def test_radius_macacl(dev, apdev):
    """RADIUS MAC ACL"""
    ap_conf = hostapd.radius_params()
    # macaddr_acl=2 selects the RADIUS-backed MAC ACL named in the docstring.
    # The station joins with key_mgmt=NONE, so the ACL decision is the only
    # admission control exercised here; a MAC address is an identifier, not a
    # credential.
    for key, value in (("ssid", "radius"), ("macaddr_acl", "2")):
        ap_conf[key] = value
    hostapd.add_ap(apdev[0]["ifname"], ap_conf)

    sta = dev[0]
    sta.connect("radius", key_mgmt="NONE", scan_freq="2412")
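def test_ap_ft_mismatching_r0kh_id_pull_eap(dev, apdev):
    """WPA2-EAP-FT AP over DS with mismatching R0KH-ID (pull)"""
    ssid = "test-ft"
    passphrase = "12345678"

    radius = hostapd.radius_params()
    params = ft_params1(ssid=ssid, passphrase=passphrase)
    # pmk_r1_push=0 disables PMK-R1 push, so the target AP has to pull the key
    # (the "pull" case in the docstring).
    params["pmk_r1_push"] = "0"
    # NOTE(review): overriding nas_identifier on the first AP is presumably
    # what creates the R0KH-ID mismatch; confirm against ft_params1/ft_params2.
    params["nas_identifier"] = "nas0.w1.fi"
    params['wpa_key_mgmt'] = "FT-EAP"
    params["ieee8021x"] = "1"
    # items() views cannot be added together on Python 3; wrapping them in
    # list() works on both major versions. FT entries win on duplicate keys.
    params = dict(list(radius.items()) + list(params.items()))
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect(ssid, key_mgmt="FT-EAP", proto="WPA2", ieee80211w="1",
                   eap="GPSK", identity="gpsk user", password="******",
                   scan_freq="2412")

    params = ft_params2(ssid=ssid, passphrase=passphrase)
    params["pmk_r1_push"] = "0"
    params['wpa_key_mgmt'] = "FT-EAP"
    params["ieee8021x"] = "1"
    params = dict(list(radius.items()) + list(params.items()))
    hostapd.add_ap(apdev[1]['ifname'], params)

    dev[0].scan_for_bss(apdev[1]['bssid'], freq="2412")
    # fail_test=True: the over-the-DS roam is expected to be refused because
    # the key holder identity does not match.
    dev[0].roam_over_ds(apdev[1]['bssid'], fail_test=True)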
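def test_ap_ft_eap(dev, apdev):
    """WPA2-EAP-FT AP"""
    ssid = "test-ft"
    passphrase = "12345678"

    radius = hostapd.radius_params()
    params = ft_params1(ssid=ssid, passphrase=passphrase)
    params['wpa_key_mgmt'] = "FT-EAP"
    params["ieee8021x"] = "1"
    # items() views cannot be added together on Python 3; wrapping them in
    # list() works on both major versions. FT entries win on duplicate keys.
    params = dict(list(radius.items()) + list(params.items()))
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Confirm the AP really runs the intended AKM before relying on it.
    key_mgmt = hapd.get_config()['key_mgmt']
    if key_mgmt.split(' ')[0] != "FT-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)

    params = ft_params2(ssid=ssid, passphrase=passphrase)
    params['wpa_key_mgmt'] = "FT-EAP"
    params["ieee8021x"] = "1"
    params = dict(list(radius.items()) + list(params.items()))
    hostapd.add_ap(apdev[1]['ifname'], params)

    run_roams(dev[0], apdev, ssid, passphrase, eap=True)
    if "[WPA2-FT/EAP-CCMP]" not in dev[0].request("SCAN_RESULTS"):
        raise Exception("Scan results missing RSN element info")
    # 00-0f-ac-3 is the RSN AKM suite selector for FT over IEEE 802.1X; both
    # the requested and the selected suite must report it.
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-3"),
                       ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-3")])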
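def test_ap_ft_internal_rrb_check(dev, apdev):
    """RRB internal delivery only to WPA enabled BSS"""
    ssid = "test-ft"
    passphrase = "12345678"

    radius = hostapd.radius_params()
    params = ft_params1(ssid=ssid, passphrase=passphrase)
    params['wpa_key_mgmt'] = "FT-EAP"
    params["ieee8021x"] = "1"
    # items() views cannot be added together on Python 3; wrapping them in
    # list() works on both major versions. FT entries win on duplicate keys.
    params = dict(list(radius.items()) + list(params.items()))
    hapd = hostapd.add_ap(apdev[0], params)
    key_mgmt = hapd.get_config()['key_mgmt']
    if key_mgmt.split(' ')[0] != "FT-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)

    # Second BSS shares the SSID but has no WPA configuration at all.
    hapd1 = hostapd.add_ap(apdev[1], {"ssid": ssid})

    # Connect to WPA enabled AP
    dev[0].connect(ssid, key_mgmt="FT-EAP", proto="WPA2", ieee80211w="1",
                   eap="GPSK", identity="gpsk user", password="******",
                   scan_freq="2412")

    # Try over_ds roaming to non-WPA-enabled AP.
    # If hostapd does not check hapd->wpa_auth internally, it will crash now.
    # This is a regression guard for that missing check: the roam has to fail
    # cleanly (fail_test=True) instead of taking the authenticator down.
    dev[0].roam_over_ds(apdev[1]['bssid'], fail_test=True)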
def test_ieee8021x_open(dev, apdev):
    """IEEE 802.1X connection using open network"""
    ap_conf = hostapd.radius_params()
    ap_conf["ssid"] = "ieee8021x-open"
    ap_conf["ieee8021x"] = "1"
    ap = hostapd.add_ap(apdev[0]["ifname"], ap_conf)

    sta = dev[0]
    # eapol_flags="0": no dynamic WEP keys are requested, so traffic on this
    # BSS is unencrypted and IEEE 802.1X only gates port access.
    net_id = sta.connect(
        "ieee8021x-open",
        key_mgmt="IEEE8021X",
        eapol_flags="0",
        eap="PSK",
        identity="*****@*****.**",
        password_hex="0123456789abcdef0123456789abcdef",
        scan_freq="2412",
    )
    hwsim_utils.test_connectivity(sta, ap)

    logger.info("Test EAPOL-Logoff")
    sta.request("LOGOFF")
    event = sta.wait_event(["CTRL-EVENT-DISCONNECTED"])
    if event is None:
        raise Exception("Did not get disconnected")
    # Reason code 23 is "IEEE 802.1X authentication failed" in IEEE 802.11.
    if "reason=23" not in event:
        raise Exception("Unexpected disconnection reason")

    # After logging on again the same network profile must be usable.
    sta.request("LOGON")
    sta.connect_network(net_id)
    hwsim_utils.test_connectivity(sta, ap)
def test_ieee8021x_eapol_start(dev, apdev):
    """IEEE 802.1X and EAPOL-Start retransmissions"""
    ap_conf = hostapd.radius_params()
    ap_conf["ssid"] = "ieee8021x-open"
    ap_conf["ieee8021x"] = "1"
    ap = hostapd.add_ap(apdev[0], ap_conf)
    bssid = apdev[0]['bssid']  # looked up but not used below
    sta_addr = dev[0].own_addr()

    # NOTE(review): with ext_eapol_frame_io enabled the AP presumably stops
    # exchanging EAPOL frames on its own, so the supplicant's EAPOL-Start
    # frames go unanswered -- confirm against hostapd.
    ap.set("ext_eapol_frame_io", "1")
    try:
        # Shorten the supplicant timers so the HELD state is reached quickly.
        dev[0].request("SET EAPOL::startPeriod 1")
        dev[0].request("SET EAPOL::maxStart 1")
        dev[0].connect("ieee8021x-open", key_mgmt="IEEE8021X", eapol_flags="0",
                       eap="PSK", identity="*****@*****.**",
                       password_hex="0123456789abcdef0123456789abcdef",
                       scan_freq="2412", wait_connect=False)
        # Poll for up to 30 * 0.25 s.
        for _ in range(30):
            if dev[0].get_status_field('Supplicant PAE state') == "HELD":
                sta_mib = ap.get_sta(sta_addr, info="eapol")
                if sta_mib['auth_pae_state'] != 'AUTHENTICATING':
                    raise Exception("Unexpected Auth PAE state: " + sta_mib['auth_pae_state'])
                break
            time.sleep(0.25)
        else:
            raise Exception("PAE state HELD not reached")
        dev[0].wait_disconnected()
    finally:
        # Restore the timer values so later tests see the usual settings.
        dev[0].request("SET EAPOL::startPeriod 30")
        dev[0].request("SET EAPOL::maxStart 3")
def test_ieee8021x_proto(dev, apdev):
    """IEEE 802.1X and EAPOL supplicant protocol testing"""
    ap_conf = hostapd.radius_params()
    ap_conf["ssid"] = "ieee8021x-open"
    ap_conf["ieee8021x"] = "1"
    hapd = hostapd.add_ap(apdev[0]["ifname"], ap_conf)
    bssid = apdev[0]["bssid"]

    # Both stations use the same profile; dev[1] additionally has external
    # EAPOL frame I/O enabled and is not waited on.
    profile = dict(
        key_mgmt="IEEE8021X",
        eapol_flags="0",
        eap="PSK",
        identity="*****@*****.**",
        password_hex="0123456789abcdef0123456789abcdef",
        scan_freq="2412",
    )
    dev[1].request("SET ext_eapol_frame_io 1")
    dev[1].connect("ieee8021x-open", **dict(profile, wait_connect=False))
    net_id = dev[0].connect("ieee8021x-open", **profile)
    # The result of this wait is not checked.
    started = dev[1].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)

    mib_before = dev[0].get_mib()

    # Hex-encoded EAPOL frames injected through EAPOL_RX. The counters checked
    # at the end imply these include invalid frames and EAP length errors; the
    # supplicant must count and drop them rather than misparse them.
    injected_frames = (
        "11",
        "11223344",
        "020000050a93000501",
        "020300050a93000501",
        "0203002c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
        "0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
        "0203002c0100050000000000000000000000000000000000000000000000000000000000000000000000000000000000",
        "02aa00050a93000501",
    )
    for frame in injected_frames:
        reply = dev[0].request("EAPOL_RX " + bssid + " " + frame)
        if "OK" not in reply:
            raise Exception("EAPOL_RX to wpa_supplicant failed")
        # Same frame to the station with external frame I/O; reply ignored.
        dev[1].request("EAPOL_RX " + bssid + " " + frame)

    mib_after = dev[0].get_mib()

    logger.info("MIB before test frames: " + str(mib_before))
    logger.info("MIB after test frames: " + str(mib_after))

    for counter in ("dot1xSuppInvalidEapolFramesRx", "dot1xSuppEapLengthErrorFramesRx"):
        if int(mib_after[counter]) <= int(mib_before[counter]):
            raise Exception(counter + " did not increase")
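def test_ieee8021x_reauth_wep(dev, apdev, params):
    """IEEE 802.1X and EAPOL_REAUTH request with WEP"""
    logdir = params['logdir']

    # Separate name for the AP configuration so the harness-supplied `params`
    # argument is not shadowed.
    ap_params = hostapd.radius_params()
    ap_params["ssid"] = "ieee8021x-open"
    ap_params["ieee8021x"] = "1"
    # 13-byte broadcast and unicast keys, i.e. dynamic WEP104.
    ap_params["wep_key_len_broadcast"] = "13"
    ap_params["wep_key_len_unicast"] = "13"
    hapd = hostapd.add_ap(apdev[0], ap_params)
    dev[0].connect("ieee8021x-open", key_mgmt="IEEE8021X", eap="PSK",
                   identity="*****@*****.**",
                   password_hex="0123456789abcdef0123456789abcdef",
                   scan_freq="2412")
    hwsim_utils.test_connectivity(dev[0], hapd)

    hapd.request("EAPOL_REAUTH " + dev[0].own_addr())
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)
    if ev is None:
        raise Exception("EAP authentication did not start")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=5)
    if ev is None:
        raise Exception("EAP authentication did not succeed")
    time.sleep(0.1)
    hwsim_utils.test_connectivity(dev[0], hapd)

    # Count EAPOL frames that are readable in the capture. The thresholds
    # below cover the initial authentication plus the reauthentication, so the
    # reauthentication exchange must have gone out unencrypted as well.
    out = run_tshark(os.path.join(logdir, "hwsim0.pcapng"),
                     "llc.type == 0x888e",
                     ["eapol.type", "eap.code"])
    if out is None:
        raise Exception("Could not find EAPOL frames in capture")
    num_eapol_key = 0
    num_eap_req = 0
    num_eap_resp = 0
    for line in out.splitlines():
        vals = line.split()
        if not vals:
            # A blank output line would otherwise raise IndexError on vals[0]
            # and hide the real test verdict.
            continue
        # First column is eapol.type, second (when present) is eap.code.
        if vals[0] == '3':
            num_eapol_key += 1
        if vals[0] == '0' and len(vals) == 2:
            if vals[1] == '1':
                num_eap_req += 1
            elif vals[1] == '2':
                num_eap_resp += 1
    logger.info("num_eapol_key: %d" % num_eapol_key)
    logger.info("num_eap_req: %d" % num_eap_req)
    logger.info("num_eap_resp: %d" % num_eap_resp)
    if num_eapol_key < 4:
        raise Exception("Did not see four unencrypted EAPOL-Key frames")
    if num_eap_req < 6:
        raise Exception("Did not see six unencrypted EAP-Request frames")
    if num_eap_resp < 6:
        raise Exception("Did not see six unencrypted EAP-Response frames")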
def test_ieee8021x_wep40(dev, apdev):
    """IEEE 802.1X connection using dynamic WEP40"""
    ap_conf = hostapd.radius_params()
    # 5-byte broadcast and unicast keys, i.e. WEP40. WEP is a legacy cipher;
    # this is interoperability coverage, not a recommended configuration.
    for key, value in (
        ("ssid", "ieee8021x-wep"),
        ("ieee8021x", "1"),
        ("wep_key_len_broadcast", "5"),
        ("wep_key_len_unicast", "5"),
    ):
        ap_conf[key] = value
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_conf)

    sta = dev[0]
    sta.connect("ieee8021x-wep", key_mgmt="IEEE8021X", eap="PSK",
                identity="*****@*****.**",
                password_hex="0123456789abcdef0123456789abcdef")
    hwsim_utils.test_connectivity(sta, ap)
def run_static_wep(dev, apdev, key):
    # Shared body for the static-WEP cases: the same `key` is configured as
    # wep_key0 on the AP and in the station profile, then data connectivity is
    # verified. eapol_flags="0" means no dynamic keys are requested.
    ap_conf = hostapd.radius_params()
    ap_conf["ssid"] = "ieee8021x-wep"
    ap_conf["ieee8021x"] = "1"
    ap_conf["wep_key0"] = key
    ap = hostapd.add_ap(apdev[0], ap_conf)

    sta = dev[0]
    sta.connect("ieee8021x-wep", key_mgmt="IEEE8021X", eap="PSK",
                identity="*****@*****.**",
                password_hex="0123456789abcdef0123456789abcdef",
                wep_key0=key, eapol_flags="0",
                scan_freq="2412")
    hwsim_utils.test_connectivity(sta, ap)
def test_ieee8021x_set_conf(dev, apdev):
    """IEEE 802.1X and EAPOL_SET command"""
    ap_conf = hostapd.radius_params()
    ap_conf["ssid"] = "ieee8021x-open"
    ap_conf["ieee8021x"] = "1"
    hapd = hostapd.add_ap(apdev[0], ap_conf)
    dev[0].connect("ieee8021x-open", key_mgmt="IEEE8021X", eapol_flags="0",
                   eap="PSK", identity="*****@*****.**",
                   password_hex="0123456789abcdef0123456789abcdef",
                   scan_freq="2412")

    addr0 = dev[0].own_addr()

    # Negative cases: missing arguments, a malformed address, unknown
    # parameter names, invalid values, and a station address that is not
    # associated. Each of them has to be rejected with FAIL.
    rejected = (
        "EAPOL_SET 1",
        "EAPOL_SET %sfoo bar" % addr0,
        "EAPOL_SET %s foo" % addr0,
        "EAPOL_SET %s foo bar" % addr0,
        "EAPOL_SET %s AdminControlledDirections bar" % addr0,
        "EAPOL_SET %s AdminControlledPortControl bar" % addr0,
        "EAPOL_SET %s reAuthEnabled bar" % addr0,
        "EAPOL_SET %s KeyTransmissionEnabled bar" % addr0,
        "EAPOL_SET 11:22:33:44:55:66 AdminControlledDirections Both",
    )
    for cmd in rejected:
        if "FAIL" not in hapd.request(cmd):
            raise Exception("Invalid EAPOL_SET command accepted: " + cmd)

    # Positive cases: (EAPOL_SET parameter, field name in the per-station
    # EAPOL MIB, value). Every accepted value has to be readable back. The
    # last port-control entry is Auto, which leaves the port in its normal mode.
    accepted = (
        ("AdminControlledDirections", "adminControlledDirections", "In"),
        ("AdminControlledDirections", "adminControlledDirections", "Both"),
        ("quietPeriod", "quietPeriod", "13"),
        ("serverTimeout", "serverTimeout", "7"),
        ("reAuthPeriod", "reAuthPeriod", "1234"),
        ("reAuthEnabled", "reAuthEnabled", "FALSE"),
        ("reAuthEnabled", "reAuthEnabled", "TRUE"),
        ("KeyTransmissionEnabled", "keyTxEnabled", "TRUE"),
        ("KeyTransmissionEnabled", "keyTxEnabled", "FALSE"),
        ("AdminControlledPortControl", "portControl", "ForceAuthorized"),
        ("AdminControlledPortControl", "portControl", "ForceUnauthorized"),
        ("AdminControlledPortControl", "portControl", "Auto"),
    )
    for param, mibparam, val in accepted:
        reply = hapd.request("EAPOL_SET %s %s %s" % (addr0, param, val))
        if "OK" not in reply:
            raise Exception("Failed to set %s %s" % (param, val))
        sta_mib = hapd.get_sta(addr0, info="eapol")
        if mib_differs(sta_mib, mibparam, val) if False else sta_mib[mibparam] != val:
            raise Exception("Unexpected %s value: %s (expected %s)" % (param, sta_mib[mibparam], val))

    # The station must authenticate again and pass traffic afterwards.
    if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=5) is None:
        raise Exception("EAP authentication did not succeed")
    time.sleep(0.1)
    hwsim_utils.test_connectivity(dev[0], hapd)
def test_ieee8021x_auth_awhile(dev, apdev):
    """IEEE 802.1X and EAPOL Authenticator aWhile handling"""
    ap_conf = hostapd.radius_params()
    ap_conf["ssid"] = "ieee8021x-open"
    ap_conf["ieee8021x"] = "1"
    # Point the authenticator at the RADIUS server started on apdev[1] below.
    ap_conf['auth_server_port'] = "18129"
    hapd = hostapd.add_ap(apdev[0], ap_conf)
    bssid = apdev[0]['bssid']  # looked up but not used below
    addr0 = dev[0].own_addr()

    # Second hostapd instance acting as the authentication server on port
    # 18129, so that it can be taken away in the middle of the test.
    server_conf = {
        'ssid': 'as',
        'beacon_int': '2000',
        'radius_server_clients': 'auth_serv/radius_clients.conf',
        'radius_server_auth_port': '18129',
        'eap_server': '1',
        'eap_user_file': 'auth_serv/eap_user.conf',
        'ca_cert': 'auth_serv/ca.pem',
        'server_cert': 'auth_serv/server.pem',
        'private_key': 'auth_serv/server.key',
    }
    hapd1 = hostapd.add_ap(apdev[1], server_conf)

    dev[0].connect("ieee8021x-open", key_mgmt="IEEE8021X", eapol_flags="0",
                   eap="PSK", identity="*****@*****.**",
                   password_hex="0123456789abcdef0123456789abcdef",
                   scan_freq="2412")

    # With the server disabled the reauthentication cannot complete, which is
    # what exposes the authenticator's aWhile timer.
    hapd1.disable()
    if "OK" not in hapd.request("EAPOL_SET %s serverTimeout 1" % addr0):
        raise Exception("Failed to set serverTimeout")
    hapd.request("EAPOL_REAUTH " + dev[0].own_addr())
    # The result of this wait is not checked.
    started = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)

    # Wait (up to 40 s) for aWhile to become non-zero.
    for _ in range(40):
        awhile = int(hapd.get_sta(addr0, info="eapol")['aWhile'])
        if awhile > 0:
            break
        time.sleep(1)
    if awhile == 0:
        raise Exception("aWhile did not increase")

    hapd.dump_monitor()
    # Then wait for it to fall below 5 before expecting the restart.
    for _ in range(40):
        awhile = int(hapd.get_sta(addr0, info="eapol")['aWhile'])
        if awhile < 5:
            break
        time.sleep(1)
    if hapd.wait_event(["CTRL-EVENT-EAP-PROPOSED"], timeout=10) is None:
        raise Exception("Authentication restart not seen")
def test_ieee8021x_static_wep40(dev, apdev):
    """IEEE 802.1X connection using static WEP40"""
    # Quoted five-character key, used identically on the AP and the station.
    wep_key = '"hello"'

    ap_conf = hostapd.radius_params()
    ap_conf["ssid"] = "ieee8021x-wep"
    ap_conf["ieee8021x"] = "1"
    ap_conf["wep_key0"] = wep_key
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_conf)

    sta = dev[0]
    # eapol_flags="0": the static key is used, no dynamic keys are requested.
    sta.connect("ieee8021x-wep", key_mgmt="IEEE8021X", eap="PSK",
                identity="*****@*****.**",
                password_hex="0123456789abcdef0123456789abcdef",
                wep_key0=wep_key, eapol_flags="0",
                scan_freq="2412")
    hwsim_utils.test_connectivity(sta, ap)
def test_radius_macacl_acct(dev, apdev):
    """RADIUS MAC ACL and accounting enabled"""
    ap_conf = hostapd.radius_params()
    # Loopback accounting server with a fixed test shared secret; these values
    # only make sense inside the test environment.
    for key, value in (
        ("ssid", "radius"),
        ("macaddr_acl", "2"),
        ('acct_server_addr', "127.0.0.1"),
        ('acct_server_port', "1813"),
        ('acct_server_shared_secret', "radius"),
    ):
        ap_conf[key] = value
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)

    # Two open-network stations are admitted through the MAC ACL.
    for sta in (dev[0], dev[1]):
        sta.connect("radius", key_mgmt="NONE", scan_freq="2412")

    # Cycle the second station; the reconnect itself is not waited for.
    second = dev[1]
    second.request("DISCONNECT")
    second.wait_disconnected()
    second.request("RECONNECT")
def test_ieee8021x_wep_index_workaround(dev, apdev):
    """IEEE 802.1X and EAPOL-Key index workaround"""
    # NOTE(review): presumably skips the test on FIPS builds -- confirm.
    skip_with_fips(dev[0])

    ap_conf = hostapd.radius_params()
    # Only a broadcast key length is configured here, together with the
    # eapol_key_index_workaround option under test.
    for key, value in (
        ("ssid", "ieee8021x-wep"),
        ("ieee8021x", "1"),
        ("wep_key_len_broadcast", "5"),
        ("eapol_key_index_workaround", "1"),
    ):
        ap_conf[key] = value
    hapd = hostapd.add_ap(apdev[0], ap_conf)

    sta = dev[0]
    sta.connect("ieee8021x-wep", key_mgmt="IEEE8021X", eapol_flags="1",
                eap="PSK", identity="*****@*****.**",
                password_hex="0123456789abcdef0123456789abcdef",
                scan_freq="2412")
def test_ieee8021x_and_wpa_enabled(dev, apdev):
    """IEEE 802.1X connection using dynamic WEP104 when WPA enabled"""
    # NOTE(review): presumably skips the test on FIPS builds -- confirm.
    skip_with_fips(dev[0])

    ap_conf = hostapd.radius_params()
    # 13-byte keys, i.e. dynamic WEP104; the AP side has no WPA configuration.
    for key, value in (
        ("ssid", "ieee8021x-wep"),
        ("ieee8021x", "1"),
        ("wep_key_len_broadcast", "13"),
        ("wep_key_len_unicast", "13"),
    ):
        ap_conf[key] = value
    ap = hostapd.add_ap(apdev[0], ap_conf)

    sta = dev[0]
    # The station profile permits both IEEE8021X and WPA-EAP; with this AP it
    # has to end up on the weaker dynamic-WEP option.
    sta.connect("ieee8021x-wep", key_mgmt="IEEE8021X WPA-EAP", eap="PSK",
                identity="*****@*****.**",
                password_hex="0123456789abcdef0123456789abcdef",
                scan_freq="2412")
    hwsim_utils.test_connectivity(sta, ap)
def test_ieee8021x_held(dev, apdev):
    """IEEE 802.1X and HELD state"""
    ap_conf = hostapd.radius_params()
    ap_conf["ssid"] = "ieee8021x-open"
    ap_conf["ieee8021x"] = "1"
    ap = hostapd.add_ap(apdev[0], ap_conf)
    bssid = apdev[0]['bssid']  # looked up but not used below

    # NOTE(review): presumably stops the AP from exchanging EAPOL frames on
    # its own so the supplicant times out into HELD -- confirm.
    ap.set("ext_eapol_frame_io", "1")
    try:
        # Short timers so the state changes happen within the polling windows.
        dev[0].request("SET EAPOL::startPeriod 1")
        dev[0].request("SET EAPOL::maxStart 0")
        dev[0].request("SET EAPOL::heldPeriod 1")
        dev[0].connect("ieee8021x-open", key_mgmt="IEEE8021X", eapol_flags="0",
                       eap="PSK", identity="*****@*****.**",
                       password_hex="0123456789abcdef0123456789abcdef",
                       scan_freq="2412", wait_connect=False)
        for _ in range(30):
            if dev[0].get_status_field('Supplicant PAE state') == "HELD":
                break
            time.sleep(0.25)
        else:
            raise Exception("PAE state HELD not reached")

        # Let the AP handle EAPOL again; the supplicant must leave HELD.
        ap.set("ext_eapol_frame_io", "0")
        for _ in range(30):
            if dev[0].get_status_field('Supplicant PAE state') != "HELD":
                break
            time.sleep(0.25)
        else:
            raise Exception("PAE state HELD not left")

        outcome = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                                     "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if outcome is None:
            raise Exception("Connection timed out")
        if "CTRL-EVENT-DISCONNECTED" in outcome:
            raise Exception("Unexpected disconnection")
    finally:
        # Restore the timer values so later tests see the usual settings.
        dev[0].request("SET EAPOL::startPeriod 30")
        dev[0].request("SET EAPOL::maxStart 3")
        dev[0].request("SET EAPOL::heldPeriod 60")
def test_ieee8021x_open_leap(dev, apdev):
    """IEEE 802.1X connection with LEAP included in configuration"""
    ap_conf = hostapd.radius_params()
    ap_conf["ssid"] = "ieee8021x-open"
    ap_conf["ieee8021x"] = "1"
    hapd = hostapd.add_ap(apdev[0], ap_conf)

    # dev[1] offers LEAP only and is not waited on.
    leap_only = dict(key_mgmt="IEEE8021X", eapol_flags="0",
                     eap="LEAP", identity="*****@*****.**",
                     password_hex="0123456789abcdef0123456789abcdef",
                     scan_freq="2412", wait_connect=False)
    dev[1].connect("ieee8021x-open", **leap_only)

    # dev[0] lists PSK ahead of LEAP and has to connect.
    psk_and_leap = dict(key_mgmt="IEEE8021X", eapol_flags="0",
                        eap="PSK LEAP", identity="*****@*****.**",
                        password_hex="0123456789abcdef0123456789abcdef",
                        scan_freq="2412")
    dev[0].connect("ieee8021x-open", **psk_and_leap)

    # The result of this wait is not checked, so the test passes whether or
    # not the LEAP-only station was rejected within the timeout.
    rejected = dev[1].wait_event(["CTRL-EVENT-AUTH-REJECT"], timeout=5)
    dev[1].request("DISCONNECT")
def run_static_wep(dev, apdev, key):
    # Shared body for the static-WEP cases: the same `key` is configured as
    # wep_key0 on the AP and in the station profile, then data connectivity is
    # verified.
    # NOTE(review): check_wep_capa presumably skips the test when the station
    # build has no WEP support -- confirm.
    check_wep_capa(dev[0])

    ap_conf = hostapd.radius_params()
    ap_conf["ssid"] = "ieee8021x-wep"
    ap_conf["ieee8021x"] = "1"
    ap_conf["wep_key0"] = key
    ap = hostapd.add_ap(apdev[0], ap_conf)

    sta = dev[0]
    # eapol_flags="0": the static key is used, no dynamic keys are requested.
    sta.connect("ieee8021x-wep", key_mgmt="IEEE8021X", eap="PSK",
                identity="*****@*****.**",
                password_hex="0123456789abcdef0123456789abcdef",
                wep_key0=key, eapol_flags="0",
                scan_freq="2412")
    hwsim_utils.test_connectivity(sta, ap)
def test_ieee8021x_eapol_key(dev, apdev):
    """IEEE 802.1X connection and EAPOL-Key protocol tests"""
    # NOTE(review): both guards presumably skip the test when WEP is
    # unavailable or the build is in FIPS mode -- confirm.
    check_wep_capa(dev[0])
    skip_with_fips(dev[0])

    ap_conf = hostapd.radius_params()
    for key, value in (
        ("ssid", "ieee8021x-wep"),
        ("ieee8021x", "1"),
        ("wep_key_len_broadcast", "5"),
        ("wep_key_len_unicast", "5"),
    ):
        ap_conf[key] = value
    hapd = hostapd.add_ap(apdev[0], ap_conf)
    bssid = apdev[0]['bssid']

    dev[0].connect("ieee8021x-wep", key_mgmt="IEEE8021X", eap="VENDOR-TEST",
                   identity="vendor-test", scan_freq="2412")

    # Hardcoded MSK from VENDOR-TEST
    # Fixed test-only key material; encrkey is not used below.
    encrkey = "1111111111111111111111111111111111111111111111111111111111111111"
    signkey = "2222222222222222222222222222222222222222222222222222222222222222"

    # Each entry is (start of frame, trailing key data). Every case carries a
    # field that disagrees with the rest of the frame; the supplicant has to
    # survive all of them.
    malformed = (
        # EAPOL-Key replay counter does not increase
        ("02030031" + "010005" + "0000000000000000" +
         "056c22d109f29d4d9fb9b9ccbad33283" + "02",
         "1c636a30a4"),
        # EAPOL-Key too large Key Length field value
        ("02030031" + "010021" + "ffffffffffffffff" +
         "056c22d109f29d4d9fb9b9ccbad33283" + "02",
         "1c636a30a4"),
        # EAPOL-Key too much key data
        ("0203004d" + "010005" + "ffffffffffffffff" +
         "056c22d109f29d4d9fb9b9ccbad33283" + "02",
         33 * "ff"),
        # EAPOL-Key too little key data
        ("02030030" + "010005" + "ffffffffffffffff" +
         "056c22d109f29d4d9fb9b9ccbad33283" + "02",
         "1c636a30"),
        # EAPOL-Key with no key data and too long WEP key length
        ("0203002c" + "010020" + "ffffffffffffffff" +
         "056c22d109f29d4d9fb9b9ccbad33283" + "02",
         ""),
    )
    for frame_start, key_data in malformed:
        send_eapol_key(dev[0], bssid, signkey, frame_start, key_data)
def test_ieee8021x_held(dev, apdev):
    """IEEE 802.1X and HELD state"""
    ap_conf = hostapd.radius_params()
    ap_conf["ssid"] = "ieee8021x-open"
    ap_conf["ieee8021x"] = "1"
    ap = hostapd.add_ap(apdev[0], ap_conf)
    bssid = apdev[0]['bssid']  # looked up but not used below

    # NOTE(review): presumably stops the AP from exchanging EAPOL frames on
    # its own so the supplicant times out into HELD -- confirm.
    ap.set("ext_eapol_frame_io", "1")
    try:
        # Short timers so the state changes happen within the polling windows.
        dev[0].request("SET EAPOL::startPeriod 1")
        dev[0].request("SET EAPOL::maxStart 0")
        dev[0].request("SET EAPOL::heldPeriod 1")
        dev[0].connect("ieee8021x-open", key_mgmt="IEEE8021X", eapol_flags="0",
                       eap="PSK", identity="*****@*****.**",
                       password_hex="0123456789abcdef0123456789abcdef",
                       scan_freq="2412", wait_connect=False)
        for _ in range(30):
            if dev[0].get_status_field('Supplicant PAE state') == "HELD":
                break
            time.sleep(0.25)
        else:
            raise Exception("PAE state HELD not reached")

        # Let the AP handle EAPOL again; the supplicant must leave HELD.
        ap.set("ext_eapol_frame_io", "0")
        for _ in range(30):
            if dev[0].get_status_field('Supplicant PAE state') != "HELD":
                break
            time.sleep(0.25)
        else:
            raise Exception("PAE state HELD not left")

        outcome = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                                     "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if outcome is None:
            raise Exception("Connection timed out")
        if "CTRL-EVENT-DISCONNECTED" in outcome:
            raise Exception("Unexpected disconnection")
    finally:
        # Restore the timer values so later tests see the usual settings.
        dev[0].request("SET EAPOL::startPeriod 30")
        dev[0].request("SET EAPOL::maxStart 3")
        dev[0].request("SET EAPOL::heldPeriod 60")
def test_ieee8021x_proto(dev, apdev):
    """IEEE 802.1X and EAPOL supplicant protocol testing"""
    ap_conf = hostapd.radius_params()
    ap_conf["ssid"] = "ieee8021x-open"
    ap_conf["ieee8021x"] = "1"
    hapd = hostapd.add_ap(apdev[0], ap_conf)
    bssid = apdev[0]['bssid']

    # Both stations use the same profile; dev[1] additionally has external
    # EAPOL frame I/O enabled and is not waited on.
    profile = dict(key_mgmt="IEEE8021X", eapol_flags="0",
                   eap="PSK", identity="*****@*****.**",
                   password_hex="0123456789abcdef0123456789abcdef",
                   scan_freq="2412")
    dev[1].request("SET ext_eapol_frame_io 1")
    dev[1].connect("ieee8021x-open", **dict(profile, wait_connect=False))
    net_id = dev[0].connect("ieee8021x-open", **profile)
    # The result of this wait is not checked.
    started = dev[1].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)

    mib_before = dev[0].get_mib()

    # Hex-encoded EAPOL frames injected through EAPOL_RX. The counters checked
    # at the end imply these include invalid frames and EAP length errors; the
    # supplicant must count and drop them rather than misparse them.
    injected_frames = (
        "11",
        "11223344",
        "020000050a93000501",
        "020300050a93000501",
        "0203002c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
        "0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
        "0203002c0100050000000000000000000000000000000000000000000000000000000000000000000000000000000000",
        "02aa00050a93000501",
    )
    for frame in injected_frames:
        reply = dev[0].request("EAPOL_RX " + bssid + " " + frame)
        if "OK" not in reply:
            raise Exception("EAPOL_RX to wpa_supplicant failed")
        # Same frame to the station with external frame I/O; reply ignored.
        dev[1].request("EAPOL_RX " + bssid + " " + frame)

    mib_after = dev[0].get_mib()

    logger.info("MIB before test frames: " + str(mib_before))
    logger.info("MIB after test frames: " + str(mib_after))

    for counter in ('dot1xSuppInvalidEapolFramesRx', 'dot1xSuppEapLengthErrorFramesRx'):
        if int(mib_after[counter]) <= int(mib_before[counter]):
            raise Exception(counter + " did not increase")
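def test_ap_ft_eap(dev, apdev):
    """WPA2-EAP-FT AP"""
    ssid = "test-ft"
    passphrase = "12345678"

    radius = hostapd.radius_params()
    params = ft_params1(ssid=ssid, passphrase=passphrase)
    params['wpa_key_mgmt'] = "FT-EAP"
    params["ieee8021x"] = "1"
    # items() views cannot be added together on Python 3; wrapping them in
    # list() works on both major versions. FT entries win on duplicate keys.
    params = dict(list(radius.items()) + list(params.items()))
    hostapd.add_ap(apdev[0]['ifname'], params)

    params = ft_params2(ssid=ssid, passphrase=passphrase)
    params['wpa_key_mgmt'] = "FT-EAP"
    params["ieee8021x"] = "1"
    params = dict(list(radius.items()) + list(params.items()))
    hostapd.add_ap(apdev[1]['ifname'], params)

    # Roam between the two FT-EAP APs using EAP credentials.
    run_roams(dev[0], apdev, ssid, passphrase, eap=True)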
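def test_ieee8021x_force_unauth(dev, apdev):
    """IEEE 802.1X and FORCE_UNAUTH state"""
    params = hostapd.radius_params()
    params["ssid"] = "ieee8021x-open"
    params["ieee8021x"] = "1"
    hostapd.add_ap(apdev[0], params)

    dev[0].connect("ieee8021x-open", key_mgmt="IEEE8021X", eapol_flags="0",
                   eap="PSK", identity="*****@*****.**",
                   password_hex="0123456789abcdef0123456789abcdef",
                   scan_freq="2412")
    try:
        # Forcing the supplicant port to unauthorized must drop the link.
        dev[0].request("SET EAPOL::portControl ForceUnauthorized")
        # Status query kept from the original sequence; its result is not
        # asserted.
        dev[0].get_status_field('Supplicant PAE state')
        dev[0].wait_disconnected()
    finally:
        # Restore the default even when the disconnect wait fails, so a
        # station stuck in ForceUnauthorized cannot affect later tests. The
        # other EAPOL tests restore their settings the same way.
        dev[0].request("SET EAPOL::portControl Auto")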
def test_ieee8021x_eapol_key(dev, apdev):
    """IEEE 802.1X connection and EAPOL-Key protocol tests"""
    # NOTE(review): presumably skips the test on FIPS builds -- confirm.
    skip_with_fips(dev[0])

    ap_conf = hostapd.radius_params()
    for key, value in (
        ("ssid", "ieee8021x-wep"),
        ("ieee8021x", "1"),
        ("wep_key_len_broadcast", "5"),
        ("wep_key_len_unicast", "5"),
    ):
        ap_conf[key] = value
    hapd = hostapd.add_ap(apdev[0], ap_conf)
    bssid = apdev[0]['bssid']

    dev[0].connect("ieee8021x-wep", key_mgmt="IEEE8021X", eap="VENDOR-TEST",
                   identity="vendor-test", scan_freq="2412")

    # Hardcoded MSK from VENDOR-TEST
    # Fixed test-only key material; encrkey is not used below.
    encrkey = "1111111111111111111111111111111111111111111111111111111111111111"
    signkey = "2222222222222222222222222222222222222222222222222222222222222222"

    # Each entry is (start of frame, trailing key data). Every case carries a
    # field that disagrees with the rest of the frame; the supplicant has to
    # survive all of them.
    malformed = (
        # EAPOL-Key replay counter does not increase
        ("02030031" + "010005" + "0000000000000000" +
         "056c22d109f29d4d9fb9b9ccbad33283" + "02",
         "1c636a30a4"),
        # EAPOL-Key too large Key Length field value
        ("02030031" + "010021" + "ffffffffffffffff" +
         "056c22d109f29d4d9fb9b9ccbad33283" + "02",
         "1c636a30a4"),
        # EAPOL-Key too much key data
        ("0203004d" + "010005" + "ffffffffffffffff" +
         "056c22d109f29d4d9fb9b9ccbad33283" + "02",
         33*"ff"),
        # EAPOL-Key too little key data
        ("02030030" + "010005" + "ffffffffffffffff" +
         "056c22d109f29d4d9fb9b9ccbad33283" + "02",
         "1c636a30"),
        # EAPOL-Key with no key data and too long WEP key length
        ("0203002c" + "010020" + "ffffffffffffffff" +
         "056c22d109f29d4d9fb9b9ccbad33283" + "02",
         ""),
    )
    for frame_start, key_data in malformed:
        send_eapol_key(dev[0], bssid, signkey, frame_start, key_data)
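def test_ap_ft_eap(dev, apdev):
    """WPA2-EAP-FT AP"""
    ssid = "test-ft"
    passphrase = "12345678"

    radius = hostapd.radius_params()
    params = ft_params1(ssid=ssid, passphrase=passphrase)
    params['wpa_key_mgmt'] = "FT-EAP"
    params["ieee8021x"] = "1"
    # items() views cannot be added together on Python 3; wrapping them in
    # list() works on both major versions. FT entries win on duplicate keys.
    params = dict(list(radius.items()) + list(params.items()))
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Confirm the AP really runs the intended AKM before relying on it.
    key_mgmt = hapd.get_config()['key_mgmt']
    if key_mgmt.split(' ')[0] != "FT-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)

    params = ft_params2(ssid=ssid, passphrase=passphrase)
    params['wpa_key_mgmt'] = "FT-EAP"
    params["ieee8021x"] = "1"
    params = dict(list(radius.items()) + list(params.items()))
    hostapd.add_ap(apdev[1]['ifname'], params)

    # Roam between the two FT-EAP APs using EAP credentials.
    run_roams(dev[0], apdev, ssid, passphrase, eap=True)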
def test_ieee8021x_reauth(dev, apdev):
    """IEEE 802.1X and EAPOL_REAUTH request"""
    ap_conf = hostapd.radius_params()
    ap_conf["ssid"] = "ieee8021x-open"
    ap_conf["ieee8021x"] = "1"
    ap = hostapd.add_ap(apdev[0], ap_conf)

    sta = dev[0]
    sta.connect("ieee8021x-open", key_mgmt="IEEE8021X", eapol_flags="0",
                eap="PSK", identity="*****@*****.**",
                password_hex="0123456789abcdef0123456789abcdef",
                scan_freq="2412")

    # The authenticator triggers reauthentication for this station; the
    # supplicant has to start EAP and finish it successfully.
    ap.request("EAPOL_REAUTH " + sta.own_addr())
    for event_name, failure in (
        ("CTRL-EVENT-EAP-STARTED", "EAP authentication did not start"),
        ("CTRL-EVENT-EAP-SUCCESS", "EAP authentication did not succeed"),
    ):
        if sta.wait_event([event_name], timeout=5) is None:
            raise Exception(failure)

    # Short pause before checking that traffic still flows.
    time.sleep(0.1)
    hwsim_utils.test_connectivity(sta, ap)
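def test_ap_ft_mismatching_rrb_r0kh_pull_eap(dev, apdev):
    """WPA2-EAP-FT AP over DS with mismatching R0KH key (pull)"""
    ssid = "test-ft"
    passphrase = "12345678"

    radius = hostapd.radius_params()
    # NOTE(review): this helper presumably gives the first AP an R0KH key that
    # its peer does not share; confirm against ft_params1_r0kh_mismatch.
    params = ft_params1_r0kh_mismatch(ssid=ssid, passphrase=passphrase)
    # pmk_r1_push=0 disables PMK-R1 push, so the target AP has to pull the key.
    params["pmk_r1_push"] = "0"
    params['wpa_key_mgmt'] = "FT-EAP"
    params["ieee8021x"] = "1"
    # items() views cannot be added together on Python 3; wrapping them in
    # list() works on both major versions. FT entries win on duplicate keys.
    params = dict(list(radius.items()) + list(params.items()))
    hapd0 = hostapd.add_ap(apdev[0]['ifname'], params)

    params = ft_params2(ssid=ssid, passphrase=passphrase)
    params["pmk_r1_push"] = "0"
    params['wpa_key_mgmt'] = "FT-EAP"
    params["ieee8021x"] = "1"
    params = dict(list(radius.items()) + list(params.items()))
    hapd1 = hostapd.add_ap(apdev[1]['ifname'], params)

    # fail_test=True: with mismatching keys between the APs the over-the-DS
    # roam is expected to fail.
    run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, over_ds=True,
              fail_test=True, eap=True)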
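def test_ap_ft_eap(dev, apdev):
    """WPA2-EAP-FT AP"""
    ssid = "test-ft"
    passphrase = "12345678"

    radius = hostapd.radius_params()
    params = ft_params1(ssid=ssid, passphrase=passphrase)
    params['wpa_key_mgmt'] = "FT-EAP"
    params["ieee8021x"] = "1"
    # items() views cannot be added together on Python 3; wrapping them in
    # list() works on both major versions. FT entries win on duplicate keys.
    params = dict(list(radius.items()) + list(params.items()))
    hapd = hostapd.add_ap(apdev[0], params)
    # Confirm the AP really runs the intended AKM before relying on it.
    key_mgmt = hapd.get_config()['key_mgmt']
    if key_mgmt.split(' ')[0] != "FT-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)

    params = ft_params2(ssid=ssid, passphrase=passphrase)
    params['wpa_key_mgmt'] = "FT-EAP"
    params["ieee8021x"] = "1"
    params = dict(list(radius.items()) + list(params.items()))
    hapd1 = hostapd.add_ap(apdev[1], params)

    run_roams(dev[0], apdev, hapd, hapd1, ssid, passphrase, eap=True)
    if "[WPA2-FT/EAP-CCMP]" not in dev[0].request("SCAN_RESULTS"):
        raise Exception("Scan results missing RSN element info")
    # 00-0f-ac-3 is the RSN AKM suite selector for FT over IEEE 802.1X; both
    # the requested and the selected suite must report it.
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-3"),
                       ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-3")])

    # Verify EAPOL reauthentication after FT protocol
    # The request goes to whichever AP the station is associated with now.
    if dev[0].get_status_field('bssid') == apdev[0]['bssid']:
        ap = hapd
    else:
        ap = hapd1
    ap.request("EAPOL_REAUTH " + dev[0].own_addr())
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)
    if ev is None:
        raise Exception("EAP authentication did not start")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=5)
    if ev is None:
        raise Exception("EAP authentication did not succeed")
    time.sleep(0.1)
    hwsim_utils.test_connectivity(dev[0], ap)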
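def test_ap_ft_eap(dev, apdev):
    """WPA2-EAP-FT AP"""
    ssid = "test-ft"
    passphrase = "12345678"

    radius = hostapd.radius_params()
    params = ft_params1(ssid=ssid, passphrase=passphrase)
    params['wpa_key_mgmt'] = "FT-EAP"
    params["ieee8021x"] = "1"
    # items() views cannot be added together on Python 3; wrapping them in
    # list() works on both major versions. FT entries win on duplicate keys.
    params = dict(list(radius.items()) + list(params.items()))
    hapd = hostapd.add_ap(apdev[0], params)
    # Confirm the AP really runs the intended AKM before relying on it.
    key_mgmt = hapd.get_config()['key_mgmt']
    if key_mgmt.split(' ')[0] != "FT-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)

    params = ft_params2(ssid=ssid, passphrase=passphrase)
    params['wpa_key_mgmt'] = "FT-EAP"
    params["ieee8021x"] = "1"
    params = dict(list(radius.items()) + list(params.items()))
    hapd1 = hostapd.add_ap(apdev[1], params)

    run_roams(dev[0], apdev, hapd, hapd1, ssid, passphrase, eap=True)
    if "[WPA2-FT/EAP-CCMP]" not in dev[0].request("SCAN_RESULTS"):
        raise Exception("Scan results missing RSN element info")
    # 00-0f-ac-3 is the RSN AKM suite selector for FT over IEEE 802.1X; both
    # the requested and the selected suite must report it.
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-3"),
                       ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-3")])

    # Verify EAPOL reauthentication after FT protocol
    # The request goes to whichever AP the station is associated with now.
    if dev[0].get_status_field('bssid') == apdev[0]['bssid']:
        ap = hapd
    else:
        ap = hapd1
    ap.request("EAPOL_REAUTH " + dev[0].own_addr())
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)
    if ev is None:
        raise Exception("EAP authentication did not start")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=5)
    if ev is None:
        raise Exception("EAP authentication did not succeed")
    time.sleep(0.1)
    hwsim_utils.test_connectivity(dev[0], ap)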
def test_pasn_ft_eap_sha384(dev, apdev):
    """PASN authentication with FT-EAP-SHA-384"""
    # NOTE(review): presumably skips the test without PASN support -- confirm.
    check_pasn_capab(dev[0])

    ssid = "test-pasn-ft-psk"
    passphrase = "12345678"
    identity = "gpsk user"  # not used below

    radius = hostapd.radius_params()

    def start_ap(ft_conf, ap_info):
        # ieee80211w=2 makes management frame protection mandatory.
        ft_conf["ieee80211w"] = "2"
        ft_conf['wpa_key_mgmt'] = "FT-EAP-SHA384 PASN"
        ft_conf["ieee8021x"] = "1"
        # RADIUS defaults first, FT settings on top of them.
        merged = dict(radius.items())
        merged.update(ft_conf.items())
        return hostapd.add_ap(ap_info, merged)

    hapd0 = start_ap(ft_params1(ssid=ssid, passphrase=passphrase), apdev[0])
    hapd1 = start_ap(ft_params2(ssid=ssid, passphrase=passphrase), apdev[1])

    run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, eap=True,
              sha384=True)

    # PASN is run against the AP the station is not associated with.
    on_first_ap = dev[0].get_status_field('bssid') == apdev[0]['bssid']
    pasn_hapd = hapd1 if on_first_ap else hapd0

    check_pasn_akmp_cipher(dev[0], pasn_hapd, "FT-EAP-SHA384", "CCMP")
def test_ieee8021x_open(dev, apdev):
    """IEEE 802.1X connection using open network"""
    ap_conf = hostapd.radius_params()
    ap_conf["ssid"] = "ieee8021x-open"
    ap_conf["ieee8021x"] = "1"
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)

    sta = dev[0]
    # eapol_flags="0": no dynamic WEP keys are requested, so traffic on this
    # BSS is unencrypted and IEEE 802.1X only gates port access.
    net_id = sta.connect("ieee8021x-open", key_mgmt="IEEE8021X", eapol_flags="0",
                         eap="PSK", identity="*****@*****.**",
                         password_hex="0123456789abcdef0123456789abcdef")
    hwsim_utils.test_connectivity(sta.ifname, apdev[0]['ifname'])

    logger.info("Test EAPOL-Logoff")
    sta.request("LOGOFF")
    event = sta.wait_event(["CTRL-EVENT-DISCONNECTED"])
    if event is None:
        raise Exception("Did not get disconnected")
    # Reason code 23 is "IEEE 802.1X authentication failed" in IEEE 802.11.
    if "reason=23" not in event:
        raise Exception("Unexpected disconnection reason")

    # After logging on again the same network profile must be usable.
    sta.request("LOGON")
    sta.connect_network(net_id)
    hwsim_utils.test_connectivity(sta.ifname, apdev[0]['ifname'])
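def test_ap_ft_eap(dev, apdev):
    """WPA2-EAP-FT AP"""
    # Two FT-EAP APs are started with the shared RADIUS settings, dev[0]
    # roams between them, and the MIB is checked for the negotiated AKM.
    ssid = "test-ft"
    passphrase = "12345678"
    radius = hostapd.radius_params()

    params = ft_params1(ssid=ssid, passphrase=passphrase)
    params['wpa_key_mgmt'] = "FT-EAP"
    params["ieee8021x"] = "1"
    # FT settings override RADIUS defaults (later pairs win). list() is
    # needed because Python 3 dict views cannot be concatenated with "+".
    params = dict(list(radius.items()) + list(params.items()))
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    # Make sure the AP reports FT-EAP as its first AKM before roaming.
    key_mgmt = hapd.get_config()['key_mgmt']
    if key_mgmt.split(' ')[0] != "FT-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)

    params = ft_params2(ssid=ssid, passphrase=passphrase)
    params['wpa_key_mgmt'] = "FT-EAP"
    params["ieee8021x"] = "1"
    params = dict(list(radius.items()) + list(params.items()))
    hostapd.add_ap(apdev[1]['ifname'], params)

    run_roams(dev[0], apdev, ssid, passphrase, eap=True)
    # 00-0f-ac-3 is the AKM selector for FT over IEEE 802.1X; both the
    # requested and the selected suite must match it.
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-3"),
                       ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-3")])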
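def test_ap_ft_eap_pull(dev, apdev):
    """WPA2-EAP-FT AP (pull PMK)"""
    # Same setup as the plain FT-EAP roaming test, but with pmk_r1_push set
    # to "0" on both APs so that, per the test name, the PMK-R1 has to be
    # pulled by the target AP instead of being pushed to it.
    ssid = "test-ft"
    passphrase = "12345678"
    radius = hostapd.radius_params()

    params = ft_params1(ssid=ssid, passphrase=passphrase)
    params['wpa_key_mgmt'] = "FT-EAP"
    params["ieee8021x"] = "1"
    params["pmk_r1_push"] = "0"
    # FT settings override RADIUS defaults (later pairs win). list() keeps
    # the merge working on Python 3, where items() returns a view.
    params = dict(list(radius.items()) + list(params.items()))
    hapd = hostapd.add_ap(apdev[0], params)

    # Confirm the AP reports FT-EAP as its first AKM before roaming.
    key_mgmt = hapd.get_config()['key_mgmt']
    if key_mgmt.split(' ')[0] != "FT-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)

    params = ft_params2(ssid=ssid, passphrase=passphrase)
    params['wpa_key_mgmt'] = "FT-EAP"
    params["ieee8021x"] = "1"
    params["pmk_r1_push"] = "0"
    params = dict(list(radius.items()) + list(params.items()))
    hapd1 = hostapd.add_ap(apdev[1], params)

    run_roams(dev[0], apdev, hapd, hapd1, ssid, passphrase, eap=True)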
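def test_ap_ft_eap_pull(dev, apdev):
    """WPA2-EAP-FT AP (pull PMK)"""
    ssid = "test-ft"
    passphrase = "12345678"
    radius = hostapd.radius_params()

    def pull_params(make_ft_params):
        # FT-EAP with 802.1X and PMK-R1 push disabled, merged over the
        # RADIUS defaults so the FT values win on key clashes. list() is
        # required on Python 3, where dict.items() views do not support "+".
        cfg = make_ft_params(ssid=ssid, passphrase=passphrase)
        cfg["wpa_key_mgmt"] = "FT-EAP"
        cfg["ieee8021x"] = "1"
        cfg["pmk_r1_push"] = "0"
        return dict(list(radius.items()) + list(cfg.items()))

    hapd = hostapd.add_ap(apdev[0]["ifname"], pull_params(ft_params1))
    # The first AKM reported by the AP must be FT-EAP; otherwise the roam
    # below would not be exercising the intended key management.
    key_mgmt = hapd.get_config()["key_mgmt"]
    if key_mgmt.split(" ")[0] != "FT-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)

    hapd1 = hostapd.add_ap(apdev[1]["ifname"], pull_params(ft_params2))

    run_roams(dev[0], apdev, hapd, hapd1, ssid, passphrase, eap=True)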
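def test_ap_vlan_wpa2_psk_radius_required(dev, apdev):
    """AP VLAN with WPA2-PSK and RADIUS attributes required"""
    # A local pyrad server answers the AP's RADIUS queries. It accepts every
    # request, but only attaches the tunnel (VLAN) attributes once the
    # 'long' event is set. With dynamic_vlan "2" the first station (no VLAN
    # attributes in the reply) must be refused and the second one admitted.
    try:
        import pyrad.server
        import pyrad.packet
        import pyrad.dictionary
    except ImportError:
        raise HwsimSkip("No pyrad modules available")

    class TestServer(pyrad.server.Server):
        def _HandleAuthPacket(self, pkt):
            pyrad.server.Server._HandleAuthPacket(self, pkt)
            logger.info("Received authentication request")
            reply = self.CreateReplyPacket(pkt)
            # Fixture behaviour: always Access-Accept; only the presence of
            # the VLAN attributes differs between the two test phases.
            reply.code = pyrad.packet.AccessAccept
            if self.t_events['long'].is_set():
                # Tunnel-Type 13 / Tunnel-Medium-Type 6 are the VLAN and
                # IEEE-802 values; the group ID "1" selects the VLAN.
                reply.AddAttribute("Tunnel-Type", 13)
                reply.AddAttribute("Tunnel-Medium-Type", 6)
                reply.AddAttribute("Tunnel-Private-Group-ID", "1")
            self.SendReplyPacket(pkt.fd, reply)

        def RunWithStop(self, t_events):
            self._poll = select.poll()
            self._fdmap = {}
            self._PrepareSockets()
            self.t_events = t_events

            # Poll with a 1 s timeout so the 'stop' event is noticed.
            while not t_events['stop'].is_set():
                for (fd, event) in self._poll.poll(1000):
                    if event == select.POLLIN:
                        try:
                            fdo = self._fdmap[fd]
                            self._ProcessInput(fdo)
                        # Qualified name: the bare ServerPacketError is not
                        # bound by the imports above.
                        except pyrad.server.ServerPacketError as err:
                            logger.info("pyrad server dropping packet: " + str(err))
                        except pyrad.packet.PacketError as err:
                            logger.info(
                                "pyrad server received invalid packet: " + str(err))
                    else:
                        logger.error(
                            "Unexpected event in pyrad server main loop")

    srv = TestServer(dict=pyrad.dictionary.Dictionary("dictionary.radius"),
                     authport=18138, acctport=18139)
    # Only 127.0.0.1 is registered as a RADIUS client, with the fixed test
    # shared secret "radius".
    srv.hosts["127.0.0.1"] = pyrad.server.RemoteHost("127.0.0.1",
                                                     "radius",
                                                     "localhost")
    # NOTE(review): "" presumably binds the wildcard address, so the
    # fixture listens on every interface while the test runs - confirm.
    srv.BindToAddress("")
    t_events = {}
    t_events['stop'] = threading.Event()
    t_events['long'] = threading.Event()
    # run_pyrad_server is defined elsewhere in the file; presumably it
    # calls srv.RunWithStop(t_events).
    t = threading.Thread(target=run_pyrad_server, args=(srv, t_events))
    t.start()

    try:
        ssid = "test-wpa2-psk"
        params = hostapd.radius_params()
        params['ssid'] = ssid
        params["wpa"] = "2"
        params["wpa_key_mgmt"] = "WPA-PSK"
        params["rsn_pairwise"] = "CCMP"
        params['macaddr_acl'] = '2'
        params['dynamic_vlan'] = "2"
        params['wpa_passphrase'] = '0123456789abcdefghi'
        # Point the AP at the local pyrad server started above.
        params['auth_server_port'] = "18138"
        hapd = hostapd.add_ap(apdev[0]['ifname'], params)

        # Negative case first: correct passphrase, but no VLAN attributes.
        logger.info("connecting without VLAN")
        dev[0].connect(ssid, psk="0123456789abcdefghi", scan_freq="2412",
                       wait_connect=False)
        ev = dev[0].wait_event(
            ["CTRL-EVENT-CONNECTED", "CTRL-EVENT-SSID-TEMP-DISABLED"],
            timeout=20)
        if ev is None:
            raise Exception("Timeout on connection attempt")
        if "CTRL-EVENT-CONNECTED" in ev:
            raise Exception("Unexpected success without vlan parameters")
        logger.info("connecting without VLAN failed as expected")

        # Positive case: the server now adds the tunnel attributes.
        t_events['long'].set()
        logger.info("connecting with VLAN")
        dev[2].connect(ssid, psk="0123456789abcdefghi", scan_freq="2412",
                       wait_connect=False)
        ev = dev[2].wait_event(
            ["CTRL-EVENT-CONNECTED", "CTRL-EVENT-SSID-TEMP-DISABLED"],
            timeout=20)
        if ev is None:
            raise Exception("Timeout on connection attempt")
        if "CTRL-EVENT-SSID-TEMP-DISABLED" in ev:
            raise Exception("Unexpected failure with vlan parameters")
        logger.info("connecting with VLAN succeeded as expected")
    finally:
        # Always stop the server thread, even when an assertion fails.
        t_events['stop'].set()
        t.join()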
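def test_radius_psk(dev, apdev):
    """WPA2 with PSK from RADIUS"""
    # A local pyrad server returns the per-station passphrase in an
    # encrypted Tunnel-Password attribute. Before the 'long' event is set
    # it hands out "12345678"; afterwards "0123456789abcdef". Each station
    # connects with the matching PSK.
    try:
        import pyrad.server
        import pyrad.packet
        import pyrad.dictionary
    except ImportError:
        raise HwsimSkip("No pyrad modules available")

    class TestServer(pyrad.server.Server):
        def _HandleAuthPacket(self, pkt):
            pyrad.server.Server._HandleAuthPacket(self, pkt)
            logger.info("Received authentication request")
            reply = self.CreateReplyPacket(pkt)
            # Fixture behaviour: every request is accepted.
            reply.code = pyrad.packet.AccessAccept
            # Two-byte salt. It is a fixed value here, which is acceptable
            # only because this is a test fixture.
            a = "\xab\xcd"
            secret = reply.secret
            # NOTE(review): the str and bytes literals below are mixed with
            # "+", which only works on Python 2 - confirm the target
            # interpreter before porting.
            # The MD5 keystream is what the Tunnel-Password encoding itself
            # prescribes (presumably RFC 2868); it is not a free choice of
            # hash.
            if self.t_events['long'].is_set():
                # Plaintext: length byte, 16-char passphrase, zero padding
                # up to two 16-byte blocks.
                p = b'\x10' + "0123456789abcdef" + 15 * b'\x00'
                # Block 1 keystream: MD5(secret + request authenticator +
                # salt).
                b = hashlib.md5(secret + pkt.authenticator + a).digest()
                pp = bytearray(p[0:16])
                bb = bytearray(b)
                cc = bytearray(pp[i] ^ bb[i] for i in range(len(bb)))

                # Block 2 keystream: MD5(secret + previous ciphertext).
                b = hashlib.md5(reply.secret + bytes(cc)).digest()
                pp = bytearray(p[16:32])
                bb = bytearray(b)
                cc += bytearray(pp[i] ^ bb[i] for i in range(len(bb)))

                # Attribute value: tag byte, salt, ciphertext.
                data = '\x00' + a + bytes(cc)
            else:
                # Single-block case: length byte, 8-char passphrase, padding.
                p = b'\x08' + "12345678" + 7 * b'\x00'
                b = hashlib.md5(secret + pkt.authenticator + a).digest()
                pp = bytearray(p)
                bb = bytearray(b)
                cc = bytearray(pp[i] ^ bb[i] for i in range(len(bb)))
                data = '\x00' + a + bytes(cc)
            reply.AddAttribute("Tunnel-Password", data)
            self.SendReplyPacket(pkt.fd, reply)

        def RunWithStop(self, t_events):
            self._poll = select.poll()
            self._fdmap = {}
            self._PrepareSockets()
            self.t_events = t_events

            # Poll with a 1 s timeout so the 'stop' event is noticed.
            while not t_events['stop'].is_set():
                for (fd, event) in self._poll.poll(1000):
                    if event == select.POLLIN:
                        try:
                            fdo = self._fdmap[fd]
                            self._ProcessInput(fdo)
                        # Qualified name: the bare ServerPacketError is not
                        # bound by the imports above.
                        except pyrad.server.ServerPacketError as err:
                            logger.info("pyrad server dropping packet: " + str(err))
                        except pyrad.packet.PacketError as err:
                            logger.info(
                                "pyrad server received invalid packet: " + str(err))
                    else:
                        logger.error(
                            "Unexpected event in pyrad server main loop")

    srv = TestServer(dict=pyrad.dictionary.Dictionary("dictionary.radius"),
                     authport=18138, acctport=18139)
    # Only 127.0.0.1 is registered as a RADIUS client, with the fixed test
    # shared secret "radius".
    srv.hosts["127.0.0.1"] = pyrad.server.RemoteHost("127.0.0.1",
                                                     "radius",
                                                     "localhost")
    # NOTE(review): "" presumably binds the wildcard address, so the
    # fixture listens on every interface while the test runs - confirm.
    srv.BindToAddress("")
    t_events = {}
    t_events['stop'] = threading.Event()
    t_events['long'] = threading.Event()
    # run_pyrad_server is defined elsewhere in the file; presumably it
    # calls srv.RunWithStop(t_events).
    t = threading.Thread(target=run_pyrad_server, args=(srv, t_events))
    t.start()

    try:
        ssid = "test-wpa2-psk"
        params = hostapd.radius_params()
        params['ssid'] = ssid
        params["wpa"] = "2"
        params["wpa_key_mgmt"] = "WPA-PSK"
        params["rsn_pairwise"] = "CCMP"
        params['macaddr_acl'] = '2'
        # No wpa_passphrase is configured on the AP; per the test title the
        # PSK comes from the RADIUS reply.
        params['wpa_psk_radius'] = '2'
        # Point the AP at the local pyrad server started above.
        params['auth_server_port'] = "18138"
        hapd = hostapd.add_ap(apdev[0]['ifname'], params)
        dev[0].connect(ssid, psk="12345678", scan_freq="2412")
        # Switch the server to the 16-character passphrase.
        t_events['long'].set()
        dev[1].connect(ssid, psk="0123456789abcdef", scan_freq="2412")
    finally:
        # Always stop the server thread, even when a connect fails.
        t_events['stop'].set()
        t.join()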
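def test_radius_psk(dev, apdev):
    """WPA2 with PSK from RADIUS"""
    # The AP has no passphrase of its own: a local pyrad server supplies it
    # per request inside an encrypted Tunnel-Password attribute. The 'long'
    # event switches the server from the 8-character to the 16-character
    # passphrase between the two station connections.
    try:
        import pyrad.server
        import pyrad.packet
        import pyrad.dictionary
    except ImportError:
        raise HwsimSkip("No pyrad modules available")

    class TestServer(pyrad.server.Server):
        def _HandleAuthPacket(self, pkt):
            pyrad.server.Server._HandleAuthPacket(self, pkt)
            logger.info("Received authentication request")
            reply = self.CreateReplyPacket(pkt)
            # Unconditional Access-Accept: this server is a test fixture.
            reply.code = pyrad.packet.AccessAccept
            # Salt prepended to the ciphertext; constant here because the
            # fixture does not need per-packet uniqueness.
            a = "\xab\xcd"
            secret = reply.secret
            # NOTE(review): "+" between bytes and str literals below works
            # on Python 2 only - verify before running under Python 3.
            # MD5 is used because the attribute encoding (presumably
            # RFC 2868 Tunnel-Password) defines its keystream that way.
            if self.t_events['long'].is_set():
                # 32-byte plaintext: length 0x10, passphrase, zero padding.
                p = b'\x10' + "0123456789abcdef" + 15 * b'\x00'
                # First 16 bytes are XORed with
                # MD5(secret + authenticator + salt).
                b = hashlib.md5(secret + pkt.authenticator + a).digest()
                pp = bytearray(p[0:16])
                bb = bytearray(b)
                cc = bytearray(pp[i] ^ bb[i] for i in range(len(bb)))

                # Second 16 bytes are XORed with MD5(secret + first
                # ciphertext block), chaining the blocks together.
                b = hashlib.md5(reply.secret + bytes(cc)).digest()
                pp = bytearray(p[16:32])
                bb = bytearray(b)
                cc += bytearray(pp[i] ^ bb[i] for i in range(len(bb)))

                # Value layout: tag 0x00, salt, ciphertext.
                data = '\x00' + a + bytes(cc)
            else:
                # 16-byte plaintext: length 0x08, passphrase, zero padding.
                p = b'\x08' + "12345678" + 7 * b'\x00'
                b = hashlib.md5(secret + pkt.authenticator + a).digest()
                pp = bytearray(p)
                bb = bytearray(b)
                cc = bytearray(pp[i] ^ bb[i] for i in range(len(bb)))
                data = '\x00' + a + bytes(cc)
            reply.AddAttribute("Tunnel-Password", data)
            self.SendReplyPacket(pkt.fd, reply)

        def RunWithStop(self, t_events):
            self._poll = select.poll()
            self._fdmap = {}
            self._PrepareSockets()
            self.t_events = t_events

            # The 1000 ms poll timeout bounds how long a stop request waits.
            while not t_events['stop'].is_set():
                for (fd, event) in self._poll.poll(1000):
                    if event == select.POLLIN:
                        try:
                            fdo = self._fdmap[fd]
                            self._ProcessInput(fdo)
                        # Use the qualified exception name; a bare
                        # ServerPacketError is not bound by the imports in
                        # this function.
                        except pyrad.server.ServerPacketError as err:
                            logger.info("pyrad server dropping packet: " + str(err))
                        except pyrad.packet.PacketError as err:
                            logger.info("pyrad server received invalid packet: " + str(err))
                    else:
                        logger.error("Unexpected event in pyrad server main loop")

    srv = TestServer(dict=pyrad.dictionary.Dictionary("dictionary.radius"),
                     authport=18138, acctport=18139)
    # The only registered RADIUS client is 127.0.0.1, using the fixed test
    # shared secret "radius".
    srv.hosts["127.0.0.1"] = pyrad.server.RemoteHost("127.0.0.1",
                                                     "radius",
                                                     "localhost")
    # NOTE(review): an empty bind address presumably means all interfaces;
    # confirm the fixture is only run on isolated test hosts.
    srv.BindToAddress("")
    t_events = {}
    t_events['stop'] = threading.Event()
    t_events['long'] = threading.Event()
    # run_pyrad_server lives elsewhere in the file; presumably it invokes
    # srv.RunWithStop(t_events).
    t = threading.Thread(target=run_pyrad_server, args=(srv, t_events))
    t.start()

    try:
        ssid = "test-wpa2-psk"
        params = hostapd.radius_params()
        params['ssid'] = ssid
        params["wpa"] = "2"
        params["wpa_key_mgmt"] = "WPA-PSK"
        params["rsn_pairwise"] = "CCMP"
        params['macaddr_acl'] = '2'
        params['wpa_psk_radius'] = '2'
        # Must match the authport of the pyrad server above.
        params['auth_server_port'] = "18138"
        hapd = hostapd.add_ap(apdev[0]['ifname'], params)
        dev[0].connect(ssid, psk="12345678", scan_freq="2412")
        # From here on the server returns the 16-character passphrase.
        t_events['long'].set()
        dev[1].connect(ssid, psk="0123456789abcdef", scan_freq="2412")
    finally:
        # Stop and join the server thread on every exit path.
        t_events['stop'].set()
        t.join()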
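def test_ap_vlan_wpa2_psk_radius_required(dev, apdev):
    """AP VLAN with WPA2-PSK and RADIUS attributes required"""
    # Checks that a station knowing the passphrase is still refused when
    # the RADIUS reply carries no VLAN assignment, and admitted once the
    # local pyrad server starts adding the tunnel attributes.
    try:
        import pyrad.server
        import pyrad.packet
        import pyrad.dictionary
    except ImportError:
        raise HwsimSkip("No pyrad modules available")

    class TestServer(pyrad.server.Server):
        def _HandleAuthPacket(self, pkt):
            pyrad.server.Server._HandleAuthPacket(self, pkt)
            logger.info("Received authentication request")
            reply = self.CreateReplyPacket(pkt)
            # Unconditional Access-Accept: the test varies only whether the
            # VLAN attributes are present.
            reply.code = pyrad.packet.AccessAccept
            if self.t_events['long'].is_set():
                # 13 and 6 are the VLAN tunnel type and IEEE-802 medium
                # type; "1" is the VLAN the station is placed in.
                reply.AddAttribute("Tunnel-Type", 13)
                reply.AddAttribute("Tunnel-Medium-Type", 6)
                reply.AddAttribute("Tunnel-Private-Group-ID", "1")
            self.SendReplyPacket(pkt.fd, reply)

        def RunWithStop(self, t_events):
            self._poll = select.poll()
            self._fdmap = {}
            self._PrepareSockets()
            self.t_events = t_events

            # The 1000 ms poll timeout bounds how long a stop request waits.
            while not t_events['stop'].is_set():
                for (fd, event) in self._poll.poll(1000):
                    if event == select.POLLIN:
                        try:
                            fdo = self._fdmap[fd]
                            self._ProcessInput(fdo)
                        # Use the qualified exception name; a bare
                        # ServerPacketError is not bound by the imports in
                        # this function.
                        except pyrad.server.ServerPacketError as err:
                            logger.info("pyrad server dropping packet: " + str(err))
                        except pyrad.packet.PacketError as err:
                            logger.info("pyrad server received invalid packet: " + str(err))
                    else:
                        logger.error("Unexpected event in pyrad server main loop")

    srv = TestServer(dict=pyrad.dictionary.Dictionary("dictionary.radius"),
                     authport=18138, acctport=18139)
    # The only registered RADIUS client is 127.0.0.1, using the fixed test
    # shared secret "radius".
    srv.hosts["127.0.0.1"] = pyrad.server.RemoteHost("127.0.0.1",
                                                     "radius",
                                                     "localhost")
    # NOTE(review): an empty bind address presumably means all interfaces;
    # confirm the fixture is only run on isolated test hosts.
    srv.BindToAddress("")
    t_events = {}
    t_events['stop'] = threading.Event()
    t_events['long'] = threading.Event()
    # run_pyrad_server lives elsewhere in the file; presumably it invokes
    # srv.RunWithStop(t_events).
    t = threading.Thread(target=run_pyrad_server, args=(srv, t_events))
    t.start()

    try:
        ssid = "test-wpa2-psk"
        params = hostapd.radius_params()
        params['ssid'] = ssid
        params["wpa"] = "2"
        params["wpa_key_mgmt"] = "WPA-PSK"
        params["rsn_pairwise"] = "CCMP"
        params['macaddr_acl'] = '2'
        params['dynamic_vlan'] = "2"
        params['wpa_passphrase'] = '0123456789abcdefghi'
        # Must match the authport of the pyrad server above.
        params['auth_server_port'] = "18138"
        hapd = hostapd.add_ap(apdev[0]['ifname'], params)

        # Phase 1: valid passphrase, reply without VLAN attributes.
        logger.info("connecting without VLAN")
        dev[0].connect(ssid, psk="0123456789abcdefghi", scan_freq="2412",
                       wait_connect=False)
        ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                                "CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=20)
        if ev is None:
            raise Exception("Timeout on connection attempt")
        if "CTRL-EVENT-CONNECTED" in ev:
            raise Exception("Unexpected success without vlan parameters")
        logger.info("connecting without VLAN failed as expected")

        # Phase 2: same passphrase, reply now carries the VLAN attributes.
        t_events['long'].set()
        logger.info("connecting with VLAN")
        dev[2].connect(ssid, psk="0123456789abcdefghi", scan_freq="2412",
                       wait_connect=False)
        ev = dev[2].wait_event(["CTRL-EVENT-CONNECTED",
                                "CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=20)
        if ev is None:
            raise Exception("Timeout on connection attempt")
        if "CTRL-EVENT-SSID-TEMP-DISABLED" in ev:
            raise Exception("Unexpected failure with vlan parameters")
        logger.info("connecting with VLAN succeeded as expected")
    finally:
        # Stop and join the server thread on every exit path.
        t_events['stop'].set()
        t.join()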