def check_hs20_osu_client(): if not os.path.exists("../../hs20/client/hs20-osu-client"): raise HwsimSkip("No hs20-osu-client available")
def test_sae_proto_ecc(dev, apdev): """SAE protocol testing (ECC)""" if "SAE" not in dev[0].get_capability("auth_alg"): raise HwsimSkip("SAE not supported") params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678") params['wpa_key_mgmt'] = 'SAE' hapd = hostapd.add_ap(apdev[0], params) bssid = apdev[0]['bssid'] dev[0].request("SET sae_groups 19") tests = [ ("Confirm mismatch", "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8", "0000800edebc3f260dc1fe7e0b20888af2b8a3316252ec37388a8504e25b73dc4240" ), ("Commit without even full cyclic group field", "13", None), ("Too short commit", "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02", None), ("Invalid commit scalar (0)", "1300" + "0000000000000000000000000000000000000000000000000000000000000000" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8", None), ("Invalid commit scalar (1)", "1300" + "0000000000000000000000000000000000000000000000000000000000000001" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8", None), ("Invalid commit scalar (> r)", "1300" + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8", None), ("Commit element not on curve", "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728d0000000000000000000000000000000000000000000000000000000000000000", None), ("Invalid commit element (y coordinate > P)", "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", None), ("Invalid commit element (x coordinate > P)", "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8", None), ("Different group in commit", "1400" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8", None), ("Too short confirm", "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8", "0000800edebc3f260dc1fe7e0b20888af2b8a3316252ec37388a8504e25b73dc42") ] for (note, commit, confirm) in tests: logger.info(note) dev[0].scan_for_bss(bssid, freq=2412) hapd.set("ext_mgmt_frame_handling", "1") dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE", scan_freq="2412", wait_connect=False) logger.info("Commit") for i in range(0, 10): req = hapd.mgmt_rx() if req is None: raise Exception("MGMT RX wait timed out (commit)") if req['subtype'] == 11: break req = None if not req: raise Exception("Authentication frame (commit) not received") hapd.dump_monitor() resp = {} resp['fc'] = req['fc'] resp['da'] = req['sa'] resp['sa'] = req['da'] resp['bssid'] = req['bssid'] resp['payload'] = binascii.unhexlify("030001000000" + commit) hapd.mgmt_tx(resp) if confirm: logger.info("Confirm") for i in range(0, 10): req = hapd.mgmt_rx() if req is None: raise Exception("MGMT RX wait timed out (confirm)") if req['subtype'] == 11: break req = None if not req: raise Exception("Authentication frame (confirm) not received") hapd.dump_monitor() resp = {} resp['fc'] = req['fc'] resp['da'] = req['sa'] resp['sa'] = req['da'] resp['bssid'] = req['bssid'] resp['payload'] = binascii.unhexlify("030002000000" + confirm) hapd.mgmt_tx(resp) time.sleep(0.1) dev[0].request("REMOVE_NETWORK all") hapd.set("ext_mgmt_frame_handling", "0") hapd.dump_monitor()
def require_wmediumd_version(major, minor, patch): revs = get_wmediumd_version() if revs[0] < major or revs[1] < minor or revs[2] < patch: raise HwsimSkip('wmediumd v%s.%s.%s is too old for this test' % (revs[0], revs[1], revs[2]))
def ap_vlan_iface_cleanup_multibss(dev, apdev, cfgfile): # AP VLAN with WPA2-Enterprise and RADIUS attributes changing VLANID # check that multiple bss do not interfere with each other with respect # to deletion of bridge and tagged interface. if not netifaces_imported: raise HwsimSkip("python module netifaces not available") try: ap_vlan_iface_cleanup_multibss_cleanup() ap_vlan_iface_test_and_prepare_environ() as_params = { "ssid": "as", "beacon_int": "2000", "radius_server_clients": "auth_serv/radius_clients.conf", "radius_server_auth_port": '18128', "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf", "ca_cert": "auth_serv/ca.pem", "server_cert": "auth_serv/server.pem", "private_key": "auth_serv/server.key", "vlan_naming": "1" } authserv = hostapd.add_ap(apdev[1], as_params) # start the actual test hapd = hostapd.add_iface(apdev[0], cfgfile) hapd1 = hostapd.Hostapd("wlan3-2", 1) hapd1.enable() ifaces = netifaces.interfaces() if "brvlan1" in ifaces: raise Exception("bridge brvlan1 already exists before") if "brvlan2" in ifaces: raise Exception("bridge brvlan2 already exists before") dev[0].connect("bss-1", key_mgmt="WPA-EAP", eap="PAX", identity="vlan1", password_hex="0123456789abcdef0123456789abcdef", scan_freq="2412") ifaces = netifaces.interfaces() if not("brvlan1" in ifaces): raise Exception("bridge brvlan1 was not created") hwsim_utils.test_connectivity_iface(dev[0], hapd, "brvlan1") if not iface_is_in_bridge("brvlan1", "dummy0.1"): raise Exception("dummy0.1 not in brvlan1") dev[1].connect("bss-2", key_mgmt="WPA-EAP", eap="PAX", identity="vlan1", password_hex="0123456789abcdef0123456789abcdef", scan_freq="2412") hwsim_utils.test_connectivity_iface(dev[1], hapd1, "brvlan1") if not iface_is_in_bridge("brvlan1", "dummy0.1"): raise Exception("dummy0.1 not in brvlan1") authserv.disable() authserv.set('eap_user_file', "auth_serv/eap_user_vlan.conf") authserv.enable() logger.info("wlan0 -> VLAN 2") dev[0].dump_monitor() dev[0].request("REAUTHENTICATE") ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15) if ev is None: raise Exception("EAP reauthentication timed out") ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=5) if ev is None: raise Exception("4-way handshake after reauthentication timed out") state = dev[0].get_status_field('wpa_state') if state != "COMPLETED": raise Exception("Unexpected state after reauth: " + state) ifaces = netifaces.interfaces() if not ("brvlan1" in ifaces): raise Exception("bridge brvlan1 has been removed too early") hwsim_utils.test_connectivity_iface(dev[0], hapd, "brvlan2", max_tries=5) if not iface_is_in_bridge("brvlan2", "dummy0.2"): raise Exception("dummy0.2 not in brvlan2") logger.info("test wlan1 == VLAN 1") hwsim_utils.test_connectivity_iface(dev[1], hapd1, "brvlan1") if not iface_is_in_bridge("brvlan1", "dummy0.1"): raise Exception("dummy0.1 not in brvlan1") logger.info("wlan1 -> VLAN 2") dev[1].dump_monitor() dev[1].request("REAUTHENTICATE") ev = dev[1].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15) if ev is None: raise Exception("EAP reauthentication timed out") ev = dev[1].wait_event(["WPA: Key negotiation completed"], timeout=5) if ev is None: raise Exception("4-way handshake after reauthentication timed out") state = dev[1].get_status_field('wpa_state') if state != "COMPLETED": raise Exception("Unexpected state after reauth: " + state) # it can take some time for data connectivity to be updated hwsim_utils.test_connectivity_iface(dev[1], hapd1, "brvlan2", max_tries=5) logger.info("test wlan0 == VLAN 2") hwsim_utils.test_connectivity_iface(dev[0], hapd, "brvlan2") if not iface_is_in_bridge("brvlan2", "dummy0.2"): raise Exception("dummy0.2 not in brvlan2") ifaces = netifaces.interfaces() if "brvlan1" in ifaces: raise Exception("bridge brvlan1 has not been cleaned up") # disconnect dev0 first to test a corner case dev[0].request("DISCONNECT") dev[0].wait_disconnected() dev[1].request("DISCONNECT") dev[1].wait_disconnected() # station removal needs some time for i in range(15): time.sleep(1) ifaces = netifaces.interfaces() if "brvlan2" not in ifaces: break ifaces = netifaces.interfaces() if "brvlan2" in ifaces: raise Exception("bridge brvlan2 has not been cleaned up") hapd.request("DISABLE") finally: ap_vlan_iface_cleanup_multibss_cleanup()
def test_sae_invalid_anti_clogging_token_req(dev, apdev): """SAE and invalid anti-clogging token request""" if "SAE" not in dev[0].get_capability("auth_alg"): raise HwsimSkip("SAE not supported") params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678") params['wpa_key_mgmt'] = 'SAE' # Beacon more frequently since Probe Request frames are practically ignored # in this test setup (ext_mgmt_frame_handled=1 on hostapd side) and # wpa_supplicant scans may end up getting ignored if no new results are # available due to the missing Probe Response frames. params['beacon_int'] = '20' hapd = hostapd.add_ap(apdev[0], params) bssid = apdev[0]['bssid'] dev[0].request("SET sae_groups 19") dev[0].scan_for_bss(bssid, freq=2412) hapd.set("ext_mgmt_frame_handling", "1") dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE", scan_freq="2412", wait_connect=False) ev = dev[0].wait_event(["SME: Trying to authenticate"]) if ev is None: raise Exception("No authentication attempt seen (1)") dev[0].dump_monitor() for i in range(0, 10): req = hapd.mgmt_rx() if req is None: raise Exception("MGMT RX wait timed out (commit)") if req['subtype'] == 11: break req = None if not req: raise Exception("Authentication frame (commit) not received") hapd.dump_monitor() resp = {} resp['fc'] = req['fc'] resp['da'] = req['sa'] resp['sa'] = req['da'] resp['bssid'] = req['bssid'] resp['payload'] = binascii.unhexlify("030001004c0013") hapd.mgmt_tx(resp) ev = hapd.wait_event(["MGMT-TX-STATUS"], timeout=5) if ev is None: raise Exception("Management frame TX status not reported (1)") if "stype=11 ok=1" not in ev: raise Exception("Unexpected management frame TX status (1): " + ev) ev = dev[0].wait_event(["SME: Trying to authenticate"]) if ev is None: raise Exception("No authentication attempt seen (2)") dev[0].dump_monitor() for i in range(0, 10): req = hapd.mgmt_rx() if req is None: raise Exception("MGMT RX wait timed out (commit) (2)") if req['subtype'] == 11: break req = None if not req: raise Exception("Authentication frame (commit) not received (2)") hapd.dump_monitor() resp = {} resp['fc'] = req['fc'] resp['da'] = req['sa'] resp['sa'] = req['da'] resp['bssid'] = req['bssid'] resp['payload'] = binascii.unhexlify("030001000100") hapd.mgmt_tx(resp) ev = hapd.wait_event(["MGMT-TX-STATUS"], timeout=5) if ev is None: raise Exception("Management frame TX status not reported (1)") if "stype=11 ok=1" not in ev: raise Exception("Unexpected management frame TX status (1): " + ev) ev = dev[0].wait_event(["SME: Trying to authenticate"]) if ev is None: raise Exception("No authentication attempt seen (3)") dev[0].dump_monitor() dev[0].request("DISCONNECT")
def test_tnc_ttls_errors(dev, apdev): """TNC TTLS local error cases""" if not os.path.exists("tnc/libhostap_imc.so"): raise HwsimSkip("No IMC installed") check_eap_capa(dev[0], "MSCHAPV2") params = int_eap_server_params() params["tnc"] = "1" params["fragment_size"] = "150" hostapd.add_ap(apdev[0]['ifname'], params) tests = [ (1, "eap_ttls_process_phase2_eap;eap_ttls_process_tnc_start", "DOMAIN\mschapv2 user", "auth=MSCHAPV2"), (1, "eap_ttls_process_phase2_eap;eap_ttls_process_tnc_start", "mschap user", "auth=MSCHAP"), (1, "=eap_tnc_init", "chap user", "auth=CHAP"), (1, "tncc_init;eap_tnc_init", "pap user", "auth=PAP"), (1, "eap_msg_alloc;eap_tnc_build_frag_ack", "pap user", "auth=PAP"), (1, "eap_msg_alloc;eap_tnc_build_msg", "pap user", "auth=PAP"), (1, "wpabuf_alloc;=eap_tnc_process_fragment", "pap user", "auth=PAP"), (1, "eap_msg_alloc;=eap_tnc_process", "pap user", "auth=PAP"), (1, "wpabuf_alloc;=eap_tnc_process", "pap user", "auth=PAP"), (1, "dup_binstr;tncc_process_if_tnccs", "pap user", "auth=PAP"), (1, "tncc_get_base64;tncc_process_if_tnccs", "pap user", "auth=PAP"), (1, "tncc_if_tnccs_start", "pap user", "auth=PAP"), (1, "tncc_if_tnccs_end", "pap user", "auth=PAP"), (1, "tncc_parse_imc", "pap user", "auth=PAP"), (2, "tncc_parse_imc", "pap user", "auth=PAP"), (3, "tncc_parse_imc", "pap user", "auth=PAP"), (1, "os_readfile;tncc_read_config", "pap user", "auth=PAP"), (1, "tncc_init", "pap user", "auth=PAP"), (1, "TNC_TNCC_ReportMessageTypes", "pap user", "auth=PAP"), (1, "base64_encode;TNC_TNCC_SendMessage", "pap user", "auth=PAP"), (1, "=TNC_TNCC_SendMessage", "pap user", "auth=PAP"), (1, "tncc_get_base64;tncc_process_if_tnccs", "pap user", "auth=PAP") ] for count, func, identity, phase2 in tests: with alloc_fail(dev[0], count, func): dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", scan_freq="2412", eap="TTLS", anonymous_identity="ttls", identity=identity, password="******", ca_cert="auth_serv/ca.pem", phase2=phase2, fragment_size="150", wait_connect=False) ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15) if ev is None: raise Exception("Timeout on EAP start") wait_fail_trigger( dev[0], "GET_ALLOC_FAIL", note="Allocation failure not triggered for: %d:%s" % (count, func)) dev[0].request("REMOVE_NETWORK all") dev[0].wait_disconnected() dev[0].dump_monitor()
def check_erp_capa(dev): capab = dev.get_capability("erp") if not capab or 'ERP' not in capab: raise HwsimSkip("ERP not supported in the build")
def run_macsec_psk_br(dev, apdev, count, mka_priority): subprocess.check_call(["brctl", "addbr", "brveth"]) subprocess.call( ["echo 8 > /sys/devices/virtual/net/brveth/bridge/group_fwd_mask"], shell=True) try: for i in range(count): subprocess.check_call([ "ip", "link", "add", "veth%d" % i, "type", "veth", "peer", "name", "vethbr%d" % i ]) subprocess.check_call(["ip", "link", "set", "vethbr%d" % i, "up"]) subprocess.check_call(["brctl", "addif", "brveth", "vethbr%d" % i]) except subprocess.CalledProcessError: raise HwsimSkip("veth not supported (kernel CONFIG_VETH)") subprocess.check_call(["ip", "link", "set", "brveth", "up"]) log_ip_link() wpa = add_wpas_interfaces(count=count) for i in range(count): set_mka_psk_config(wpa[i], mka_priority=mka_priority[i]) wpa[i].dump_monitor() wait_mka_done(wpa) macsec_ifname = [] for i in range(count): macsec_ifname.append(wpa[i].get_driver_status_field("parent_ifname")) timeout = 2 max_tries = 2 if count > 2 else 1 success_seen = False failure_seen = False for i in range(1, count): try: hwsim_utils.test_connectivity(wpa[0], wpa[i], ifname1=macsec_ifname[0], ifname2=macsec_ifname[i], send_len=1400, timeout=timeout, max_tries=max_tries) success_seen = True logger.info("Traffic test %d<->%d success" % (0, i)) except: failure_seen = True logger.info("Traffic test %d<->%d failure" % (0, i)) for i in range(2, count): try: hwsim_utils.test_connectivity(wpa[1], wpa[i], ifname1=macsec_ifname[1], ifname2=macsec_ifname[i], send_len=1400, timeout=timeout, max_tries=max_tries) success_seen = True logger.info("Traffic test %d<->%d success" % (1, i)) except: failure_seen = True logger.info("Traffic test %d<->%d failure" % (1, i)) if not success_seen: raise Exception("None of the data traffic tests succeeded") # Something seems to be failing with three device tests semi-regularly, so # do not report this as a failed test case until the real reason behind # those failures have been determined. if failure_seen: if count < 3: raise Exception("Data traffic test failed") else: logger.info( "Data traffic test failed - ignore for now for >= 3 device cases" ) for i in range(count): wpa[i].close_monitor() for i in range(count): wpa[0].close_control() del wpa[0]
def run_macsec_psk_ns(dev, apdev, params): try: subprocess.check_call([ "ip", "link", "add", "veth0", "type", "veth", "peer", "name", "veth1" ]) except subprocess.CalledProcessError: raise HwsimSkip("veth not supported (kernel CONFIG_VETH)") prefix = "macsec_psk_ns" conffile = os.path.join(params['logdir'], prefix + ".conf") pidfile = os.path.join(params['logdir'], prefix + ".pid") logfile0 = os.path.join(params['logdir'], prefix + ".veth0.log") logfile1 = os.path.join(params['logdir'], prefix + ".veth1.log") cap_veth0 = os.path.join(params['logdir'], prefix + ".veth0.pcap") cap_veth1 = os.path.join(params['logdir'], prefix + ".veth1.pcap") cap_macsec0 = os.path.join(params['logdir'], prefix + ".macsec0.pcap") cap_macsec1 = os.path.join(params['logdir'], prefix + ".macsec1.pcap") for i in range(2): try: subprocess.check_call(["ip", "netns", "add", "ns%d" % i]) except subprocess.CalledProcessError: raise HwsimSkip( "network namespace not supported (kernel CONFIG_NAMESPACES, CONFIG_NET_NS)" ) subprocess.check_call( ["ip", "link", "set", "veth%d" % i, "netns", "ns%d" % i]) subprocess.check_call([ "ip", "netns", "exec", "ns%d" % i, "ip", "link", "set", "dev", "veth%d" % i, "up" ]) cmd = {} cmd[0] = subprocess.Popen([ 'ip', 'netns', 'exec', 'ns0', 'tcpdump', '-p', '-U', '-i', 'veth0', '-w', cap_veth0, '-s', '2000', '--immediate-mode' ], stderr=open('/dev/null', 'w')) cmd[1] = subprocess.Popen([ 'ip', 'netns', 'exec', 'ns1', 'tcpdump', '-p', '-U', '-i', 'veth1', '-w', cap_veth1, '-s', '2000', '--immediate-mode' ], stderr=open('/dev/null', 'w')) write_conf(conffile + '0') write_conf(conffile + '1', mka_priority=100) prg = os.path.join(params['logdir'], 'alt-wpa_supplicant/wpa_supplicant/wpa_supplicant') if not os.path.exists(prg): prg = '../../wpa_supplicant/wpa_supplicant' arg = [ "ip", "netns", "exec", "ns0", prg, '-BdddtKW', '-P', pidfile + '0', '-f', logfile0, '-g', '/tmp/wpas-veth0', '-Dmacsec_linux', '-c', conffile + '0', '-i', "veth0" ] logger.info("Start wpa_supplicant: " + str(arg)) try: subprocess.check_call(arg) except subprocess.CalledProcessError: raise HwsimSkip( "macsec supported (wpa_supplicant CONFIG_MACSEC, CONFIG_DRIVER_MACSEC_LINUX; kernel CONFIG_MACSEC)" ) if os.path.exists("wpa_supplicant-macsec2"): logger.info( "Use alternative wpa_supplicant binary for one of the macsec devices" ) prg = "wpa_supplicant-macsec2" arg = [ "ip", "netns", "exec", "ns1", prg, '-BdddtKW', '-P', pidfile + '1', '-f', logfile1, '-g', '/tmp/wpas-veth1', '-Dmacsec_linux', '-c', conffile + '1', '-i', "veth1" ] logger.info("Start wpa_supplicant: " + str(arg)) subprocess.check_call(arg) wpas0 = WpaSupplicant('veth0', '/tmp/wpas-veth0') wpas1 = WpaSupplicant('veth1', '/tmp/wpas-veth1') log_ip_macsec_ns() log_ip_link_ns() logger.info("wpas0 STATUS:\n" + wpas0.request("STATUS")) logger.info("wpas1 STATUS:\n" + wpas1.request("STATUS")) logger.info("wpas0 STATUS-DRIVER:\n" + wpas0.request("STATUS-DRIVER")) logger.info("wpas1 STATUS-DRIVER:\n" + wpas1.request("STATUS-DRIVER")) for i in range(10): macsec_ifname0 = wpas0.get_driver_status_field("parent_ifname") macsec_ifname1 = wpas1.get_driver_status_field("parent_ifname") if "Number of Keys" in wpas0.request("STATUS"): key_tx0 = int(wpas0.get_status_field("Number of Keys Distributed")) key_rx0 = int(wpas0.get_status_field("Number of Keys Received")) else: key_tx0 = 0 key_rx0 = 0 if "Number of Keys" in wpas1.request("STATUS"): key_tx1 = int(wpas1.get_status_field("Number of Keys Distributed")) key_rx1 = int(wpas1.get_status_field("Number of Keys Received")) else: key_tx1 = 0 key_rx1 = 0 if key_rx0 > 0 and key_tx1 > 0: break time.sleep(1) cmd[2] = subprocess.Popen([ 'ip', 'netns', 'exec', 'ns0', 'tcpdump', '-p', '-U', '-i', macsec_ifname0, '-w', cap_macsec0, '-s', '2000', '--immediate-mode' ], stderr=open('/dev/null', 'w')) cmd[3] = subprocess.Popen([ 'ip', 'netns', 'exec', 'ns0', 'tcpdump', '-p', '-U', '-i', macsec_ifname1, '-w', cap_macsec1, '-s', '2000', '--immediate-mode' ], stderr=open('/dev/null', 'w')) time.sleep(0.5) logger.info("wpas0 STATUS:\n" + wpas0.request("STATUS")) logger.info("wpas1 STATUS:\n" + wpas1.request("STATUS")) log_ip_macsec_ns() hwsim_utils.test_connectivity(wpas0, wpas1, ifname1=macsec_ifname0, ifname2=macsec_ifname1, send_len=1400) log_ip_macsec_ns() subprocess.check_call([ 'ip', 'netns', 'exec', 'ns0', 'ip', 'addr', 'add', '192.168.248.17/30', 'dev', macsec_ifname0 ]) subprocess.check_call([ 'ip', 'netns', 'exec', 'ns1', 'ip', 'addr', 'add', '192.168.248.18/30', 'dev', macsec_ifname1 ]) c = subprocess.Popen( ['ip', 'netns', 'exec', 'ns0', 'ping', '-c', '2', '192.168.248.18'], stdout=subprocess.PIPE) res = c.stdout.read().decode() c.stdout.close() logger.info("ping:\n" + res) if "2 packets transmitted, 2 received" not in res: raise Exception("ping did not work") wpas0.close_monitor() wpas0.request("TERMINATE") wpas0.close_control() del wpas0 wpas1.close_monitor() wpas1.request("TERMINATE") wpas1.close_control() del wpas1 time.sleep(1) for i in range(len(cmd)): cmd[i].terminate()
def csa_supported(dev): res = dev.get_driver_status() if (int(res['capa.flags'], 0) & 0x80000000) == 0: raise HwsimSkip("CSA not supported")
def test_dfs_etsi(dev, apdev, params): """DFS and uniform spreading requirement for ETSI [long]""" if not params['long']: raise HwsimSkip( "Skip test case with long duration due to --long not specified") try: hapd = None hapd = start_dfs_ap(apdev[0], allow_failure=True) ev = wait_dfs_event(hapd, "DFS-CAC-COMPLETED", 70) if "success=1" not in ev: raise Exception("CAC failed") if "freq=5260" not in ev: raise Exception("Unexpected DFS freq result") ev = hapd.wait_event(["AP-ENABLED"], timeout=5) if not ev: raise Exception("AP setup timed out") state = hapd.get_status_field("state") if state != "ENABLED": raise Exception("Unexpected interface state") freq = hapd.get_status_field("freq") if freq != "5260": raise Exception("Unexpected frequency") dev[0].connect("dfs", key_mgmt="NONE") hwsim_utils.test_connectivity(dev[0], hapd) hapd.request("RADAR DETECTED freq=%s ht_enabled=1 chan_width=1" % freq) ev = hapd.wait_event(["DFS-RADAR-DETECTED"], timeout=5) if ev is None: raise Exception("DFS-RADAR-DETECTED event not reported") if "freq=%s" % freq not in ev: raise Exception("Incorrect frequency in radar detected event: " + ev) ev = hapd.wait_event(["DFS-NEW-CHANNEL"], timeout=5) if ev is None: raise Exception("DFS-NEW-CHANNEL event not reported") if "freq=%s" % freq in ev: raise Exception("Channel did not change after radar was detected") ev = hapd.wait_event(["AP-CSA-FINISHED", "DFS-CAC-START"], timeout=10) if ev is None: raise Exception( "AP-CSA-FINISHED or DFS-CAC-START event not reported") if "DFS-CAC-START" in ev: # The selected new channel requires CAC ev = wait_dfs_event(hapd, "DFS-CAC-COMPLETED", 70) if "success=1" not in ev: raise Exception("CAC failed") ev = hapd.wait_event(["AP-ENABLED"], timeout=5) if not ev: raise Exception("AP setup timed out") ev = hapd.wait_event(["AP-STA-CONNECTED"], timeout=30) if not ev: raise Exception("STA did not reconnect on new DFS channel") else: # The new channel did not require CAC - try again if "freq=%s" % freq in ev: raise Exception( "Channel did not change after radar was detected(2)") time.sleep(1) hwsim_utils.test_connectivity(dev[0], hapd) finally: dev[0].request("DISCONNECT") if hapd: hapd.request("DISABLE") subprocess.call(['iw', 'reg', 'set', '00']) dev[0].flush_scan_cache()
def test_fils_sk_pmksa_caching_ctrl_ext(dev, apdev): """FILS SK and PMKSA caching with Cache Identifier and external management""" check_fils_capa(dev[0]) check_erp_capa(dev[0]) hapd_as = start_erp_as(apdev[1]) bssid = apdev[0]['bssid'] params = hostapd.wpa2_eap_params(ssid="fils") params['wpa_key_mgmt'] = "FILS-SHA384" params['auth_server_port'] = "18128" params['erp_send_reauth_start'] = '1' params['erp_domain'] = 'example.com' params['fils_realm'] = 'example.com' params['fils_cache_id'] = "ffee" hapd = hostapd.add_ap(apdev[0]['ifname'], params) dev[0].scan_for_bss(bssid, freq=2412) dev[0].request("ERP_FLUSH") id = dev[0].connect("fils", key_mgmt="FILS-SHA384", eap="PSK", identity="*****@*****.**", password_hex="0123456789abcdef0123456789abcdef", erp="1", scan_freq="2412") res1 = dev[0].request("PMKSA_GET %d" % id) logger.info("PMKSA_GET: " + res1) if "UNKNOWN COMMAND" in res1: raise HwsimSkip("PMKSA_GET not supported in the build") if bssid not in res1: raise Exception("PMKSA cache entry missing") if "ffee" not in res1: raise Exception("FILS Cache Identifier not seen in PMKSA cache entry") dev[0].request("DISCONNECT") dev[0].wait_disconnected() hapd_as.disable() dev[0].scan_for_bss(bssid, freq=2412) dev[0].request("PMKSA_FLUSH") dev[0].request("ERP_FLUSH") for entry in res1.splitlines(): if "OK" not in dev[0].request("PMKSA_ADD %d %s" % (id, entry)): raise Exception("Failed to add PMKSA entry") bssid2 = apdev[1]['bssid'] params = hostapd.wpa2_eap_params(ssid="fils") params['wpa_key_mgmt'] = "FILS-SHA384" params['auth_server_port'] = "18128" params['erp_send_reauth_start'] = '1' params['erp_domain'] = 'example.com' params['fils_realm'] = 'example.com' params['fils_cache_id'] = "ffee" hapd2 = hostapd.add_ap(apdev[1]['ifname'], params) dev[0].scan_for_bss(bssid2, freq=2412) dev[0].set_network(id, "bssid", bssid2) dev[0].select_network(id, freq=2412) ev = dev[0].wait_connected() if bssid2 not in ev: raise Exception("Unexpected BSS selected")
def check_fils_capa(dev): capa = dev.get_capability("fils") if capa is None or "FILS" not in capa: raise HwsimSkip("FILS not supported")
def test_owe_local_errors(dev, apdev): """Opportunistic Wireless Encryption - local errors on supplicant""" if "OWE" not in dev[0].get_capability("key_mgmt"): raise HwsimSkip("OWE not supported") params = {"ssid": "owe", "wpa": "2", "ieee80211w": "2", "wpa_key_mgmt": "OWE", "rsn_pairwise": "CCMP"} hapd = hostapd.add_ap(apdev[0], params) bssid = hapd.own_addr() dev[0].scan_for_bss(bssid, freq="2412") tests = [(1, "crypto_ecdh_init;owe_build_assoc_req"), (1, "crypto_ecdh_get_pubkey;owe_build_assoc_req"), (1, "wpabuf_alloc;owe_build_assoc_req")] for count, func in tests: with alloc_fail(dev[0], count, func): dev[0].connect("owe", key_mgmt="OWE", owe_group="20", ieee80211w="2", scan_freq="2412", wait_connect=False) wait_fail_trigger(dev[0], "GET_ALLOC_FAIL") dev[0].request("REMOVE_NETWORK all") dev[0].dump_monitor() tests = [(1, "crypto_ecdh_set_peerkey;owe_process_assoc_resp"), (1, "crypto_ecdh_get_pubkey;owe_process_assoc_resp"), (1, "wpabuf_alloc;=owe_process_assoc_resp")] for count, func in tests: with alloc_fail(dev[0], count, func): dev[0].connect("owe", key_mgmt="OWE", owe_group="20", ieee80211w="2", scan_freq="2412", wait_connect=False) dev[0].wait_disconnected() dev[0].request("REMOVE_NETWORK all") dev[0].dump_monitor() tests = [(1, "hmac_sha256;owe_process_assoc_resp", 19), (1, "hmac_sha256_kdf;owe_process_assoc_resp", 19), (1, "hmac_sha384;owe_process_assoc_resp", 20), (1, "hmac_sha384_kdf;owe_process_assoc_resp", 20), (1, "hmac_sha512;owe_process_assoc_resp", 21), (1, "hmac_sha512_kdf;owe_process_assoc_resp", 21)] for count, func, group in tests: with fail_test(dev[0], count, func): dev[0].connect("owe", key_mgmt="OWE", owe_group=str(group), ieee80211w="2", scan_freq="2412", wait_connect=False) dev[0].wait_disconnected() dev[0].request("REMOVE_NETWORK all") dev[0].dump_monitor() dev[0].connect("owe", key_mgmt="OWE", owe_group="18", ieee80211w="2", scan_freq="2412", wait_connect=False) ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=5) if ev is None: raise Exception("No authentication attempt") time.sleep(0.5) dev[0].request("REMOVE_NETWORK all") dev[0].dump_monitor()
def test_ap_vht80plus80(dev, apdev): """VHT with 80+80 MHz channel width""" try: hapd = None hapd2 = None params = { "ssid": "vht", "country_code": "US", "hw_mode": "a", "channel": "52", "ht_capab": "[HT40+]", "ieee80211n": "1", "ieee80211ac": "1", "vht_oper_chwidth": "3", "vht_oper_centr_freq_seg0_idx": "58", "vht_oper_centr_freq_seg1_idx": "155", 'ieee80211d': '1', 'ieee80211h': '1' } hapd = hostapd.add_ap(apdev[0]['ifname'], params, wait_enabled=False) # This will actually fail since DFS on 80+80 is not yet supported ev = hapd.wait_event(["AP-DISABLED"], timeout=5) # ignore result to avoid breaking the test once 80+80 DFS gets enabled params = { "ssid": "vht2", "country_code": "US", "hw_mode": "a", "channel": "36", "ht_capab": "[HT40+]", "ieee80211n": "1", "ieee80211ac": "1", "vht_oper_chwidth": "3", "vht_oper_centr_freq_seg0_idx": "42", "vht_oper_centr_freq_seg1_idx": "155" } hapd2 = hostapd.add_ap(apdev[1]['ifname'], params, wait_enabled=False) ev = hapd2.wait_event(["AP-ENABLED", "AP-DISABLED"], timeout=5) if not ev: raise Exception("AP setup timed out(2)") if "AP-DISABLED" in ev: # Assume this failed due to missing regulatory update for now raise HwsimSkip( "80+80 MHz channel not supported in regulatory information") state = hapd2.get_status_field("state") if state != "ENABLED": raise Exception("Unexpected interface state(2)") dev[1].connect("vht2", key_mgmt="NONE", scan_freq="5180") hwsim_utils.test_connectivity(dev[1], hapd2) sig = dev[1].request("SIGNAL_POLL").splitlines() if "FREQUENCY=5180" not in sig: raise Exception("Unexpected SIGNAL_POLL value(1): " + str(sig)) if "WIDTH=80+80 MHz" not in sig: raise Exception("Unexpected SIGNAL_POLL value(2): " + str(sig)) if "CENTER_FRQ1=5210" not in sig: raise Exception("Unexpected SIGNAL_POLL value(3): " + str(sig)) if "CENTER_FRQ2=5775" not in sig: raise Exception("Unexpected SIGNAL_POLL value(4): " + str(sig)) except Exception, e: if isinstance(e, Exception) and str(e) == "AP startup failed": if not vht_supported(): raise HwsimSkip( "80/160 MHz channel not supported in regulatory information" ) raise
def test_suite_b_192(dev, apdev): """WPA2-PSK/GCMP-256 connection at Suite B 192-bit level""" if "GCMP-256" not in dev[0].get_capability("pairwise"): raise HwsimSkip("GCMP-256 not supported") if "BIP-GMAC-256" not in dev[0].get_capability("group_mgmt"): raise HwsimSkip("BIP-GMAC-256 not supported") if "WPA-EAP-SUITE-B-192" not in dev[0].get_capability("key_mgmt"): raise HwsimSkip("WPA-EAP-SUITE-B-192 not supported") tls = dev[0].request("GET tls_library") if not tls.startswith("OpenSSL"): raise HwsimSkip("TLS library not supported for Suite B: " + tls) if "build=OpenSSL 1.0.2" not in tls or "run=OpenSSL 1.0.2" not in tls: raise HwsimSkip("OpenSSL version not supported for Suite B: " + tls) params = { "ssid": "test-suite-b", "wpa": "2", "wpa_key_mgmt": "WPA-EAP-SUITE-B-192", "rsn_pairwise": "GCMP-256", "group_mgmt_cipher": "BIP-GMAC-256", "ieee80211w": "2", "ieee8021x": "1", "openssl_ciphers": "SUITEB192", "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf", "ca_cert": "auth_serv/ec2-ca.pem", "server_cert": "auth_serv/ec2-server.pem", "private_key": "auth_serv/ec2-server.key" } hapd = hostapd.add_ap(apdev[0]['ifname'], params) dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192", ieee80211w="2", openssl_ciphers="SUITEB192", eap="TLS", identity="tls user", ca_cert="auth_serv/ec2-ca.pem", client_cert="auth_serv/ec2-user.pem", private_key="auth_serv/ec2-user.key", pairwise="GCMP-256", group="GCMP-256", scan_freq="2412") tls_cipher = dev[0].get_status_field("EAP TLS cipher") if tls_cipher != "ECDHE-ECDSA-AES256-GCM-SHA384": raise Exception("Unexpected TLS cipher: " + tls_cipher) bss = dev[0].get_bss(apdev[0]['bssid']) if 'flags' not in bss: raise Exception("Could not get BSS flags from BSS table") if "[WPA2-EAP-SUITE-B-192-GCMP-256]" not in bss['flags']: raise Exception("Unexpected BSS flags: " + bss['flags']) dev[0].request("DISCONNECT") dev[0].wait_disconnected(timeout=20) dev[0].dump_monitor() dev[0].request("RECONNECT") ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED", "CTRL-EVENT-CONNECTED"], timeout=20) if ev is None: raise Exception("Roaming with the AP timed out") if "CTRL-EVENT-EAP-STARTED" in ev: raise Exception("Unexpected EAP exchange")
def test_pmksa_cache_ctrl_ext(dev, apdev): """PMKSA cache control interface for external management""" params = hostapd.wpa2_eap_params(ssid="test-pmksa-cache") hapd = hostapd.add_ap(apdev[0], params) bssid = apdev[0]['bssid'] id = dev[0].connect("test-pmksa-cache", proto="RSN", key_mgmt="WPA-EAP", eap="GPSK", identity="gpsk user", password="******", scan_freq="2412") res1 = dev[0].request("PMKSA_GET %d" % id) logger.info("PMKSA_GET: " + res1) if "UNKNOWN COMMAND" in res1: raise HwsimSkip("PMKSA_GET not supported in the build") if bssid not in res1: raise Exception("PMKSA cache entry missing") hostapd.add_ap(apdev[1], params) bssid2 = apdev[1]['bssid'] dev[0].scan_for_bss(bssid2, freq=2412, force_scan=True) dev[0].request("ROAM " + bssid2) dev[0].wait_connected() res2 = dev[0].request("PMKSA_GET %d" % id) logger.info("PMKSA_GET: " + res2) if bssid not in res2: raise Exception("PMKSA cache entry 1 missing") if bssid2 not in res2: raise Exception("PMKSA cache entry 2 missing") dev[0].request("REMOVE_NETWORK all") dev[0].wait_disconnected() dev[0].request("PMKSA_FLUSH") id = dev[0].connect("test-pmksa-cache", proto="RSN", key_mgmt="WPA-EAP", eap="GPSK", identity="gpsk user", password="******", scan_freq="2412", only_add_network=True) res3 = dev[0].request("PMKSA_GET %d" % id) if res3 != '': raise Exception("Unexpected PMKSA cache entry remains: " + res3) res4 = dev[0].request("PMKSA_GET %d" % (id + 1234)) if not res4.startswith('FAIL'): raise Exception("Unexpected PMKSA cache entry for unknown network: " + res4) for entry in res2.splitlines(): if "OK" not in dev[0].request("PMKSA_ADD %d %s" % (id, entry)): raise Exception("Failed to add PMKSA entry") dev[0].select_network(id) ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED", "CTRL-EVENT-CONNECTED"], timeout=15) if ev is None: raise Exception("Connection with the AP timed out") if "CTRL-EVENT-EAP-STARTED" in ev: raise Exception( "Unexpected EAP exchange after external PMKSA cache restore")
def test_wpa2_psk_key_lifetime_in_memory(dev, apdev, params): """WPA2-PSK and PSK/PTK lifetime in memory""" ssid = "test-wpa2-psk" passphrase = 'qwertyuiop' psk = '602e323e077bc63bd80307ef4745b754b0ae0a925c2638ecd13a794b9527b9e6' pmk = binascii.unhexlify(psk) p = hostapd.wpa2_params(ssid=ssid) p['wpa_psk'] = psk hapd = hostapd.add_ap(apdev[0]['ifname'], p) pid = find_wpas_process(dev[0]) id = dev[0].connect(ssid, raw_psk=psk, scan_freq="2412", only_add_network=True) logger.info("Checking keys in memory after network profile configuration") buf = read_process_memory(pid, pmk) get_key_locations(buf, pmk, "PMK") dev[0].request("REMOVE_NETWORK all") logger.info("Checking keys in memory after network profile removal") buf = read_process_memory(pid, pmk) get_key_locations(buf, pmk, "PMK") id = dev[0].connect(ssid, psk=passphrase, scan_freq="2412", only_add_network=True) logger.info("Checking keys in memory before connection") buf = read_process_memory(pid, pmk) get_key_locations(buf, pmk, "PMK") dev[0].connect_network(id, timeout=20) time.sleep(1) buf = read_process_memory(pid, pmk) dev[0].request("DISCONNECT") dev[0].wait_disconnected() dev[0].relog() ptk = None gtk = None with open(os.path.join(params['logdir'], 'log0'), 'r') as f: for l in f.readlines(): if "WPA: PTK - hexdump" in l: val = l.strip().split(':')[3].replace(' ', '') ptk = binascii.unhexlify(val) if "WPA: Group Key - hexdump" in l: val = l.strip().split(':')[3].replace(' ', '') gtk = binascii.unhexlify(val) if not pmk or not ptk or not gtk: raise Exception("Could not find keys from debug log") if len(gtk) != 16: raise Exception("Unexpected GTK length") kck = ptk[0:16] kek = ptk[16:32] tk = ptk[32:48] logger.info("Checking keys in memory while associated") get_key_locations(buf, pmk, "PMK") if pmk not in buf: raise HwsimSkip("PMK not found while associated") if kck not in buf: raise Exception("KCK not found while associated") if kek not in buf: raise Exception("KEK not found while associated") if tk in buf: raise Exception("TK found from memory") if gtk in buf: raise Exception("GTK found from memory") logger.info("Checking keys in memory after disassociation") buf = read_process_memory(pid, pmk) get_key_locations(buf, pmk, "PMK") # Note: PMK/PSK is still present in network configuration fname = os.path.join(params['logdir'], 'wpa2_psk_key_lifetime_in_memory.memctx-') verify_not_present(buf, kck, fname, "KCK") verify_not_present(buf, kek, fname, "KEK") verify_not_present(buf, tk, fname, "TK") verify_not_present(buf, gtk, fname, "GTK") dev[0].request("REMOVE_NETWORK all") logger.info("Checking keys in memory after network profile removal") buf = read_process_memory(pid, pmk) get_key_locations(buf, pmk, "PMK") verify_not_present(buf, pmk, fname, "PMK") verify_not_present(buf, kck, fname, "KCK") verify_not_present(buf, kek, fname, "KEK") verify_not_present(buf, tk, fname, "TK") verify_not_present(buf, gtk, fname, "GTK")
def test_sae_invalid_anti_clogging_token_req(dev, apdev): """SAE and invalid anti-clogging token request""" if "SAE" not in dev[0].get_capability("auth_alg"): raise HwsimSkip("SAE not supported") params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678") params['wpa_key_mgmt'] = 'SAE' hapd = hostapd.add_ap(apdev[0], params) bssid = apdev[0]['bssid'] dev[0].request("SET sae_groups 19") dev[0].scan_for_bss(bssid, freq=2412) hapd.set("ext_mgmt_frame_handling", "1") dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE", scan_freq="2412", wait_connect=False) ev = dev[0].wait_event(["SME: Trying to authenticate"]) if ev is None: raise Exception("No authentication attempt seen") dev[0].dump_monitor() for i in range(0, 10): req = hapd.mgmt_rx() if req is None: raise Exception("MGMT RX wait timed out (commit)") if req['subtype'] == 11: break req = None if not req: raise Exception("Authentication frame (commit) not received") hapd.dump_monitor() resp = {} resp['fc'] = req['fc'] resp['da'] = req['sa'] resp['sa'] = req['da'] resp['bssid'] = req['bssid'] resp['payload'] = binascii.unhexlify("030001004c0013") hapd.mgmt_tx(resp) ev = dev[0].wait_event(["SME: Trying to authenticate"]) if ev is None: raise Exception("No authentication attempt seen") dev[0].dump_monitor() for i in range(0, 10): req = hapd.mgmt_rx() if req is None: raise Exception("MGMT RX wait timed out (commit) (2)") if req['subtype'] == 11: break req = None if not req: raise Exception("Authentication frame (commit) not received (2)") hapd.dump_monitor() resp = {} resp['fc'] = req['fc'] resp['da'] = req['sa'] resp['sa'] = req['da'] resp['bssid'] = req['bssid'] resp['payload'] = binascii.unhexlify("030001000100") hapd.mgmt_tx(resp) ev = dev[0].wait_event(["SME: Trying to authenticate"]) if ev is None: raise Exception("No authentication attempt seen") dev[0].dump_monitor() dev[0].request("DISCONNECT")
def test_rrm_neighbor_rep_req(dev, apdev): """wpa_supplicant ctrl_iface NEIGHBOR_REP_REQUEST""" nr1 = "00112233445500000000510107" nr2 = "00112233445600000000510107" nr3 = "dd112233445500000000510107" params = {"ssid": "test"} hostapd.add_ap(apdev[0]['ifname'], params) params = {"ssid": "test2", "rrm_neighbor_report": "1"} hapd = hostapd.add_ap(apdev[1]['ifname'], params) bssid1 = apdev[1]['bssid'] dev[0].connect("test", key_mgmt="NONE", scan_freq="2412") if "FAIL" not in dev[0].request("NEIGHBOR_REP_REQUEST"): raise Exception("Request succeeded unexpectedly (AP without RRM)") if "FAIL" not in dev[0].request("NEIGHBOR_REP_REQUEST ssid=\"abcdef\""): raise Exception("Request succeeded unexpectedly (AP without RRM 2)") dev[0].request("DISCONNECT") rrm = int(dev[0].get_driver_status_field("capa.rrm_flags"), 16) if rrm & 0x5 != 0x5 and rrm & 0x10 != 0x10: raise HwsimSkip("Required RRM capabilities are not supported") dev[0].connect("test2", key_mgmt="NONE", scan_freq="2412") if "OK" not in dev[0].request("NEIGHBOR_REP_REQUEST"): raise Exception("Request failed") check_nr_results(dev[0], [bssid1]) if "OK" not in dev[0].request("NEIGHBOR_REP_REQUEST lci"): raise Exception("Request failed") check_nr_results(dev[0], [bssid1]) if "OK" not in dev[0].request("NEIGHBOR_REP_REQUEST lci civic"): raise Exception("Request failed") check_nr_results(dev[0], [bssid1]) if "OK" not in dev[0].request("NEIGHBOR_REP_REQUEST ssid=\"test3\""): raise Exception("Request failed") check_nr_results(dev[0]) if "OK" not in dev[0].request( "NEIGHBOR_REP_REQUEST ssid=\"test3\" lci civic"): raise Exception("Request failed") check_nr_results(dev[0]) if "OK" not in hapd.request( "SET_NEIGHBOR 00:11:22:33:44:55 ssid=\"test3\" nr=" + nr1 + " lci=" + lci + " civic=" + civic): raise Exception("Set neighbor failed") if "OK" not in hapd.request( "SET_NEIGHBOR 00:11:22:33:44:56 ssid=\"test3\" nr=" + nr2 + " lci=" + lci + " civic=" + civic): raise Exception("Set neighbor failed") if "OK" not in hapd.request( "SET_NEIGHBOR 00:11:22:33:44:56 ssid=\"test4\" nr=" + nr2 + " lci=" + lci + " civic=" + civic): raise Exception("Set neighbor failed") if "OK" not in hapd.request( "SET_NEIGHBOR dd:11:22:33:44:55 ssid=\"test5\" nr=" + nr3 + " lci=" + lci): raise Exception("Set neighbor failed") if "OK" not in dev[0].request("NEIGHBOR_REP_REQUEST ssid=\"test3\""): raise Exception("Request failed") check_nr_results(dev[0], ["00:11:22:33:44:55", "00:11:22:33:44:56"]) if "OK" not in dev[0].request("NEIGHBOR_REP_REQUEST ssid=\"test3\" lci"): raise Exception("Request failed") check_nr_results(dev[0], ["00:11:22:33:44:55", "00:11:22:33:44:56"], lci=True) if "OK" not in dev[0].request("NEIGHBOR_REP_REQUEST ssid=\"test3\" civic"): raise Exception("Request failed") check_nr_results(dev[0], ["00:11:22:33:44:55", "00:11:22:33:44:56"], civic=True) if "OK" not in dev[0].request( "NEIGHBOR_REP_REQUEST ssid=\"test3\" lci civic"): raise Exception("Request failed") check_nr_results(dev[0], ["00:11:22:33:44:55", "00:11:22:33:44:56"], lci=True, civic=True) if "OK" not in dev[0].request("NEIGHBOR_REP_REQUEST ssid=\"test4\""): raise Exception("Request failed") check_nr_results(dev[0], ["00:11:22:33:44:56"]) if "OK" not in dev[0].request("NEIGHBOR_REP_REQUEST ssid=\"test4\" lci"): raise Exception("Request failed") check_nr_results(dev[0], ["00:11:22:33:44:56"], lci=True) if "OK" not in dev[0].request("NEIGHBOR_REP_REQUEST ssid=\"test4\" civic"): raise Exception("Request failed") check_nr_results(dev[0], ["00:11:22:33:44:56"], civic=True) if "OK" not in dev[0].request( "NEIGHBOR_REP_REQUEST ssid=\"test4\" lci civic"): raise Exception("Request failed") check_nr_results(dev[0], ["00:11:22:33:44:56"], lci=True, civic=True) if "OK" not in dev[0].request("NEIGHBOR_REP_REQUEST ssid=\"test5\""): raise Exception("Request failed") check_nr_results(dev[0], ["dd:11:22:33:44:55"]) if "OK" not in dev[0].request("NEIGHBOR_REP_REQUEST ssid=\"test5\" lci"): raise Exception("Request failed") check_nr_results(dev[0], ["dd:11:22:33:44:55"], lci=True) if "OK" not in dev[0].request("NEIGHBOR_REP_REQUEST ssid=\"test5\" civic"): raise Exception("Request failed") check_nr_results(dev[0], ["dd:11:22:33:44:55"]) if "OK" not in dev[0].request( "NEIGHBOR_REP_REQUEST ssid=\"test5\" lci civic"): raise Exception("Request failed") check_nr_results(dev[0], ["dd:11:22:33:44:55"], lci=True)
def test_erp_key_lifetime_in_memory(dev, apdev, params): """ERP and key lifetime in memory""" check_erp_capa(dev[0]) p = int_eap_server_params() p['erp_send_reauth_start'] = '1' p['erp_domain'] = 'example.com' p['eap_server_erp'] = '1' p['disable_pmksa_caching'] = '1' hapd = hostapd.add_ap(apdev[0], p) password = "******" pid = find_wpas_process(dev[0]) dev[0].request("ERP_FLUSH") dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS", identity="*****@*****.**", password=password, ca_cert="auth_serv/ca.pem", phase2="auth=PAP", erp="1", scan_freq="2412") # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED # event has been delivered, so verify that wpa_supplicant has returned to # eloop before reading process memory. time.sleep(1) dev[0].ping() password = password.encode() buf = read_process_memory(pid, password) dev[0].request("DISCONNECT") dev[0].wait_disconnected(timeout=15) dev[0].relog() msk = None emsk = None rRK = None rIK = None pmk = None ptk = None gtk = None with open(os.path.join(params['logdir'], 'log0'), 'r') as f: for l in f.readlines(): if "EAP-TTLS: Derived key - hexdump" in l: val = l.strip().split(':')[3].replace(' ', '') msk = binascii.unhexlify(val) if "EAP-TTLS: Derived EMSK - hexdump" in l: val = l.strip().split(':')[3].replace(' ', '') emsk = binascii.unhexlify(val) if "EAP: ERP rRK - hexdump" in l: val = l.strip().split(':')[3].replace(' ', '') rRK = binascii.unhexlify(val) if "EAP: ERP rIK - hexdump" in l: val = l.strip().split(':')[3].replace(' ', '') rIK = binascii.unhexlify(val) if "WPA: PMK - hexdump" in l: val = l.strip().split(':')[3].replace(' ', '') pmk = binascii.unhexlify(val) if "WPA: PTK - hexdump" in l: val = l.strip().split(':')[3].replace(' ', '') ptk = binascii.unhexlify(val) if "WPA: Group Key - hexdump" in l: val = l.strip().split(':')[3].replace(' ', '') gtk = binascii.unhexlify(val) if not msk or not emsk or not rIK or not rRK or not pmk or not ptk or not gtk: raise Exception("Could not find keys from debug log") if len(gtk) != 16: raise Exception("Unexpected GTK length") kck = ptk[0:16] kek = ptk[16:32] tk = ptk[32:48] fname = os.path.join(params['logdir'], 'erp_key_lifetime_in_memory.memctx-') logger.info("Checking keys in memory while associated") get_key_locations(buf, password, "Password") get_key_locations(buf, pmk, "PMK") get_key_locations(buf, msk, "MSK") get_key_locations(buf, emsk, "EMSK") get_key_locations(buf, rRK, "rRK") get_key_locations(buf, rIK, "rIK") if password not in buf: raise HwsimSkip("Password not found while associated") if pmk not in buf: raise HwsimSkip("PMK not found while associated") if kck not in buf: raise Exception("KCK not found while associated") if kek not in buf: raise Exception("KEK not found while associated") #if tk in buf: # raise Exception("TK found from memory") logger.info("Checking keys in memory after disassociation") buf = read_process_memory(pid, password) # Note: Password is still present in network configuration # Note: PMK is in EAP fast re-auth data get_key_locations(buf, password, "Password") get_key_locations(buf, pmk, "PMK") get_key_locations(buf, msk, "MSK") get_key_locations(buf, emsk, "EMSK") get_key_locations(buf, rRK, "rRK") get_key_locations(buf, rIK, "rIK") verify_not_present(buf, kck, fname, "KCK") verify_not_present(buf, kek, fname, "KEK") verify_not_present(buf, tk, fname, "TK") if gtk in buf: get_key_locations(buf, gtk, "GTK") verify_not_present(buf, gtk, fname, "GTK") dev[0].request("RECONNECT") ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15) if ev is None: raise Exception("EAP success timed out") if "EAP re-authentication completed successfully" not in ev: raise Exception("Did not use ERP") dev[0].wait_connected(timeout=15, error="Reconnection timed out") dev[0].request("DISCONNECT") dev[0].wait_disconnected(timeout=15) dev[0].relog() pmk = None ptk = None gtk = None with open(os.path.join(params['logdir'], 'log0'), 'r') as f: for l in f.readlines(): if "WPA: PMK - hexdump" in l: val = l.strip().split(':')[3].replace(' ', '') pmk = binascii.unhexlify(val) if "WPA: PTK - hexdump" in l: val = l.strip().split(':')[3].replace(' ', '') ptk = binascii.unhexlify(val) if "WPA: GTK in EAPOL-Key - hexdump" in l: val = l.strip().split(':')[3].replace(' ', '') gtk = binascii.unhexlify(val) if not pmk or not ptk or not gtk: raise Exception("Could not find keys from debug log") kck = ptk[0:16] kek = ptk[16:32] tk = ptk[32:48] logger.info("Checking keys in memory after ERP and disassociation") buf = read_process_memory(pid, password) # Note: Password is still present in network configuration get_key_locations(buf, password, "Password") get_key_locations(buf, pmk, "PMK") get_key_locations(buf, msk, "MSK") get_key_locations(buf, emsk, "EMSK") get_key_locations(buf, rRK, "rRK") get_key_locations(buf, rIK, "rIK") verify_not_present(buf, kck, fname, "KCK") verify_not_present(buf, kek, fname, "KEK") verify_not_present(buf, tk, fname, "TK") verify_not_present(buf, gtk, fname, "GTK") dev[0].request("REMOVE_NETWORK all") logger.info("Checking keys in memory after network profile removal") buf = read_process_memory(pid, password) # Note: rRK and rIK are still in memory get_key_locations(buf, password, "Password") get_key_locations(buf, pmk, "PMK") get_key_locations(buf, msk, "MSK") get_key_locations(buf, emsk, "EMSK") get_key_locations(buf, rRK, "rRK") get_key_locations(buf, rIK, "rIK") verify_not_present(buf, password, fname, "password") verify_not_present(buf, pmk, fname, "PMK") verify_not_present(buf, kck, fname, "KCK") verify_not_present(buf, kek, fname, "KEK") verify_not_present(buf, tk, fname, "TK") verify_not_present(buf, gtk, fname, "GTK") verify_not_present(buf, msk, fname, "MSK") verify_not_present(buf, emsk, fname, "EMSK") dev[0].request("ERP_FLUSH") logger.info("Checking keys in memory after ERP_FLUSH") buf = read_process_memory(pid, password) get_key_locations(buf, rRK, "rRK") get_key_locations(buf, rIK, "rIK") verify_not_present(buf, rRK, fname, "rRK") verify_not_present(buf, rIK, fname, "rIK")
def test_ap_cipher_tkip_countermeasures_sta2(dev, apdev, params): """WPA-PSK/TKIP countermeasures (detected by two STAs) [long]""" if not params['long']: raise HwsimSkip("Skip test case with long duration due to --long not specified") skip_with_fips(dev[0]) params = { "ssid": "tkip-countermeasures", "wpa_passphrase": "12345678", "wpa": "1", "wpa_key_mgmt": "WPA-PSK", "wpa_pairwise": "TKIP" } hapd = hostapd.add_ap(apdev[0], params) testfile = "/sys/kernel/debug/ieee80211/%s/netdev:%s/tkip_mic_test" % (hapd.get_driver_status_field("phyname"), apdev[0]['ifname']) if hapd.cmd_execute([ "ls", testfile ])[0] != 0: raise HwsimSkip("tkip_mic_test not supported in mac80211") dev[0].connect("tkip-countermeasures", psk="12345678", pairwise="TKIP", group="TKIP", scan_freq="2412") dev[0].dump_monitor() id = dev[1].connect("tkip-countermeasures", psk="12345678", pairwise="TKIP", group="TKIP", scan_freq="2412") dev[1].dump_monitor() hapd.cmd_execute([ "echo", "-n", "ff:ff:ff:ff:ff:ff", ">", testfile ], shell=True) ev = dev[0].wait_disconnected(timeout=10, error="No disconnection after two Michael MIC failure") if "reason=14" not in ev: raise Exception("Unexpected disconnection reason: " + ev) ev = dev[1].wait_disconnected(timeout=5, error="No disconnection after two Michael MIC failure") if "reason=14" not in ev: raise Exception("Unexpected disconnection reason: " + ev) ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1) if ev is not None: raise Exception("Unexpected connection during TKIP countermeasures") ev = dev[1].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1) if ev is not None: raise Exception("Unexpected connection during TKIP countermeasures") dev[0].request("REMOVE_NETWORK all") logger.info("Waiting for TKIP countermeasures to end") connected = False start = os.times()[4] while True: now = os.times()[4] if start + 70 < now: break dev[0].connect("tkip-countermeasures", psk="12345678", pairwise="TKIP", group="TKIP", scan_freq="2412", wait_connect=False) ev = dev[0].wait_event(["CTRL-EVENT-AUTH-REJECT", "CTRL-EVENT-CONNECTED"], timeout=10) if ev is None: raise Exception("No connection result") if "CTRL-EVENT-CONNECTED" in ev: connected = True break if "status_code=1" not in ev: raise Exception("Unexpected connection failure reason during TKIP countermeasures: " + ev) dev[0].request("REMOVE_NETWORK all") time.sleep(1) dev[0].dump_monitor() dev[1].dump_monitor() if not connected: raise Exception("No connection after TKIP countermeasures terminated") ev = dev[1].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1) if ev is None: dev[1].request("DISCONNECT") dev[1].select_network(id) dev[1].wait_connected()
def test_sae_bignum_failure(dev, apdev): """SAE and bignum failure""" if "SAE" not in dev[0].get_capability("auth_alg"): raise HwsimSkip("SAE not supported") params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678") params['wpa_key_mgmt'] = 'SAE' params['sae_groups'] = '19 5 22' hapd = hostapd.add_ap(apdev[0], params) dev[0].request("SET sae_groups 19") tests = [(1, "crypto_bignum_init_set;get_rand_1_to_p_1"), (1, "crypto_bignum_init;is_quadratic_residue_blind"), (1, "crypto_bignum_mulmod;is_quadratic_residue_blind"), (2, "crypto_bignum_mulmod;is_quadratic_residue_blind"), (3, "crypto_bignum_mulmod;is_quadratic_residue_blind"), (1, "crypto_bignum_legendre;is_quadratic_residue_blind"), (1, "crypto_bignum_init_set;sae_test_pwd_seed_ecc"), (1, "crypto_ec_point_compute_y_sqr;sae_test_pwd_seed_ecc"), (1, "crypto_bignum_init_set;get_random_qr_qnr"), (1, "crypto_bignum_to_bin;sae_derive_pwe_ecc"), (1, "crypto_ec_point_init;sae_derive_pwe_ecc"), (1, "crypto_ec_point_solve_y_coord;sae_derive_pwe_ecc"), (1, "crypto_ec_point_init;sae_derive_commit_element_ecc"), (1, "crypto_ec_point_mul;sae_derive_commit_element_ecc"), (1, "crypto_ec_point_invert;sae_derive_commit_element_ecc"), (1, "crypto_bignum_init;=sae_derive_commit"), (1, "crypto_ec_point_init;sae_derive_k_ecc"), (1, "crypto_ec_point_mul;sae_derive_k_ecc"), (1, "crypto_ec_point_add;sae_derive_k_ecc"), (2, "crypto_ec_point_mul;sae_derive_k_ecc"), (1, "crypto_ec_point_to_bin;sae_derive_k_ecc"), (1, "crypto_bignum_legendre;get_random_qr_qnr"), (1, "sha256_prf;sae_derive_keys"), (1, "crypto_bignum_init;sae_derive_keys"), (1, "crypto_bignum_init_set;sae_parse_commit_scalar"), (1, "crypto_bignum_to_bin;sae_parse_commit_element_ecc"), (1, "crypto_ec_point_from_bin;sae_parse_commit_element_ecc")] for count, func in tests: with fail_test(dev[0], count, func): dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE", scan_freq="2412", wait_connect=False) wait_fail_trigger(dev[0], "GET_FAIL") dev[0].request("REMOVE_NETWORK all") dev[0].request("SET sae_groups 5") tests = [(1, "crypto_bignum_init_set;sae_set_group"), (2, "crypto_bignum_init_set;sae_set_group"), (1, "crypto_bignum_init_set;sae_get_rand"), (1, "crypto_bignum_init_set;sae_test_pwd_seed_ffc"), (1, "crypto_bignum_exptmod;sae_test_pwd_seed_ffc"), (1, "crypto_bignum_init;sae_derive_pwe_ffc"), (1, "crypto_bignum_init;sae_derive_commit_element_ffc"), (1, "crypto_bignum_exptmod;sae_derive_commit_element_ffc"), (1, "crypto_bignum_inverse;sae_derive_commit_element_ffc"), (1, "crypto_bignum_init;sae_derive_k_ffc"), (1, "crypto_bignum_exptmod;sae_derive_k_ffc"), (1, "crypto_bignum_mulmod;sae_derive_k_ffc"), (2, "crypto_bignum_exptmod;sae_derive_k_ffc"), (1, "crypto_bignum_to_bin;sae_derive_k_ffc"), (1, "crypto_bignum_init_set;sae_parse_commit_element_ffc"), (1, "crypto_bignum_init;sae_parse_commit_element_ffc"), (2, "crypto_bignum_init_set;sae_parse_commit_element_ffc"), (1, "crypto_bignum_exptmod;sae_parse_commit_element_ffc")] for count, func in tests: with fail_test(dev[0], count, func): dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE", scan_freq="2412", wait_connect=False) wait_fail_trigger(dev[0], "GET_FAIL") dev[0].request("REMOVE_NETWORK all") dev[0].request("SET sae_groups 22") tests = [(1, "crypto_bignum_init_set;sae_test_pwd_seed_ffc"), (1, "crypto_bignum_sub;sae_test_pwd_seed_ffc"), (1, "crypto_bignum_div;sae_test_pwd_seed_ffc")] for count, func in tests: with fail_test(dev[0], count, func): dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE", scan_freq="2412", wait_connect=False) wait_fail_trigger(dev[0], "GET_FAIL") dev[0].request("REMOVE_NETWORK all")
def test_ap_cipher_replay_protection_ap_gcmp(dev, apdev): """GCMP replay protection on AP""" if "GCMP" not in dev[0].get_capability("pairwise"): raise HwsimSkip("GCMP not supported") run_ap_cipher_replay_protection_ap(dev, apdev, "GCMP")
def test_sae_key_lifetime_in_memory(dev, apdev, params): """SAE and key lifetime in memory""" if "SAE" not in dev[0].get_capability("auth_alg"): raise HwsimSkip("SAE not supported") password = "******" p = hostapd.wpa2_params(ssid="test-sae", passphrase=password) p['wpa_key_mgmt'] = 'SAE' hapd = hostapd.add_ap(apdev[0], p) pid = find_wpas_process(dev[0]) dev[0].request("SET sae_groups ") id = dev[0].connect("test-sae", psk=password, key_mgmt="SAE", scan_freq="2412") # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED # event has been delivered, so verify that wpa_supplicant has returned to # eloop before reading process memory. time.sleep(1) dev[0].ping() buf = read_process_memory(pid, password) dev[0].request("DISCONNECT") dev[0].wait_disconnected() dev[0].relog() sae_k = None sae_keyseed = None sae_kck = None pmk = None ptk = None gtk = None with open(os.path.join(params['logdir'], 'log0'), 'r') as f: for l in f.readlines(): if "SAE: k - hexdump" in l: val = l.strip().split(':')[3].replace(' ', '') sae_k = binascii.unhexlify(val) if "SAE: keyseed - hexdump" in l: val = l.strip().split(':')[3].replace(' ', '') sae_keyseed = binascii.unhexlify(val) if "SAE: KCK - hexdump" in l: val = l.strip().split(':')[3].replace(' ', '') sae_kck = binascii.unhexlify(val) if "SAE: PMK - hexdump" in l: val = l.strip().split(':')[3].replace(' ', '') pmk = binascii.unhexlify(val) if "WPA: PTK - hexdump" in l: val = l.strip().split(':')[3].replace(' ', '') ptk = binascii.unhexlify(val) if "WPA: Group Key - hexdump" in l: val = l.strip().split(':')[3].replace(' ', '') gtk = binascii.unhexlify(val) if not sae_k or not sae_keyseed or not sae_kck or not pmk or not ptk or not gtk: raise Exception("Could not find keys from debug log") if len(gtk) != 16: raise Exception("Unexpected GTK length") kck = ptk[0:16] kek = ptk[16:32] tk = ptk[32:48] fname = os.path.join(params['logdir'], 'sae_key_lifetime_in_memory.memctx-') logger.info("Checking keys in memory while associated") get_key_locations(buf, password, "Password") get_key_locations(buf, pmk, "PMK") if password not in buf: raise HwsimSkip("Password not found while associated") if pmk not in buf: raise HwsimSkip("PMK not found while associated") if kck not in buf: raise Exception("KCK not found while associated") if kek not in buf: raise Exception("KEK not found while associated") #if tk in buf: # raise Exception("TK found from memory") verify_not_present(buf, sae_k, fname, "SAE(k)") verify_not_present(buf, sae_keyseed, fname, "SAE(keyseed)") verify_not_present(buf, sae_kck, fname, "SAE(KCK)") logger.info("Checking keys in memory after disassociation") buf = read_process_memory(pid, password) # Note: Password is still present in network configuration # Note: PMK is in PMKSA cache get_key_locations(buf, password, "Password") get_key_locations(buf, pmk, "PMK") verify_not_present(buf, kck, fname, "KCK") verify_not_present(buf, kek, fname, "KEK") verify_not_present(buf, tk, fname, "TK") if gtk in buf: get_key_locations(buf, gtk, "GTK") verify_not_present(buf, gtk, fname, "GTK") verify_not_present(buf, sae_k, fname, "SAE(k)") verify_not_present(buf, sae_keyseed, fname, "SAE(keyseed)") verify_not_present(buf, sae_kck, fname, "SAE(KCK)") dev[0].request("PMKSA_FLUSH") logger.info("Checking keys in memory after PMKSA cache flush") buf = read_process_memory(pid, password) get_key_locations(buf, password, "Password") get_key_locations(buf, pmk, "PMK") verify_not_present(buf, pmk, fname, "PMK") dev[0].request("REMOVE_NETWORK all") logger.info("Checking keys in memory after network profile removal") buf = read_process_memory(pid, password) get_key_locations(buf, password, "Password") get_key_locations(buf, pmk, "PMK") verify_not_present(buf, password, fname, "password") verify_not_present(buf, pmk, fname, "PMK") verify_not_present(buf, kck, fname, "KCK") verify_not_present(buf, kek, fname, "KEK") verify_not_present(buf, tk, fname, "TK") verify_not_present(buf, gtk, fname, "GTK") verify_not_present(buf, sae_k, fname, "SAE(k)") verify_not_present(buf, sae_keyseed, fname, "SAE(keyseed)") verify_not_present(buf, sae_kck, fname, "SAE(KCK)")
def test_ap_cipher_replay_protection_sta_gtk_gcmp(dev, apdev): """GCMP replay protection on STA (GTK)""" if "GCMP" not in dev[0].get_capability("pairwise"): raise HwsimSkip("GCMP not supported") run_ap_cipher_replay_protection_sta(dev, apdev, "GCMP", gtk=True)
def test_sae_proto_ffc(dev, apdev): """SAE protocol testing (FFC)""" if "SAE" not in dev[0].get_capability("auth_alg"): raise HwsimSkip("SAE not supported") params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678") params['wpa_key_mgmt'] = 'SAE' hapd = hostapd.add_ap(apdev[0], params) bssid = apdev[0]['bssid'] dev[0].request("SET sae_groups 2") tests = [ ("Confirm mismatch", "0200" + "0c70519d874e3e4930a917cc5e17ea7a26028211159f217bab28b8d6c56691805e49f03249b2c6e22c7c9f86b30e04ccad2deedd5e5108ae07b737c00001c59cd0eb08b1dfc7f1b06a1542e2b6601a963c066e0c65940983a03917ae57a101ce84b5cbbc76ff33ebb990aac2e54aa0f0ab6ec0a58113d927683502b2cb2347d2" + "a8c00117493cdffa5dd671e934bc9cb1a69f39e25e9dd9cd9afd3aea2441a0f5491211c7ba50a753563f9ce943b043557cb71193b28e86ed9544f4289c471bf91b70af5c018cf4663e004165b0fd0bc1d8f3f78adf42eee92bcbc55246fd3ee9f107ab965dc7d4986f23eb71d616ebfe6bfe0a6c1ac5dc1718acee17c9a17486", "0000f3116a9731f1259622e3eb55d4b3b50ba16f8c5f5565b28e609b180c51460251" ), ("Too short commit", "0200" + "0c70519d874e3e4930a917cc5e17ea7a26028211159f217bab28b8d6c56691805e49f03249b2c6e22c7c9f86b30e04ccad2deedd5e5108ae07b737c00001c59cd0eb08b1dfc7f1b06a1542e2b6601a963c066e0c65940983a03917ae57a101ce84b5cbbc76ff33ebb990aac2e54aa0f0ab6ec0a58113d927683502b2cb2347d2" + "a8c00117493cdffa5dd671e934bc9cb1a69f39e25e9dd9cd9afd3aea2441a0f5491211c7ba50a753563f9ce943b043557cb71193b28e86ed9544f4289c471bf91b70af5c018cf4663e004165b0fd0bc1d8f3f78adf42eee92bcbc55246fd3ee9f107ab965dc7d4986f23eb71d616ebfe6bfe0a6c1ac5dc1718acee17c9a174", None), ("Invalid element (0) in commit", "0200" + "0c70519d874e3e4930a917cc5e17ea7a26028211159f217bab28b8d6c56691805e49f03249b2c6e22c7c9f86b30e04ccad2deedd5e5108ae07b737c00001c59cd0eb08b1dfc7f1b06a1542e2b6601a963c066e0c65940983a03917ae57a101ce84b5cbbc76ff33ebb990aac2e54aa0f0ab6ec0a58113d927683502b2cb2347d2" + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", None), ("Invalid element (1) in commit", "0200" + "0c70519d874e3e4930a917cc5e17ea7a26028211159f217bab28b8d6c56691805e49f03249b2c6e22c7c9f86b30e04ccad2deedd5e5108ae07b737c00001c59cd0eb08b1dfc7f1b06a1542e2b6601a963c066e0c65940983a03917ae57a101ce84b5cbbc76ff33ebb990aac2e54aa0f0ab6ec0a58113d927683502b2cb2347d2" + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001", None), ("Invalid element (> P) in commit", "0200" + "0c70519d874e3e4930a917cc5e17ea7a26028211159f217bab28b8d6c56691805e49f03249b2c6e22c7c9f86b30e04ccad2deedd5e5108ae07b737c00001c59cd0eb08b1dfc7f1b06a1542e2b6601a963c066e0c65940983a03917ae57a101ce84b5cbbc76ff33ebb990aac2e54aa0f0ab6ec0a58113d927683502b2cb2347d2" + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", None) ] for (note, commit, confirm) in tests: logger.info(note) dev[0].scan_for_bss(bssid, freq=2412) hapd.set("ext_mgmt_frame_handling", "1") dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE", scan_freq="2412", wait_connect=False) logger.info("Commit") for i in range(0, 10): req = hapd.mgmt_rx() if req is None: raise Exception("MGMT RX wait timed out (commit)") if req['subtype'] == 11: break req = None if not req: raise Exception("Authentication frame (commit) not received") hapd.dump_monitor() resp = {} resp['fc'] = req['fc'] resp['da'] = req['sa'] resp['sa'] = req['da'] resp['bssid'] = req['bssid'] resp['payload'] = binascii.unhexlify("030001000000" + commit) hapd.mgmt_tx(resp) if confirm: logger.info("Confirm") for i in range(0, 10): req = hapd.mgmt_rx() if req is None: raise Exception("MGMT RX wait timed out (confirm)") if req['subtype'] == 11: break req = None if not req: raise Exception("Authentication frame (confirm) not received") hapd.dump_monitor() resp = {} resp['fc'] = req['fc'] resp['da'] = req['sa'] resp['sa'] = req['da'] resp['bssid'] = req['bssid'] resp['payload'] = binascii.unhexlify("030002000000" + confirm) hapd.mgmt_tx(resp) time.sleep(0.1) dev[0].request("REMOVE_NETWORK all") hapd.set("ext_mgmt_frame_handling", "0") hapd.dump_monitor()
def test_ap_vht160(dev, apdev): """VHT with 160 MHz channel width""" try: hapd = None hapd2 = None params = { "ssid": "vht", "country_code": "FI", "hw_mode": "a", "channel": "36", "ht_capab": "[HT40+]", "ieee80211n": "1", "ieee80211ac": "1", "vht_oper_chwidth": "2", "vht_oper_centr_freq_seg0_idx": "50", 'ieee80211d': '1', 'ieee80211h': '1' } hapd = hostapd.add_ap(apdev[0]['ifname'], params, wait_enabled=False) ev = wait_dfs_event(hapd, "DFS-CAC-START", 5) if "DFS-CAC-START" not in ev: raise Exception("Unexpected DFS event") state = hapd.get_status_field("state") if state != "DFS": if state == "DISABLED" and not os.path.exists("dfs"): # Not all systems have recent enough CRDA version and # wireless-regdb changes to support 160 MHz and DFS. For now, # do not report failures for this test case. raise HwsimSkip( "CRDA or wireless-regdb did not support 160 MHz") raise Exception("Unexpected interface state: " + state) params = { "ssid": "vht2", "country_code": "FI", "hw_mode": "a", "channel": "104", "ht_capab": "[HT40-]", "ieee80211n": "1", "ieee80211ac": "1", "vht_oper_chwidth": "2", "vht_oper_centr_freq_seg0_idx": "114", 'ieee80211d': '1', 'ieee80211h': '1' } hapd2 = hostapd.add_ap(apdev[1]['ifname'], params, wait_enabled=False) ev = wait_dfs_event(hapd2, "DFS-CAC-START", 5) if "DFS-CAC-START" not in ev: raise Exception("Unexpected DFS event(2)") state = hapd2.get_status_field("state") if state != "DFS": raise Exception("Unexpected interface state(2): " + state) logger.info("Waiting for CAC to complete") ev = wait_dfs_event(hapd, "DFS-CAC-COMPLETED", 70) if "success=1" not in ev: raise Exception("CAC failed") if "freq=5180" not in ev: raise Exception("Unexpected DFS freq result") ev = hapd.wait_event(["AP-ENABLED"], timeout=5) if not ev: raise Exception("AP setup timed out") state = hapd.get_status_field("state") if state != "ENABLED": raise Exception("Unexpected interface state") ev = wait_dfs_event(hapd2, "DFS-CAC-COMPLETED", 70) if "success=1" not in ev: raise Exception("CAC failed(2)") if "freq=5520" not in ev: raise Exception("Unexpected DFS freq result(2)") ev = hapd2.wait_event(["AP-ENABLED"], timeout=5) if not ev: raise Exception("AP setup timed out(2)") state = hapd2.get_status_field("state") if state != "ENABLED": raise Exception("Unexpected interface state(2)") freq = hapd2.get_status_field("freq") if freq != "5520": raise Exception("Unexpected frequency(2)") dev[0].connect("vht", key_mgmt="NONE", scan_freq="5180") hwsim_utils.test_connectivity(dev[0], hapd) sig = dev[0].request("SIGNAL_POLL").splitlines() if "FREQUENCY=5180" not in sig: raise Exception("Unexpected SIGNAL_POLL value(1): " + str(sig)) if "WIDTH=160 MHz" not in sig: raise Exception("Unexpected SIGNAL_POLL value(2): " + str(sig)) dev[1].connect("vht2", key_mgmt="NONE", scan_freq="5520") hwsim_utils.test_connectivity(dev[1], hapd2) sig = dev[1].request("SIGNAL_POLL").splitlines() if "FREQUENCY=5520" not in sig: raise Exception("Unexpected SIGNAL_POLL value(1): " + str(sig)) if "WIDTH=160 MHz" not in sig: raise Exception("Unexpected SIGNAL_POLL value(2): " + str(sig)) except Exception, e: if isinstance(e, Exception) and str(e) == "AP startup failed": if not vht_supported(): raise HwsimSkip( "80/160 MHz channel not supported in regulatory information" ) raise
def test_ft_psk_key_lifetime_in_memory(dev, apdev, params): """WPA2-PSK-FT and key lifetime in memory""" ssid = "test-ft" passphrase = "04c2726b4b8d5f1b4db9c07aa4d9e9d8f765cb5d25ec817e6cc4fcdd5255db0" psk = '93c90846ff67af9037ed83fb72b63dbeddaa81d47f926c20909b5886f1d9358d' pmk = binascii.unhexlify(psk) p = ft_params1(ssid=ssid, passphrase=passphrase) hapd0 = hostapd.add_ap(apdev[0]['ifname'], p) p = ft_params2(ssid=ssid, passphrase=passphrase) hapd1 = hostapd.add_ap(apdev[1]['ifname'], p) pid = find_wpas_process(dev[0]) dev[0].connect(ssid, psk=passphrase, key_mgmt="FT-PSK", proto="WPA2", scan_freq="2412") # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED # event has been delivered, so verify that wpa_supplicant has returned to # eloop before reading process memory. time.sleep(1) dev[0].ping() buf = read_process_memory(pid, pmk) dev[0].request("DISCONNECT") dev[0].wait_disconnected() dev[0].relog() pmkr0 = None pmkr1 = None ptk = None gtk = None with open(os.path.join(params['logdir'], 'log0'), 'r') as f: for l in f.readlines(): if "FT: PMK-R0 - hexdump" in l: val = l.strip().split(':')[3].replace(' ', '') pmkr0 = binascii.unhexlify(val) if "FT: PMK-R1 - hexdump" in l: val = l.strip().split(':')[3].replace(' ', '') pmkr1 = binascii.unhexlify(val) if "FT: KCK - hexdump" in l: val = l.strip().split(':')[3].replace(' ', '') kck = binascii.unhexlify(val) if "FT: KEK - hexdump" in l: val = l.strip().split(':')[3].replace(' ', '') kek = binascii.unhexlify(val) if "FT: TK - hexdump" in l: val = l.strip().split(':')[3].replace(' ', '') tk = binascii.unhexlify(val) if "WPA: Group Key - hexdump" in l: val = l.strip().split(':')[3].replace(' ', '') gtk = binascii.unhexlify(val) if not pmkr0 or not pmkr1 or not kck or not kek or not tk or not gtk: raise Exception("Could not find keys from debug log") if len(gtk) != 16: raise Exception("Unexpected GTK length") logger.info("Checking keys in memory while associated") get_key_locations(buf, pmk, "PMK") get_key_locations(buf, pmkr0, "PMK-R0") get_key_locations(buf, pmkr1, "PMK-R1") if pmk not in buf: raise HwsimSkip("PMK not found while associated") if pmkr0 not in buf: raise HwsimSkip("PMK-R0 not found while associated") if pmkr1 not in buf: raise HwsimSkip("PMK-R1 not found while associated") if kck not in buf: raise Exception("KCK not found while associated") if kek not in buf: raise Exception("KEK not found while associated") if tk in buf: raise Exception("TK found from memory") if gtk in buf: get_key_locations(buf, gtk, "GTK") raise Exception("GTK found from memory") logger.info("Checking keys in memory after disassociation") buf = read_process_memory(pid, pmk) get_key_locations(buf, pmk, "PMK") get_key_locations(buf, pmkr0, "PMK-R0") get_key_locations(buf, pmkr1, "PMK-R1") # Note: PMK/PSK is still present in network configuration fname = os.path.join(params['logdir'], 'ft_psk_key_lifetime_in_memory.memctx-') verify_not_present(buf, pmkr0, fname, "PMK-R0") verify_not_present(buf, pmkr1, fname, "PMK-R1") verify_not_present(buf, kck, fname, "KCK") verify_not_present(buf, kek, fname, "KEK") verify_not_present(buf, tk, fname, "TK") verify_not_present(buf, gtk, fname, "GTK") dev[0].request("REMOVE_NETWORK all") logger.info("Checking keys in memory after network profile removal") buf = read_process_memory(pid, pmk) get_key_locations(buf, pmk, "PMK") get_key_locations(buf, pmkr0, "PMK-R0") get_key_locations(buf, pmkr1, "PMK-R1") verify_not_present(buf, pmk, fname, "PMK") verify_not_present(buf, pmkr0, fname, "PMK-R0") verify_not_present(buf, pmkr1, fname, "PMK-R1") verify_not_present(buf, kck, fname, "KCK") verify_not_present(buf, kek, fname, "KEK") verify_not_present(buf, tk, fname, "TK") verify_not_present(buf, gtk, fname, "GTK")
def test_owe_limited_group_set_pmf(dev, apdev, params): """Opportunistic Wireless Encryption and limited group set (PMF)""" if "OWE" not in dev[0].get_capability("key_mgmt"): raise HwsimSkip("OWE not supported") pcapng = os.path.join(params['logdir'], "hwsim0.pcapng") params = { "ssid": "owe", "wpa": "2", "ieee80211w": "2", "wpa_key_mgmt": "OWE", "rsn_pairwise": "CCMP", "owe_groups": "21" } hapd = hostapd.add_ap(apdev[0], params) bssid = hapd.own_addr() dev[0].scan_for_bss(bssid, freq="2412") dev[0].connect("owe", key_mgmt="OWE", owe_group="19", ieee80211w="2", scan_freq="2412", wait_connect=False) ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"], timeout=10) dev[0].request("DISCONNECT") if ev is None: raise Exception("Association not rejected") if "status_code=77" not in ev: raise Exception("Unexpected rejection reason: " + ev) dev[0].dump_monitor() dev[0].connect("owe", key_mgmt="OWE", owe_group="20", ieee80211w="2", scan_freq="2412", wait_connect=False) ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"], timeout=10) dev[0].request("DISCONNECT") if ev is None: raise Exception("Association not rejected (2)") if "status_code=77" not in ev: raise Exception("Unexpected rejection reason (2): " + ev) dev[0].dump_monitor() dev[0].connect("owe", key_mgmt="OWE", owe_group="21", ieee80211w="2", scan_freq="2412") dev[0].request("REMOVE_NETWORK all") dev[0].wait_disconnected() dev[0].dump_monitor() out = run_tshark(pcapng, "wlan.fc.type_subtype == 1", display=['wlan_mgt.fixed.status_code']) status = out.splitlines() logger.info("Association Response frame status codes: " + str(status)) if len(status) != 3: raise Exception("Unexpected number of Association Response frames") if (int(status[0], base=0) != 77 or int(status[1], base=0) != 77 or int(status[2], base=0) != 0): raise Exception("Unexpected Association Response frame status code")