def test_fils_sk_pmksa_caching_ctrl_ext(dev, apdev):
    """FILS SK and PMKSA caching with Cache Identifier and external management"""
    check_fils_capa(dev[0])
    check_erp_capa(dev[0])

    def fils_ap_params():
        # Both APs are configured identically: same SSID, FILS realm and
        # FILS Cache Identifier ("ffee").
        cfg = hostapd.wpa2_eap_params(ssid="fils")
        cfg.update({
            'wpa_key_mgmt': "FILS-SHA384",
            'auth_server_port': "18128",
            'erp_send_reauth_start': '1',
            'erp_domain': 'example.com',
            'fils_realm': 'example.com',
            'fils_cache_id': "ffee",
        })
        return cfg

    erp_server = start_erp_as(apdev[1])

    first_bssid = apdev[0]['bssid']
    ap_cfg = fils_ap_params()
    hostapd.add_ap(apdev[0]['ifname'], ap_cfg)

    dev[0].scan_for_bss(first_bssid, freq=2412)
    dev[0].request("ERP_FLUSH")
    net_id = dev[0].connect("fils", key_mgmt="FILS-SHA384",
                            eap="PSK", identity="*****@*****.**",
                            password_hex="0123456789abcdef0123456789abcdef",
                            erp="1", scan_freq="2412")

    # Export the PMKSA cache entry through the control interface.
    # NOTE(review): the same text is fed back through PMKSA_ADD below, so it
    # presumably carries the PMK itself; the info-level log line then records
    # key material -- acceptable for a test log, worth knowing if logs are
    # shared.
    exported = dev[0].request("PMKSA_GET %d" % net_id)
    logger.info("PMKSA_GET: " + exported)
    if "UNKNOWN COMMAND" in exported:
        raise HwsimSkip("PMKSA_GET not supported in the build")
    if bssid_missing(exported, first_bssid) if False else first_bssid not in exported:
        raise Exception("PMKSA cache entry missing")
    if "ffee" not in exported:
        raise Exception("FILS Cache Identifier not seen in PMKSA cache entry")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # The authentication server is disabled before the second association.
    erp_server.disable()

    # Drop all cached state on the station, then restore only the exported
    # PMKSA entries (the "external management" part of the test).
    dev[0].scan_for_bss(first_bssid, freq=2412)
    dev[0].request("PMKSA_FLUSH")
    dev[0].request("ERP_FLUSH")
    for line in exported.splitlines():
        reply = dev[0].request("PMKSA_ADD %d %s" % (net_id, line))
        if "OK" not in reply:
            raise Exception("Failed to add PMKSA entry")

    # Second AP with the same Cache Identifier; the station is pinned to it.
    second_bssid = apdev[1]['bssid']
    ap_cfg = fils_ap_params()
    hostapd.add_ap(apdev[1]['ifname'], ap_cfg)

    dev[0].scan_for_bss(second_bssid, freq=2412)
    dev[0].set_network(net_id, "bssid", second_bssid)
    dev[0].select_network(net_id, freq=2412)
    connected = dev[0].wait_connected()
    if second_bssid not in connected:
        raise Exception("Unexpected BSS selected")
def test_pmksa_cache_preauth_vlan_enabled(dev, apdev):
    """RSN pre-authentication to generate PMKSA cache entry (dynamic_vlan optional but station without VLAN set)"""
    bridge = 'ap-br0'
    try:
        # First AP: bridged, dynamic VLAN optional, no pre-authentication.
        ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        ap_cfg.update({'bridge': 'ap-br0', 'dynamic_vlan': '1'})
        hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
        subprocess.call(['brctl', 'setfd', 'ap-br0', '0'])
        subprocess.call(['ip', 'link', 'set', 'dev', 'ap-br0', 'up'])
        eap_connect(dev[0], apdev[0], "PAX", "*****@*****.**",
                    password_hex="0123456789abcdef0123456789abcdef")

        # Second AP: same bridge, accepts RSN pre-authentication on it.
        ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        ap_cfg.update({
            'bridge': 'ap-br0',
            'rsn_preauth': '1',
            'rsn_preauth_interfaces': 'ap-br0',
            'dynamic_vlan': '1',
        })
        hostapd.add_ap(apdev[1]['ifname'], ap_cfg)
        bssid1 = apdev[1]['bssid']
        dev[0].scan(freq="2412")

        # Poll (up to 50 x 0.1 s) for a PMKSA entry towards the second AP;
        # STATUS is queried only until the pre-authentication section has
        # been seen once.
        status_seen = False
        for _ in range(50):
            if not status_seen and \
               "Pre-authentication EAPOL state machines:" in dev[0].request("STATUS"):
                status_seen = True
            time.sleep(0.1)
            pmksa = dev[0].get_pmksa(bssid1)
            if pmksa:
                break
        else:
            raise Exception("No PMKSA cache entry created from pre-authentication")
        if not status_seen:
            raise Exception("Pre-authentication EAPOL status was not available")

        dev[0].scan(freq="2412")
        scan_results = dev[0].request("SCAN_RESULTS")
        if "[WPA2-EAP-CCMP-preauth]" not in scan_results:
            raise Exception("Scan results missing RSN element info")

        # Roaming must reuse the pre-authenticated entry: no EAP exchange
        # and an unchanged PMKID.
        dev[0].request("ROAM " + bssid1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
                                "CTRL-EVENT-CONNECTED"], timeout=10)
        if ev is None:
            raise Exception("Roaming with the AP timed out")
        if "CTRL-EVENT-EAP-STARTED" in ev:
            raise Exception("Unexpected EAP exchange")
        pmksa2 = dev[0].get_pmksa(bssid1)
        if pmksa2 is None:
            raise Exception("No PMKSA cache entry")
        if pmksa2['pmkid'] != pmksa['pmkid']:
            raise Exception("Unexpected PMKID change")
    finally:
        # Always tear the bridge down, also when the test failed midway.
        subprocess.call(['ip', 'link', 'set', 'dev', 'ap-br0', 'down'])
        subprocess.call(['brctl', 'delbr', 'ap-br0'])
def test_fils_sk_erp_another_ssid(dev, apdev):
    """FILS SK using ERP and roam to another SSID"""
    check_fils_capa(dev[0])
    check_erp_capa(dev[0])

    def fils_ap_params(ssid):
        # Same ERP domain / FILS realm for both SSIDs; PMKSA caching is
        # disabled on the AP.
        cfg = hostapd.wpa2_eap_params(ssid=ssid)
        cfg.update({
            'wpa_key_mgmt': "FILS-SHA256",
            'auth_server_port': "18128",
            'erp_domain': 'example.com',
            'fils_realm': 'example.com',
            'disable_pmksa_caching': '1',
        })
        return cfg

    # Station-side credentials shared by both connection attempts.
    sta_args = dict(key_mgmt="FILS-SHA256",
                    eap="PSK", identity="*****@*****.**",
                    password_hex="0123456789abcdef0123456789abcdef",
                    erp="1", scan_freq="2412")

    start_erp_as(apdev[1])

    bssid = apdev[0]['bssid']
    ap_cfg = fils_ap_params("fils")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_cfg)

    dev[0].scan_for_bss(bssid, freq=2412)
    dev[0].request("ERP_FLUSH")
    dev[0].connect("fils", **sta_args)

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    hapd.disable()
    dev[0].flush_scan_cache()
    # With the PMKSA cache flushed, only ERP state remains for the second
    # association.
    flush_reply = dev[0].request("PMKSA_FLUSH")
    if "FAIL" in flush_reply:
        raise Exception("PMKSA_FLUSH failed")

    # Same radio, different SSID.
    ap_cfg = fils_ap_params("fils2")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_cfg)

    dev[0].scan_for_bss(bssid, freq=2412)
    dev[0].dump_monitor()
    dev[0].connect("fils2", wait_connect=False, **sta_args)

    # A full EAP exchange or an association rejection both count as failure.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
                            "EVENT-ASSOC-REJECT",
                            "CTRL-EVENT-CONNECTED"], timeout=10)
    if ev is None:
        raise Exception("Connection using FILS/ERP timed out")
    if "CTRL-EVENT-EAP-STARTED" in ev:
        raise Exception("Unexpected EAP exchange")
    if "EVENT-ASSOC-REJECT" in ev:
        raise Exception("Association failed")
    hwsim_utils.test_connectivity(dev[0], hapd)
def test_ap_vlan_wpa2_radius_mixed(dev, apdev):
    """AP VLAN with WPA2-Enterprise and tagged+untagged VLANs"""
    ifname = 'wlan0.1'
    try:
        ap_cfg = hostapd.wpa2_eap_params(ssid="test-vlan")
        ap_cfg.update({'dynamic_vlan': "1", 'vlan_naming': "1"})
        hapd = hostapd.add_ap(apdev[0], ap_cfg)

        dev[0].connect("test-vlan", key_mgmt="WPA-EAP", eap="PAX",
                       identity="vlan12mixed",
                       password_hex="0123456789abcdef0123456789abcdef",
                       scan_freq="2412")

        # Add tagged VLAN interface to wpa_supplicant interface for testing
        add_vlan_cmd = ['ip', 'link', 'add', 'link', dev[0].ifname,
                        'name', ifname, 'type', 'vlan', 'id', '1']
        subprocess.call(add_vlan_cmd)
        subprocess.call(['ifconfig', ifname, 'up'])

        # Untagged traffic goes through the station interface itself,
        # tagged traffic through the VLAN sub-interface created above.
        logger.info("Test connectivity in untagged VLAN 2")
        hwsim_utils.run_connectivity_test(dev[0], hapd, 0,
                                          ifname1=dev[0].ifname,
                                          ifname2="brvlan2")
        logger.info("Test connectivity in tagged VLAN 1")
        hwsim_utils.run_connectivity_test(dev[0], hapd, 0,
                                          ifname1=ifname,
                                          ifname2="brvlan1")
    finally:
        # Remove the VLAN sub-interface regardless of the test outcome.
        subprocess.call(['ifconfig', ifname, 'down'])
        subprocess.call(['ip', 'link', 'del', ifname])
def test_pmksa_cache_ap_expiration(dev, apdev):
    """PMKSA cache entry expiring on AP"""

    def wait_or_fail(events, error):
        # Wait up to 20 s for one of the events; a timeout fails the test.
        ev = dev[0].wait_event(events, timeout=20)
        if ev is None:
            raise Exception(error)
        return ev

    ap_cfg = hostapd.wpa2_eap_params(ssid="test-pmksa-cache")
    hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    bssid = apdev[0]['bssid']
    dev[0].connect("test-pmksa-cache", proto="RSN", key_mgmt="WPA-EAP",
                   eap="GPSK", identity="gpsk-user-session-timeout",
                   password="******", scan_freq="2412")

    dev[0].request("DISCONNECT")
    # Stay disconnected for 5 s (presumably long enough for the AP-side
    # entry to expire -- the identity name suggests a session timeout).
    time.sleep(5)
    dev[0].dump_monitor()
    dev[0].request("RECONNECT")

    # The reconnection has to start with a fresh EAP exchange; connecting
    # straight away would mean the AP still honoured the cached entry.
    first = wait_or_fail(["CTRL-EVENT-EAP-STARTED", "CTRL-EVENT-CONNECTED"],
                         "Roaming with the AP timed out")
    if "CTRL-EVENT-CONNECTED" in first:
        raise Exception("EAP exchange missing")
    wait_or_fail(["CTRL-EVENT-CONNECTED"],
                 "Reassociation with the AP timed out")
    dev[0].dump_monitor()

    # Then one more disconnect/reconnect cycle is expected.
    wait_or_fail(["CTRL-EVENT-DISCONNECTED"],
                 "Disconnection event timed out")
    wait_or_fail(["CTRL-EVENT-CONNECTED"],
                 "Reassociation with the AP timed out")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_cfg)

    # EAP-TLS credentials: CA certificate plus the client certificate and
    # its private key (all test fixtures under auth_serv/).
    tls_files = dict(ca_cert="auth_serv/ca.pem",
                     client_cert="auth_serv/user.pem",
                     private_key="auth_serv/user.key")
    eap_connect(dev[0], "TLS", "tls user", **tls_files)
def test_authsrv_testing_options(dev, apdev):
    """Authentication server and testing options"""
    as_cfg = authsrv_params()
    authsrv = hostapd.add_ap(apdev[1], as_cfg)

    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_cfg['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0], ap_cfg)

    dev[0].scan_for_bss(hapd.own_addr(), 2412)

    # The first two identities are fine with any server build. The numbered
    # test-tls-N identities are actually supposed to fail, but they do not
    # fail when the server build lacks support for the TLS protocol tests.
    outer_identities = ["foo@test-unknown", "foo@test-tls-unknown"]
    outer_identities += ["foo@test-tls-%d" % n for n in range(1, 9)]

    for anon in outer_identities:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity="user", anonymous_identity=anon,
                       password="******",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                       scan_freq="2412")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
def test_radius_ipv6(dev, apdev):
    """RADIUS connection over IPv6"""
    # Stand-alone RADIUS/EAP server instance listening on IPv6.
    server_cfg = {
        "ssid": "as",
        "beacon_int": "2000",
        "radius_server_clients": "auth_serv/radius_clients_ipv6.conf",
        "radius_server_ipv6": "1",
        "radius_server_auth_port": "18129",
        "radius_server_acct_port": "18139",
        "eap_server": "1",
        "eap_user_file": "auth_serv/eap_user.conf",
        "ca_cert": "auth_serv/ca.pem",
        "server_cert": "auth_serv/server.pem",
        "private_key": "auth_serv/server.key",
    }
    hostapd.add_ap(apdev[1]["ifname"], server_cfg)

    # AP acting as RADIUS client towards that server; authentication and
    # accounting both use the "::0" address with the ports configured above.
    ap_cfg = hostapd.wpa2_eap_params(ssid="radius-ipv6")
    ap_cfg.update({
        "auth_server_addr": "::0",
        "auth_server_port": "18129",
        "acct_server_addr": "::0",
        "acct_server_port": "18139",
        "acct_server_shared_secret": "radius",
        "own_ip_addr": "::0",
    })
    hostapd.add_ap(apdev[0]["ifname"], ap_cfg)

    connect(dev[0], "radius-ipv6")
def test_pmksa_cache_ctrl_events(dev, apdev):
    """PMKSA cache control interface events"""
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-pmksa-cache")
    hapd = hostapd.add_ap(apdev[0], ap_cfg)
    bssid = apdev[0]['bssid']

    net_id = dev[0].connect("test-pmksa-cache", proto="RSN",
                            key_mgmt="WPA-EAP", eap="GPSK",
                            identity="gpsk user",
                            password="******",
                            scan_freq="2412", wait_connect=False)

    def verify_event(ev):
        # Space-separated event: field 1 is compared with the AP BSSID and
        # field 2 with the network id.
        fields = ev.split(' ')
        if fields[1] != bssid:
            raise Exception("BSSID mismatch: " + ev)
        if int(fields[2]) != net_id:
            raise Exception("network_id mismatch: " + ev)

    added = dev[0].wait_event(["PMKSA-CACHE-ADDED"], timeout=15)
    if added is None:
        raise Exception("No PMKSA-CACHE-ADDED event")
    dev[0].wait_connected()
    verify_event(added)

    # Flushing the cache must produce the matching removal event.
    dev[0].request("PMKSA_FLUSH")
    removed = dev[0].wait_event(["PMKSA-CACHE-REMOVED"], timeout=15)
    if removed is None:
        raise Exception("No PMKSA-CACHE-REMOVED event")
    dev[0].wait_disconnected()
    dev[0].request("DISCONNECT")
    verify_event(removed)
def _test_pmksa_cache_size_limit(dev, apdev):
    """Connect to 33 BSSIDs in turn and check the PMKSA entry count.

    The count has to grow by one per BSSID up to 32 and must still be 32
    after the 33rd connection (oldest entry expected to be removed).
    """
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-pmksa-cache")
    net_id = dev[0].connect("test-pmksa-cache", proto="RSN",
                            key_mgmt="WPA-EAP", eap="GPSK",
                            identity="gpsk user",
                            password="******",
                            scan_freq="2412", only_add_network=True)
    bssid_prefix = apdev[0]['bssid'][0:15]
    for i in range(33):
        # Same AP device, last BSSID octet replaced by the iteration number.
        bssid = apdev[0]['bssid'][0:15] + "%02x" % i
        logger.info("Iteration with BSSID " + bssid)

        ap_cfg['bssid'] = bssid
        hostapd.add_ap(apdev[0], ap_cfg)
        dev[0].request("BSS_FLUSH 0")
        dev[0].scan_for_bss(bssid, freq=2412, only_new=True)
        dev[0].select_network(net_id)
        dev[0].wait_connected()
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()

        # One line of the PMKSA output is not an entry (hence the -1).
        listing = dev[0].request("PMKSA")
        entries = len(listing.splitlines()) - 1
        if i == 32 and entries != 32:
            raise Exception("Unexpected number of PMKSA entries after expected removal of the oldest entry")
        if i != 32 and entries != i + 1:
            raise Exception("Unexpected number of PMKSA entries")

        # Remove the AP so the next iteration can add it with a new BSSID.
        hapd_global = hostapd.HostapdGlobal(apdev[0])
        hapd_global.flush()
        hapd_global.remove(apdev[0]['ifname'])
def test_ap_vlan_wpa2_radius(dev, apdev):
    """AP VLAN with WPA2-Enterprise and RADIUS attributes"""
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-vlan")
    ap_cfg["dynamic_vlan"] = "1"
    hapd = hostapd.add_ap(apdev[0]["ifname"], ap_cfg)

    # One station per identity; the identity is the only thing that differs
    # between the three connections.
    stations = (
        (dev[0], "vlan1"),
        (dev[1], "vlan2"),
        (dev[2], "*****@*****.**"),
    )
    for sta, identity in stations:
        sta.connect("test-vlan", key_mgmt="WPA-EAP", eap="PAX",
                    identity=identity,
                    password_hex="0123456789abcdef0123456789abcdef",
                    scan_freq="2412")

    # The first two stations are checked through their VLAN bridges, the
    # third one through the plain connectivity test.
    hwsim_utils.test_connectivity_iface(dev[0], hapd, "brvlan1")
    hwsim_utils.test_connectivity_iface(dev[1], hapd, "brvlan2")
    hwsim_utils.test_connectivity(dev[2], hapd)
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_cfg)

    # Settings common to every PEAP attempt in this test.
    peap = dict(anonymous_identity="peap",
                ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2")

    eap_connect(dev[0], apdev[0], "PEAP", "user",
                password="******", **peap)
    hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
    eap_reauth(dev[0], "PEAP")

    # Same credentials again, now with a 200-octet fragment size.
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                password="******", fragment_size="200", **peap)

    # The "hash:" form passes a password hash instead of the password.
    # NOTE(review): for MSCHAPv2 such a hash is password-equivalent, so
    # configuring it only hides the cleartext; it is not a weaker secret.
    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                **peap)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                password="******", expect_failure=True, **peap)
def test_radius_das_coa(dev, apdev):
    """RADIUS Dynamic Authorization Extensions - CoA"""
    # pyrad is optional; without it the test is skipped, not failed.
    try:
        import pyrad.client
        import pyrad.packet
        import pyrad.dictionary
        import radius_das
    except ImportError:
        raise HwsimSkip("No pyrad modules available")

    # Dynamic Authorization Server on UDP 3799, accepting requests from
    # 127.0.0.1 with shared secret "secret" and requiring Event-Timestamp.
    ap_cfg = hostapd.wpa2_eap_params(ssid="radius-das")
    ap_cfg.update({
        'radius_das_port': "3799",
        'radius_das_client': "127.0.0.1 secret",
        'radius_das_require_event_timestamp': "1",
    })
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    connect(dev[0], "radius-das")

    sta_addr = dev[0].p2p_interface_addr()
    sta_info = hapd.get_sta(sta_addr)
    session_id = sta_info['dot1xAuthSessionId']

    radius_dict = pyrad.dictionary.Dictionary("dictionary.radius")

    das_client = pyrad.client.Client(server="127.0.0.1", acctport=3799,
                                     secret="secret", dict=radius_dict)
    das_client.retries = 1
    das_client.timeout = 1

    # hostapd does not currently support CoA-Request, so NAK is expected
    logger.info("CoA-Request with matching Acct-Session-Id")
    now = int(time.time())
    request = radius_das.CoAPacket(dict=radius_dict, secret="secret",
                                   Acct_Session_Id=session_id,
                                   Event_Timestamp=now)
    send_and_check_reply(das_client, request, pyrad.packet.CoANAK,
                         error_cause=405)
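def test_radius_acct_unreachable3(dev, apdev):
    """RADIUS Accounting server initially unreachable, but then available"""
    require_under_vm()
    # Make the accounting server address unreachable with a blackhole route.
    subprocess.call(['ip', 'ro', 'replace', 'blackhole', '192.168.213.18'])
    try:
        as_hapd = hostapd.Hostapd("as")
        as_mib_start = as_hapd.get_mib(param="radius_server")
        params = hostapd.wpa2_eap_params(ssid="radius-acct")
        params['acct_server_addr'] = "192.168.213.18"
        params['acct_server_port'] = "1813"
        params['acct_server_shared_secret'] = "radius"
        hostapd.add_ap(apdev[0]['ifname'], params)
        hapd = hostapd.Hostapd(apdev[0]['ifname'])
        connect(dev[0], "radius-acct")
    finally:
        # Remove the route at the same point as before on success, and also
        # when setup or the connection fails, so that a failed run does not
        # leave the blackhole route behind for later tests.
        subprocess.call(['ip', 'ro', 'del', 'blackhole', '192.168.213.18'])
    time.sleep(0.1)

    # Point accounting at the local server and reconnect; the server has to
    # have answered at least one more accounting request afterwards.
    dev[0].request("DISCONNECT")
    hapd.set('acct_server_addr_replace', '127.0.0.1')
    dev[0].request("RECONNECT")
    dev[0].wait_connected()
    time.sleep(1)
    as_mib_end = as_hapd.get_mib(param="radius_server")
    req_s = int(as_mib_start['radiusAccServTotalResponses'])
    req_e = int(as_mib_end['radiusAccServTotalResponses'])
    if req_e <= req_s:
        raise Exception("Unexpected RADIUS server acct MIB value")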
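def test_pmksa_cache_expiration_disconnect(dev, apdev):
    """PMKSA cache entry expiration (disconnect)"""
    params = hostapd.wpa2_eap_params(ssid="test-pmksa-cache")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    bssid = apdev[0]['bssid']
    # Very short PMK lifetime so the entry expires during the test.
    dev[0].request("SET dot11RSNAConfigPMKLifetime 2")
    dev[0].request("SET dot11RSNAConfigPMKReauthThreshold 100")
    dev[0].connect("test-pmksa-cache", proto="RSN", key_mgmt="WPA-EAP",
                   eap="GPSK", identity="gpsk user",
                   password="******",
                   scan_freq="2412")
    pmksa = dev[0].get_pmksa(bssid)
    if pmksa is None:
        raise Exception("No PMKSA cache entry created")

    # Break the AP <-> authentication server link: once the entry expires,
    # reauthentication cannot succeed and a disconnection is required.
    hapd.request("SET auth_server_shared_secret incorrect")
    logger.info("Wait for PMKSA cache entry to expire")
    ev = dev[0].wait_event(["WPA: Key negotiation completed",
                            "CTRL-EVENT-DISCONNECTED"], timeout=15)
    if ev is None:
        raise Exception("No EAP reauthentication seen")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Missing disconnection")

    # Restore the correct secret; the station has to come back with a new
    # PMKSA entry.
    hapd.request("SET auth_server_shared_secret radius")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=15)
    if ev is None:
        raise Exception("No EAP reauthentication seen")
    pmksa2 = dev[0].get_pmksa(bssid)
    # get_pmksa() is checked for None above; do the same here so a missing
    # entry is reported as such instead of failing on the subscript below.
    if pmksa2 is None:
        raise Exception("No PMKSA cache entry")
    if pmksa['pmkid'] == pmksa2['pmkid']:
        raise Exception("PMKID did not change")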
def test_dbus_old_connect_eap(dev, apdev):
    """The old D-Bus interface - add an EAP network and connect"""
    (bus,wpas_obj,path,if_obj) = prepare_dbus(dev[0])
    ssid = "test-wpa2-eap"
    params = hostapd.wpa2_eap_params(ssid=ssid)
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    # Helper that drives the connection from inside the main loop and
    # records which D-Bus signals were seen.
    class TestDbusConnect(TestDbus):
        def __init__(self, bus):
            TestDbus.__init__(self, bus)
            # Set from the signal handlers below; both must become True.
            self.connected = False
            self.certification_received = False

        def __enter__(self):
            # Schedule the connection attempt (1 ms) and a 15 s timeout
            # handler, subscribe to the two signals, then run the loop;
            # control returns here once the loop is quit.
            gobject.timeout_add(1, self.run_connect)
            gobject.timeout_add(15000, self.timeout)
            self.add_signal(self.stateChange, WPAS_DBUS_OLD_IFACE,
                            "StateChange")
            self.add_signal(self.certification, WPAS_DBUS_OLD_IFACE,
                            "Certification")
            self.loop.run()
            return self

        def stateChange(self, new, old):
            # Reaching COMPLETED ends the main loop.
            logger.debug("stateChange: %s --> %s" % (old, new))
            if new == "COMPLETED":
                self.connected = True
                self.loop.quit()

        def certification(self, depth, subject, hash, cert_hex):
            # Only the arrival of the signal is recorded; its arguments are
            # logged, not validated.
            logger.debug("certification: depth={} subject={} hash={} cert_hex={}".format(depth, subject, hash, cert_hex))
            self.certification_received = True

        def run_connect(self, *args):
            # Create a network over the old D-Bus API, configure it for
            # EAP-TTLS/PAP and enable it.
            logger.debug("run_connect")
            path = if_obj.addNetwork(dbus_interface=WPAS_DBUS_OLD_IFACE)
            netw_obj = bus.get_object(WPAS_DBUS_OLD_SERVICE, path)
            params = dbus.Dictionary({ 'ssid': ssid,
                                       'key_mgmt': 'WPA-EAP',
                                       'eap': 'TTLS',
                                       'anonymous_identity': 'ttls',
                                       'identity': 'pap user',
                                       'ca_cert': 'auth_serv/ca.pem',
                                       'phase2': 'auth=PAP',
                                       'password': '******',
                                       'scan_freq': 2412 },
                                     signature='sv')
            netw_obj.set(params, dbus_interface=WPAS_DBUS_OLD_NETWORK)
            netw_obj.enable(dbus_interface=WPAS_DBUS_OLD_NETWORK)
            self.path = path
            self.netw_obj = netw_obj
            # False: do not run this timeout callback again.
            return False

        def success(self):
            # Both the connection and the Certification signal are required.
            return self.connected and self.certification_received

    with TestDbusConnect(bus) as t:
        if not t.success():
            raise Exception("Expected signals not seen")
def test_suite_b(dev, apdev):
    """WPA2-EAP-SUITE-B/GCMP connection"""
    pairwise_ciphers = dev[0].get_capability("pairwise")
    if "GCMP" not in pairwise_ciphers:
        return "skip"

    ap_cfg = hostapd.wpa2_eap_params(ssid="test-suite-b")
    ap_cfg.update({'wpa_key_mgmt': "WPA-EAP-SUITE-B",
                   'rsn_pairwise': "GCMP"})
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_cfg)

    # TODO: Force Suite B configuration for TLS
    # Until then this test covers the Suite B AKM and GCMP ciphers only; the
    # EAP-TLS exchange itself is not restricted to a Suite B configuration.
    dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   client_cert="auth_serv/user.pem",
                   private_key="auth_serv/user.key",
                   pairwise="GCMP", group="GCMP", scan_freq="2412")

    dev[0].request("DISCONNECT")
    disconnected = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=20)
    if disconnected is None:
        raise Exception("Disconnection event timed out")
    dev[0].dump_monitor()

    # Reconnecting must not trigger a new EAP exchange.
    dev[0].request("RECONNECT")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
                            "CTRL-EVENT-CONNECTED"], timeout=20)
    if ev is None:
        raise Exception("Roaming with the AP timed out")
    if "CTRL-EVENT-EAP-STARTED" in ev:
        raise Exception("Unexpected EAP exchange")
def test_ap_vlan_wpa2_radius_required(dev, apdev):
    """AP VLAN with WPA2-Enterprise and RADIUS attributes required"""
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-vlan")
    ap_cfg["dynamic_vlan"] = "2"
    hostapd.add_ap(apdev[0]["ifname"], ap_cfg)

    # Connection settings shared by both stations.
    common = dict(key_mgmt="WPA-EAP", eap="PAX",
                  password_hex="0123456789abcdef0123456789abcdef",
                  scan_freq="2412")

    # Positive case: connect() waits for the connection to complete.
    dev[0].connect("test-vlan", identity="vlan1", **common)

    # Negative case: this station must not get connected.
    dev[2].connect("test-vlan", identity="*****@*****.**",
                   wait_connect=False, **common)
    outcome = dev[2].wait_event(["CTRL-EVENT-CONNECTED",
                                 "CTRL-EVENT-DISCONNECTED"], timeout=20)
    if outcome is None:
        raise Exception("Timeout on connection attempt")
    if "CTRL-EVENT-CONNECTED" in outcome:
        raise Exception("Unexpected success without tunnel parameters")
def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE"""

    def wait_or_fail(event, error):
        # Wait up to 10 s for the event; a timeout fails the test.
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(error)

    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    net_id = eap_connect(dev[0], apdev[0], "EKE", "eke user",
                         password="******")
    eap_reauth(dev[0], "EKE")

    # Each phase1 value selects one algorithm combination; every one of them
    # has to end in EAP success and a connection.
    logger.info("Test forced algorithm selection")
    proposals = ("dhgroup=5 encr=1 prf=2 mac=2",
                 "dhgroup=4 encr=1 prf=2 mac=2",
                 "dhgroup=3 encr=1 prf=2 mac=2",
                 "dhgroup=3 encr=1 prf=1 mac=1")
    for proposal in proposals:
        dev[0].set_network_quoted(net_id, "phase1", proposal)
        wait_or_fail("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out")
        wait_or_fail("CTRL-EVENT-CONNECTED",
                     "Association with the AP timed out")

    # A combination that cannot be negotiated has to end in EAP failure.
    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(net_id, "phase1",
                              "dhgroup=9 encr=9 prf=9 mac=9")
    wait_or_fail("CTRL-EVENT-EAP-FAILURE", "EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "EKE", "eke user",
                password="******", expect_failure=True)
def test_erp_radius(dev, apdev):
    """ERP enabled on RADIUS server and peer"""
    check_erp_capa(dev[0])
    start_erp_as(apdev[1])

    # PMKSA caching is disabled on the AP, so a fast reconnect cannot come
    # from a cached PMK.
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_cfg.update({
        'auth_server_port': "18128",
        'erp_send_reauth_start': '1',
        'erp_domain': 'example.com',
        'disable_pmksa_caching': '1',
    })
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_cfg)

    dev[0].request("ERP_FLUSH")
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                   identity="*****@*****.**",
                   password_hex="0123456789abcdef0123456789abcdef",
                   erp="1", scan_freq="2412")

    # Three reconnections in a row, each of which has to complete through
    # ERP re-authentication.
    for _ in range(3):
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected(timeout=15)
        dev[0].request("RECONNECT")
        success = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
        if success is None:
            raise Exception("EAP success timed out")
        if "EAP re-authentication completed successfully" not in success:
            raise Exception("Did not use ERP")
        dev[0].wait_connected(timeout=15, error="Reconnection timed out")
def test_radius_ipv6(dev, apdev):
    """RADIUS connection over IPv6"""
    # RADIUS/EAP server side: IPv6 enabled, dedicated auth/acct ports.
    radius_server = dict(
        ssid='as',
        beacon_int='2000',
        radius_server_clients='auth_serv/radius_clients_ipv6.conf',
        radius_server_ipv6='1',
        radius_server_auth_port='18129',
        radius_server_acct_port='18139',
        eap_server='1',
        eap_user_file='auth_serv/eap_user.conf',
        ca_cert='auth_serv/ca.pem',
        server_cert='auth_serv/server.pem',
        private_key='auth_serv/server.key',
    )
    hostapd.add_ap(apdev[1]['ifname'], radius_server)

    # RADIUS client side: the AP reaches the server through "::0".
    radius_client = hostapd.wpa2_eap_params(ssid="radius-ipv6")
    for key, value in (('auth_server_addr', "::0"),
                       ('auth_server_port', "18129"),
                       ('acct_server_addr', "::0"),
                       ('acct_server_port', "18139"),
                       ('acct_server_shared_secret', "radius"),
                       ('own_ip_addr', "::0")):
        radius_client[key] = value
    hostapd.add_ap(apdev[0]['ifname'], radius_client)

    connect(dev[0], "radius-ipv6")
def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK"""

    def wait_or_fail(event, error):
        # Wait up to 10 s for the event; a timeout fails the test.
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(error)

    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    net_id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                         password="******")
    eap_reauth(dev[0], "GPSK")

    # Both cipher selections have to end in EAP success and a connection.
    logger.info("Test forced algorithm selection")
    for cipher in ("cipher=1", "cipher=2"):
        dev[0].set_network_quoted(net_id, "phase1", cipher)
        wait_or_fail("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out")
        wait_or_fail("CTRL-EVENT-CONNECTED",
                     "Association with the AP timed out")

    # A cipher value that cannot be negotiated has to end in EAP failure.
    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(net_id, "phase1", "cipher=9")
    wait_or_fail("CTRL-EVENT-EAP-FAILURE", "EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                password="******", expect_failure=True)
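def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # The backslash in the identity is written as "\\": "\m" is not a valid
    # escape sequence and only happens to be kept literally. The resulting
    # string is unchanged.
    # Only this first attempt sets domain_suffix_match in addition to
    # ca_cert; the later attempts pass ca_cert alone.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="******",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])

    # Snapshot the AP-side counters, reauthenticate, and require that the
    # counters moved.
    sta1 = hapd.get_sta(dev[0].p2p_interface_addr())
    eapol1 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(dev[0].p2p_interface_addr())
    eapol2 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    # The "hash:" form passes a password hash instead of the password.
    # NOTE(review): for MSCHAPv2 such a hash is password-equivalent, so
    # configuring it only hides the cleartext; it is not a weaker secret.
    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="******",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)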
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_cfg)

    # Client key and certificate come from a passphrase-protected PKCS#12
    # bundle. ocsp=2 is presumably the "OCSP response required" setting --
    # confirm against the wpa_supplicant configuration documentation.
    tls_args = dict(ca_cert="auth_serv/ca.pem",
                    private_key="auth_serv/user.pkcs12",
                    private_key_passwd="whatever",
                    ocsp=2)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **tls_args)
def test_hostapd_oom_wpa2_eap(dev, apdev):
    """hostapd failing to setup WPA2-EAP mode due to OOM"""
    # WPA2-EAP AP configuration with a local accounting server added, handed
    # to the shared OOM loop helper.
    ap_cfg = hostapd.wpa2_eap_params(ssid="test")
    ap_cfg.update({
        'acct_server_addr': "127.0.0.1",
        'acct_server_port': "1813",
        'acct_server_shared_secret': "radius",
    })
    hostapd_oom_loop(apdev, ap_cfg)
def test_hostapd_oom_wpa2_eap_radius(dev, apdev):
    """hostapd failing to setup WPA2-EAP mode due to OOM in RADIUS"""
    # Same AP configuration as the plain WPA2-EAP OOM test; the helper is
    # told to start from "accounting_init".
    ap_cfg = hostapd.wpa2_eap_params(ssid="test")
    for key, value in (('acct_server_addr', "127.0.0.1"),
                       ('acct_server_port', "1813"),
                       ('acct_server_shared_secret', "radius")):
        ap_cfg[key] = value
    hostapd_oom_loop(apdev, ap_cfg, start_func="accounting_init")
def _test_pmksa_cache_preauth_oom(dev, apdev):
    """Run RSN pre-authentication while allocations fail on the second AP.

    Whether a PMKSA entry gets created is only logged; the only hard failure
    in the loop is a PREAUTH command that is not accepted.
    """
    # First AP: bridged, used for the initial association.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['bridge'] = 'ap-br0'
    hapd = hostapd.add_ap(apdev[0], params)
    hostapd.cmd_execute(apdev[0], ['brctl', 'setfd', 'ap-br0', '0'])
    hostapd.cmd_execute(apdev[0], ['ip', 'link', 'set', 'dev', 'ap-br0', 'up'])
    eap_connect(dev[0], hapd, "PAX", "*****@*****.**",
                password_hex="0123456789abcdef0123456789abcdef",
                bssid=apdev[0]['bssid'])

    # Second AP: pre-authentication target on the same bridge. Note that
    # hapd now refers to this AP.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['bridge'] = 'ap-br0'
    params['rsn_preauth'] = '1'
    params['rsn_preauth_interfaces'] = 'ap-br0'
    hapd = hostapd.add_ap(apdev[1], params)
    bssid1 = apdev[1]['bssid']

    # (count, function pattern) pairs passed to alloc_fail().
    tests = [(1, "rsn_preauth_receive"),
             (2, "rsn_preauth_receive"),
             (1, "rsn_preauth_send"),
             (1, "wpa_auth_pmksa_add_preauth;rsn_preauth_finished")]
    for test in tests:
        hapd.request("DEAUTHENTICATE ff:ff:ff:ff:ff:ff")
        with alloc_fail(hapd, test[0], test[1]):
            dev[0].scan_for_bss(bssid1, freq="2412")
            if "OK" not in dev[0].request("PREAUTH " + bssid1):
                raise Exception("PREAUTH failed")

            success = False
            count = 0
            # Poll for up to 50 x 0.1 s; stop early when an entry shows up
            # or after GET_ALLOC_FAIL has reported "0:" three times.
            for i in range(50):
                time.sleep(0.1)
                pmksa = dev[0].get_pmksa(bssid1)
                if pmksa:
                    success = True
                    break
                state = hapd.request('GET_ALLOC_FAIL')
                if state.startswith('0:'):
                    count += 1
                    if count > 2:
                        break
            logger.info("PMKSA cache success: " + str(success))

        # Reset station state before the next failure case.
        dev[0].request("PMKSA_FLUSH")
        dev[0].wait_disconnected()
        dev[0].wait_connected()
        dev[0].dump_monitor()
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    ap_ifname = apdev[0]['ifname']
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ap_ifname, ap_cfg)

    # Outer identity "ttls", CHAP inside the TTLS tunnel.
    ttls_args = dict(anonymous_identity="ttls",
                     password="******",
                     ca_cert="auth_serv/ca.pem",
                     phase2="auth=CHAP")
    eap_connect(dev[0], "TTLS", "chap user", **ttls_args)
    hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    ap_ifname = apdev[0]['ifname']
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ap_ifname, ap_cfg)

    # MSCHAPv2 inside the PEAP tunnel; the outer identity here is "ttls".
    peap_args = dict(anonymous_identity="ttls",
                     password="******",
                     ca_cert="auth_serv/ca.pem",
                     phase2="auth=MSCHAPV2")
    eap_connect(dev[0], "PEAP", "user", **peap_args)
    hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
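def test_dbus_old_scan(dev, apdev):
    """The old D-Bus interface - scanning"""
    (bus,wpas_obj,path,if_obj) = prepare_dbus(dev[0])

    # Two APs, so exactly two scan results are expected below.
    hapd = hostapd.add_ap(apdev[0]['ifname'], { "ssid": "open" })

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['wpa'] = '3'
    hapd2 = hostapd.add_ap(apdev[1]['ifname'], params)

    # Helper that triggers a scan from inside the main loop and records the
    # ScanResultsAvailable signal.
    class TestDbusScan(TestDbus):
        def __init__(self, bus):
            TestDbus.__init__(self, bus)
            self.scan_completed = False

        def __enter__(self):
            # Schedule the scan (1 ms) and a 7 s timeout handler, then run
            # the loop until scanDone() quits it.
            gobject.timeout_add(1, self.run_scan)
            gobject.timeout_add(7000, self.timeout)
            self.add_signal(self.scanDone, WPAS_DBUS_OLD_IFACE,
                            "ScanResultsAvailable")
            self.loop.run()
            return self

        def scanDone(self):
            logger.debug("scanDone")
            self.scan_completed = True
            self.loop.quit()

        def run_scan(self, *args):
            logger.debug("run_scan")
            if not if_obj.scan(dbus_interface=WPAS_DBUS_OLD_IFACE):
                raise Exception("Failed to trigger scan")
            # False: do not run this timeout callback again.
            return False

        def success(self):
            return self.scan_completed

    with TestDbusScan(bus) as t:
        if not t.success():
            raise Exception("Expected signals not seen")

    res = if_obj.scanResults(dbus_interface=WPAS_DBUS_OLD_IFACE)
    if len(res) != 2:
        raise Exception("Unexpected number of scan results: " + str(res))
    for i in range(2):
        logger.debug("Scan result BSS path: " + res[i])
        bss_obj = bus.get_object(WPAS_DBUS_OLD_SERVICE, res[i])
        bss = bss_obj.properties(dbus_interface=WPAS_DBUS_OLD_BSSID,
                                 byte_arrays=True)
        logger.debug("BSS: " + str(bss))

    # Proxy for the first result; the negative check below still uses
    # bss_obj from the last loop iteration, as before.
    obj = bus.get_object(WPAS_DBUS_OLD_SERVICE, res[0])
    # Negative check: calling an unknown method has to raise. The failure is
    # reported from the else branch; raising it inside the try body would be
    # caught by the handler below and the check could never fail.
    try:
        bss_obj.properties2(dbus_interface=WPAS_DBUS_OLD_BSSID)
    except Exception as e:
        logger.debug("Unknown BSSID method exception: " + str(e))
    else:
        raise Exception("Unknown BSSID method accepted")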
def test_erp_radius_eap_methods(dev, apdev):
    """ERP enabled on RADIUS server and peer"""
    sta = dev[0]
    check_erp_capa(sta)
    eap_methods = sta.get_capability("eap")
    start_erp_as()

    # AP that talks to the ERP-enabled authentication server on port 18128.
    # PMKSA caching is disabled on the AP so that a cached PMK cannot stand
    # in for the EAP/ERP exchange that erp_test() is meant to exercise.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params.update({'auth_server_port': "18128",
                   'erp_send_reauth_start': '1',
                   'erp_domain': 'example.com',
                   'disable_pmksa_caching': '1'})
    hapd = hostapd.add_ap(apdev[0], params)

    ca_file = "auth_serv/ca.pem"
    hex_key_16 = "0123456789abcdef0123456789abcdef"
    hex_key_32 = ("0123456789abcdef0123456789abcdef"
                  "0123456789abcdef0123456789abcdef")

    # One erp_test() run per EAP method, in the original order. Methods that
    # depend on an optional build capability are guarded by eap_methods.
    erp_test(sta, hapd, eap="AKA", identity="*****@*****.**",
             password="******")
    erp_test(sta, hapd, reauth=True, eap="AKA", identity="*****@*****.**",
             password="******")
    erp_test(sta, hapd, eap="AKA'", identity="*****@*****.**",
             password="******")
    erp_test(sta, hapd, reauth=True, eap="AKA'", identity="*****@*****.**",
             password="******")
    erp_test(sta, hapd, eap="EKE", identity="*****@*****.**",
             password="******")
    if "FAST" in eap_methods:
        erp_test(sta, hapd, eap="FAST", identity="*****@*****.**",
                 password="******", ca_cert=ca_file, phase2="auth=GTC",
                 phase1="fast_provisioning=2",
                 pac_file="blob://fast_pac_auth_erp")
    erp_test(sta, hapd, eap="GPSK", identity="*****@*****.**",
             password="******")
    erp_test(sta, hapd, eap="IKEV2", identity="*****@*****.**",
             password="******")
    erp_test(sta, hapd, eap="PAX", identity="*****@*****.**",
             password_hex=hex_key_16)
    if "MSCHAPV2" in eap_methods:
        erp_test(sta, hapd, eap="PEAP", identity="*****@*****.**",
                 password="******", ca_cert=ca_file,
                 phase2="auth=MSCHAPV2")
        # NOTE(review): the TEAP run is kept under the MSCHAPV2 guard because
        # it also uses phase2="auth=MSCHAPV2"; confirm the nesting against
        # the upstream file.
        erp_test(sta, hapd, eap="TEAP", identity="*****@*****.**",
                 password="******", ca_cert=ca_file,
                 phase2="auth=MSCHAPV2", pac_file="blob://teap_pac")
    erp_test(sta, hapd, eap="PSK", identity="*****@*****.**",
             password_hex=hex_key_16)
    if "PWD" in eap_methods:
        erp_test(sta, hapd, eap="PWD", identity="*****@*****.**",
                 password="******")
    erp_test(sta, hapd, eap="SAKE", identity="*****@*****.**",
             password_hex=hex_key_32)
    erp_test(sta, hapd, eap="SIM", identity="*****@*****.**",
             password="******")
    erp_test(sta, hapd, reauth=True, eap="SIM", identity="*****@*****.**",
             password="******")
    erp_test(sta, hapd, eap="TLS", identity="*****@*****.**",
             ca_cert=ca_file, client_cert="auth_serv/user.pem",
             private_key="auth_serv/user.key")
    erp_test(sta, hapd, eap="TTLS", identity="*****@*****.**",
             password="******", ca_cert=ca_file, phase2="auth=PAP")
def test_pmksa_cache_ctrl_ext(dev, apdev):
    """PMKSA cache control interface for external management"""
    sta = dev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-pmksa-cache")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    bssid = apdev[0]['bssid']

    # Network parameters shared by the initial connection and the later
    # re-added (not yet connected) network block.
    network = dict(proto="RSN", key_mgmt="WPA-EAP", eap="GPSK",
                   identity="gpsk user", password="******",
                   scan_freq="2412")

    netid = sta.connect("test-pmksa-cache", **network)

    # NOTE(review): the PMKSA_GET output is replayed verbatim through
    # PMKSA_ADD further down and is then sufficient to skip EAP, so it is
    # key-equivalent material. Writing it to the log is acceptable for test
    # credentials only.
    res1 = sta.request("PMKSA_GET %d" % netid)
    logger.info("PMKSA_GET: " + res1)
    if "UNKNOWN COMMAND" in res1:
        raise HwsimSkip("PMKSA_GET not supported in the build")
    if bssid not in res1:
        raise Exception("PMKSA cache entry missing")

    # Roam to a second AP so that the cache holds one entry per BSSID.
    hostapd.add_ap(apdev[1], ap_params)
    bssid2 = apdev[1]['bssid']
    sta.scan_for_bss(bssid2, freq=2412, force_scan=True)
    sta.request("ROAM " + bssid2)
    sta.wait_connected()

    res2 = sta.request("PMKSA_GET %d" % netid)
    logger.info("PMKSA_GET: " + res2)
    if bssid not in res2:
        raise Exception("PMKSA cache entry 1 missing")
    if bssid2 not in res2:
        raise Exception("PMKSA cache entry 2 missing")

    # Drop the network and the cache, then add the network back without
    # connecting; the cache must be empty for it.
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
    sta.request("PMKSA_FLUSH")
    netid = sta.connect("test-pmksa-cache", only_add_network=True, **network)
    res3 = sta.request("PMKSA_GET %d" % netid)
    if res3 != '':
        raise Exception("Unexpected PMKSA cache entry remains: " + res3)

    # A network id that does not exist must be rejected, not answered.
    res4 = sta.request("PMKSA_GET %d" % (netid + 1234))
    if not res4.startswith('FAIL'):
        raise Exception("Unexpected PMKSA cache entry for unknown network: " +
                        res4)

    # Restore the previously exported entries one line at a time.
    for entry in res2.splitlines():
        reply = sta.request("PMKSA_ADD %d %s" % (netid, entry))
        if "OK" not in reply:
            raise Exception("Failed to add PMKSA entry")

    # With the cache restored, the connection must complete without a new
    # EAP exchange being started.
    sta.select_network(netid)
    ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED", "CTRL-EVENT-CONNECTED"],
                        timeout=15)
    if ev is None:
        raise Exception("Connection with the AP timed out")
    if "CTRL-EVENT-EAP-STARTED" in ev:
        raise Exception(
            "Unexpected EAP exchange after external PMKSA cache restore")
def test_pmksa_cache_on_roam_back(dev, apdev):
    """PMKSA cache to skip EAP on reassociation back to same AP"""
    sta = dev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-pmksa-cache")
    hostapd.add_ap(apdev[0], ap_params)
    bssid = apdev[0]['bssid']
    sta.connect("test-pmksa-cache", proto="RSN", key_mgmt="WPA-EAP",
                eap="GPSK", identity="gpsk user", password="******",
                scan_freq="2412")

    # The full EAP authentication must have left a regular (non-opportunistic)
    # cache entry for AP1.
    pmksa = sta.get_pmksa(bssid)
    if pmksa is None:
        raise Exception("No PMKSA cache entry created")
    if pmksa['opportunistic'] != '0':
        raise Exception("Unexpected opportunistic PMKSA cache entry")

    hostapd.add_ap(apdev[1], ap_params)
    bssid2 = apdev[1]['bssid']

    sta.dump_monitor()
    logger.info("Roam to AP2")
    # It can take some time for the second AP to become ready to reply to Probe
    # Request frames especially under heavy CPU load, so allow couple of rounds
    # of scanning to avoid reporting errors incorrectly just because of scans
    # not having seen the target AP.
    for _attempt in range(0, 10):
        sta.scan(freq="2412")
        if sta.get_bss(bssid2) is not None:
            break
        logger.info("Scan again to find target AP")

    # First visit to AP2: a full EAP exchange is expected here.
    sta.request("ROAM " + bssid2)
    ev = sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("EAP success timed out")
    sta.wait_connected(timeout=10, error="Roaming timed out")
    pmksa2 = sta.get_pmksa(bssid2)
    if pmksa2 is None:
        raise Exception("No PMKSA cache entry found")
    if pmksa2['opportunistic'] != '0':
        raise Exception("Unexpected opportunistic PMKSA cache entry")

    sta.dump_monitor()
    logger.info("Roam back to AP1")
    sta.scan(freq="2412")
    sta.request("ROAM " + bssid)
    # Going back to AP1 must reuse the cached entry: seeing EAP start before
    # the connection completes is a failure.
    ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED", "CTRL-EVENT-CONNECTED"],
                        timeout=10)
    if ev is None:
        raise Exception("Roaming with the AP timed out")
    if "CTRL-EVENT-EAP-STARTED" in ev:
        raise Exception("Unexpected EAP exchange")
    pmksa1b = sta.get_pmksa(bssid)
    if pmksa1b is None:
        raise Exception("No PMKSA cache entry found")
    if pmksa['pmkid'] != pmksa1b['pmkid']:
        raise Exception("Unexpected PMKID change for AP1")

    # Flushing must remove both entries; the station is then expected to
    # disconnect and reconnect.
    sta.dump_monitor()
    if "FAIL" in sta.request("PMKSA_FLUSH"):
        raise Exception("PMKSA_FLUSH failed")
    if sta.get_pmksa(bssid) is not None or sta.get_pmksa(bssid2) is not None:
        raise Exception("PMKSA_FLUSH did not remove PMKSA entries")
    sta.wait_disconnected(timeout=5)
    sta.wait_connected(timeout=15, error="Reconnection timed out")
def generic_pmksa_cache_preauth(dev, apdev, extraparams, identity, databridge,
                                force_disconnect=False):
    """Run an RSN pre-authentication test with per-AP extra parameters.

    extraparams is a two-element sequence of dicts merged into the hostapd
    parameters of the first and second AP (a falsy value means no extras).
    identity is the EAP-PAX identity used by the station and databridge is
    the interface used both for the connectivity checks and as
    rsn_preauth_interfaces on the second AP. With force_disconnect set, the
    station is disconnected and the first AP disabled before cleanup.
    """
    if not extraparams:
        extraparams = [{}, {}]
    first_extra, second_extra = extraparams[0], extraparams[1]
    sta = dev[0]
    try:
        params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        params['bridge'] = 'ap-br0'
        for name, val in first_extra.items():
            params[name] = val
        hapd = hostapd.add_ap(apdev[0], params)
        hapd.cmd_execute(['brctl', 'setfd', 'ap-br0', '0'])
        hapd.cmd_execute(['ip', 'link', 'set', 'dev', 'ap-br0', 'up'])
        eap_connect(sta, hapd, "PAX", identity,
                    password_hex="0123456789abcdef0123456789abcdef")

        # Verify connectivity in the correct VLAN
        hwsim_utils.test_connectivity_iface(sta, hapd, databridge)

        # Second AP advertises pre-authentication over the data bridge.
        params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        params['bridge'] = 'ap-br0'
        params['rsn_preauth'] = '1'
        params['rsn_preauth_interfaces'] = databridge
        for name, val in second_extra.items():
            params[name] = val
        hapd1 = hostapd.add_ap(apdev[1], params)
        bssid1 = apdev[1]['bssid']
        sta.scan(freq="2412")

        # Poll for up to 50 rounds of 0.1 s: the STATUS output has to show
        # the pre-authentication state machines at least once, and a PMKSA
        # entry for the second AP has to appear.
        status_seen = False
        for _round in range(0, 50):
            if not status_seen:
                status = sta.request("STATUS")
                if "Pre-authentication EAPOL state machines:" in status:
                    status_seen = True
            time.sleep(0.1)
            pmksa = sta.get_pmksa(bssid1)
            if pmksa:
                break
        else:
            raise Exception(
                "No PMKSA cache entry created from pre-authentication")
        if not status_seen:
            raise Exception(
                "Pre-authentication EAPOL status was not available")

        sta.scan(freq="2412")
        if "[WPA2-EAP-CCMP-preauth]" not in sta.request("SCAN_RESULTS"):
            raise Exception("Scan results missing RSN element info")

        # Roaming must use the pre-authenticated entry: no EAP may start and
        # the PMKID has to stay the same.
        sta.request("ROAM " + bssid1)
        ev = sta.wait_event(
            ["CTRL-EVENT-EAP-STARTED", "CTRL-EVENT-CONNECTED"], timeout=10)
        if ev is None:
            raise Exception("Roaming with the AP timed out")
        if "CTRL-EVENT-EAP-STARTED" in ev:
            raise Exception("Unexpected EAP exchange")
        pmksa2 = sta.get_pmksa(bssid1)
        if pmksa2 is None:
            raise Exception("No PMKSA cache entry")
        if pmksa['pmkid'] != pmksa2['pmkid']:
            raise Exception("Unexpected PMKID change")

        hapd1.wait_sta()
        # Verify connectivity in the correct VLAN
        hwsim_utils.test_connectivity_iface(sta, hapd, databridge)

        if force_disconnect:
            # Disconnect the STA from both APs to avoid forceful ifdown by the
            # test script on a VLAN that this has an associated STA. That used
            # to trigger a mac80211 warning.
            sta.request("DISCONNECT")
            hapd.request("DISABLE")
    finally:
        # Best-effort bridge teardown. shell=True is what lets the '2>'
        # element act as a redirection; every element is a literal, so no
        # caller-supplied text is part of the command.
        # NOTE(review): how cmd_execute turns the list into a command line is
        # not visible here.
        link_down = ['ip', 'link', 'set', 'dev', 'ap-br0', 'down',
                     '2>', '/dev/null']
        bridge_del = ['brctl', 'delbr', 'ap-br0', '2>', '/dev/null']
        hostapd.cmd_execute(apdev[0], link_down, shell=True)
        hostapd.cmd_execute(apdev[0], bridge_del, shell=True)
def test_pmksa_cache_multiple_sta(dev, apdev):
    """PMKSA cache with multiple stations"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-pmksa-cache")
    hostapd.add_ap(apdev[0], ap_params)
    bssid = apdev[0]['bssid']
    for d in dev:
        d.flush_scan_cache()

    def join(station, identity):
        # All stations use EAP-GPSK and differ only in the identity.
        station.connect("test-pmksa-cache", proto="RSN", key_mgmt="WPA-EAP",
                        eap="GPSK", identity=identity, password="******",
                        scan_freq="2412")

    join(dev[0], "gpsk-user-session-timeout")
    join(dev[1], "gpsk user")
    join(dev[2], "gpsk-user-session-timeout")

    # Fourth station on an additional wpa_supplicant instance.
    wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
    wpas.interface_add("wlan5")
    wpas.flush_scan_cache()
    join(wpas, "gpsk user")

    hostapd.add_ap(apdev[1], ap_params)
    bssid2 = apdev[1]['bssid']

    # First visit to AP2: each station is expected to complete EAP.
    logger.info("Roam to AP2")
    for sta in [dev[1], dev[0], dev[2], wpas]:
        sta.dump_monitor()
        sta.scan_for_bss(bssid2, freq="2412")
        if "OK" not in sta.request("ROAM " + bssid2):
            raise Exception("ROAM command failed (" + sta.ifname + ")")
        ev = sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        sta.wait_connected(timeout=10, error="Roaming timed out")
        sta.dump_monitor()

    def roam_all_back(target):
        # Return visits only require that the connection completes.
        for sta in [dev[1], wpas, dev[0], dev[2]]:
            sta.dump_monitor()
            sta.scan(freq="2412")
            sta.dump_monitor()
            sta.request("ROAM " + target)
            sta.wait_connected(timeout=10, error="Roaming timed out")
            sta.dump_monitor()

    logger.info("Roam back to AP1")
    roam_all_back(bssid)

    time.sleep(4)

    logger.info("Roam back to AP2")
    roam_all_back(bssid2)
def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE"""
    # WPA2-Enterprise AP on the first AP interface.
    ap_ifname = apdev[0]['ifname']
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ap_ifname, ap_params)

    # Only an identity and a password are supplied for this method; no
    # ca_cert is passed.
    eap_connect(dev[0], "EKE", "eke user",
                password="******")
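def generic_ap_vlan_wpa2_radius_id_change(dev, apdev, tagged):
    """Check that reauthentication moves a station between dynamic VLANs.

    An authentication server is started on apdev[1] and a dynamic-VLAN AP on
    apdev[0]. The station connects, the server's eap_user_file is swapped
    and the station is told to reauthenticate, first to "VLAN-ID -> 2" and
    then back to "VLAN-ID -> 1". tagged selects the tagged-VLAN identity and
    the tagged connectivity check.
    """
    as_params = {"ssid": "as",
                 "beacon_int": "2000",
                 "radius_server_clients": "auth_serv/radius_clients.conf",
                 "radius_server_auth_port": '18128',
                 "eap_server": "1",
                 "eap_user_file": "auth_serv/eap_user.conf",
                 "ca_cert": "auth_serv/ca.pem",
                 "server_cert": "auth_serv/server.pem",
                 "private_key": "auth_serv/server.key"}
    authserv = hostapd.add_ap(apdev[1], as_params)

    params = hostapd.wpa2_eap_params(ssid="test-vlan")
    params['dynamic_vlan'] = "1"
    params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0], params)

    def check_data(vlan):
        # Data path check for the given VLAN number (passed as a string).
        if tagged:
            hwsim_utils.run_connectivity_test(dev[0], hapd, 0,
                                              ifname1="wlan0." + vlan,
                                              ifname2="brvlan" + vlan)
        else:
            hwsim_utils.test_connectivity_iface(dev[0], hapd,
                                                "brvlan" + vlan)

    def reauth_with(user_file, vlan):
        # Swap the user database, force a reauthentication and verify the
        # resulting state and VLAN assignment.
        authserv.disable()
        authserv.set('eap_user_file', user_file)
        authserv.enable()

        dev[0].dump_monitor()
        dev[0].request("REAUTHENTICATE")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
        if ev is None:
            raise Exception("EAP reauthentication timed out")
        ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=5)
        if ev is None:
            raise Exception("4-way handshake after reauthentication timed out")
        state = dev[0].get_status_field('wpa_state')
        if state != "COMPLETED":
            raise Exception("Unexpected state after reauth: " + state)
        sta = hapd.get_sta(dev[0].own_addr())
        if 'vlan_id' not in sta:
            raise Exception("No VLAN ID in STA info")
        # The exact VLAN ID is only compared in the untagged case; in the
        # tagged case the assignment is covered by the data test alone.
        if (not tagged) and (sta['vlan_id'] != vlan):
            raise Exception("Unexpected VLAN ID: " + sta['vlan_id'])

    identity = "vlan1tagged" if tagged else "vlan1"

    dev[0].connect("test-vlan", key_mgmt="WPA-EAP", eap="PAX",
                   identity=identity,
                   password_hex="0123456789abcdef0123456789abcdef",
                   scan_freq="2412")
    check_data("1")

    logger.info("VLAN-ID -> 2")
    reauth_with("auth_serv/eap_user_vlan.conf", "2")
    check_data("2")

    logger.info("VLAN-ID -> 1")
    time.sleep(1)
    reauth_with("auth_serv/eap_user.conf", "1")
    time.sleep(0.2)
    # "except Exception:" replaces the Python 2-only "except Exception, e"
    # spelling (a syntax error on Python 3); the bound name was unused.
    try:
        check_data("1")
    except Exception:
        # It is possible for new bridge setup to not be ready immediately, so
        # try again to avoid reporting issues related to that.
        logger.info("First VLAN-ID 1 data test failed - try again")
        check_data("1")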
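def test_fils_sk_multiple_realms(dev, apdev):
    """FILS SK and multiple realms"""
    check_fils_capa(dev[0])
    check_erp_capa(dev[0])

    start_erp_as(apdev[1])

    bssid = apdev[0]['bssid']
    params = hostapd.wpa2_eap_params(ssid="fils")
    params['wpa_key_mgmt'] = "FILS-SHA256"
    params['auth_server_port'] = "18128"
    params['erp_domain'] = 'example.com'
    # 17 realms, one with mixed case, so that the lower-casing and the
    # 7-entry limit checked below are both exercised.
    fils_realms = ['r1.example.org', 'r2.EXAMPLE.org', 'r3.example.org',
                   'r4.example.org', 'r5.example.org', 'r6.example.org',
                   'r7.example.org', 'r8.example.org',
                   'example.com',
                   'r9.example.org', 'r10.example.org', 'r11.example.org',
                   'r12.example.org', 'r13.example.org', 'r14.example.org',
                   'r15.example.org', 'r16.example.org']
    params['fils_realm'] = fils_realms
    params['fils_cache_id'] = "1234"
    params['hessid'] = bssid
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    dev[0].scan_for_bss(bssid, freq=2412)

    if "OK" not in dev[0].request("ANQP_GET " + bssid + " 275"):
        raise Exception("ANQP_GET command failed")
    ev = dev[0].wait_event(["GAS-QUERY-DONE"], timeout=10)
    if ev is None:
        raise Exception("GAS query timed out")
    bss = dev[0].get_bss(bssid)

    if 'fils_info' not in bss:
        raise Exception("FILS Indication element information missing")
    if bss['fils_info'] != '02b8':
        raise Exception("Unexpected FILS Information: " + bss['fils_info'])

    if 'fils_cache_id' not in bss:
        raise Exception("FILS Cache Identifier missing")
    if bss['fils_cache_id'] != '1234':
        raise Exception("Unexpected FILS Cache Identifier: " +
                        bss['fils_cache_id'])

    def realm_hashes(realms):
        # Hex of the first two octets of SHA-256 over the lower-cased realm,
        # concatenated in order. The explicit encode()/decode() keeps this
        # working where str and bytes are distinct types: hashing a str or
        # appending hexlify()'s bytes to a str raises TypeError there.
        # A two-octet prefix is only a short identifier; distinct realms can
        # share it.
        return ''.join(
            binascii.hexlify(
                hashlib.sha256(realm.lower().encode()).digest()[0:2]).decode()
            for realm in realms)

    if 'fils_realms' not in bss:
        raise Exception("FILS Realm Identifiers missing")
    # Only the first seven realms are expected in this field.
    expected = realm_hashes(fils_realms[:7])
    if bss['fils_realms'] != expected:
        raise Exception("Unexpected FILS Realm Identifiers: " +
                        bss['fils_realms'])

    if 'anqp_fils_realm_info' not in bss:
        raise Exception("FILS Realm Information ANQP-element not seen")
    info = bss['anqp_fils_realm_info']
    # The ANQP-element is expected to carry all configured realms.
    expected = realm_hashes(fils_realms)
    if info != expected:
        raise Exception("Unexpected FILS Realm Info ANQP-element: " + info)

    dev[0].request("ERP_FLUSH")
    netid = dev[0].connect("fils", key_mgmt="FILS-SHA256",
                           eap="PSK", identity="*****@*****.**",
                           password_hex="0123456789abcdef0123456789abcdef",
                           erp="1", scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # Reconnection must go through FILS/ERP: a new EAP exchange or an
    # association rejection is a failure.
    dev[0].dump_monitor()
    dev[0].select_network(netid, freq=2412)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
                            "EVENT-ASSOC-REJECT",
                            "CTRL-EVENT-CONNECTED"], timeout=10)
    if ev is None:
        raise Exception("Connection using FILS/ERP timed out")
    if "CTRL-EVENT-EAP-STARTED" in ev:
        raise Exception("Unexpected EAP exchange")
    if "EVENT-ASSOC-REJECT" in ev:
        raise Exception("Association failed")
    hwsim_utils.test_connectivity(dev[0], hapd)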
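def test_dbus_old_scan(dev, apdev):
    """The old D-Bus interface - scanning"""
    (bus, wpas_obj, path, if_obj) = prepare_dbus(dev[0])

    # Two APs are started so that exactly two scan results are expected
    # below: an open network and a WPA2-EAP parameter set with wpa='3'.
    hapd = hostapd.add_ap(apdev[0], {"ssid": "open"})

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['wpa'] = '3'
    hapd2 = hostapd.add_ap(apdev[1], params)

    class TestDbusScan(TestDbus):
        """Trigger a scan from the main loop and wait for its signal."""

        def __init__(self, bus):
            TestDbus.__init__(self, bus)
            self.scan_completed = False

        def __enter__(self):
            # Start the scan almost immediately and arm a 7 s timeout so a
            # missing ScanResultsAvailable signal cannot hang the test.
            gobject.timeout_add(1, self.run_scan)
            gobject.timeout_add(7000, self.timeout)
            self.add_signal(self.scanDone, WPAS_DBUS_OLD_IFACE,
                            "ScanResultsAvailable")
            self.loop.run()
            return self

        def scanDone(self):
            logger.debug("scanDone")
            self.scan_completed = True
            self.loop.quit()

        def run_scan(self, *args):
            logger.debug("run_scan")
            if not if_obj.scan(dbus_interface=WPAS_DBUS_OLD_IFACE):
                raise Exception("Failed to trigger scan")
            # Returning False stops the timeout source from firing again.
            return False

        def success(self):
            return self.scan_completed

    with TestDbusScan(bus) as t:
        if not t.success():
            raise Exception("Expected signals not seen")

    res = if_obj.scanResults(dbus_interface=WPAS_DBUS_OLD_IFACE)
    if len(res) != 2:
        raise Exception("Unexpected number of scan results: " + str(res))
    for i in range(2):
        logger.debug("Scan result BSS path: " + res[i])
        bss_obj = bus.get_object(WPAS_DBUS_OLD_SERVICE, res[i])
        bss = bss_obj.properties(dbus_interface=WPAS_DBUS_OLD_BSSID,
                                 byte_arrays=True)
        logger.debug("BSS: " + str(bss))

    # NOTE(review): obj is never used afterwards; the calls below go through
    # bss_obj, i.e. the proxy for the last scan result from the loop above.
    obj = bus.get_object(WPAS_DBUS_OLD_SERVICE, res[0])
    try:
        bss_obj.properties2(dbus_interface=WPAS_DBUS_OLD_BSSID)
    except Exception as e:
        # Expected path: the service rejects a method it does not define.
        logger.debug("Unknown BSSID method exception: " + str(e))
    else:
        # Raised outside the try body on purpose. When this raise sat inside
        # the try, the broad handler above caught it and the negative check
        # could never fail.
        raise Exception("Unknown BSSID method accepted")

    # flush(0) has to drop every BSS entry.
    if not if_obj.flush(0, dbus_interface=WPAS_DBUS_OLD_IFACE):
        raise Exception("Failed to issue flush(0)")
    res = if_obj.scanResults(dbus_interface=WPAS_DBUS_OLD_IFACE)
    if len(res) != 0:
        raise Exception("Unexpected BSS entry after flush")
    if not if_obj.flush(1, dbus_interface=WPAS_DBUS_OLD_IFACE):
        raise Exception("Failed to issue flush(1)")

    # A non-numeric flush argument must be rejected with InvalidOptions. The
    # handler is limited to DBusException, so the plain Exception raised on
    # unexpected acceptance is not swallowed here.
    try:
        if_obj.flush("foo", dbus_interface=WPAS_DBUS_OLD_IFACE)
        raise Exception("Invalid flush arguments accepted")
    except dbus.exceptions.DBusException as e:
        if not str(e).startswith(
                "fi.epitest.hostap.WPASupplicant.InvalidOptions"):
            raise Exception("Unexpected error message for invalid flush: " +
                            str(e))

    # The BSS behind bss_obj was flushed above. Only the error name is
    # checked; a successful call is tolerated, as in the original.
    try:
        bss_obj.properties(dbus_interface=WPAS_DBUS_OLD_BSSID,
                           byte_arrays=True)
    except dbus.exceptions.DBusException as e:
        if not str(e).startswith(
                "fi.epitest.hostap.WPASupplicant.Interface.InvalidBSSID"):
            raise Exception("Unexpected error message for invalid BSS: " +
                            str(e))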
def test_dbus_old_connect_eap(dev, apdev):
    """The old D-Bus interface - add an EAP network and connect"""
    (bus, wpas_obj, path, if_obj) = prepare_dbus(dev[0])

    ssid = "test-wpa2-eap"
    params = hostapd.wpa2_eap_params(ssid=ssid)
    hapd = hostapd.add_ap(apdev[0], params)

    class TestDbusConnect(TestDbus):
        """Add and enable an EAP-TTLS/PAP network, then wait for signals."""

        def __init__(self, bus):
            TestDbus.__init__(self, bus)
            self.connected = False
            self.certification_received = False

        def __enter__(self):
            # Kick off the connection from the main loop and arm a 15 s
            # timeout before subscribing to the two signals of interest.
            gobject.timeout_add(1, self.run_connect)
            gobject.timeout_add(15000, self.timeout)
            self.add_signal(self.stateChange, WPAS_DBUS_OLD_IFACE,
                            "StateChange")
            self.add_signal(self.certification, WPAS_DBUS_OLD_IFACE,
                            "Certification")
            self.loop.run()
            return self

        def stateChange(self, new, old):
            logger.debug("stateChange: %s --> %s" % (old, new))
            if new != "COMPLETED":
                return
            self.connected = True
            self.loop.quit()

        def certification(self, depth, subject, hash, cert_hex):
            # Record that the server certificate was reported over D-Bus.
            message = ("certification: depth={} subject={} hash={} "
                       "cert_hex={}".format(depth, subject, hash, cert_hex))
            logger.debug(message)
            self.certification_received = True

        def run_connect(self, *args):
            logger.debug("run_connect")
            net_path = if_obj.addNetwork(dbus_interface=WPAS_DBUS_OLD_IFACE)
            net_obj = bus.get_object(WPAS_DBUS_OLD_SERVICE, net_path)

            # TTLS with PAP inside the tunnel; a CA file is configured, and
            # success() below also requires the Certification signal.
            settings = {'ssid': ssid,
                        'key_mgmt': 'WPA-EAP',
                        'eap': 'TTLS',
                        'anonymous_identity': 'ttls',
                        'identity': 'pap user',
                        'ca_cert': 'auth_serv/ca.pem',
                        'phase2': 'auth=PAP',
                        'password': '******',
                        'scan_freq': 2412}
            net_params = dbus.Dictionary(settings, signature='sv')
            net_obj.set(net_params, dbus_interface=WPAS_DBUS_OLD_NETWORK)
            net_obj.enable(dbus_interface=WPAS_DBUS_OLD_NETWORK)
            self.path = net_path
            self.netw_obj = net_obj
            # Returning False stops the timeout source from firing again.
            return False

        def success(self):
            return self.connected and self.certification_received

    with TestDbusConnect(bus) as t:
        if not t.success():
            raise Exception("Expected signals not seen")
def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd"""
    # WPA2-Enterprise AP on the first AP interface.
    ap_ifname = apdev[0]['ifname']
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ap_ifname, ap_params)

    # Only an identity and a password are supplied for this method; no
    # ca_cert is passed.
    eap_connect(dev[0], "PWD", "pwd user",
                password="******")
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2"""
    # WPA2-Enterprise AP on the first AP interface.
    ap_ifname = apdev[0]['ifname']
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ap_ifname, ap_params)

    # Only an identity and a password are supplied for this method; no
    # ca_cert is passed.
    eap_connect(dev[0], "IKEV2", "ikev2 user",
                password="******")