def check_group_mgmt_cipher(dev, ap, cipher): wt = Wlantest() wt.flush() wt.add_passphrase("12345678") if cipher not in dev.get_capability("group_mgmt"): raise HwsimSkip("Cipher %s not supported" % cipher) params = { "ssid": "test-wpa2-psk-pmf", "wpa_passphrase": "12345678", "wpa": "2", "ieee80211w": "2", "wpa_key_mgmt": "WPA-PSK-SHA256", "rsn_pairwise": "CCMP", "group_mgmt_cipher": cipher } hapd = hostapd.add_ap(ap['ifname'], params) dev.connect("test-wpa2-psk-pmf", psk="12345678", ieee80211w="2", key_mgmt="WPA-PSK-SHA256", pairwise="CCMP", group="CCMP", scan_freq="2412") hwsim_utils.test_connectivity(dev, hapd) hapd.request("DEAUTHENTICATE ff:ff:ff:ff:ff:ff") dev.wait_disconnected() if wt.get_bss_counter('valid_bip_mmie', ap['bssid']) < 1: raise Exception("No valid BIP MMIE seen") if wt.get_bss_counter('bip_deauth', ap['bssid']) < 1: raise Exception("No valid BIP deauth seen") if cipher == "AES-128-CMAC": group_mgmt = "BIP" else: group_mgmt = cipher res = wt.info_bss('group_mgmt', ap['bssid']).strip() if res != group_mgmt: raise Exception("Unexpected group mgmt cipher: " + res)
def check_group_mgmt_cipher(dev, ap, cipher, sta_req_cipher=None): if cipher not in dev.get_capability("group_mgmt"): raise HwsimSkip("Cipher %s not supported" % cipher) params = { "ssid": "test-wpa2-psk-pmf", "wpa_passphrase": "12345678", "wpa": "2", "ieee80211w": "2", "wpa_key_mgmt": "WPA-PSK-SHA256", "rsn_pairwise": "CCMP", "group_mgmt_cipher": cipher } hapd = hostapd.add_ap(ap, params) Wlantest.setup(hapd) wt = Wlantest() wt.flush() wt.add_passphrase("12345678") dev.connect("test-wpa2-psk-pmf", psk="12345678", ieee80211w="2", key_mgmt="WPA-PSK-SHA256", group_mgmt=sta_req_cipher, pairwise="CCMP", group="CCMP", scan_freq="2412") hwsim_utils.test_connectivity(dev, hapd) hapd.request("DEAUTHENTICATE ff:ff:ff:ff:ff:ff") dev.wait_disconnected() if wt.get_bss_counter('valid_bip_mmie', ap['bssid']) < 1: raise Exception("No valid BIP MMIE seen") if wt.get_bss_counter('bip_deauth', ap['bssid']) < 1: raise Exception("No valid BIP deauth seen") if cipher == "AES-128-CMAC": group_mgmt = "BIP" else: group_mgmt = cipher res = wt.info_bss('group_mgmt', ap['bssid']).strip() if res != group_mgmt: raise Exception("Unexpected group mgmt cipher: " + res)
def run_ap_pmf_beacon_protection(dev, apdev, cipher): ssid = "test-beacon-prot" params = hostapd.wpa2_params(ssid=ssid, passphrase="12345678") params["wpa_key_mgmt"] = "WPA-PSK-SHA256" params["ieee80211w"] = "2" params["beacon_prot"] = "1" params["group_mgmt_cipher"] = cipher try: hapd = hostapd.add_ap(apdev[0], params) except Exception as e: if "Failed to enable hostapd interface" in str(e): raise HwsimSkip("Beacon protection not supported") raise bssid = hapd.own_addr() Wlantest.setup(hapd) wt = Wlantest() wt.flush() wt.add_passphrase("12345678") # STA with Beacon protection enabled dev[0].connect(ssid, psk="12345678", ieee80211w="2", beacon_prot="1", key_mgmt="WPA-PSK-SHA256", proto="WPA2", scan_freq="2412") # STA with Beacon protection disabled dev[1].connect(ssid, psk="12345678", ieee80211w="2", key_mgmt="WPA-PSK-SHA256", proto="WPA2", scan_freq="2412") time.sleep(1) check_mac80211_bigtk(dev[0], hapd) valid_bip = wt.get_bss_counter('valid_bip_mmie', bssid) invalid_bip = wt.get_bss_counter('invalid_bip_mmie', bssid) missing_bip = wt.get_bss_counter('missing_bip_mmie', bssid) logger.info("wlantest BIP counters: valid=%d invalid=%d missing=%d" % (valid_bip, invalid_bip, missing_bip)) if valid_bip < 0 or invalid_bip > 0 or missing_bip > 0: raise Exception( "Unexpected wlantest BIP counters: valid=%d invalid=%d missing=%d" % (valid_bip, invalid_bip, missing_bip))
def run_ap_pmf_beacon_protection(dev, apdev, cipher): ssid = "test-beacon-prot" params = hostapd.wpa2_params(ssid=ssid, passphrase="12345678") params["wpa_key_mgmt"] = "WPA-PSK-SHA256" params["ieee80211w"] = "2" params["beacon_prot"] = "1" params["group_mgmt_cipher"] = cipher try: hapd = hostapd.add_ap(apdev[0], params) except Exception as e: if "Failed to enable hostapd interface" in str(e): raise HwsimSkip("Beacon protection not supported") raise bssid = hapd.own_addr() Wlantest.setup(hapd) wt = Wlantest() wt.flush() wt.add_passphrase("12345678") # STA with Beacon protection enabled dev[0].connect(ssid, psk="12345678", ieee80211w="2", beacon_prot="1", key_mgmt="WPA-PSK-SHA256", proto="WPA2", scan_freq="2412") # STA with Beacon protection disabled dev[1].connect(ssid, psk="12345678", ieee80211w="2", key_mgmt="WPA-PSK-SHA256", proto="WPA2", scan_freq="2412") time.sleep(1) sta_key = None ap_key = None phy = dev[0].get_driver_status_field("phyname") keys = "/sys/kernel/debug/ieee80211/%s/keys" % phy try: for key in os.listdir(keys): keydir = os.path.join(keys, key) vals = mac80211_read_key(keydir) keyidx = int(vals['keyidx']) if keyidx == 6 or keyidx == 7: sta_key = vals break except OSError as e: raise HwsimSkip("debugfs not supported in mac80211 (STA)") phy = hapd.get_driver_status_field("phyname") keys = "/sys/kernel/debug/ieee80211/%s/keys" % phy try: for key in os.listdir(keys): keydir = os.path.join(keys, key) vals = mac80211_read_key(keydir) keyidx = int(vals['keyidx']) if keyidx == 6 or keyidx == 7: ap_key = vals break except OSError as e: raise HwsimSkip("debugfs not supported in mac80211 (AP)") if not sta_key: raise Exception("Could not find STA key information from debugfs") logger.info("STA key: " + str(sta_key)) if not ap_key: raise Exception("Could not find AP key information from debugfs") logger.info("AP key: " + str(ap_key)) if sta_key['key'] != ap_key['key']: raise Exception("AP and STA BIGTK mismatch") if sta_key['keyidx'] != ap_key['keyidx']: raise Exception("AP and STA BIGTK keyidx mismatch") if sta_key['algorithm'] != ap_key['algorithm']: raise Exception("AP and STA BIGTK algorithm mismatch") replays = int(sta_key['replays']) icverrors = int(sta_key['icverrors']) if replays > 0 or icverrors > 0: raise Exception( "STA reported errors: replays=%d icverrors=%d" % replays, icverrors) rx_spec = int(sta_key['rx_spec'], base=16) if rx_spec < 3: raise Exception( "STA did not update BIGTK receive counter sufficiently") tx_spec = int(ap_key['tx_spec'], base=16) if tx_spec < 3: raise Exception("AP did not update BIGTK BIPN sufficiently") valid_bip = wt.get_bss_counter('valid_bip_mmie', bssid) invalid_bip = wt.get_bss_counter('invalid_bip_mmie', bssid) missing_bip = wt.get_bss_counter('missing_bip_mmie', bssid) logger.info("wlantest BIP counters: valid=%d invalid=%d missing=%d" % (valid_bip, invalid_bip, missing_bip)) if valid_bip < 0 or invalid_bip > 0 or missing_bip > 0: raise Exception( "Unexpected wlantest BIP counters: valid=%d invalid=%d missing=%d" % (valid_bip, invalid_bip, missing_bip))