsim_utils.test_connectivity_iface(sta, hapd, databridge)

        second_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        second_conf['bridge'] = 'ap-br0'
        second_conf['rsn_preauth'] = '1'
        second_conf['rsn_preauth_interfaces'] = databridge
        for name, setting in extraparams[1].items():
            second_conf[name] = setting
        hostapd.add_ap(apdev[1], second_conf)
        target = apdev[1]['bssid']
        sta.scan(freq="2412")

        # Poll for the cache entry; along the way, note whether STATUS ever
        # exposed the pre-authentication state machine section.
        status_seen = False
        for _ in range(50):
            if not status_seen:
                status_seen = ("Pre-authentication EAPOL state machines:"
                               in sta.request("STATUS"))
            time.sleep(0.1)
            pmksa = sta.get_pmksa(target)
            if pmksa:
                break
        else:
            raise Exception(
                "No PMKSA cache entry created from pre-authentication")
        if not status_seen:
            raise Exception(
                "Pre-authentication EAPOL status was not available")

        sta.scan(freq="2412")
        if "[WPA2-EAP-CCMP-preauth]" not in sta.request("SCAN_RESULTS"):
            raise Exception("Scan results missing RSN element info")
        sta.request("ROAM " + target)
        ev = sta.wait_event(
            ["CTRL-EVENT-EAP-STARTED", "CTRL-EVENT-CONNECTED"], timeout=10)
        if ev is None:
            raise Exception("Roaming with the AP timed out")
        # A fresh EAP exchange would mean the cached PMKSA was not used.
        if "CTRL-EVENT-EAP-STARTED" in ev:
            raise Exception("Unexpected EAP exchange")
        pmksa_after = sta.get_pmksa(target)
        if pmksa_after is None:
            raise Exception("No PMKSA cache entry")
        if pmksa['pmkid'] != pmksa_after['pmkid']:
            raise Exception("Unexpected PMKID change")

        # Verify connectivity in the correct VLAN
        hwsim_utils.test_connectivity_iface(sta, hapd, databridge)

        if force_disconnect:
            # Disconnect the STA from both APs to avoid forceful ifdown by
            # the test script on a VLAN that this has an associated STA.
            # That used to trigger a mac80211 warning.
            sta.request("DISCONNECT")
            hapd.request("DISABLE")
    finally:
        # NOTE(review): '2>' and '/dev/null' act as a redirection only if
        # the helper hands the words to a shell when shell=True - confirm.
        # All words are constants, so no caller-supplied text reaches the
        # shell here.
        bridge_down = ['ip', 'link', 'set', 'dev', 'ap-br0', 'down',
                       '2>', '/dev/null']
        bridge_delete = ['brctl', 'delbr', 'ap-br0', '2>', '/dev/null']
        hostapd.cmd_execute(apdev[0], bridge_down, shell=True)
        hostapd.cmd_execute(apdev[0], bridge_delete, shell=True)
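def test_pmksa_cache_preauth_vlan_used(dev, apdev):
    """RSN pre-authentication to generate PMKSA cache entry
    (station with VLAN set)

    The station connects with identity "vlan1" to a first AP that uses
    dynamic VLANs, a second AP with pre-authentication enabled on brvlan1
    is added, and the station must obtain a PMKSA cache entry for the
    second AP and roam to it without a new EAP exchange and with an
    unchanged PMKID. Bridges and VLAN interfaces are torn down whatever the
    outcome.

    The cleanup shares one /dev/null handle and closes it, instead of
    opening a new, never-closed file object for every command.
    """
    try:
        subprocess.call(['brctl', 'addbr', 'brvlan1'])
        subprocess.call(['brctl', 'setfd', 'brvlan1', '0'])
        params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        params['bridge'] = 'ap-br0'
        params['dynamic_vlan'] = '1'
        params['vlan_file'] = 'hostapd.wlan3.vlan'
        hapd = hostapd.add_ap(apdev[0]['ifname'], params)
        subprocess.call(['brctl', 'setfd', 'ap-br0', '0'])
        subprocess.call(['ip', 'link', 'set', 'dev', 'ap-br0', 'up'])
        eap_connect(dev[0], apdev[0], "PAX", "vlan1",
                    password_hex="0123456789abcdef0123456789abcdef")

        params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        params['bridge'] = 'ap-br0'
        params['rsn_preauth'] = '1'
        params['rsn_preauth_interfaces'] = 'brvlan1'
        params['dynamic_vlan'] = '1'
        params['vlan_file'] = 'hostapd.wlan4.vlan'
        hostapd.add_ap(apdev[1]['ifname'], params)
        bssid1 = apdev[1]['bssid']
        dev[0].scan(freq="2412")

        # Poll for the cache entry; along the way, note whether STATUS ever
        # exposed the pre-authentication state machine section.
        success = False
        status_seen = False
        for i in range(0, 50):
            if not status_seen:
                status = dev[0].request("STATUS")
                if "Pre-authentication EAPOL state machines:" in status:
                    status_seen = True
            time.sleep(0.1)
            pmksa = dev[0].get_pmksa(bssid1)
            if pmksa:
                success = True
                break
        if not success:
            raise Exception(
                "No PMKSA cache entry created from pre-authentication")
        if not status_seen:
            raise Exception(
                "Pre-authentication EAPOL status was not available")

        dev[0].scan(freq="2412")
        if "[WPA2-EAP-CCMP-preauth]" not in dev[0].request("SCAN_RESULTS"):
            raise Exception("Scan results missing RSN element info")
        dev[0].request("ROAM " + bssid1)
        ev = dev[0].wait_event(
            ["CTRL-EVENT-EAP-STARTED", "CTRL-EVENT-CONNECTED"], timeout=10)
        if ev is None:
            raise Exception("Roaming with the AP timed out")
        # A fresh EAP exchange would mean the cached PMKSA was not used.
        if "CTRL-EVENT-EAP-STARTED" in ev:
            raise Exception("Unexpected EAP exchange")
        pmksa2 = dev[0].get_pmksa(bssid1)
        if pmksa2 is None:
            raise Exception("No PMKSA cache entry")
        if pmksa['pmkid'] != pmksa2['pmkid']:
            raise Exception("Unexpected PMKID change")

        # Disconnect the STA from both APs to avoid forceful ifdown by the
        # test script on a VLAN that this has an associated STA. That used to
        # trigger a mac80211 warning.
        dev[0].request("DISCONNECT")
        hapd.request("DISABLE")
    finally:
        # Commands that may fail because the interface is already gone have
        # their stderr discarded; the two brvlan1 commands keep theirs.
        with open('/dev/null', 'w') as devnull:
            subprocess.call(['ip', 'link', 'set', 'dev', 'ap-br0', 'down'],
                            stderr=devnull)
            subprocess.call(['ip', 'link', 'set', 'dev', 'brvlan1', 'down'])
            subprocess.call(['ip', 'link', 'set', 'dev', 'wlan3.1', 'down'],
                            stderr=devnull)
            subprocess.call(['ip', 'link', 'set', 'dev', 'wlan4.1', 'down'],
                            stderr=devnull)
            subprocess.call(['brctl', 'delif', 'brvlan1', 'wlan3.1'],
                            stderr=devnull)
            subprocess.call(['brctl', 'delif', 'brvlan1', 'wlan4.1'],
                            stderr=devnull)
            subprocess.call(['brctl', 'delbr', 'ap-br0'], stderr=devnull)
            subprocess.call(['brctl', 'delbr', 'brvlan1'])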