Example #1
def check_hs20_osu_client():
    """Skip the calling test case when hs20-osu-client has not been built.

    The binary is looked up at a fixed path relative to the current working
    directory; HwsimSkip is raised when nothing exists at that path.
    """
    client_path = "../../hs20/client/hs20-osu-client"
    if os.path.exists(client_path):
        return
    raise HwsimSkip("No hs20-osu-client available")
Example #2
def test_sae_proto_ecc(dev, apdev):
    """SAE protocol testing (ECC)"""
    if "SAE" not in dev[0].get_capability("auth_alg"):
        raise HwsimSkip("SAE not supported")
    ap_params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
    ap_params['wpa_key_mgmt'] = 'SAE'
    hapd = hostapd.add_ap(apdev[0], ap_params)
    bssid = apdev[0]['bssid']

    # Restrict the station to group 19 so that the hand-built frames below
    # (which start with the little-endian group id "1300") match its offer.
    dev[0].request("SET sae_groups 19")

    def wait_auth_frame(timeout_msg, missing_msg):
        # Pull up to ten management frames from hostapd and return the first
        # one with subtype 11 (Authentication).
        for _ in range(0, 10):
            frame = hapd.mgmt_rx()
            if frame is None:
                raise Exception(timeout_msg)
            if frame['subtype'] == 11:
                return frame
        raise Exception(missing_msg)

    def send_auth_reply(frame, payload_hex):
        # Answer the station's frame with a crafted Authentication frame:
        # same frame control and BSSID, source/destination swapped.
        hapd.dump_monitor()
        hapd.mgmt_tx({
            'fc': frame['fc'],
            'da': frame['sa'],
            'sa': frame['da'],
            'bssid': frame['bssid'],
            'payload': binascii.unhexlify(payload_hex),
        })

    # Each entry is (log note, commit body, confirm body or None).
    # Commit body: group id (2 octets), scalar (32 octets), element x||y
    # (64 octets). Every case is one the peer has to reject: truncated
    # fields, scalar outside the valid range, element coordinates that are
    # off the curve or not below the prime, a group other than the one
    # offered, and a confirm that is wrong or too short.
    vectors = [
        ("Confirm mismatch", "1300" +
         "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" +
         "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
         "0000800edebc3f260dc1fe7e0b20888af2b8a3316252ec37388a8504e25b73dc4240"),
        ("Commit without even full cyclic group field", "13", None),
        ("Too short commit", "1300" +
         "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" +
         "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02",
         None),
        ("Invalid commit scalar (0)", "1300" +
         "0000000000000000000000000000000000000000000000000000000000000000" +
         "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
         None),
        ("Invalid commit scalar (1)", "1300" +
         "0000000000000000000000000000000000000000000000000000000000000001" +
         "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
         None),
        ("Invalid commit scalar (> r)", "1300" +
         "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" +
         "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
         None),
        ("Commit element not on curve", "1300" +
         "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" +
         "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728d0000000000000000000000000000000000000000000000000000000000000000",
         None),
        ("Invalid commit element (y coordinate > P)", "1300" +
         "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" +
         "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
         None),
        ("Invalid commit element (x coordinate > P)", "1300" +
         "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" +
         "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
         None),
        ("Different group in commit", "1400" +
         "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" +
         "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
         None),
        ("Too short confirm", "1300" +
         "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" +
         "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
         "0000800edebc3f260dc1fe7e0b20888af2b8a3316252ec37388a8504e25b73dc42"),
    ]
    for note, commit, confirm in vectors:
        logger.info(note)
        dev[0].scan_for_bss(bssid, freq=2412)
        # Hand Authentication frames to the test script instead of letting
        # hostapd answer them itself.
        hapd.set("ext_mgmt_frame_handling", "1")
        dev[0].connect("test-sae",
                       psk="12345678",
                       key_mgmt="SAE",
                       scan_freq="2412",
                       wait_connect=False)

        logger.info("Commit")
        sta_frame = wait_auth_frame(
            "MGMT RX wait timed out (commit)",
            "Authentication frame (commit) not received")
        # Fixed header: algorithm 3 (SAE), transaction 1 (commit), status 0.
        send_auth_reply(sta_frame, "030001000000" + commit)

        if confirm:
            logger.info("Confirm")
            sta_frame = wait_auth_frame(
                "MGMT RX wait timed out (confirm)",
                "Authentication frame (confirm) not received")
            # Fixed header: algorithm 3 (SAE), transaction 2 (confirm),
            # status 0.
            send_auth_reply(sta_frame, "030002000000" + confirm)

        # Give the station a moment to process the frame, then reset both
        # sides for the next vector.
        time.sleep(0.1)
        dev[0].request("REMOVE_NETWORK all")
        hapd.set("ext_mgmt_frame_handling", "0")
        hapd.dump_monitor()
Example #3
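def require_wmediumd_version(major, minor, patch):
    """Skip the test case unless wmediumd is at least v<major>.<minor>.<patch>.

    Args:
        major, minor, patch: Components of the minimum acceptable version.

    Raises:
        HwsimSkip: The installed wmediumd is older than the requested version.
    """
    revs = get_wmediumd_version()
    # Compare as one ordered (major, minor, patch) triple. Testing each
    # component on its own rejects newer releases whose minor or patch number
    # happens to be lower, e.g. v1.0.0 against a requirement of v0.3.1.
    # NOTE(review): assumes get_wmediumd_version() yields three integers -
    # confirm against its definition.
    if tuple(revs[:3]) < (major, minor, patch):
        raise HwsimSkip('wmediumd v%s.%s.%s is too old for this test' %
                        (revs[0], revs[1], revs[2]))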
Example #4
def ap_vlan_iface_cleanup_multibss(dev, apdev, cfgfile):
    """Check VLAN bridge creation and removal with two BSSes sharing VLANs.

    Two stations connect to two BSSes (bss-1, bss-2) using EAP-PAX against a
    RADIUS server started on apdev[1]. The RADIUS user file is then swapped
    and both stations reauthenticate; the test checks that bridges brvlan1 and
    brvlan2 appear and disappear at the expected points.

    Args:
        dev: Station devices; dev[0] and dev[1] are used.
        apdev: AP devices; apdev[0] hosts the BSSes, apdev[1] the RADIUS server.
        cfgfile: hostapd configuration file passed to hostapd.add_iface().

    Raises:
        HwsimSkip: The netifaces Python module is not available.
        Exception: Any of the bridge, connectivity or reauthentication checks
            fails.
    """
    # AP VLAN with WPA2-Enterprise and RADIUS attributes changing VLANID
    # check that multiple bss do not interfere with each other with respect
    # to deletion of bridge and tagged interface.

    if not netifaces_imported:
        raise HwsimSkip("python module netifaces not available")

    try:
        # Remove leftovers from an earlier run before preparing the
        # environment; the same cleanup runs again in the finally clause.
        ap_vlan_iface_cleanup_multibss_cleanup()
        ap_vlan_iface_test_and_prepare_environ()

        # Stand-alone authentication server on the second AP device. The
        # certificate, key and user files are test fixtures under auth_serv/.
        as_params = { "ssid": "as",
                      "beacon_int": "2000",
                      "radius_server_clients": "auth_serv/radius_clients.conf",
                      "radius_server_auth_port": '18128',
                      "eap_server": "1",
                      "eap_user_file": "auth_serv/eap_user.conf",
                      "ca_cert": "auth_serv/ca.pem",
                      "server_cert": "auth_serv/server.pem",
                      "private_key": "auth_serv/server.key",
                      "vlan_naming": "1" }
        authserv = hostapd.add_ap(apdev[1], as_params)

        # start the actual test
        hapd = hostapd.add_iface(apdev[0], cfgfile)
        # Second BSS on the same radio.
        # NOTE(review): "wlan3-2" is hard-coded; presumably it matches the
        # interface name defined in cfgfile - confirm.
        hapd1 = hostapd.Hostapd("wlan3-2", 1)
        hapd1.enable()

        # Neither bridge may exist before any station has connected.
        ifaces = netifaces.interfaces()
        if "brvlan1" in ifaces:
            raise Exception("bridge brvlan1 already exists before")
        if "brvlan2" in ifaces:
            raise Exception("bridge brvlan2 already exists before")

        dev[0].connect("bss-1", key_mgmt="WPA-EAP", eap="PAX",
                       identity="vlan1",
                       password_hex="0123456789abcdef0123456789abcdef",
                       scan_freq="2412")

        # The first station's VLAN assignment must have created brvlan1.
        ifaces = netifaces.interfaces()
        if not("brvlan1" in ifaces):
            raise Exception("bridge brvlan1 was not created")

        hwsim_utils.test_connectivity_iface(dev[0], hapd, "brvlan1")
        if not iface_is_in_bridge("brvlan1", "dummy0.1"):
            raise Exception("dummy0.1 not in brvlan1")

        dev[1].connect("bss-2", key_mgmt="WPA-EAP", eap="PAX",
                       identity="vlan1",
                       password_hex="0123456789abcdef0123456789abcdef",
                       scan_freq="2412")

        hwsim_utils.test_connectivity_iface(dev[1], hapd1, "brvlan1")
        if not iface_is_in_bridge("brvlan1", "dummy0.1"):
            raise Exception("dummy0.1 not in brvlan1")

        # Restart the authentication server with a different user file so
        # that the next authentication returns a different VLAN.
        authserv.disable()
        authserv.set('eap_user_file', "auth_serv/eap_user_vlan.conf")
        authserv.enable()

        logger.info("wlan0 -> VLAN 2")

        dev[0].dump_monitor()
        dev[0].request("REAUTHENTICATE")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
        if ev is None:
            raise Exception("EAP reauthentication timed out")
        ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=5)
        if ev is None:
            raise Exception("4-way handshake after reauthentication timed out")
        state = dev[0].get_status_field('wpa_state')
        if state != "COMPLETED":
            raise Exception("Unexpected state after reauth: " + state)

        # dev[1] is still on VLAN 1 through the other BSS, so brvlan1 has to
        # survive dev[0] moving away.
        ifaces = netifaces.interfaces()
        if not ("brvlan1" in ifaces):
            raise Exception("bridge brvlan1 has been removed too early")

        hwsim_utils.test_connectivity_iface(dev[0], hapd, "brvlan2",
                                            max_tries=5)

        if not iface_is_in_bridge("brvlan2", "dummy0.2"):
            raise Exception("dummy0.2 not in brvlan2")

        logger.info("test wlan1 == VLAN 1")
        hwsim_utils.test_connectivity_iface(dev[1], hapd1, "brvlan1")
        if not iface_is_in_bridge("brvlan1", "dummy0.1"):
            raise Exception("dummy0.1 not in brvlan1")

        logger.info("wlan1 -> VLAN 2")

        dev[1].dump_monitor()
        dev[1].request("REAUTHENTICATE")
        ev = dev[1].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
        if ev is None:
            raise Exception("EAP reauthentication timed out")
        ev = dev[1].wait_event(["WPA: Key negotiation completed"], timeout=5)
        if ev is None:
            raise Exception("4-way handshake after reauthentication timed out")
        state = dev[1].get_status_field('wpa_state')
        if state != "COMPLETED":
            raise Exception("Unexpected state after reauth: " + state)

        # it can take some time for data connectivity to be updated
        hwsim_utils.test_connectivity_iface(dev[1], hapd1, "brvlan2",
                                            max_tries=5)
        logger.info("test wlan0 == VLAN 2")
        hwsim_utils.test_connectivity_iface(dev[0], hapd, "brvlan2")

        if not iface_is_in_bridge("brvlan2", "dummy0.2"):
            raise Exception("dummy0.2 not in brvlan2")

        # With both stations on VLAN 2 nothing uses brvlan1 any more.
        ifaces = netifaces.interfaces()
        if "brvlan1" in ifaces:
            raise Exception("bridge brvlan1 has not been cleaned up")

        # disconnect dev0 first to test a corner case
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        dev[1].request("DISCONNECT")
        dev[1].wait_disconnected()

        # station removal needs some time
        # Poll once per second, for at most 15 seconds, until brvlan2 is gone.
        for i in range(15):
            time.sleep(1)
            ifaces = netifaces.interfaces()
            if "brvlan2" not in ifaces:
                break

        ifaces = netifaces.interfaces()
        if "brvlan2" in ifaces:
            raise Exception("bridge brvlan2 has not been cleaned up")

        hapd.request("DISABLE")
    finally:
        # Always tear the environment down, also when a check above failed.
        ap_vlan_iface_cleanup_multibss_cleanup()
Example #5
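def test_sae_invalid_anti_clogging_token_req(dev, apdev):
    """SAE and invalid anti-clogging token request"""
    if "SAE" not in dev[0].get_capability("auth_alg"):
        raise HwsimSkip("SAE not supported")
    params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
    params['wpa_key_mgmt'] = 'SAE'
    # Beacon more frequently since Probe Request frames are practically ignored
    # in this test setup (ext_mgmt_frame_handling=1 on hostapd side) and
    # wpa_supplicant scans may end up getting ignored if no new results are
    # available due to the missing Probe Response frames.
    params['beacon_int'] = '20'
    hapd = hostapd.add_ap(apdev[0], params)
    bssid = apdev[0]['bssid']

    dev[0].request("SET sae_groups 19")
    dev[0].scan_for_bss(bssid, freq=2412)
    # From here on the script, not hostapd, answers management frames.
    hapd.set("ext_mgmt_frame_handling", "1")
    dev[0].connect("test-sae",
                   psk="12345678",
                   key_mgmt="SAE",
                   scan_freq="2412",
                   wait_connect=False)
    ev = dev[0].wait_event(["SME: Trying to authenticate"])
    if ev is None:
        raise Exception("No authentication attempt seen (1)")
    dev[0].dump_monitor()

    # Wait for the station's first commit (management subtype 11 is
    # Authentication).
    for i in range(0, 10):
        req = hapd.mgmt_rx()
        if req is None:
            raise Exception("MGMT RX wait timed out (commit)")
        if req['subtype'] == 11:
            break
        req = None
    if not req:
        raise Exception("Authentication frame (commit) not received")

    hapd.dump_monitor()
    resp = {}
    resp['fc'] = req['fc']
    resp['da'] = req['sa']
    resp['sa'] = req['da']
    resp['bssid'] = req['bssid']
    # Algorithm 3 (SAE), transaction 1, status 0x004c (anti-clogging token
    # required), group 19 - but no token follows the group field.
    resp['payload'] = binascii.unhexlify("030001004c0013")
    hapd.mgmt_tx(resp)
    ev = hapd.wait_event(["MGMT-TX-STATUS"], timeout=5)
    if ev is None:
        raise Exception("Management frame TX status not reported (1)")
    if "stype=11 ok=1" not in ev:
        raise Exception("Unexpected management frame TX status (1): " + ev)

    # The station is expected to start authentication again after the
    # malformed token request.
    ev = dev[0].wait_event(["SME: Trying to authenticate"])
    if ev is None:
        raise Exception("No authentication attempt seen (2)")
    dev[0].dump_monitor()

    for i in range(0, 10):
        req = hapd.mgmt_rx()
        if req is None:
            raise Exception("MGMT RX wait timed out (commit) (2)")
        if req['subtype'] == 11:
            break
        req = None
    if not req:
        raise Exception("Authentication frame (commit) not received (2)")

    hapd.dump_monitor()
    resp = {}
    resp['fc'] = req['fc']
    resp['da'] = req['sa']
    resp['sa'] = req['da']
    resp['bssid'] = req['bssid']
    # Algorithm 3 (SAE), transaction 1, status 0x0001 and nothing else.
    resp['payload'] = binascii.unhexlify("030001000100")
    hapd.mgmt_tx(resp)
    ev = hapd.wait_event(["MGMT-TX-STATUS"], timeout=5)
    # These two messages previously repeated the "(1)" tag of the first TX
    # check, which made a failure here indistinguishable in the logs.
    if ev is None:
        raise Exception("Management frame TX status not reported (2)")
    if "stype=11 ok=1" not in ev:
        raise Exception("Unexpected management frame TX status (2): " + ev)

    ev = dev[0].wait_event(["SME: Trying to authenticate"])
    if ev is None:
        raise Exception("No authentication attempt seen (3)")
    dev[0].dump_monitor()

    dev[0].request("DISCONNECT")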
Example #6
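def test_tnc_ttls_errors(dev, apdev):
    """TNC TTLS local error cases"""
    if not os.path.exists("tnc/libhostap_imc.so"):
        raise HwsimSkip("No IMC installed")
    check_eap_capa(dev[0], "MSCHAPV2")

    params = int_eap_server_params()
    params["tnc"] = "1"
    # Small fragments so that the fragmentation code paths listed below are
    # reached.
    params["fragment_size"] = "150"
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Each entry is (count, func, identity, phase2): count and func are
    # handed to alloc_fail() to select the allocation that is made to fail,
    # identity and phase2 select the inner TTLS method for that attempt.
    tests = [
        # The backslash is escaped explicitly; "\m" is not a valid escape
        # sequence and newer Python versions warn about it. The resulting
        # string is unchanged.
        (1, "eap_ttls_process_phase2_eap;eap_ttls_process_tnc_start",
         "DOMAIN\\mschapv2 user", "auth=MSCHAPV2"),
        (1, "eap_ttls_process_phase2_eap;eap_ttls_process_tnc_start",
         "mschap user", "auth=MSCHAP"),
        (1, "=eap_tnc_init", "chap user", "auth=CHAP"),
        (1, "tncc_init;eap_tnc_init", "pap user", "auth=PAP"),
        (1, "eap_msg_alloc;eap_tnc_build_frag_ack", "pap user", "auth=PAP"),
        (1, "eap_msg_alloc;eap_tnc_build_msg", "pap user", "auth=PAP"),
        (1, "wpabuf_alloc;=eap_tnc_process_fragment", "pap user", "auth=PAP"),
        (1, "eap_msg_alloc;=eap_tnc_process", "pap user", "auth=PAP"),
        (1, "wpabuf_alloc;=eap_tnc_process", "pap user", "auth=PAP"),
        (1, "dup_binstr;tncc_process_if_tnccs", "pap user", "auth=PAP"),
        (1, "tncc_get_base64;tncc_process_if_tnccs", "pap user", "auth=PAP"),
        (1, "tncc_if_tnccs_start", "pap user", "auth=PAP"),
        (1, "tncc_if_tnccs_end", "pap user", "auth=PAP"),
        (1, "tncc_parse_imc", "pap user", "auth=PAP"),
        (2, "tncc_parse_imc", "pap user", "auth=PAP"),
        (3, "tncc_parse_imc", "pap user", "auth=PAP"),
        (1, "os_readfile;tncc_read_config", "pap user", "auth=PAP"),
        (1, "tncc_init", "pap user", "auth=PAP"),
        (1, "TNC_TNCC_ReportMessageTypes", "pap user", "auth=PAP"),
        (1, "base64_encode;TNC_TNCC_SendMessage", "pap user", "auth=PAP"),
        (1, "=TNC_TNCC_SendMessage", "pap user", "auth=PAP"),
        # NOTE(review): this entry repeats one listed earlier in the table.
        (1, "tncc_get_base64;tncc_process_if_tnccs", "pap user", "auth=PAP")
    ]
    for count, func, identity, phase2 in tests:
        with alloc_fail(dev[0], count, func):
            # NOTE(review): the password literal below looks masked in this
            # listing; confirm the value against the EAP user database the
            # server is configured with.
            dev[0].connect("test-wpa2-eap",
                           key_mgmt="WPA-EAP",
                           scan_freq="2412",
                           eap="TTLS",
                           anonymous_identity="ttls",
                           identity=identity,
                           password="******",
                           ca_cert="auth_serv/ca.pem",
                           phase2=phase2,
                           fragment_size="150",
                           wait_connect=False)
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
                                   timeout=15)
            if ev is None:
                raise Exception("Timeout on EAP start")
            # Fail the case if the injected allocation failure was never hit,
            # so a renamed function cannot silently turn this into a no-op.
            wait_fail_trigger(
                dev[0],
                "GET_ALLOC_FAIL",
                note="Allocation failure not triggered for: %d:%s" %
                (count, func))
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
            dev[0].dump_monitor()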
Example #7
def check_erp_capa(dev):
    """Raise HwsimSkip unless *dev* reports ERP in its "erp" capability."""
    erp_capa = dev.get_capability("erp")
    if erp_capa and 'ERP' in erp_capa:
        return
    raise HwsimSkip("ERP not supported in the build")
Example #8
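def run_macsec_psk_br(dev, apdev, count, mka_priority):
    """Run MACsec PSK between *count* supplicants joined through a bridge.

    A bridge "brveth" is created, one veth pair per supplicant is attached to
    it, MKA is configured with a pre-shared key on every supplicant and data
    connectivity is tested between device 0 and all others and between
    device 1 and devices 2 and up.

    Args:
        dev, apdev: Standard hwsim test arguments (not used here).
        count: Number of supplicant interfaces to create.
        mka_priority: Sequence with one MKA priority per supplicant.

    Raises:
        HwsimSkip: Creating or attaching a veth pair failed.
        Exception: No traffic test succeeded, or one failed with fewer than
            three devices.
    """
    subprocess.check_call(["brctl", "addbr", "brveth"])
    # Written directly instead of through "echo ... > file" with shell=True:
    # no shell is needed for a fixed sysfs write. This stays best effort, as
    # the exit status of the shell command was ignored before.
    # NOTE(review): mask 8 presumably lets the bridge forward the group
    # address used for EAPOL/MKA - confirm.
    try:
        with open("/sys/devices/virtual/net/brveth/bridge/group_fwd_mask",
                  "w") as f:
            f.write("8\n")
    except (IOError, OSError) as e:
        logger.info("Could not set group_fwd_mask on brveth: " + str(e))

    try:
        for i in range(count):
            subprocess.check_call([
                "ip", "link", "add",
                "veth%d" % i, "type", "veth", "peer", "name",
                "vethbr%d" % i
            ])
            subprocess.check_call(["ip", "link", "set", "vethbr%d" % i, "up"])
            subprocess.check_call(["brctl", "addif", "brveth", "vethbr%d" % i])
    except subprocess.CalledProcessError:
        raise HwsimSkip("veth not supported (kernel CONFIG_VETH)")

    subprocess.check_call(["ip", "link", "set", "brveth", "up"])

    log_ip_link()

    wpa = add_wpas_interfaces(count=count)
    for i in range(count):
        set_mka_psk_config(wpa[i], mka_priority=mka_priority[i])
        wpa[i].dump_monitor()
    wait_mka_done(wpa)

    # Traffic has to be sent over the MACsec interface that each supplicant
    # reports, not over the underlying veth device.
    macsec_ifname = [w.get_driver_status_field("parent_ifname")
                     for w in wpa[:count]]

    timeout = 2
    max_tries = 2 if count > 2 else 1
    success_seen = False
    failure_seen = False
    for i in range(1, count):
        try:
            hwsim_utils.test_connectivity(wpa[0],
                                          wpa[i],
                                          ifname1=macsec_ifname[0],
                                          ifname2=macsec_ifname[i],
                                          send_len=1400,
                                          timeout=timeout,
                                          max_tries=max_tries)
            success_seen = True
            logger.info("Traffic test %d<->%d success" % (0, i))
        except Exception:
            # "except Exception" rather than a bare except, so that
            # KeyboardInterrupt and SystemExit still stop the run.
            failure_seen = True
            logger.info("Traffic test %d<->%d failure" % (0, i))
    for i in range(2, count):
        try:
            hwsim_utils.test_connectivity(wpa[1],
                                          wpa[i],
                                          ifname1=macsec_ifname[1],
                                          ifname2=macsec_ifname[i],
                                          send_len=1400,
                                          timeout=timeout,
                                          max_tries=max_tries)
            success_seen = True
            logger.info("Traffic test %d<->%d success" % (1, i))
        except Exception:
            failure_seen = True
            logger.info("Traffic test %d<->%d failure" % (1, i))

    if not success_seen:
        raise Exception("None of the data traffic tests succeeded")

    # Something seems to be failing with three device tests semi-regularly, so
    # do not report this as a failed test case until the real reason behind
    # those failures have been determined.
    if failure_seen:
        if count < 3:
            raise Exception("Data traffic test failed")
        else:
            logger.info(
                "Data traffic test failed - ignore for now for >= 3 device cases"
            )

    for i in range(count):
        wpa[i].close_monitor()
    # The list shrinks on every pass, so index 0 is always the next
    # supplicant still to be closed.
    for i in range(count):
        wpa[0].close_control()
        del wpa[0]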
Example #9
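def run_macsec_psk_ns(dev, apdev, params):
    """Run MACsec PSK between two supplicants in separate network namespaces.

    A veth pair is created and each end is moved into its own namespace
    (ns0/ns1). One wpa_supplicant per namespace is started with the
    macsec_linux driver, packet captures are taken on both the veth and the
    MACsec interfaces, and connectivity is verified with the hwsim traffic
    test and with ping.

    Args:
        dev, apdev: Standard hwsim test arguments (not used here).
        params: Test parameters; params['logdir'] receives the configuration,
            pid, log and pcap files.

    Raises:
        HwsimSkip: veth, network namespaces or MACsec are not available.
        Exception: The ping over the MACsec link did not get both replies.
    """
    try:
        subprocess.check_call([
            "ip", "link", "add", "veth0", "type", "veth", "peer", "name",
            "veth1"
        ])
    except subprocess.CalledProcessError:
        raise HwsimSkip("veth not supported (kernel CONFIG_VETH)")

    prefix = "macsec_psk_ns"
    logdir = params['logdir']
    conffile = os.path.join(logdir, prefix + ".conf")
    pidfile = os.path.join(logdir, prefix + ".pid")
    logfile0 = os.path.join(logdir, prefix + ".veth0.log")
    logfile1 = os.path.join(logdir, prefix + ".veth1.log")
    cap_veth0 = os.path.join(logdir, prefix + ".veth0.pcap")
    cap_veth1 = os.path.join(logdir, prefix + ".veth1.pcap")
    cap_macsec0 = os.path.join(logdir, prefix + ".macsec0.pcap")
    cap_macsec1 = os.path.join(logdir, prefix + ".macsec1.pcap")

    for i in range(2):
        try:
            subprocess.check_call(["ip", "netns", "add", "ns%d" % i])
        except subprocess.CalledProcessError:
            raise HwsimSkip(
                "network namespace not supported (kernel CONFIG_NAMESPACES, CONFIG_NET_NS)"
            )
        subprocess.check_call(
            ["ip", "link", "set",
             "veth%d" % i, "netns",
             "ns%d" % i])
        subprocess.check_call([
            "ip", "netns", "exec",
            "ns%d" % i, "ip", "link", "set", "dev",
            "veth%d" % i, "up"
        ])

    def start_capture(netns, ifname, capfile):
        # subprocess.DEVNULL replaces open('/dev/null', 'w'), which left one
        # file object per capture open in this process.
        return subprocess.Popen([
            'ip', 'netns', 'exec', netns, 'tcpdump', '-p', '-U', '-i', ifname,
            '-w', capfile, '-s', '2000', '--immediate-mode'
        ],
                                stderr=subprocess.DEVNULL)

    cmd = {}
    cmd[0] = start_capture('ns0', 'veth0', cap_veth0)
    cmd[1] = start_capture('ns1', 'veth1', cap_veth1)

    write_conf(conffile + '0')
    write_conf(conffile + '1', mka_priority=100)

    prg = os.path.join(logdir,
                       'alt-wpa_supplicant/wpa_supplicant/wpa_supplicant')
    if not os.path.exists(prg):
        prg = '../../wpa_supplicant/wpa_supplicant'

    # -K writes keys into the debug log and the control sockets sit at fixed
    # names under /tmp, so this is only suitable for a dedicated test host;
    # treat the log directory as containing key material.
    arg = [
        "ip", "netns", "exec", "ns0", prg, '-BdddtKW', '-P', pidfile + '0',
        '-f', logfile0, '-g', '/tmp/wpas-veth0', '-Dmacsec_linux', '-c',
        conffile + '0', '-i', "veth0"
    ]
    logger.info("Start wpa_supplicant: " + str(arg))
    try:
        subprocess.check_call(arg)
    except subprocess.CalledProcessError:
        # The message previously read "macsec supported", the opposite of
        # the reason for skipping.
        raise HwsimSkip(
            "macsec not supported (wpa_supplicant CONFIG_MACSEC, CONFIG_DRIVER_MACSEC_LINUX; kernel CONFIG_MACSEC)"
        )

    if os.path.exists("wpa_supplicant-macsec2"):
        logger.info(
            "Use alternative wpa_supplicant binary for one of the macsec devices"
        )
        prg = "wpa_supplicant-macsec2"

    arg = [
        "ip", "netns", "exec", "ns1", prg, '-BdddtKW', '-P', pidfile + '1',
        '-f', logfile1, '-g', '/tmp/wpas-veth1', '-Dmacsec_linux', '-c',
        conffile + '1', '-i', "veth1"
    ]
    logger.info("Start wpa_supplicant: " + str(arg))
    subprocess.check_call(arg)

    wpas0 = WpaSupplicant('veth0', '/tmp/wpas-veth0')
    wpas1 = WpaSupplicant('veth1', '/tmp/wpas-veth1')

    log_ip_macsec_ns()
    log_ip_link_ns()

    logger.info("wpas0 STATUS:\n" + wpas0.request("STATUS"))
    logger.info("wpas1 STATUS:\n" + wpas1.request("STATUS"))
    logger.info("wpas0 STATUS-DRIVER:\n" + wpas0.request("STATUS-DRIVER"))
    logger.info("wpas1 STATUS-DRIVER:\n" + wpas1.request("STATUS-DRIVER"))

    # Poll for up to ten seconds until wpas0 has received a key and wpas1
    # has distributed one.
    for i in range(10):
        macsec_ifname0 = wpas0.get_driver_status_field("parent_ifname")
        macsec_ifname1 = wpas1.get_driver_status_field("parent_ifname")
        if "Number of Keys" in wpas0.request("STATUS"):
            key_tx0 = int(wpas0.get_status_field("Number of Keys Distributed"))
            key_rx0 = int(wpas0.get_status_field("Number of Keys Received"))
        else:
            key_tx0 = 0
            key_rx0 = 0
        if "Number of Keys" in wpas1.request("STATUS"):
            key_tx1 = int(wpas1.get_status_field("Number of Keys Distributed"))
            key_rx1 = int(wpas1.get_status_field("Number of Keys Received"))
        else:
            key_tx1 = 0
            key_rx1 = 0
        if key_rx0 > 0 and key_tx1 > 0:
            break
        time.sleep(1)

    cmd[2] = start_capture('ns0', macsec_ifname0, cap_macsec0)
    # macsec_ifname1 is configured through ns1 further down (ip addr add),
    # so its capture has to run in ns1 as well; it was started in ns0 before.
    cmd[3] = start_capture('ns1', macsec_ifname1, cap_macsec1)
    time.sleep(0.5)

    logger.info("wpas0 STATUS:\n" + wpas0.request("STATUS"))
    logger.info("wpas1 STATUS:\n" + wpas1.request("STATUS"))
    log_ip_macsec_ns()
    hwsim_utils.test_connectivity(wpas0,
                                  wpas1,
                                  ifname1=macsec_ifname0,
                                  ifname2=macsec_ifname1,
                                  send_len=1400)
    log_ip_macsec_ns()

    subprocess.check_call([
        'ip', 'netns', 'exec', 'ns0', 'ip', 'addr', 'add', '192.168.248.17/30',
        'dev', macsec_ifname0
    ])
    subprocess.check_call([
        'ip', 'netns', 'exec', 'ns1', 'ip', 'addr', 'add', '192.168.248.18/30',
        'dev', macsec_ifname1
    ])
    c = subprocess.Popen(
        ['ip', 'netns', 'exec', 'ns0', 'ping', '-c', '2', '192.168.248.18'],
        stdout=subprocess.PIPE)
    # communicate() reads the output, closes the pipe and reaps the child.
    res = c.communicate()[0].decode()
    logger.info("ping:\n" + res)
    if "2 packets transmitted, 2 received" not in res:
        raise Exception("ping did not work")

    wpas0.close_monitor()
    wpas0.request("TERMINATE")
    wpas0.close_control()
    del wpas0
    wpas1.close_monitor()
    wpas1.request("TERMINATE")
    wpas1.close_control()
    del wpas1

    # Let the captures flush their last packets before stopping tcpdump.
    time.sleep(1)
    for i in range(len(cmd)):
        cmd[i].terminate()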
Example #10
def csa_supported(dev):
    """Raise HwsimSkip when the driver capability flags lack the CSA bit.

    The 'capa.flags' entry of the driver status is parsed with automatic base
    detection and bit 0x80000000 is tested.
    """
    driver_status = dev.get_driver_status()
    capa_flags = int(driver_status['capa.flags'], 0)
    if not capa_flags & 0x80000000:
        raise HwsimSkip("CSA not supported")
Example #11
def test_dfs_etsi(dev, apdev, params):
    """DFS and uniform spreading requirement for ETSI [long]"""
    if not params['long']:
        raise HwsimSkip(
            "Skip test case with long duration due to --long not specified")
    # Set before the try block so that the cleanup below can tell whether an
    # AP was ever started.
    hapd = None
    try:
        hapd = start_dfs_ap(apdev[0], allow_failure=True)

        # The channel availability check has to finish on 5260 MHz before
        # the AP may come up.
        cac_event = wait_dfs_event(hapd, "DFS-CAC-COMPLETED", 70)
        if "success=1" not in cac_event:
            raise Exception("CAC failed")
        if "freq=5260" not in cac_event:
            raise Exception("Unexpected DFS freq result")

        enabled_event = hapd.wait_event(["AP-ENABLED"], timeout=5)
        if not enabled_event:
            raise Exception("AP setup timed out")

        if hapd.get_status_field("state") != "ENABLED":
            raise Exception("Unexpected interface state")

        freq = hapd.get_status_field("freq")
        if freq != "5260":
            raise Exception("Unexpected frequency")
        old_freq_tag = "freq=%s" % freq

        dev[0].connect("dfs", key_mgmt="NONE")
        hwsim_utils.test_connectivity(dev[0], hapd)

        # Simulate a radar hit on the operating channel and require the AP
        # to report it and pick a different channel.
        hapd.request("RADAR DETECTED freq=%s ht_enabled=1 chan_width=1" % freq)
        radar_event = hapd.wait_event(["DFS-RADAR-DETECTED"], timeout=5)
        if radar_event is None:
            raise Exception("DFS-RADAR-DETECTED event not reported")
        if old_freq_tag not in radar_event:
            raise Exception("Incorrect frequency in radar detected event: " +
                            radar_event)
        new_chan_event = hapd.wait_event(["DFS-NEW-CHANNEL"], timeout=5)
        if new_chan_event is None:
            raise Exception("DFS-NEW-CHANNEL event not reported")
        if old_freq_tag in new_chan_event:
            raise Exception("Channel did not change after radar was detected")

        switch_event = hapd.wait_event(["AP-CSA-FINISHED", "DFS-CAC-START"],
                                       timeout=10)
        if switch_event is None:
            raise Exception(
                "AP-CSA-FINISHED or DFS-CAC-START event not reported")
        if "DFS-CAC-START" not in switch_event:
            # The new channel did not require CAC - try again
            if old_freq_tag in switch_event:
                raise Exception(
                    "Channel did not change after radar was detected(2)")
            time.sleep(1)
        else:
            # The selected new channel requires CAC
            cac_event = wait_dfs_event(hapd, "DFS-CAC-COMPLETED", 70)
            if "success=1" not in cac_event:
                raise Exception("CAC failed")

            enabled_event = hapd.wait_event(["AP-ENABLED"], timeout=5)
            if not enabled_event:
                raise Exception("AP setup timed out")
            sta_event = hapd.wait_event(["AP-STA-CONNECTED"], timeout=30)
            if not sta_event:
                raise Exception("STA did not reconnect on new DFS channel")
        hwsim_utils.test_connectivity(dev[0], hapd)
    finally:
        dev[0].request("DISCONNECT")
        if hapd:
            hapd.request("DISABLE")
        # Return the regulatory domain to the world domain so that later
        # test cases do not inherit this one's setting.
        subprocess.call(['iw', 'reg', 'set', '00'])
        dev[0].flush_scan_cache()
Example #12
def test_fils_sk_pmksa_caching_ctrl_ext(dev, apdev):
    """FILS SK and PMKSA caching with Cache Identifier and external management"""
    check_fils_capa(dev[0])
    check_erp_capa(dev[0])

    def fils_ap_params():
        # Both APs get the same FILS configuration, in particular the same
        # FILS Cache Identifier.
        conf = hostapd.wpa2_eap_params(ssid="fils")
        for key, value in (('wpa_key_mgmt', "FILS-SHA384"),
                           ('auth_server_port', "18128"),
                           ('erp_send_reauth_start', '1'),
                           ('erp_domain', 'example.com'),
                           ('fils_realm', 'example.com'),
                           ('fils_cache_id', "ffee")):
            conf[key] = value
        return conf

    hapd_as = start_erp_as(apdev[1])

    bssid = apdev[0]['bssid']
    params = fils_ap_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    dev[0].scan_for_bss(bssid, freq=2412)
    dev[0].request("ERP_FLUSH")
    # NOTE(review): the identity value looks masked in this listing; confirm
    # it against the EAP user database of the authentication server.
    net_id = dev[0].connect("fils",
                            key_mgmt="FILS-SHA384",
                            eap="PSK",
                            identity="*****@*****.**",
                            password_hex="0123456789abcdef0123456789abcdef",
                            erp="1",
                            scan_freq="2412")

    # Export the PMKSA cache entry created by the full authentication.
    exported = dev[0].request("PMKSA_GET %d" % net_id)
    logger.info("PMKSA_GET: " + exported)
    if "UNKNOWN COMMAND" in exported:
        raise HwsimSkip("PMKSA_GET not supported in the build")
    if bssid not in exported:
        raise Exception("PMKSA cache entry missing")
    if "ffee" not in exported:
        raise Exception("FILS Cache Identifier not seen in PMKSA cache entry")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # With the authentication server disabled, the connection below can only
    # succeed by using the cached entry.
    hapd_as.disable()

    dev[0].scan_for_bss(bssid, freq=2412)
    # Drop all cached state, then put the exported entry back through the
    # control interface.
    dev[0].request("PMKSA_FLUSH")
    dev[0].request("ERP_FLUSH")
    for entry in exported.splitlines():
        add_result = dev[0].request("PMKSA_ADD %d %s" % (net_id, entry))
        if "OK" not in add_result:
            raise Exception("Failed to add PMKSA entry")

    # Second AP with the same Cache Identifier on the device that hosted the
    # authentication server.
    bssid2 = apdev[1]['bssid']
    params = fils_ap_params()
    hapd2 = hostapd.add_ap(apdev[1]['ifname'], params)

    dev[0].scan_for_bss(bssid2, freq=2412)
    dev[0].set_network(net_id, "bssid", bssid2)
    dev[0].select_network(net_id, freq=2412)
    connected_event = dev[0].wait_connected()
    if bssid2 not in connected_event:
        raise Exception("Unexpected BSS selected")
Example #13
def check_fils_capa(dev):
    """Skip the calling test unless *dev* reports FILS support.

    Raises HwsimSkip when the "fils" capability query returns None or a
    value that does not contain "FILS".
    """
    fils_capa = dev.get_capability("fils")
    if fils_capa is not None and "FILS" in fils_capa:
        return
    raise HwsimSkip("FILS not supported")
Example #14
def test_owe_local_errors(dev, apdev):
    """Opportunistic Wireless Encryption - local errors on supplicant"""
    sta = dev[0]
    if "OWE" not in sta.get_capability("key_mgmt"):
        raise HwsimSkip("OWE not supported")

    # OWE-only AP with management frame protection required (ieee80211w=2).
    ap_params = {"ssid": "owe",
                 "wpa": "2",
                 "ieee80211w": "2",
                 "wpa_key_mgmt": "OWE",
                 "rsn_pairwise": "CCMP"}
    hapd = hostapd.add_ap(apdev[0], ap_params)
    bssid = hapd.own_addr()

    sta.scan_for_bss(bssid, freq="2412")

    def start_owe(group):
        # Kick off an OWE association attempt without waiting for it to
        # complete; every caller below expects the attempt to fail or be
        # abandoned.
        sta.connect("owe", key_mgmt="OWE", owe_group=group,
                    ieee80211w="2",
                    scan_freq="2412", wait_connect=False)

    def reset_sta():
        # Drop the network profile and drain pending events so the next
        # iteration starts from a clean state.
        sta.request("REMOVE_NETWORK all")
        sta.dump_monitor()

    # The "callee;caller" strings are consumed by alloc_fail()/fail_test(),
    # which are defined elsewhere; presumably they select the call path
    # where the failure is injected - confirm against those helpers.

    # Failures while building the Association Request: wait until the
    # injected allocation failure has actually been hit.
    build_failures = [(1, "crypto_ecdh_init;owe_build_assoc_req"),
                      (1, "crypto_ecdh_get_pubkey;owe_build_assoc_req"),
                      (1, "wpabuf_alloc;owe_build_assoc_req")]
    for count, func in build_failures:
        with alloc_fail(sta, count, func):
            start_owe("20")
            wait_fail_trigger(sta, "GET_ALLOC_FAIL")
            reset_sta()

    # Failures while processing the Association Response: the station is
    # expected to disconnect rather than continue with incomplete key
    # material.
    resp_alloc_failures = [(1, "crypto_ecdh_set_peerkey;owe_process_assoc_resp"),
                           (1, "crypto_ecdh_get_pubkey;owe_process_assoc_resp"),
                           (1, "wpabuf_alloc;=owe_process_assoc_resp")]
    for count, func in resp_alloc_failures:
        with alloc_fail(sta, count, func):
            start_owe("20")
            sta.wait_disconnected()
            reset_sta()

    # HMAC/KDF failures, one pair per group (19, 20, 21); again the
    # expected outcome is a disconnection.
    hash_failures = [(1, "hmac_sha256;owe_process_assoc_resp", 19),
                     (1, "hmac_sha256_kdf;owe_process_assoc_resp", 19),
                     (1, "hmac_sha384;owe_process_assoc_resp", 20),
                     (1, "hmac_sha384_kdf;owe_process_assoc_resp", 20),
                     (1, "hmac_sha512;owe_process_assoc_resp", 21),
                     (1, "hmac_sha512_kdf;owe_process_assoc_resp", 21)]
    for count, func, group in hash_failures:
        with fail_test(sta, count, func):
            start_owe(str(group))
            sta.wait_disconnected()
            reset_sta()

    # Group 18 is not one of the groups exercised above; only the start of
    # authentication is required here, then the attempt is torn down.
    # NOTE(review): presumably this covers an unsupported-group path - confirm.
    start_owe("18")
    auth_ev = sta.wait_event(["SME: Trying to authenticate"], timeout=5)
    if auth_ev is None:
        raise Exception("No authentication attempt")
    time.sleep(0.5)
    reset_sta()
Example #15
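def test_ap_vht80plus80(dev, apdev):
    """VHT with 80+80 MHz channel width"""
    try:
        hapd = None
        hapd2 = None
        # First AP: primary channel 52 with regulatory/DFS support enabled
        # (ieee80211d/ieee80211h).
        params = {
            "ssid": "vht",
            "country_code": "US",
            "hw_mode": "a",
            "channel": "52",
            "ht_capab": "[HT40+]",
            "ieee80211n": "1",
            "ieee80211ac": "1",
            "vht_oper_chwidth": "3",
            "vht_oper_centr_freq_seg0_idx": "58",
            "vht_oper_centr_freq_seg1_idx": "155",
            'ieee80211d': '1',
            'ieee80211h': '1'
        }
        hapd = hostapd.add_ap(apdev[0]['ifname'], params, wait_enabled=False)
        # This will actually fail since DFS on 80+80 is not yet supported
        hapd.wait_event(["AP-DISABLED"], timeout=5)
        # ignore result to avoid breaking the test once 80+80 DFS gets enabled

        # Second AP: primary channel 36, no ieee80211d/ieee80211h.
        params = {
            "ssid": "vht2",
            "country_code": "US",
            "hw_mode": "a",
            "channel": "36",
            "ht_capab": "[HT40+]",
            "ieee80211n": "1",
            "ieee80211ac": "1",
            "vht_oper_chwidth": "3",
            "vht_oper_centr_freq_seg0_idx": "42",
            "vht_oper_centr_freq_seg1_idx": "155"
        }
        hapd2 = hostapd.add_ap(apdev[1]['ifname'], params, wait_enabled=False)

        ev = hapd2.wait_event(["AP-ENABLED", "AP-DISABLED"], timeout=5)
        if not ev:
            raise Exception("AP setup timed out(2)")
        if "AP-DISABLED" in ev:
            # Assume this failed due to missing regulatory update for now
            raise HwsimSkip(
                "80+80 MHz channel not supported in regulatory information")

        state = hapd2.get_status_field("state")
        if state != "ENABLED":
            raise Exception("Unexpected interface state(2)")

        # Open network (key_mgmt=NONE): this test is about channel width
        # reporting, not link security.
        dev[1].connect("vht2", key_mgmt="NONE", scan_freq="5180")
        hwsim_utils.test_connectivity(dev[1], hapd2)
        sig = dev[1].request("SIGNAL_POLL").splitlines()
        if "FREQUENCY=5180" not in sig:
            raise Exception("Unexpected SIGNAL_POLL value(1): " + str(sig))
        if "WIDTH=80+80 MHz" not in sig:
            raise Exception("Unexpected SIGNAL_POLL value(2): " + str(sig))
        if "CENTER_FRQ1=5210" not in sig:
            raise Exception("Unexpected SIGNAL_POLL value(3): " + str(sig))
        if "CENTER_FRQ2=5775" not in sig:
            raise Exception("Unexpected SIGNAL_POLL value(4): " + str(sig))
    except Exception as e:
        # "except Exception as e" parses on Python 2.6+ and on Python 3; the
        # older comma form is a syntax error on Python 3.
        # Only an "AP startup failed" error is converted into a skip, and
        # only when vht_supported() (defined elsewhere) reports no VHT
        # support; everything else, including the HwsimSkip raised above,
        # is re-raised unchanged.
        if str(e) == "AP startup failed":
            if not vht_supported():
                raise HwsimSkip(
                    "80/160 MHz channel not supported in regulatory information"
                )
        raise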
Example #16
def test_suite_b_192(dev, apdev):
    """WPA2-PSK/GCMP-256 connection at Suite B 192-bit level"""
    # NOTE(review): the docstring says WPA2-PSK, but everything below
    # configures WPA-EAP-SUITE-B-192 with EAP-TLS - confirm and fix the title.

    # Skip unless the station reports every primitive this profile needs.
    if "GCMP-256" not in dev[0].get_capability("pairwise"):
        raise HwsimSkip("GCMP-256 not supported")
    if "BIP-GMAC-256" not in dev[0].get_capability("group_mgmt"):
        raise HwsimSkip("BIP-GMAC-256 not supported")
    if "WPA-EAP-SUITE-B-192" not in dev[0].get_capability("key_mgmt"):
        raise HwsimSkip("WPA-EAP-SUITE-B-192 not supported")
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("TLS library not supported for Suite B: " + tls)
    # NOTE(review): this is a substring match on "OpenSSL 1.0.2" for both the
    # build and run versions, so any other OpenSSL release results in a skip
    # rather than a run. A skipped test gives no coverage of the cipher
    # assertions below - confirm the pin is still intended.
    if "build=OpenSSL 1.0.2" not in tls or "run=OpenSSL 1.0.2" not in tls:
        raise HwsimSkip("OpenSSL version not supported for Suite B: " + tls)

    # AP with hostapd's integrated EAP server (eap_server=1), management
    # frame protection required (ieee80211w=2) and the TLS cipher list
    # restricted to SUITEB192. Certificates and keys are test fixtures from
    # auth_serv/.
    params = {
        "ssid": "test-suite-b",
        "wpa": "2",
        "wpa_key_mgmt": "WPA-EAP-SUITE-B-192",
        "rsn_pairwise": "GCMP-256",
        "group_mgmt_cipher": "BIP-GMAC-256",
        "ieee80211w": "2",
        "ieee8021x": "1",
        "openssl_ciphers": "SUITEB192",
        "eap_server": "1",
        "eap_user_file": "auth_serv/eap_user.conf",
        "ca_cert": "auth_serv/ec2-ca.pem",
        "server_cert": "auth_serv/ec2-server.pem",
        "private_key": "auth_serv/ec2-server.key"
    }
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    # Station side mirrors the AP: EAP-TLS with a client certificate and the
    # same SUITEB192 cipher restriction.
    dev[0].connect("test-suite-b",
                   key_mgmt="WPA-EAP-SUITE-B-192",
                   ieee80211w="2",
                   openssl_ciphers="SUITEB192",
                   eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/ec2-ca.pem",
                   client_cert="auth_serv/ec2-user.pem",
                   private_key="auth_serv/ec2-user.key",
                   pairwise="GCMP-256",
                   group="GCMP-256",
                   scan_freq="2412")
    # The negotiated TLS cipher suite must be exactly this one; anything
    # else fails the test rather than being accepted as "close enough".
    tls_cipher = dev[0].get_status_field("EAP TLS cipher")
    if tls_cipher != "ECDHE-ECDSA-AES256-GCM-SHA384":
        raise Exception("Unexpected TLS cipher: " + tls_cipher)

    # The scan result for the AP must carry the Suite B 192 / GCMP-256 flag.
    bss = dev[0].get_bss(apdev[0]['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    if "[WPA2-EAP-SUITE-B-192-GCMP-256]" not in bss['flags']:
        raise Exception("Unexpected BSS flags: " + bss['flags'])

    # Reconnect to the same AP: a new EAP exchange is treated as a failure,
    # so the reconnection has to complete without full re-authentication
    # (presumably via a cached PMKSA - confirm).
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected(timeout=20)
    dev[0].dump_monitor()
    dev[0].request("RECONNECT")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED", "CTRL-EVENT-CONNECTED"],
                           timeout=20)
    if ev is None:
        raise Exception("Roaming with the AP timed out")
    if "CTRL-EVENT-EAP-STARTED" in ev:
        raise Exception("Unexpected EAP exchange")
Example #17
def test_pmksa_cache_ctrl_ext(dev, apdev):
    """PMKSA cache control interface for external management"""
    ssid = "test-pmksa-cache"
    params = hostapd.wpa2_eap_params(ssid=ssid)
    hapd = hostapd.add_ap(apdev[0], params)
    bssid = apdev[0]['bssid']

    # Same network profile is used for both connect() calls below.
    profile = dict(proto="RSN",
                   key_mgmt="WPA-EAP",
                   eap="GPSK",
                   identity="gpsk user",
                   password="******",
                   scan_freq="2412")

    sta = dev[0]
    net_id = sta.connect(ssid, **profile)

    # NOTE(review): the PMKSA_GET response is replayed through PMKSA_ADD
    # further down and is then sufficient to connect without EAP, so it is
    # key-equivalent data. It is written to the test log here, which is fine
    # for throwaway test credentials only.
    first_dump = sta.request("PMKSA_GET %d" % net_id)
    logger.info("PMKSA_GET: " + first_dump)
    if "UNKNOWN COMMAND" in first_dump:
        raise HwsimSkip("PMKSA_GET not supported in the build")
    if bssid not in first_dump:
        raise Exception("PMKSA cache entry missing")

    # Roam to a second AP with the same configuration so the cache holds
    # one entry per BSSID.
    hostapd.add_ap(apdev[1], params)
    bssid2 = apdev[1]['bssid']
    sta.scan_for_bss(bssid2, freq=2412, force_scan=True)
    sta.request("ROAM " + bssid2)
    sta.wait_connected()

    both_dump = sta.request("PMKSA_GET %d" % net_id)
    logger.info("PMKSA_GET: " + both_dump)
    if bssid not in both_dump:
        raise Exception("PMKSA cache entry 1 missing")
    if bssid2 not in both_dump:
        raise Exception("PMKSA cache entry 2 missing")

    # Remove the profile and flush the cache, then re-add the profile
    # without connecting.
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
    sta.request("PMKSA_FLUSH")

    net_id = sta.connect(ssid, only_add_network=True, **profile)

    # After the flush nothing may be left for this network ...
    after_flush = sta.request("PMKSA_GET %d" % net_id)
    if after_flush != '':
        raise Exception("Unexpected PMKSA cache entry remains: " + after_flush)
    # ... and a network id that does not exist must be rejected.
    unknown_net = sta.request("PMKSA_GET %d" % (net_id + 1234))
    if not unknown_net.startswith('FAIL'):
        raise Exception("Unexpected PMKSA cache entry for unknown network: " +
                        unknown_net)

    # Restore the previously exported entries one line at a time.
    for entry in both_dump.splitlines():
        reply = sta.request("PMKSA_ADD %d %s" % (net_id, entry))
        if "OK" not in reply:
            raise Exception("Failed to add PMKSA entry")

    # With the restored cache the connection has to come up without a new
    # EAP exchange.
    sta.select_network(net_id)
    ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED", "CTRL-EVENT-CONNECTED"],
                        timeout=15)
    if ev is None:
        raise Exception("Connection with the AP timed out")
    if "CTRL-EVENT-EAP-STARTED" in ev:
        raise Exception(
            "Unexpected EAP exchange after external PMKSA cache restore")
Example #18
def test_wpa2_psk_key_lifetime_in_memory(dev, apdev, params):
    """WPA2-PSK and PSK/PTK lifetime in memory"""
    # Searches snapshots of the supplicant process memory for known key
    # bytes at each stage of a WPA2-PSK connection and fails if session keys
    # are still found after the point where they should have been discarded.
    # read_process_memory(), get_key_locations() and verify_not_present()
    # are helpers defined elsewhere in the file.
    ssid = "test-wpa2-psk"
    passphrase = 'qwertyuiop'
    # Used both as the AP's wpa_psk and, in binary form, as the PMK pattern
    # searched for in memory. Presumably the PSK derived from the passphrase
    # and ssid above - confirm.
    psk = '602e323e077bc63bd80307ef4745b754b0ae0a925c2638ecd13a794b9527b9e6'
    pmk = binascii.unhexlify(psk)
    p = hostapd.wpa2_params(ssid=ssid)
    p['wpa_psk'] = psk
    hapd = hostapd.add_ap(apdev[0]['ifname'], p)

    pid = find_wpas_process(dev[0])

    # Stage 1: profile configured with the raw PSK, no connection attempt.
    id = dev[0].connect(ssid,
                        raw_psk=psk,
                        scan_freq="2412",
                        only_add_network=True)

    logger.info("Checking keys in memory after network profile configuration")
    buf = read_process_memory(pid, pmk)
    get_key_locations(buf, pmk, "PMK")

    # Stage 2: profile removed again.
    dev[0].request("REMOVE_NETWORK all")
    logger.info("Checking keys in memory after network profile removal")
    buf = read_process_memory(pid, pmk)
    get_key_locations(buf, pmk, "PMK")

    # Stage 3: profile configured with the passphrase instead of the raw PSK.
    id = dev[0].connect(ssid,
                        psk=passphrase,
                        scan_freq="2412",
                        only_add_network=True)

    logger.info("Checking keys in memory before connection")
    buf = read_process_memory(pid, pmk)
    get_key_locations(buf, pmk, "PMK")

    # Stage 4: connect, then snapshot memory while still associated. This
    # snapshot is only analysed further down, once the session keys have
    # been recovered from the debug log.
    dev[0].connect_network(id, timeout=20)
    time.sleep(1)

    buf = read_process_memory(pid, pmk)

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # Recover PTK and GTK from hexdump lines in the debug log 'log0'. The
    # key bytes are taken from the fourth ':'-separated field of the line.
    # NOTE(review): this depends on the supplicant writing keys to its debug
    # log, which makes that log as sensitive as the keys themselves; only
    # appropriate for test runs.
    dev[0].relog()
    ptk = None
    gtk = None
    with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
        for l in f.readlines():
            if "WPA: PTK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                ptk = binascii.unhexlify(val)
            if "WPA: Group Key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                gtk = binascii.unhexlify(val)
    if not pmk or not ptk or not gtk:
        raise Exception("Could not find keys from debug log")
    if len(gtk) != 16:
        raise Exception("Unexpected GTK length")

    # Split the PTK into its three 16-byte parts.
    kck = ptk[0:16]
    kek = ptk[16:32]
    tk = ptk[32:48]

    # While associated: KCK and KEK are expected to be in process memory,
    # while TK and GTK must not be found there. A missing PMK is treated as
    # a skip rather than a failure.
    logger.info("Checking keys in memory while associated")
    get_key_locations(buf, pmk, "PMK")
    if pmk not in buf:
        raise HwsimSkip("PMK not found while associated")
    if kck not in buf:
        raise Exception("KCK not found while associated")
    if kek not in buf:
        raise Exception("KEK not found while associated")
    if tk in buf:
        raise Exception("TK found from memory")
    if gtk in buf:
        raise Exception("GTK found from memory")

    # After disassociation: none of the session keys may remain.
    logger.info("Checking keys in memory after disassociation")
    buf = read_process_memory(pid, pmk)
    get_key_locations(buf, pmk, "PMK")

    # Note: PMK/PSK is still present in network configuration

    # fname is passed to verify_not_present() as a file name prefix;
    # presumably memory context is dumped there on failure - confirm.
    fname = os.path.join(params['logdir'],
                         'wpa2_psk_key_lifetime_in_memory.memctx-')
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")

    dev[0].request("REMOVE_NETWORK all")

    # After profile removal: the PMK must be gone as well.
    logger.info("Checking keys in memory after network profile removal")
    buf = read_process_memory(pid, pmk)
    get_key_locations(buf, pmk, "PMK")

    verify_not_present(buf, pmk, fname, "PMK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")
Example #19
def test_sae_invalid_anti_clogging_token_req(dev, apdev):
    """SAE and invalid anti-clogging token request"""
    sta = dev[0]
    if "SAE" not in sta.get_capability("auth_alg"):
        raise HwsimSkip("SAE not supported")
    params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
    params['wpa_key_mgmt'] = 'SAE'
    hapd = hostapd.add_ap(apdev[0], params)
    bssid = apdev[0]['bssid']

    def expect_auth_attempt():
        # The station must (re)start authentication; drain its events after.
        if sta.wait_event(["SME: Trying to authenticate"]) is None:
            raise Exception("No authentication attempt seen")
        sta.dump_monitor()

    def next_auth_frame(timeout_msg, missing_msg):
        # Pull up to ten management frames from the AP and return the first
        # one with subtype 11 (Authentication).
        for _ in range(0, 10):
            frame = hapd.mgmt_rx()
            if frame is None:
                raise Exception(timeout_msg)
            if frame['subtype'] == 11:
                return frame
        raise Exception(missing_msg)

    def send_reply(frame, payload_hex):
        # Answer the received frame with addresses swapped and a hand-built
        # Authentication frame body.
        hapd.dump_monitor()
        hapd.mgmt_tx({
            'fc': frame['fc'],
            'da': frame['sa'],
            'sa': frame['da'],
            'bssid': frame['bssid'],
            'payload': binascii.unhexlify(payload_hex),
        })

    sta.request("SET sae_groups 19")
    sta.scan_for_bss(bssid, freq=2412)
    # Management frames are handed to the test instead of being processed
    # by the AP, so the replies below are fully test-controlled.
    hapd.set("ext_mgmt_frame_handling", "1")
    sta.connect("test-sae",
                psk="12345678",
                key_mgmt="SAE",
                scan_freq="2412",
                wait_connect=False)
    expect_auth_attempt()

    commit = next_auth_frame("MGMT RX wait timed out (commit)",
                             "Authentication frame (commit) not received")
    # Body: algorithm 3, transaction 1, status 0x004c, then a single byte
    # 0x13. Presumably the one-byte remainder (too short for a two-octet
    # group field) is what makes this token request invalid - confirm.
    send_reply(commit, "030001004c0013")

    # The station is expected to start over instead of acting on the
    # malformed request.
    expect_auth_attempt()

    commit = next_auth_frame("MGMT RX wait timed out (commit) (2)",
                             "Authentication frame (commit) not received (2)")
    # Body: algorithm 3, transaction 1, status 1, no further fields.
    send_reply(commit, "030001000100")

    expect_auth_attempt()

    sta.request("DISCONNECT")
Example #20
def test_rrm_neighbor_rep_req(dev, apdev):
    """wpa_supplicant ctrl_iface NEIGHBOR_REP_REQUEST"""
    # Neighbor report hex strings for SET_NEIGHBOR; the first six octets of
    # each match the address it is registered under below.
    nr1 = "00112233445500000000510107"
    nr2 = "00112233445600000000510107"
    nr3 = "dd112233445500000000510107"

    # Two open APs: "test" without neighbor reports, "test2" with them.
    params = {"ssid": "test"}
    hostapd.add_ap(apdev[0]['ifname'], params)
    params = {"ssid": "test2", "rrm_neighbor_report": "1"}
    hapd = hostapd.add_ap(apdev[1]['ifname'], params)

    bssid1 = apdev[1]['bssid']

    # Against the AP without RRM the request has to be rejected.
    dev[0].connect("test", key_mgmt="NONE", scan_freq="2412")
    if "FAIL" not in dev[0].request("NEIGHBOR_REP_REQUEST"):
        raise Exception("Request succeeded unexpectedly (AP without RRM)")
    if "FAIL" not in dev[0].request("NEIGHBOR_REP_REQUEST ssid=\"abcdef\""):
        raise Exception("Request succeeded unexpectedly (AP without RRM 2)")
    dev[0].request("DISCONNECT")

    # In Python '&' binds tighter than '!=', so this reads
    # (rrm & 0x5) != 0x5 and (rrm & 0x10) != 0x10: the test is skipped only
    # when neither flag combination is fully set.
    rrm = int(dev[0].get_driver_status_field("capa.rrm_flags"), 16)
    if rrm & 0x5 != 0x5 and rrm & 0x10 != 0x10:
        raise HwsimSkip("Required RRM capabilities are not supported")

    dev[0].connect("test2", key_mgmt="NONE", scan_freq="2412")

    # Before any SET_NEIGHBOR: requests without an ssid are checked against
    # the AP's own BSSID; requests for ssid "test3" are checked with no
    # expected BSSIDs passed to check_nr_results() (defined elsewhere).
    if "OK" not in dev[0].request("NEIGHBOR_REP_REQUEST"):
        raise Exception("Request failed")
    check_nr_results(dev[0], [bssid1])

    if "OK" not in dev[0].request("NEIGHBOR_REP_REQUEST lci"):
        raise Exception("Request failed")
    check_nr_results(dev[0], [bssid1])

    if "OK" not in dev[0].request("NEIGHBOR_REP_REQUEST lci civic"):
        raise Exception("Request failed")
    check_nr_results(dev[0], [bssid1])

    if "OK" not in dev[0].request("NEIGHBOR_REP_REQUEST ssid=\"test3\""):
        raise Exception("Request failed")
    check_nr_results(dev[0])

    if "OK" not in dev[0].request(
            "NEIGHBOR_REP_REQUEST ssid=\"test3\" lci civic"):
        raise Exception("Request failed")
    check_nr_results(dev[0])

    # Register neighbors on the AP: two for "test3", one for "test4" (all
    # with lci and civic) and one for "test5" with lci only.
    # NOTE(review): lci and civic are not defined in this function;
    # presumably module-level values - confirm.
    if "OK" not in hapd.request(
            "SET_NEIGHBOR 00:11:22:33:44:55 ssid=\"test3\" nr=" + nr1 +
            " lci=" + lci + " civic=" + civic):
        raise Exception("Set neighbor failed")
    if "OK" not in hapd.request(
            "SET_NEIGHBOR 00:11:22:33:44:56 ssid=\"test3\" nr=" + nr2 +
            " lci=" + lci + " civic=" + civic):
        raise Exception("Set neighbor failed")
    if "OK" not in hapd.request(
            "SET_NEIGHBOR 00:11:22:33:44:56 ssid=\"test4\" nr=" + nr2 +
            " lci=" + lci + " civic=" + civic):
        raise Exception("Set neighbor failed")
    if "OK" not in hapd.request(
            "SET_NEIGHBOR dd:11:22:33:44:55 ssid=\"test5\" nr=" + nr3 +
            " lci=" + lci):
        raise Exception("Set neighbor failed")

    # ssid "test3": both registered neighbors, with lci/civic expected only
    # when requested.
    if "OK" not in dev[0].request("NEIGHBOR_REP_REQUEST ssid=\"test3\""):
        raise Exception("Request failed")
    check_nr_results(dev[0], ["00:11:22:33:44:55", "00:11:22:33:44:56"])

    if "OK" not in dev[0].request("NEIGHBOR_REP_REQUEST ssid=\"test3\" lci"):
        raise Exception("Request failed")
    check_nr_results(dev[0], ["00:11:22:33:44:55", "00:11:22:33:44:56"],
                     lci=True)

    if "OK" not in dev[0].request("NEIGHBOR_REP_REQUEST ssid=\"test3\" civic"):
        raise Exception("Request failed")
    check_nr_results(dev[0], ["00:11:22:33:44:55", "00:11:22:33:44:56"],
                     civic=True)

    if "OK" not in dev[0].request(
            "NEIGHBOR_REP_REQUEST ssid=\"test3\" lci civic"):
        raise Exception("Request failed")
    check_nr_results(dev[0], ["00:11:22:33:44:55", "00:11:22:33:44:56"],
                     lci=True,
                     civic=True)

    # ssid "test4": the single neighbor registered for it.
    if "OK" not in dev[0].request("NEIGHBOR_REP_REQUEST ssid=\"test4\""):
        raise Exception("Request failed")
    check_nr_results(dev[0], ["00:11:22:33:44:56"])

    if "OK" not in dev[0].request("NEIGHBOR_REP_REQUEST ssid=\"test4\" lci"):
        raise Exception("Request failed")
    check_nr_results(dev[0], ["00:11:22:33:44:56"], lci=True)

    if "OK" not in dev[0].request("NEIGHBOR_REP_REQUEST ssid=\"test4\" civic"):
        raise Exception("Request failed")
    check_nr_results(dev[0], ["00:11:22:33:44:56"], civic=True)

    if "OK" not in dev[0].request(
            "NEIGHBOR_REP_REQUEST ssid=\"test4\" lci civic"):
        raise Exception("Request failed")
    check_nr_results(dev[0], ["00:11:22:33:44:56"], lci=True, civic=True)

    # ssid "test5": registered without civic, so civic is never expected in
    # the results even when it is requested.
    if "OK" not in dev[0].request("NEIGHBOR_REP_REQUEST ssid=\"test5\""):
        raise Exception("Request failed")
    check_nr_results(dev[0], ["dd:11:22:33:44:55"])

    if "OK" not in dev[0].request("NEIGHBOR_REP_REQUEST ssid=\"test5\" lci"):
        raise Exception("Request failed")
    check_nr_results(dev[0], ["dd:11:22:33:44:55"], lci=True)

    if "OK" not in dev[0].request("NEIGHBOR_REP_REQUEST ssid=\"test5\" civic"):
        raise Exception("Request failed")
    check_nr_results(dev[0], ["dd:11:22:33:44:55"])

    if "OK" not in dev[0].request(
            "NEIGHBOR_REP_REQUEST ssid=\"test5\" lci civic"):
        raise Exception("Request failed")
    check_nr_results(dev[0], ["dd:11:22:33:44:55"], lci=True)
Example #21
def test_erp_key_lifetime_in_memory(dev, apdev, params):
    """ERP and key lifetime in memory"""
    # Searches snapshots of the supplicant process memory for the password
    # and for keys recovered from the debug log, at each stage of an
    # EAP-TTLS connection with ERP, and fails if a key is still found after
    # the point where it should have been discarded.
    # read_process_memory(), get_key_locations() and verify_not_present()
    # are helpers defined elsewhere in the file.
    check_erp_capa(dev[0])
    # AP with ERP enabled and PMKSA caching disabled.
    p = int_eap_server_params()
    p['erp_send_reauth_start'] = '1'
    p['erp_domain'] = 'example.com'
    p['eap_server_erp'] = '1'
    p['disable_pmksa_caching'] = '1'
    hapd = hostapd.add_ap(apdev[0], p)
    password = "******"

    pid = find_wpas_process(dev[0])

    dev[0].request("ERP_FLUSH")
    dev[0].connect("test-wpa2-eap",
                   key_mgmt="WPA-EAP",
                   eap="TTLS",
                   identity="*****@*****.**",
                   password=password,
                   ca_cert="auth_serv/ca.pem",
                   phase2="auth=PAP",
                   erp="1",
                   scan_freq="2412")

    # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
    # event has been delivered, so verify that wpa_supplicant has returned to
    # eloop before reading process memory.
    time.sleep(1)
    dev[0].ping()
    # From here on the password is handled as bytes so it can be searched
    # for in the memory snapshot.
    password = password.encode()
    buf = read_process_memory(pid, password)

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected(timeout=15)

    # Recover every key of the session from hexdump lines in the debug log
    # 'log0'. The key bytes are the fourth ':'-separated field of the line.
    # NOTE(review): this depends on the supplicant writing keys to its debug
    # log, which makes that log as sensitive as the keys themselves; only
    # appropriate for test runs.
    dev[0].relog()
    msk = None
    emsk = None
    rRK = None
    rIK = None
    pmk = None
    ptk = None
    gtk = None
    with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
        for l in f.readlines():
            if "EAP-TTLS: Derived key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                msk = binascii.unhexlify(val)
            if "EAP-TTLS: Derived EMSK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                emsk = binascii.unhexlify(val)
            if "EAP: ERP rRK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                rRK = binascii.unhexlify(val)
            if "EAP: ERP rIK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                rIK = binascii.unhexlify(val)
            if "WPA: PMK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                pmk = binascii.unhexlify(val)
            if "WPA: PTK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                ptk = binascii.unhexlify(val)
            if "WPA: Group Key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                gtk = binascii.unhexlify(val)
    if not msk or not emsk or not rIK or not rRK or not pmk or not ptk or not gtk:
        raise Exception("Could not find keys from debug log")
    if len(gtk) != 16:
        raise Exception("Unexpected GTK length")

    # Split the PTK into its three 16-byte parts.
    kck = ptk[0:16]
    kek = ptk[16:32]
    tk = ptk[32:48]

    # fname is passed to verify_not_present() as a file name prefix;
    # presumably memory context is dumped there on failure - confirm.
    fname = os.path.join(params['logdir'],
                         'erp_key_lifetime_in_memory.memctx-')

    # While associated (snapshot taken before DISCONNECT): KCK and KEK are
    # expected to be found; a missing password or PMK is treated as a skip.
    logger.info("Checking keys in memory while associated")
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    get_key_locations(buf, rRK, "rRK")
    get_key_locations(buf, rIK, "rIK")
    if password not in buf:
        raise HwsimSkip("Password not found while associated")
    if pmk not in buf:
        raise HwsimSkip("PMK not found while associated")
    if kck not in buf:
        raise Exception("KCK not found while associated")
    if kek not in buf:
        raise Exception("KEK not found while associated")
    # NOTE(review): the TK-absent check is disabled in this test, so TK
    # presence while associated is not verified here.
    #if tk in buf:
    #    raise Exception("TK found from memory")

    # After disassociation: the PTK parts and the GTK must be gone.
    logger.info("Checking keys in memory after disassociation")
    buf = read_process_memory(pid, password)

    # Note: Password is still present in network configuration
    # Note: PMK is in EAP fast re-auth data

    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    get_key_locations(buf, rRK, "rRK")
    get_key_locations(buf, rIK, "rIK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    if gtk in buf:
        get_key_locations(buf, gtk, "GTK")
    verify_not_present(buf, gtk, fname, "GTK")

    # Reconnect; the success event must state that EAP re-authentication
    # was used.
    dev[0].request("RECONNECT")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
    if ev is None:
        raise Exception("EAP success timed out")
    if "EAP re-authentication completed successfully" not in ev:
        raise Exception("Did not use ERP")
    dev[0].wait_connected(timeout=15, error="Reconnection timed out")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected(timeout=15)

    # Re-read the log for the second session's PMK, PTK and GTK. The GTK is
    # taken from a different log line here than in the first pass
    # ("WPA: GTK in EAPOL-Key" instead of "WPA: Group Key").
    dev[0].relog()
    pmk = None
    ptk = None
    gtk = None
    with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
        for l in f.readlines():
            if "WPA: PMK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                pmk = binascii.unhexlify(val)
            if "WPA: PTK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                ptk = binascii.unhexlify(val)
            if "WPA: GTK in EAPOL-Key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                gtk = binascii.unhexlify(val)
    if not pmk or not ptk or not gtk:
        raise Exception("Could not find keys from debug log")

    kck = ptk[0:16]
    kek = ptk[16:32]
    tk = ptk[32:48]

    # After the ERP session and disassociation: the new PTK parts and GTK
    # must be gone.
    logger.info("Checking keys in memory after ERP and disassociation")
    buf = read_process_memory(pid, password)

    # Note: Password is still present in network configuration

    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    get_key_locations(buf, rRK, "rRK")
    get_key_locations(buf, rIK, "rIK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")

    dev[0].request("REMOVE_NETWORK all")

    # After profile removal: password, PMK, MSK and EMSK must be gone too.
    logger.info("Checking keys in memory after network profile removal")
    buf = read_process_memory(pid, password)

    # Note: rRK and rIK are still in memory

    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    get_key_locations(buf, rRK, "rRK")
    get_key_locations(buf, rIK, "rIK")
    verify_not_present(buf, password, fname, "password")
    verify_not_present(buf, pmk, fname, "PMK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")
    verify_not_present(buf, msk, fname, "MSK")
    verify_not_present(buf, emsk, fname, "EMSK")

    # The ERP keys are required to disappear only after an explicit
    # ERP_FLUSH.
    dev[0].request("ERP_FLUSH")
    logger.info("Checking keys in memory after ERP_FLUSH")
    buf = read_process_memory(pid, password)
    get_key_locations(buf, rRK, "rRK")
    get_key_locations(buf, rIK, "rIK")
    verify_not_present(buf, rRK, fname, "rRK")
    verify_not_present(buf, rIK, fname, "rIK")
Example #22
def test_ap_cipher_tkip_countermeasures_sta2(dev, apdev, params):
    """WPA-PSK/TKIP countermeasures (detected by two STAs) [long]"""
    if not params['long']:
        raise HwsimSkip("Skip test case with long duration due to --long not specified")
    sta1 = dev[0]
    skip_with_fips(sta1)

    ssid = "tkip-countermeasures"
    # WPA (version 1) with TKIP only: legacy configuration, used here solely
    # to exercise the countermeasures path.
    ap_params = { "ssid": ssid,
                  "wpa_passphrase": "12345678",
                  "wpa": "1",
                  "wpa_key_mgmt": "WPA-PSK",
                  "wpa_pairwise": "TKIP" }
    hapd = hostapd.add_ap(apdev[0], ap_params)

    # debugfs knob of the AP interface; the test is skipped when it does not
    # exist.
    testfile = "/sys/kernel/debug/ieee80211/%s/netdev:%s/tkip_mic_test" % (hapd.get_driver_status_field("phyname"), apdev[0]['ifname'])
    if hapd.cmd_execute([ "ls", testfile ])[0] != 0:
        raise HwsimSkip("tkip_mic_test not supported in mac80211")

    sta_profile = dict(psk="12345678",
                       pairwise="TKIP", group="TKIP", scan_freq="2412")

    sta1.connect(ssid, **sta_profile)
    sta1.dump_monitor()
    sta2 = dev[1]
    net_id = sta2.connect(ssid, **sta_profile)
    sta2.dump_monitor()

    # NOTE(review): an argv list is combined with shell=True; the ">"
    # redirection only works if cmd_execute() (defined elsewhere) joins the
    # list into a shell command line - confirm. The path is built from the
    # driver-reported phy name and the test interface name only; nothing
    # externally supplied should ever be added to this command.
    hapd.cmd_execute([ "echo", "-n", "ff:ff:ff:ff:ff:ff", ">", testfile ],
                     shell=True)

    # Both stations must be disconnected with reason code 14.
    for sta, limit in ((sta1, 10), (sta2, 5)):
        ev = sta.wait_disconnected(timeout=limit,
                                   error="No disconnection after two Michael MIC failure")
        if "reason=14" not in ev:
            raise Exception("Unexpected disconnection reason: " + ev)

    # Neither station may get back in while countermeasures are active.
    for sta in (sta1, sta2):
        ev = sta.wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
        if ev is not None:
            raise Exception("Unexpected connection during TKIP countermeasures")

    sta1.request("REMOVE_NETWORK all")
    logger.info("Waiting for TKIP countermeasures to end")
    connected = False
    # Keep retrying for up to 70 seconds of elapsed time; until the AP
    # accepts the station again, every attempt has to be rejected with
    # status_code=1.
    deadline = os.times()[4] + 70
    while os.times()[4] <= deadline:
        sta1.connect(ssid, wait_connect=False, **sta_profile)
        ev = sta1.wait_event(["CTRL-EVENT-AUTH-REJECT",
                              "CTRL-EVENT-CONNECTED"], timeout=10)
        if ev is None:
            raise Exception("No connection result")
        if "CTRL-EVENT-CONNECTED" in ev:
            connected = True
            break
        if "status_code=1" not in ev:
            raise Exception("Unexpected connection failure reason during TKIP countermeasures: " + ev)
        sta1.request("REMOVE_NETWORK all")
        time.sleep(1)
        sta1.dump_monitor()
        sta2.dump_monitor()
    if not connected:
        raise Exception("No connection after TKIP countermeasures terminated")

    # The second station may already have reconnected on its own; if not,
    # force a reconnection and wait for it.
    if sta2.wait_event(["CTRL-EVENT-CONNECTED"], timeout=1) is None:
        sta2.request("DISCONNECT")
        sta2.select_network(net_id)
        sta2.wait_connected()
Example #23
def test_sae_bignum_failure(dev, apdev):
    """SAE and bignum failure

    Starts an SAE connection attempt once per (count, location) pair below
    while fail_test() is active for that pair, for each of the groups 19, 5
    and 22 that the AP is configured to accept. The only thing waited for is
    that the injected failure gets consumed (wait_fail_trigger); the outcome
    of the connection attempt itself is not checked here.
    """
    if "SAE" not in dev[0].get_capability("auth_alg"):
        raise HwsimSkip("SAE not supported")
    ap_params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
    ap_params['wpa_key_mgmt'] = 'SAE'
    ap_params['sae_groups'] = '19 5 22'
    hapd = hostapd.add_ap(apdev[0], ap_params)

    # One entry per station-side group selection: the control command that
    # selects the group, then the failures to inject for it.
    # NOTE(review): each location string presumably reads
    # "<function forced to fail>;<calling function>" and count presumably
    # picks the Nth matching call -- confirm against fail_test().
    plan = [
        # Group 19: the caller names in this list end in _ecc.
        ("SET sae_groups 19",
         [(1, "crypto_bignum_init_set;get_rand_1_to_p_1"),
          (1, "crypto_bignum_init;is_quadratic_residue_blind"),
          (1, "crypto_bignum_mulmod;is_quadratic_residue_blind"),
          (2, "crypto_bignum_mulmod;is_quadratic_residue_blind"),
          (3, "crypto_bignum_mulmod;is_quadratic_residue_blind"),
          (1, "crypto_bignum_legendre;is_quadratic_residue_blind"),
          (1, "crypto_bignum_init_set;sae_test_pwd_seed_ecc"),
          (1, "crypto_ec_point_compute_y_sqr;sae_test_pwd_seed_ecc"),
          (1, "crypto_bignum_init_set;get_random_qr_qnr"),
          (1, "crypto_bignum_to_bin;sae_derive_pwe_ecc"),
          (1, "crypto_ec_point_init;sae_derive_pwe_ecc"),
          (1, "crypto_ec_point_solve_y_coord;sae_derive_pwe_ecc"),
          (1, "crypto_ec_point_init;sae_derive_commit_element_ecc"),
          (1, "crypto_ec_point_mul;sae_derive_commit_element_ecc"),
          (1, "crypto_ec_point_invert;sae_derive_commit_element_ecc"),
          (1, "crypto_bignum_init;=sae_derive_commit"),
          (1, "crypto_ec_point_init;sae_derive_k_ecc"),
          (1, "crypto_ec_point_mul;sae_derive_k_ecc"),
          (1, "crypto_ec_point_add;sae_derive_k_ecc"),
          (2, "crypto_ec_point_mul;sae_derive_k_ecc"),
          (1, "crypto_ec_point_to_bin;sae_derive_k_ecc"),
          (1, "crypto_bignum_legendre;get_random_qr_qnr"),
          (1, "sha256_prf;sae_derive_keys"),
          (1, "crypto_bignum_init;sae_derive_keys"),
          (1, "crypto_bignum_init_set;sae_parse_commit_scalar"),
          (1, "crypto_bignum_to_bin;sae_parse_commit_element_ecc"),
          (1, "crypto_ec_point_from_bin;sae_parse_commit_element_ecc")]),
        # Group 5: the caller names in this list end in _ffc (or are
        # group-independent helpers).
        ("SET sae_groups 5",
         [(1, "crypto_bignum_init_set;sae_set_group"),
          (2, "crypto_bignum_init_set;sae_set_group"),
          (1, "crypto_bignum_init_set;sae_get_rand"),
          (1, "crypto_bignum_init_set;sae_test_pwd_seed_ffc"),
          (1, "crypto_bignum_exptmod;sae_test_pwd_seed_ffc"),
          (1, "crypto_bignum_init;sae_derive_pwe_ffc"),
          (1, "crypto_bignum_init;sae_derive_commit_element_ffc"),
          (1, "crypto_bignum_exptmod;sae_derive_commit_element_ffc"),
          (1, "crypto_bignum_inverse;sae_derive_commit_element_ffc"),
          (1, "crypto_bignum_init;sae_derive_k_ffc"),
          (1, "crypto_bignum_exptmod;sae_derive_k_ffc"),
          (1, "crypto_bignum_mulmod;sae_derive_k_ffc"),
          (2, "crypto_bignum_exptmod;sae_derive_k_ffc"),
          (1, "crypto_bignum_to_bin;sae_derive_k_ffc"),
          (1, "crypto_bignum_init_set;sae_parse_commit_element_ffc"),
          (1, "crypto_bignum_init;sae_parse_commit_element_ffc"),
          (2, "crypto_bignum_init_set;sae_parse_commit_element_ffc"),
          (1, "crypto_bignum_exptmod;sae_parse_commit_element_ffc")]),
        # Group 22: only failures inside sae_test_pwd_seed_ffc are injected.
        ("SET sae_groups 22",
         [(1, "crypto_bignum_init_set;sae_test_pwd_seed_ffc"),
          (1, "crypto_bignum_sub;sae_test_pwd_seed_ffc"),
          (1, "crypto_bignum_div;sae_test_pwd_seed_ffc")]),
    ]

    for select_group, failures in plan:
        dev[0].request(select_group)
        for count, func in failures:
            with fail_test(dev[0], count, func):
                # The connection is not expected to complete, so do not
                # block on it; wait for the injected failure instead.
                dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
                               scan_freq="2412", wait_connect=False)
                wait_fail_trigger(dev[0], "GET_FAIL")
                dev[0].request("REMOVE_NETWORK all")
Example #24
def test_ap_cipher_replay_protection_ap_gcmp(dev, apdev):
    """GCMP replay protection on AP"""
    pairwise_ciphers = dev[0].get_capability("pairwise")
    if "GCMP" not in pairwise_ciphers:
        raise HwsimSkip("GCMP not supported")
    # All of the checking is delegated to the runner, which is defined
    # outside this excerpt; this wrapper only selects the cipher.
    run_ap_cipher_replay_protection_ap(dev, apdev, "GCMP")
Example #25
def test_sae_key_lifetime_in_memory(dev, apdev, params):
    """SAE and key lifetime in memory

    Reads the memory of the wpa_supplicant process at four points and checks
    which secrets can still be found in it:

    - while associated: password and PMK are expected (the test is skipped,
      not failed, when they are missing), KCK and KEK must be present, and
      the SAE intermediates k, keyseed and KCK must be absent;
    - after disassociation: KCK, KEK, TK, GTK and the SAE intermediates must
      be absent; password and PMK locations are only logged;
    - after PMKSA_FLUSH: the PMK must be absent;
    - after REMOVE_NETWORK all: every secret, including the password, must
      be absent.

    The values to search for are recovered from the hexdump lines of the
    supplicant debug log (logdir/log0), so the test depends on key material
    being written to that log.
    NOTE(review): that logging belongs to the test environment only.
    """
    if "SAE" not in dev[0].get_capability("auth_alg"):
        raise HwsimSkip("SAE not supported")
    # NOTE(review): this literal looks masked on the page (six asterisks is
    # presumably shorter than a WPA2 passphrase may be) -- check the value
    # against the upstream test before running.
    password = "******"
    ap_conf = hostapd.wpa2_params(ssid="test-sae", passphrase=password)
    ap_conf['wpa_key_mgmt'] = 'SAE'
    hapd = hostapd.add_ap(apdev[0], ap_conf)

    pid = find_wpas_process(dev[0])

    dev[0].request("SET sae_groups ")
    dev[0].connect("test-sae", psk=password, key_mgmt="SAE",
                   scan_freq="2412")

    # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
    # event has been delivered, so verify that wpa_supplicant has returned to
    # eloop before reading process memory.
    time.sleep(1)
    dev[0].ping()
    buf = read_process_memory(pid, password)

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    dev[0].relog()

    # Debug-log marker -> name of the secret it carries. A later matching
    # line overwrites an earlier one, so the last hexdump in the log wins.
    log_markers = (
        ("SAE: k - hexdump", "sae_k"),
        ("SAE: keyseed - hexdump", "sae_keyseed"),
        ("SAE: KCK - hexdump", "sae_kck"),
        ("SAE: PMK - hexdump", "pmk"),
        ("WPA: PTK - hexdump", "ptk"),
        ("WPA: Group Key - hexdump", "gtk"),
    )
    found = dict((name, None) for _, name in log_markers)
    with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
        for line in f:
            for marker, name in log_markers:
                if marker in line:
                    # The hex bytes are the fourth ':'-separated field.
                    hexval = line.strip().split(':')[3].replace(' ', '')
                    found[name] = binascii.unhexlify(hexval)
    sae_k = found["sae_k"]
    sae_keyseed = found["sae_keyseed"]
    sae_kck = found["sae_kck"]
    pmk = found["pmk"]
    ptk = found["ptk"]
    gtk = found["gtk"]
    if not all([sae_k, sae_keyseed, sae_kck, pmk, ptk, gtk]):
        raise Exception("Could not find keys from debug log")
    if len(gtk) != 16:
        raise Exception("Unexpected GTK length")

    # Split the PTK into its three 16-octet parts.
    kck, kek, tk = ptk[0:16], ptk[16:32], ptk[32:48]
    ptk_parts = ((kck, "KCK"), (kek, "KEK"), (tk, "TK"))
    sae_secrets = ((sae_k, "SAE(k)"),
                   (sae_keyseed, "SAE(keyseed)"),
                   (sae_kck, "SAE(KCK)"))

    fname = os.path.join(params['logdir'],
                         'sae_key_lifetime_in_memory.memctx-')

    logger.info("Checking keys in memory while associated")
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    # A missing password or PMK means the snapshot cannot be used for the
    # comparison, which is reported as a skip rather than a failure.
    if password not in buf:
        raise HwsimSkip("Password not found while associated")
    if pmk not in buf:
        raise HwsimSkip("PMK not found while associated")
    if kck not in buf:
        raise Exception("KCK not found while associated")
    if kek not in buf:
        raise Exception("KEK not found while associated")
    # The TK check is disabled on this page, so the presence of the TK in
    # memory while associated is not asserted either way:
    #if tk in buf:
    #    raise Exception("TK found from memory")
    for secret, label in sae_secrets:
        verify_not_present(buf, secret, fname, label)

    logger.info("Checking keys in memory after disassociation")
    buf = read_process_memory(pid, password)

    # Note: Password is still present in network configuration
    # Note: PMK is in PMKSA cache

    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    for secret, label in ptk_parts:
        verify_not_present(buf, secret, fname, label)
    if gtk in buf:
        # Log where the GTK was found before the check below is reached.
        get_key_locations(buf, gtk, "GTK")
    verify_not_present(buf, gtk, fname, "GTK")
    for secret, label in sae_secrets:
        verify_not_present(buf, secret, fname, label)

    dev[0].request("PMKSA_FLUSH")
    logger.info("Checking keys in memory after PMKSA cache flush")
    buf = read_process_memory(pid, password)
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    verify_not_present(buf, pmk, fname, "PMK")

    dev[0].request("REMOVE_NETWORK all")

    logger.info("Checking keys in memory after network profile removal")
    buf = read_process_memory(pid, password)

    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    verify_not_present(buf, password, fname, "password")
    verify_not_present(buf, pmk, fname, "PMK")
    for secret, label in ptk_parts:
        verify_not_present(buf, secret, fname, label)
    verify_not_present(buf, gtk, fname, "GTK")
    for secret, label in sae_secrets:
        verify_not_present(buf, secret, fname, label)
Example #26
def test_ap_cipher_replay_protection_sta_gtk_gcmp(dev, apdev):
    """GCMP replay protection on STA (GTK)"""
    pairwise_ciphers = dev[0].get_capability("pairwise")
    if "GCMP" not in pairwise_ciphers:
        raise HwsimSkip("GCMP not supported")
    # All of the checking is delegated to the runner, which is defined
    # outside this excerpt; gtk=True selects its group-key variant.
    run_ap_cipher_replay_protection_sta(dev, apdev, "GCMP", gtk=True)
Example #27
def test_sae_proto_ffc(dev, apdev):
    """SAE protocol testing (FFC)

    The test takes over management frame handling on the AP and answers the
    station's SAE Authentication frames itself with hand-built commit (and,
    for one case, confirm) payloads for group 2: a confirm that does not
    match, a truncated commit, and commits whose element is 0, 1 or larger
    than P.

    Nothing here checks how the station reacts to the injected frames; after
    a 0.1 s pause the network is removed and the next case starts.
    NOTE(review): an assertion on the station's reaction (for example that
    no connection is reported) would have to be added separately.
    """
    if "SAE" not in dev[0].get_capability("auth_alg"):
        raise HwsimSkip("SAE not supported")
    ap_params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
    ap_params['wpa_key_mgmt'] = 'SAE'
    hapd = hostapd.add_ap(apdev[0], ap_params)
    bssid = apdev[0]['bssid']

    dev[0].request("SET sae_groups 2")

    # Commit payload = group field + scalar + element, all as hex text.
    group = "0200"
    scalar = "0c70519d874e3e4930a917cc5e17ea7a26028211159f217bab28b8d6c56691805e49f03249b2c6e22c7c9f86b30e04ccad2deedd5e5108ae07b737c00001c59cd0eb08b1dfc7f1b06a1542e2b6601a963c066e0c65940983a03917ae57a101ce84b5cbbc76ff33ebb990aac2e54aa0f0ab6ec0a58113d927683502b2cb2347d2"
    element = "a8c00117493cdffa5dd671e934bc9cb1a69f39e25e9dd9cd9afd3aea2441a0f5491211c7ba50a753563f9ce943b043557cb71193b28e86ed9544f4289c471bf91b70af5c018cf4663e004165b0fd0bc1d8f3f78adf42eee92bcbc55246fd3ee9f107ab965dc7d4986f23eb71d616ebfe6bfe0a6c1ac5dc1718acee17c9a17486"
    tests = [
        ("Confirm mismatch", group + scalar + element,
         "0000f3116a9731f1259622e3eb55d4b3b50ba16f8c5f5565b28e609b180c51460251"),
        # Same commit with the last octet of the element dropped.
        ("Too short commit", group + scalar + element[:-2], None),
        # Element of 128 octets, all zero.
        ("Invalid element (0) in commit", group + scalar + "00" * 128, None),
        # Element of 128 octets with value 1.
        ("Invalid element (1) in commit",
         group + scalar + "00" * 127 + "01", None),
        # Element of 128 octets, all 0xff.
        ("Invalid element (> P) in commit",
         group + scalar + "ff" * 128, None),
    ]

    def reply_to(frame, body_hex):
        # Build the frame sent back to the station: source and destination
        # of the received frame are swapped, the rest is copied.
        return {
            'fc': frame['fc'],
            'da': frame['sa'],
            'sa': frame['da'],
            'bssid': frame['bssid'],
            'payload': binascii.unhexlify(body_hex),
        }

    for note, commit, confirm in tests:
        logger.info(note)
        dev[0].scan_for_bss(bssid, freq=2412)
        # Presumably makes hostapd hand received management frames to the
        # test (mgmt_rx) instead of processing them itself -- confirm.
        hapd.set("ext_mgmt_frame_handling", "1")
        dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
                       scan_freq="2412", wait_connect=False)

        logger.info("Commit")
        # Look at up to ten received frames for one with subtype 11, the
        # Authentication frame carrying the station's commit.
        for _ in range(10):
            req = hapd.mgmt_rx()
            if req is None:
                raise Exception("MGMT RX wait timed out (commit)")
            if req['subtype'] == 11:
                break
        else:
            raise Exception("Authentication frame (commit) not received")

        hapd.dump_monitor()
        # Fixed fields before the commit body: presumably algorithm 3,
        # transaction sequence 1, status 0 (16-bit little endian each).
        hapd.mgmt_tx(reply_to(req, "030001000000" + commit))

        if confirm:
            logger.info("Confirm")
            for _ in range(10):
                req = hapd.mgmt_rx()
                if req is None:
                    raise Exception("MGMT RX wait timed out (confirm)")
                if req['subtype'] == 11:
                    break
            else:
                raise Exception("Authentication frame (confirm) not received")

            hapd.dump_monitor()
            # Same fixed fields with transaction sequence 2.
            hapd.mgmt_tx(reply_to(req, "030002000000" + confirm))

        time.sleep(0.1)
        dev[0].request("REMOVE_NETWORK all")
        hapd.set("ext_mgmt_frame_handling", "0")
        hapd.dump_monitor()
Example #28
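def test_ap_vht160(dev, apdev):
    """VHT with 160 MHz channel width

    Starts two APs on 160 MHz channels (primary channel 36 and 104, country
    FI), waits for the DFS channel availability check to start and complete
    on each, and then connects one station to each AP and checks that
    SIGNAL_POLL reports the expected frequency and a 160 MHz width.

    Raises HwsimSkip when the interface ends up DISABLED and no "dfs" path
    exists, or when AP startup failed and vht_supported() reports no
    support; any other failure is raised as Exception.
    """
    try:
        # NOTE(review): hapd/hapd2 are pre-set to None as if a cleanup step
        # were to use them, but no cleanup is visible in this block; the APs
        # and the FI country setting presumably stay in place afterwards.
        hapd = None
        hapd2 = None
        params = {
            "ssid": "vht",
            "country_code": "FI",
            "hw_mode": "a",
            "channel": "36",
            "ht_capab": "[HT40+]",
            "ieee80211n": "1",
            "ieee80211ac": "1",
            "vht_oper_chwidth": "2",
            "vht_oper_centr_freq_seg0_idx": "50",
            'ieee80211d': '1',
            'ieee80211h': '1'
        }
        # wait_enabled=False: the AP is not expected to be enabled until the
        # DFS check below has completed.
        hapd = hostapd.add_ap(apdev[0]['ifname'], params, wait_enabled=False)

        ev = wait_dfs_event(hapd, "DFS-CAC-START", 5)
        if "DFS-CAC-START" not in ev:
            raise Exception("Unexpected DFS event")

        state = hapd.get_status_field("state")
        if state != "DFS":
            if state == "DISABLED" and not os.path.exists("dfs"):
                # Not all systems have recent enough CRDA version and
                # wireless-regdb changes to support 160 MHz and DFS. For now,
                # do not report failures for this test case.
                raise HwsimSkip(
                    "CRDA or wireless-regdb did not support 160 MHz")
            raise Exception("Unexpected interface state: " + state)

        params = {
            "ssid": "vht2",
            "country_code": "FI",
            "hw_mode": "a",
            "channel": "104",
            "ht_capab": "[HT40-]",
            "ieee80211n": "1",
            "ieee80211ac": "1",
            "vht_oper_chwidth": "2",
            "vht_oper_centr_freq_seg0_idx": "114",
            'ieee80211d': '1',
            'ieee80211h': '1'
        }
        hapd2 = hostapd.add_ap(apdev[1]['ifname'], params, wait_enabled=False)

        ev = wait_dfs_event(hapd2, "DFS-CAC-START", 5)
        if "DFS-CAC-START" not in ev:
            raise Exception("Unexpected DFS event(2)")

        state = hapd2.get_status_field("state")
        if state != "DFS":
            raise Exception("Unexpected interface state(2): " + state)

        logger.info("Waiting for CAC to complete")

        ev = wait_dfs_event(hapd, "DFS-CAC-COMPLETED", 70)
        if "success=1" not in ev:
            raise Exception("CAC failed")
        if "freq=5180" not in ev:
            raise Exception("Unexpected DFS freq result")

        ev = hapd.wait_event(["AP-ENABLED"], timeout=5)
        if not ev:
            raise Exception("AP setup timed out")

        state = hapd.get_status_field("state")
        if state != "ENABLED":
            raise Exception("Unexpected interface state")

        ev = wait_dfs_event(hapd2, "DFS-CAC-COMPLETED", 70)
        if "success=1" not in ev:
            raise Exception("CAC failed(2)")
        if "freq=5520" not in ev:
            raise Exception("Unexpected DFS freq result(2)")

        ev = hapd2.wait_event(["AP-ENABLED"], timeout=5)
        if not ev:
            raise Exception("AP setup timed out(2)")

        state = hapd2.get_status_field("state")
        if state != "ENABLED":
            raise Exception("Unexpected interface state(2)")

        freq = hapd2.get_status_field("freq")
        if freq != "5520":
            raise Exception("Unexpected frequency(2)")

        dev[0].connect("vht", key_mgmt="NONE", scan_freq="5180")
        hwsim_utils.test_connectivity(dev[0], hapd)
        sig = dev[0].request("SIGNAL_POLL").splitlines()
        if "FREQUENCY=5180" not in sig:
            raise Exception("Unexpected SIGNAL_POLL value(1): " + str(sig))
        if "WIDTH=160 MHz" not in sig:
            raise Exception("Unexpected SIGNAL_POLL value(2): " + str(sig))
        dev[1].connect("vht2", key_mgmt="NONE", scan_freq="5520")
        hwsim_utils.test_connectivity(dev[1], hapd2)
        sig = dev[1].request("SIGNAL_POLL").splitlines()
        if "FREQUENCY=5520" not in sig:
            raise Exception("Unexpected SIGNAL_POLL value(1): " + str(sig))
        if "WIDTH=160 MHz" not in sig:
            raise Exception("Unexpected SIGNAL_POLL value(2): " + str(sig))
    except Exception as e:
        # "as" form: accepted by Python 2.6+ and Python 3, unlike the
        # comma form. The caught object is always an Exception here, so no
        # extra isinstance() test is needed.
        if str(e) == "AP startup failed":
            if not vht_supported():
                raise HwsimSkip(
                    "80/160 MHz channel not supported in regulatory information"
                )
        # Everything else, including a skip raised inside the try body, is
        # passed on unchanged.
        raise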
Example #29
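def test_ft_psk_key_lifetime_in_memory(dev, apdev, params):
    """WPA2-PSK-FT and key lifetime in memory

    Reads the memory of the wpa_supplicant process at three points and
    checks which secrets can still be found in it:

    - while associated: PMK, PMK-R0 and PMK-R1 are expected (the test is
      skipped, not failed, when one is missing), KCK and KEK must be
      present, and TK and GTK must be absent;
    - after disassociation: PMK-R0, PMK-R1, KCK, KEK, TK and GTK must be
      absent; the PMK is only located, as it is still in the network
      configuration;
    - after REMOVE_NETWORK all: every secret, including the PMK, must be
      absent.

    The derived keys are recovered from the hexdump lines of the supplicant
    debug log (logdir/log0), so the test depends on key material being
    written to that log.
    NOTE(review): that logging belongs to the test environment only.

    Raises Exception("Could not find keys from debug log") when any of the
    expected hexdump lines is missing.
    """
    ssid = "test-ft"
    passphrase = "04c2726b4b8d5f1b4db9c07aa4d9e9d8f765cb5d25ec817e6cc4fcdd5255db0"
    # NOTE(review): presumably the PSK that corresponds to the passphrase and
    # SSID above; it is the value searched for as "PMK" -- confirm.
    psk = '93c90846ff67af9037ed83fb72b63dbeddaa81d47f926c20909b5886f1d9358d'
    pmk = binascii.unhexlify(psk)
    p = ft_params1(ssid=ssid, passphrase=passphrase)
    hapd0 = hostapd.add_ap(apdev[0]['ifname'], p)
    p = ft_params2(ssid=ssid, passphrase=passphrase)
    hapd1 = hostapd.add_ap(apdev[1]['ifname'], p)

    pid = find_wpas_process(dev[0])

    dev[0].connect(ssid,
                   psk=passphrase,
                   key_mgmt="FT-PSK",
                   proto="WPA2",
                   scan_freq="2412")
    # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
    # event has been delivered, so verify that wpa_supplicant has returned to
    # eloop before reading process memory.
    time.sleep(1)
    dev[0].ping()

    buf = read_process_memory(pid, pmk)

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    dev[0].relog()

    # Debug-log marker -> name of the key it carries. Every name starts out
    # as None so that a missing hexdump line is reported by the check below
    # instead of surfacing as an unbound local variable (kck, kek and tk had
    # no initial value before). A later matching line overwrites an earlier
    # one, so the last hexdump in the log wins.
    log_markers = (
        ("FT: PMK-R0 - hexdump", "pmkr0"),
        ("FT: PMK-R1 - hexdump", "pmkr1"),
        ("FT: KCK - hexdump", "kck"),
        ("FT: KEK - hexdump", "kek"),
        ("FT: TK - hexdump", "tk"),
        ("WPA: Group Key - hexdump", "gtk"),
    )
    found = dict((name, None) for _, name in log_markers)
    with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
        for line in f:
            for marker, name in log_markers:
                if marker in line:
                    # The hex bytes are the fourth ':'-separated field.
                    val = line.strip().split(':')[3].replace(' ', '')
                    found[name] = binascii.unhexlify(val)
    pmkr0 = found["pmkr0"]
    pmkr1 = found["pmkr1"]
    kck = found["kck"]
    kek = found["kek"]
    tk = found["tk"]
    gtk = found["gtk"]
    if not pmkr0 or not pmkr1 or not kck or not kek or not tk or not gtk:
        raise Exception("Could not find keys from debug log")
    if len(gtk) != 16:
        raise Exception("Unexpected GTK length")

    logger.info("Checking keys in memory while associated")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, pmkr0, "PMK-R0")
    get_key_locations(buf, pmkr1, "PMK-R1")
    # A missing PMK, PMK-R0 or PMK-R1 means the snapshot cannot be used for
    # the comparison, which is reported as a skip rather than a failure.
    if pmk not in buf:
        raise HwsimSkip("PMK not found while associated")
    if pmkr0 not in buf:
        raise HwsimSkip("PMK-R0 not found while associated")
    if pmkr1 not in buf:
        raise HwsimSkip("PMK-R1 not found while associated")
    if kck not in buf:
        raise Exception("KCK not found while associated")
    if kek not in buf:
        raise Exception("KEK not found while associated")
    # TK and GTK must not be readable from supplicant memory even while the
    # association is up.
    if tk in buf:
        raise Exception("TK found from memory")
    if gtk in buf:
        get_key_locations(buf, gtk, "GTK")
        raise Exception("GTK found from memory")

    logger.info("Checking keys in memory after disassociation")
    buf = read_process_memory(pid, pmk)
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, pmkr0, "PMK-R0")
    get_key_locations(buf, pmkr1, "PMK-R1")

    # Note: PMK/PSK is still present in network configuration

    fname = os.path.join(params['logdir'],
                         'ft_psk_key_lifetime_in_memory.memctx-')
    verify_not_present(buf, pmkr0, fname, "PMK-R0")
    verify_not_present(buf, pmkr1, fname, "PMK-R1")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")

    dev[0].request("REMOVE_NETWORK all")

    logger.info("Checking keys in memory after network profile removal")
    buf = read_process_memory(pid, pmk)
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, pmkr0, "PMK-R0")
    get_key_locations(buf, pmkr1, "PMK-R1")

    verify_not_present(buf, pmk, fname, "PMK")
    verify_not_present(buf, pmkr0, fname, "PMK-R0")
    verify_not_present(buf, pmkr1, fname, "PMK-R1")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")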
Example #30
def test_owe_limited_group_set_pmf(dev, apdev, params):
    """Opportunistic Wireless Encryption and limited group set (PMF)

    The AP is configured for OWE with owe_groups "21" and ieee80211w "2".
    Association attempts that use group 19 and group 20 must be rejected with
    status code 77, and an attempt with group 21 must succeed. The capture
    in logdir/hwsim0.pcapng is then checked for exactly three Association
    Response frames carrying status 77, 77 and 0, so the rejection is
    verified on the air as well as through the station's event.
    """
    if "OWE" not in dev[0].get_capability("key_mgmt"):
        raise HwsimSkip("OWE not supported")
    pcapng = os.path.join(params['logdir'], "hwsim0.pcapng")

    ap_params = {
        "ssid": "owe",
        "wpa": "2",
        "ieee80211w": "2",
        "wpa_key_mgmt": "OWE",
        "rsn_pairwise": "CCMP",
        "owe_groups": "21"
    }
    hapd = hostapd.add_ap(apdev[0], ap_params)
    bssid = hapd.own_addr()

    dev[0].scan_for_bss(bssid, freq="2412")

    # Groups the AP does not accept, each with the messages used when the
    # attempt is not rejected or is rejected with another status.
    # NOTE(review): status 77 is presumably the "finite cyclic group not
    # supported" code -- confirm against the 802.11 status code table.
    refused = (
        ("19", "Association not rejected",
         "Unexpected rejection reason: "),
        ("20", "Association not rejected (2)",
         "Unexpected rejection reason (2): "),
    )
    for owe_group, not_rejected_msg, wrong_status_msg in refused:
        dev[0].connect("owe", key_mgmt="OWE", owe_group=owe_group,
                       ieee80211w="2", scan_freq="2412", wait_connect=False)
        ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"], timeout=10)
        # Stop the station from retrying before the result is evaluated.
        dev[0].request("DISCONNECT")
        if ev is None:
            raise Exception(not_rejected_msg)
        if "status_code=77" not in ev:
            raise Exception(wrong_status_msg + ev)
        dev[0].dump_monitor()

    # The one group the AP accepts; connect() waits for the connection here.
    dev[0].connect("owe", key_mgmt="OWE", owe_group="21", ieee80211w="2",
                   scan_freq="2412")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()

    # NOTE(review): the wlan_mgt.* field prefix is the older Wireshark
    # naming; confirm that run_tshark copes with releases that use wlan.*.
    out = run_tshark(pcapng,
                     "wlan.fc.type_subtype == 1",
                     display=['wlan_mgt.fixed.status_code'])
    status = out.splitlines()
    logger.info("Association Response frame status codes: " + str(status))
    if len(status) != 3:
        raise Exception("Unexpected number of Association Response frames")
    # base=0 accepts the values in either decimal or 0x-prefixed form.
    expected = (77, 77, 0)
    if any(int(code, base=0) != want
           for code, want in zip(status, expected)):
        raise Exception("Unexpected Association Response frame status code")