Exemplo n.º 1
0
def run_pmksa_cache_preauth_auto(dev, apdev):
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['bridge'] = 'ap-br0'
    params['rsn_preauth'] = '1'
    params['rsn_preauth_interfaces'] = 'ap-br0'

    hapd = hostapd.add_ap(apdev[0], params)
    hapd.cmd_execute(['brctl', 'setfd', 'ap-br0', '0'])
    hapd.cmd_execute(['ip', 'link', 'set', 'dev', 'ap-br0', 'up'])
    hapd2 = hostapd.add_ap(apdev[1], params)

    eap_connect(dev[0],
                None,
                "PAX",
                "*****@*****.**",
                password_hex="0123456789abcdef0123456789abcdef")

    found = False
    for i in range(20):
        time.sleep(0.5)
        res1 = dev[0].get_pmksa(apdev[0]['bssid'])
        res2 = dev[0].get_pmksa(apdev[1]['bssid'])
        if res1 and res2:
            found = True
            break
    if not found:
        raise Exception("The expected PMKSA cache entries not found")
Exemplo n.º 2
0
def test_eap_teap_client_cert(dev, apdev):
    """EAP-TEAP with client certificate in Phase 1"""
    check_eap_capa(dev[0], "TEAP")
    params = int_teap_server_params(eap_teap_auth="2")
    hapd = hostapd.add_ap(apdev[0], params)

    # verify server accept a client with certificate, but no Phase 2
    # configuration
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP",
                phase1="teap_provisioning=2",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key",
                ca_cert="auth_serv/ca.pem",
                pac_file="blob://teap_pac")
    dev[0].dump_monitor()
    res = eap_reauth(dev[0], "TEAP")
    if res['tls_session_reused'] != '1':
        raise Exception("EAP-TEAP could not use PAC session ticket")

    # verify server accepts a client without certificate
    eap_connect(dev[1], hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="******",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac")
Exemplo n.º 3
0
def test_pmksa_cache_preauth(dev, apdev):
    """RSN pre-authentication to generate PMKSA cache entry"""
    try:
        params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        params['bridge'] = 'ap-br0'
        hostapd.add_ap(apdev[0]['ifname'], params)
        subprocess.call(['brctl', 'setfd', 'ap-br0', '0'])
        subprocess.call(['ip', 'link', 'set', 'dev', 'ap-br0', 'up'])
        eap_connect(dev[0],
                    apdev[0],
                    "PAX",
                    "*****@*****.**",
                    password_hex="0123456789abcdef0123456789abcdef")

        params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        params['bridge'] = 'ap-br0'
        params['rsn_preauth'] = '1'
        params['rsn_preauth_interfaces'] = 'ap-br0'
        hostapd.add_ap(apdev[1]['ifname'], params)
        bssid1 = apdev[1]['bssid']
        dev[0].scan(freq="2412")
        success = False
        status_seen = False
        for i in range(0, 50):
            if not status_seen:
                status = dev[0].request("STATUS")
                if "Pre-authentication EAPOL state machines:" in status:
                    status_seen = True
            time.sleep(0.1)
            pmksa = dev[0].get_pmksa(bssid1)
            if pmksa:
                success = True
                break
        if not success:
            raise Exception(
                "No PMKSA cache entry created from pre-authentication")
        if not status_seen:
            raise Exception(
                "Pre-authentication EAPOL status was not available")

        dev[0].scan(freq="2412")
        if "[WPA2-EAP-CCMP-preauth]" not in dev[0].request("SCAN_RESULTS"):
            raise Exception("Scan results missing RSN element info")
        dev[0].request("ROAM " + bssid1)
        ev = dev[0].wait_event(
            ["CTRL-EVENT-EAP-STARTED", "CTRL-EVENT-CONNECTED"], timeout=10)
        if ev is None:
            raise Exception("Roaming with the AP timed out")
        if "CTRL-EVENT-EAP-STARTED" in ev:
            raise Exception("Unexpected EAP exchange")
        pmksa2 = dev[0].get_pmksa(bssid1)
        if pmksa2 is None:
            raise Exception("No PMKSA cache entry")
        if pmksa['pmkid'] != pmksa2['pmkid']:
            raise Exception("Unexpected PMKID change")

    finally:
        subprocess.call(['ip', 'link', 'set', 'dev', 'ap-br0', 'down'])
        subprocess.call(['brctl', 'delbr', 'ap-br0'])
Exemplo n.º 4
0
def test_eap_teap_basic_password_auth_no_password(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth and no password configured"""
    check_eap_capa(dev[0], "TEAP")
    params = int_teap_server_params(eap_teap_auth="1")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP",
                ca_cert="auth_serv/ca.pem",
                pac_file="blob://teap_pac", expect_failure=True)
Exemplo n.º 5
0
def test_pmksa_cache_preauth_vlan_enabled(dev, apdev):
    """RSN pre-authentication to generate PMKSA cache entry (dynamic_vlan optional but station without VLAN set)"""
    try:
        params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        params['bridge'] = 'ap-br0'
        params['dynamic_vlan'] = '1'
        hostapd.add_ap(apdev[0]['ifname'], params)
        subprocess.call(['brctl', 'setfd', 'ap-br0', '0'])
        subprocess.call(['ip', 'link', 'set', 'dev', 'ap-br0', 'up'])
        eap_connect(dev[0], apdev[0], "PAX", "*****@*****.**",
                    password_hex="0123456789abcdef0123456789abcdef")

        params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        params['bridge'] = 'ap-br0'
        params['rsn_preauth'] = '1'
        params['rsn_preauth_interfaces'] = 'ap-br0'
        params['dynamic_vlan'] = '1'
        hostapd.add_ap(apdev[1]['ifname'], params)
        bssid1 = apdev[1]['bssid']
        dev[0].scan(freq="2412")
        success = False
        status_seen = False
        for i in range(0, 50):
            if not status_seen:
                status = dev[0].request("STATUS")
                if "Pre-authentication EAPOL state machines:" in status:
                    status_seen = True
            time.sleep(0.1)
            pmksa = dev[0].get_pmksa(bssid1)
            if pmksa:
                success = True
                break
        if not success:
            raise Exception("No PMKSA cache entry created from pre-authentication")
        if not status_seen:
            raise Exception("Pre-authentication EAPOL status was not available")

        dev[0].scan(freq="2412")
        if "[WPA2-EAP-CCMP-preauth]" not in dev[0].request("SCAN_RESULTS"):
            raise Exception("Scan results missing RSN element info")
        dev[0].request("ROAM " + bssid1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
                                "CTRL-EVENT-CONNECTED"], timeout=10)
        if ev is None:
            raise Exception("Roaming with the AP timed out")
        if "CTRL-EVENT-EAP-STARTED" in ev:
            raise Exception("Unexpected EAP exchange")
        pmksa2 = dev[0].get_pmksa(bssid1)
        if pmksa2 is None:
            raise Exception("No PMKSA cache entry")
        if pmksa['pmkid'] != pmksa2['pmkid']:
            raise Exception("Unexpected PMKID change")

    finally:
        subprocess.call(['ip', 'link', 'set', 'dev', 'ap-br0', 'down'])
        subprocess.call(['brctl', 'delbr', 'ap-br0'])
Exemplo n.º 6
0
def test_eap_teap_eap_vendor(dev, apdev):
    """EAP-TEAP with inner EAP-vendor"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "VENDOR-TEST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "vendor-test-2",
                anonymous_identity="TEAP",
                ca_cert="auth_serv/ca.pem", phase2="auth=VENDOR-TEST",
                pac_file="blob://teap_pac")
Exemplo n.º 7
0
def test_eap_teap_eap_eke(dev, apdev):
    """EAP-TEAP with inner EAP-EKE"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "EKE")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user-eke-2",
                anonymous_identity="TEAP", password="******",
                ca_cert="auth_serv/ca.pem", phase2="auth=EKE",
                pac_file="blob://teap_pac")
Exemplo n.º 8
0
def run_eap_teap_eap_mschapv2_id(dev, apdev, eap_teap_id, failure=False):
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_teap_server_params(eap_teap_id=str(eap_teap_id))
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="******",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac",
                expect_failure=failure)
Exemplo n.º 9
0
def test_eap_teap_eap_mschapv2_separate_result(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 and separate message for Result TLV"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_teap_server_params(eap_teap_separate_result="1")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="******",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac")
Exemplo n.º 10
0
def test_eap_teap_peer_outer_tlvs(dev, apdev):
    """EAP-TEAP with peer Outer TLVs"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="******",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac", phase1="teap_test_outer_tlvs=1")
Exemplo n.º 11
0
def test_eap_teap_basic_password_auth_machine(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth using machine credential"""
    check_eap_capa(dev[0], "TEAP")
    params = int_teap_server_params(eap_teap_auth="1", eap_teap_id="2")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "",
                anonymous_identity="TEAP",
                machine_identity="machine", machine_password="******",
                ca_cert="auth_serv/ca.pem",
                pac_file="blob://teap_pac")
Exemplo n.º 12
0
def test_eap_teap_basic_password_auth_user_and_machine_no_machine(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth using user and machine credentials (no machine)"""
    check_eap_capa(dev[0], "TEAP")
    params = int_teap_server_params(eap_teap_auth="1", eap_teap_id="5")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user", password="******",
                anonymous_identity="TEAP",
                ca_cert="auth_serv/ca.pem",
                pac_file="blob://teap_pac",
                expect_failure=True)
Exemplo n.º 13
0
def test_eap_teap_fragmentation(dev, apdev):
    """EAP-TEAP with fragmentation"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="******",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac", fragment_size="100")
Exemplo n.º 14
0
def test_eap_teap_eap_mschapv2_user_and_machine_no_machine(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 using user and machine credentials (no machine)"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_teap_server_params(eap_teap_id="5")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user", password="******",
                anonymous_identity="TEAP",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac",
                expect_failure=True)
Exemplo n.º 15
0
def test_eap_teap_eap_mschapv2_machine(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 using machine credential"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_teap_server_params(eap_teap_id="2")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "",
                anonymous_identity="TEAP",
                machine_identity="machine", machine_password="******",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac")
Exemplo n.º 16
0
def run_eap_teap_tls_cs(dev, apdev, cipher):
    check_eap_capa(dev[0], "TEAP")
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("TLS library not supported for TLS CS configuration: " + tls)
    params = int_teap_server_params(eap_teap_auth="1")
    params['openssl_ciphers'] = cipher
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="******",
                ca_cert="auth_serv/ca.pem",
                pac_file="blob://teap_pac")
Exemplo n.º 17
0
def test_eap_teap_eap_eke_unauth_server_prov(dev, apdev):
    """EAP-TEAP with inner EAP-EKE and unauthenticated server provisioning"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "EKE")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user-eke-2",
                anonymous_identity="TEAP", password="******",
                phase1="teap_provisioning=1",
                phase2="auth=EKE", pac_file="blob://teap_pac")
    res = eap_reauth(dev[0], "TEAP")
    if res['tls_session_reused'] != '1':
        raise Exception("EAP-TEAP could not use PAC session ticket")
Exemplo n.º 18
0
def test_eap_teap_basic_password_auth_pac_binary(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth and PAC (binary)"""
    check_eap_capa(dev[0], "TEAP")
    params = int_teap_server_params(eap_teap_auth="1")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="******",
                phase1="teap_provisioning=2 teap_max_pac_list_len=2 teap_pac_format=binary",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac_bin")
    res = eap_reauth(dev[0], "TEAP")
    if res['tls_session_reused'] != '1':
        raise Exception("EAP-TEAP could not use PAC session ticket")
Exemplo n.º 19
0
def test_eap_teap_eap_mschapv2_pac_no_ca_cert(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 and PAC provisioning attempt without ca_cert"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="******",
                phase1="teap_provisioning=2",
                phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac")
    res = eap_reauth(dev[0], "TEAP")
    if res['tls_session_reused'] == '1':
        raise Exception("Unexpected use of PAC session ticket")
Exemplo n.º 20
0
def _test_pmksa_cache_preauth_timeout(dev, apdev):
    dev[0].request("SET dot11RSNAConfigSATimeout 1")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PAX", "*****@*****.**",
                password_hex="0123456789abcdef0123456789abcdef",
                bssid=apdev[0]['bssid'])
    if "OK" not in dev[0].request("PREAUTH f2:11:22:33:44:55"):
        raise Exception("PREAUTH failed")
    ev = dev[0].wait_event(["RSN: pre-authentication with"], timeout=5)
    if ev is None:
        raise Exception("No timeout event seen")
    if "timed out" not in ev:
        raise Exception("Unexpected event: " + ev)
Exemplo n.º 21
0
def test_eap_teap_eap_mschapv2_pac_no_inner_eap(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 and PAC without inner EAP"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_teap_server_params(eap_teap_pac_no_inner="1")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="******",
                phase1="teap_provisioning=2",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac")
    res = eap_reauth(dev[0], "TEAP")
    if res['tls_session_reused'] != '1':
        raise Exception("EAP-TEAP could not use PAC session ticket")
Exemplo n.º 22
0
def _test_pmksa_cache_preauth_oom(dev, apdev):
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['bridge'] = 'ap-br0'
    hapd = hostapd.add_ap(apdev[0], params)
    hostapd.cmd_execute(apdev[0], ['brctl', 'setfd', 'ap-br0', '0'])
    hostapd.cmd_execute(apdev[0], ['ip', 'link', 'set', 'dev', 'ap-br0', 'up'])
    eap_connect(dev[0],
                hapd,
                "PAX",
                "*****@*****.**",
                password_hex="0123456789abcdef0123456789abcdef",
                bssid=apdev[0]['bssid'])

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['bridge'] = 'ap-br0'
    params['rsn_preauth'] = '1'
    params['rsn_preauth_interfaces'] = 'ap-br0'
    hapd = hostapd.add_ap(apdev[1], params)
    bssid1 = apdev[1]['bssid']

    tests = [(1, "rsn_preauth_receive"), (2, "rsn_preauth_receive"),
             (1, "rsn_preauth_send"),
             (1, "wpa_auth_pmksa_add_preauth;rsn_preauth_finished")]
    for test in tests:
        hapd.request("DEAUTHENTICATE ff:ff:ff:ff:ff:ff")
        with alloc_fail(hapd, test[0], test[1]):
            dev[0].scan_for_bss(bssid1, freq="2412")
            if "OK" not in dev[0].request("PREAUTH " + bssid1):
                raise Exception("PREAUTH failed")

            success = False
            count = 0
            for i in range(50):
                time.sleep(0.1)
                pmksa = dev[0].get_pmksa(bssid1)
                if pmksa:
                    success = True
                    break
                state = hapd.request('GET_ALLOC_FAIL')
                if state.startswith('0:'):
                    count += 1
                    if count > 2:
                        break
            logger.info("PMKSA cache success: " + str(success))

            dev[0].request("PMKSA_FLUSH")
            dev[0].wait_disconnected()
            dev[0].wait_connected()
            dev[0].dump_monitor()
Exemplo n.º 23
0
def test_pmksa_cache_preauth_wpas_oom(dev, apdev):
    """RSN pre-authentication OOM in wpa_supplicant"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PAX", "*****@*****.**",
                password_hex="0123456789abcdef0123456789abcdef",
                bssid=apdev[0]['bssid'])
    for i in range(1, 11):
        with alloc_fail(dev[0], i, "rsn_preauth_init"):
            res = dev[0].request("PREAUTH f2:11:22:33:44:55").strip()
            logger.info("Iteration %d - PREAUTH command results: %s" % (i, res))
            for j in range(10):
                state = dev[0].request('GET_ALLOC_FAIL')
                if state.startswith('0:'):
                    break
                time.sleep(0.05)
Exemplo n.º 24
0
def test_eap_teap_eap_mschapv2_user_and_eap_tls_machine(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 user and EAP-TLS machine credentials"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    check_eap_capa(dev[0], "TLS")
    params = int_teap_server_params(eap_teap_id="5")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user", password="******",
                anonymous_identity="TEAP",
                machine_identity="cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                machine_phase2="auth=TLS",
                machine_ca_cert="auth_serv/ca.pem",
                machine_client_cert="auth_serv/user.pem",
                machine_private_key="auth_serv/user.key",
                pac_file="blob://teap_pac")
Exemplo n.º 25
0
def _test_pmksa_cache_preauth_oom(dev, apdev):
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['bridge'] = 'ap-br0'
    hapd = hostapd.add_ap(apdev[0], params)
    hostapd.cmd_execute(apdev[0], ['brctl', 'setfd', 'ap-br0', '0'])
    hostapd.cmd_execute(apdev[0], ['ip', 'link', 'set', 'dev', 'ap-br0', 'up'])
    eap_connect(dev[0], hapd, "PAX", "*****@*****.**",
                password_hex="0123456789abcdef0123456789abcdef",
                bssid=apdev[0]['bssid'])

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['bridge'] = 'ap-br0'
    params['rsn_preauth'] = '1'
    params['rsn_preauth_interfaces'] = 'ap-br0'
    hapd = hostapd.add_ap(apdev[1], params)
    bssid1 = apdev[1]['bssid']

    tests = [(1, "rsn_preauth_receive"),
             (2, "rsn_preauth_receive"),
             (1, "rsn_preauth_send"),
             (1, "wpa_auth_pmksa_add_preauth;rsn_preauth_finished")]
    for test in tests:
        hapd.request("DEAUTHENTICATE ff:ff:ff:ff:ff:ff")
        with alloc_fail(hapd, test[0], test[1]):
            dev[0].scan_for_bss(bssid1, freq="2412")
            if "OK" not in dev[0].request("PREAUTH " + bssid1):
                raise Exception("PREAUTH failed")

            success = False
            count = 0
            for i in range(50):
                time.sleep(0.1)
                pmksa = dev[0].get_pmksa(bssid1)
                if pmksa:
                    success = True
                    break
                state = hapd.request('GET_ALLOC_FAIL')
                if state.startswith('0:'):
                    count += 1
                    if count > 2:
                        break
            logger.info("PMKSA cache success: " + str(success))

            dev[0].request("PMKSA_FLUSH")
            dev[0].wait_disconnected()
            dev[0].wait_connected()
            dev[0].dump_monitor()
Exemplo n.º 26
0
def test_rsn_preauth_processing(dev, apdev):
    """RSN pre-authentication processing on AP"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['rsn_preauth'] = '1'
    params['rsn_preauth_interfaces'] = "lo"
    hapd = hostapd.add_ap(apdev[0], params)
    bssid = hapd.own_addr()
    _bssid = binascii.unhexlify(bssid.replace(':', ''))
    eap_connect(dev[0],
                hapd,
                "PAX",
                "*****@*****.**",
                password_hex="0123456789abcdef0123456789abcdef")
    addr = dev[0].own_addr()
    _addr = binascii.unhexlify(addr.replace(':', ''))

    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW,
                         socket.htons(0x88c7))
    sock.bind(("lo", socket.htons(0x88c7)))

    foreign = b"\x02\x03\x04\x05\x06\x07"
    proto = b"\x88\xc7"
    tests = []
    # RSN: too short pre-auth packet (len=14)
    tests += [_bssid + foreign + proto]
    # Not EAPOL-Start
    tests += [_bssid + foreign + proto + struct.pack('>BBH', 0, 0, 0)]
    # RSN: pre-auth for foreign address 02:03:04:05:06:07
    tests += [foreign + foreign + proto + struct.pack('>BBH', 0, 0, 0)]
    # RSN: pre-auth for already association STA 02:00:00:00:00:00
    tests += [_bssid + _addr + proto + struct.pack('>BBH', 0, 0, 0)]
    # New STA
    tests += [_bssid + foreign + proto + struct.pack('>BBH', 0, 1, 1)]
    # IEEE 802.1X: received EAPOL-Start from STA
    tests += [_bssid + foreign + proto + struct.pack('>BBH', 0, 1, 0)]
    # frame too short for this IEEE 802.1X packet
    tests += [_bssid + foreign + proto + struct.pack('>BBH', 0, 1, 1)]
    # EAPOL-Key - Dropped key data from unauthorized Supplicant
    tests += [_bssid + foreign + proto + struct.pack('>BBH', 2, 3, 0)]
    # EAPOL-Encapsulated-ASF-Alert
    tests += [_bssid + foreign + proto + struct.pack('>BBH', 2, 4, 0)]
    # unknown IEEE 802.1X packet type
    tests += [_bssid + foreign + proto + struct.pack('>BBH', 2, 255, 0)]
    for t in tests:
        sock.send(t)
Exemplo n.º 27
0
def test_rsn_preauth_processing(dev, apdev):
    """RSN pre-authentication processing on AP"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['rsn_preauth'] = '1'
    params['rsn_preauth_interfaces'] = "lo"
    hapd = hostapd.add_ap(apdev[0], params)
    bssid = hapd.own_addr()
    _bssid = binascii.unhexlify(bssid.replace(':', ''))
    eap_connect(dev[0], hapd, "PAX", "*****@*****.**",
                password_hex="0123456789abcdef0123456789abcdef")
    addr = dev[0].own_addr()
    _addr = binascii.unhexlify(addr.replace(':', ''))

    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW,
                         socket.htons(0x88c7))
    sock.bind(("lo", socket.htons(0x88c7)))

    foreign = b"\x02\x03\x04\x05\x06\x07"
    proto = b"\x88\xc7"
    tests = []
    # RSN: too short pre-auth packet (len=14)
    tests += [_bssid + foreign + proto]
    # Not EAPOL-Start
    tests += [_bssid + foreign + proto + struct.pack('>BBH', 0, 0, 0)]
    # RSN: pre-auth for foreign address 02:03:04:05:06:07
    tests += [foreign + foreign + proto + struct.pack('>BBH', 0, 0, 0)]
    # RSN: pre-auth for already association STA 02:00:00:00:00:00
    tests += [_bssid + _addr + proto + struct.pack('>BBH', 0, 0, 0)]
    # New STA
    tests += [_bssid + foreign + proto + struct.pack('>BBH', 0, 1, 1)]
    # IEEE 802.1X: received EAPOL-Start from STA
    tests += [_bssid + foreign + proto + struct.pack('>BBH', 0, 1, 0)]
    # frame too short for this IEEE 802.1X packet
    tests += [_bssid + foreign + proto + struct.pack('>BBH', 0, 1, 1)]
    # EAPOL-Key - Dropped key data from unauthorized Supplicant
    tests += [_bssid + foreign + proto + struct.pack('>BBH', 2, 3, 0)]
    # EAPOL-Encapsulated-ASF-Alert
    tests += [_bssid + foreign + proto + struct.pack('>BBH', 2, 4, 0)]
    # unknown IEEE 802.1X packet type
    tests += [_bssid + foreign + proto + struct.pack('>BBH', 2, 255, 0)]
    for t in tests:
        sock.send(t)
Exemplo n.º 28
0
def run_pmksa_cache_preauth_auto(dev, apdev):
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['bridge'] = 'ap-br0'
    params['rsn_preauth'] = '1'
    params['rsn_preauth_interfaces'] = 'ap-br0'

    hapd = hostapd.add_ap(apdev[0], params)
    hapd.cmd_execute(['brctl', 'setfd', 'ap-br0', '0'])
    hapd.cmd_execute(['ip', 'link', 'set', 'dev', 'ap-br0', 'up'])
    hapd2 = hostapd.add_ap(apdev[1], params)

    eap_connect(dev[0], hapd, "PAX", "*****@*****.**",
                password_hex="0123456789abcdef0123456789abcdef")

    found = False
    for i in range(20):
        time.sleep(0.5)
        res1 = dev[0].get_pmksa(apdev[0]['bssid'])
        res2 = dev[0].get_pmksa(apdev[1]['bssid'])
        if res1 and res2:
            found = True
            break
    if not found:
        raise Exception("The expected PMKSA cache entries not found")
Exemplo n.º 29
0
def generic_pmksa_cache_preauth(dev,
                                apdev,
                                extraparams,
                                identity,
                                databridge,
                                force_disconnect=False):
    if not extraparams:
        extraparams = [{}, {}]
    try:
        params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        params['bridge'] = 'ap-br0'
        for key, value in extraparams[0].iteritems():
            params[key] = value

        hapd = hostapd.add_ap(apdev[0], params)
        hapd.cmd_execute(['brctl', 'setfd', 'ap-br0', '0'])
        hapd.cmd_execute(['ip', 'link', 'set', 'dev', 'ap-br0', 'up'])
        eap_connect(dev[0],
                    hapd,
                    "PAX",
                    identity,
                    password_hex="0123456789abcdef0123456789abcdef")

        # Verify connectivity in the correct VLAN
        hwsim_utils.test_connectivity_iface(dev[0], hapd, databridge)

        params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        params['bridge'] = 'ap-br0'
        params['rsn_preauth'] = '1'
        params['rsn_preauth_interfaces'] = databridge
        for key, value in extraparams[1].iteritems():
            params[key] = value
        hostapd.add_ap(apdev[1], params)
        bssid1 = apdev[1]['bssid']
        dev[0].scan(freq="2412")
        success = False
        status_seen = False
        for i in range(0, 50):
            if not status_seen:
                status = dev[0].request("STATUS")
                if "Pre-authentication EAPOL state machines:" in status:
                    status_seen = True
            time.sleep(0.1)
            pmksa = dev[0].get_pmksa(bssid1)
            if pmksa:
                success = True
                break
        if not success:
            raise Exception(
                "No PMKSA cache entry created from pre-authentication")
        if not status_seen:
            raise Exception(
                "Pre-authentication EAPOL status was not available")

        dev[0].scan(freq="2412")
        if "[WPA2-EAP-CCMP-preauth]" not in dev[0].request("SCAN_RESULTS"):
            raise Exception("Scan results missing RSN element info")
        dev[0].request("ROAM " + bssid1)
        ev = dev[0].wait_event(
            ["CTRL-EVENT-EAP-STARTED", "CTRL-EVENT-CONNECTED"], timeout=10)
        if ev is None:
            raise Exception("Roaming with the AP timed out")
        if "CTRL-EVENT-EAP-STARTED" in ev:
            raise Exception("Unexpected EAP exchange")
        pmksa2 = dev[0].get_pmksa(bssid1)
        if pmksa2 is None:
            raise Exception("No PMKSA cache entry")
        if pmksa['pmkid'] != pmksa2['pmkid']:
            raise Exception("Unexpected PMKID change")

        # Verify connectivity in the correct VLAN
        hwsim_utils.test_connectivity_iface(dev[0], hapd, databridge)

        if not force_disconnect:
            return

        # Disconnect the STA from both APs to avoid forceful ifdown by the
        # test script on a VLAN that this has an associated STA. That used to
        # trigger a mac80211 warning.
        dev[0].request("DISCONNECT")
        hapd.request("DISABLE")

    finally:
        hostapd.cmd_execute(
            apdev[0],
            ['ip', 'link', 'set', 'dev', 'ap-br0', 'down', '2>', '/dev/null'],
            shell=True)
        hostapd.cmd_execute(apdev[0],
                            ['brctl', 'delbr', 'ap-br0', '2>', '/dev/null'],
                            shell=True)
Exemplo n.º 30
0
def test_pmksa_cache_preauth_vlan_used(dev, apdev):
    """RSN pre-authentication to generate PMKSA cache entry (station with VLAN set)"""
    try:
        subprocess.call(['brctl', 'addbr', 'brvlan1'])
        subprocess.call(['brctl', 'setfd', 'brvlan1', '0'])
        params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        params['bridge'] = 'ap-br0'
        params['dynamic_vlan'] = '1'
        params['vlan_file'] = 'hostapd.wlan3.vlan'
        hapd = hostapd.add_ap(apdev[0]['ifname'], params)
        subprocess.call(['brctl', 'setfd', 'ap-br0', '0'])
        subprocess.call(['ip', 'link', 'set', 'dev', 'ap-br0', 'up'])
        eap_connect(dev[0], apdev[0], "PAX", "vlan1",
                    password_hex="0123456789abcdef0123456789abcdef")

        # Verify connectivity in the correct VLAN
        hwsim_utils.test_connectivity_iface(dev[0], hapd, "brvlan1")

        params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        params['bridge'] = 'ap-br0'
        params['rsn_preauth'] = '1'
        params['rsn_preauth_interfaces'] = 'brvlan1'
        params['dynamic_vlan'] = '1'
        params['vlan_file'] = 'hostapd.wlan4.vlan'
        hostapd.add_ap(apdev[1]['ifname'], params)
        bssid1 = apdev[1]['bssid']
        dev[0].scan(freq="2412")
        success = False
        status_seen = False
        for i in range(0, 50):
            if not status_seen:
                status = dev[0].request("STATUS")
                if "Pre-authentication EAPOL state machines:" in status:
                    status_seen = True
            time.sleep(0.1)
            pmksa = dev[0].get_pmksa(bssid1)
            if pmksa:
                success = True
                break
        if not success:
            raise Exception("No PMKSA cache entry created from pre-authentication")
        if not status_seen:
            raise Exception("Pre-authentication EAPOL status was not available")

        dev[0].scan(freq="2412")
        if "[WPA2-EAP-CCMP-preauth]" not in dev[0].request("SCAN_RESULTS"):
            raise Exception("Scan results missing RSN element info")
        dev[0].request("ROAM " + bssid1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
                                "CTRL-EVENT-CONNECTED"], timeout=10)
        if ev is None:
            raise Exception("Roaming with the AP timed out")
        if "CTRL-EVENT-EAP-STARTED" in ev:
            raise Exception("Unexpected EAP exchange")
        pmksa2 = dev[0].get_pmksa(bssid1)
        if pmksa2 is None:
            raise Exception("No PMKSA cache entry")
        if pmksa['pmkid'] != pmksa2['pmkid']:
            raise Exception("Unexpected PMKID change")

        # Verify connectivity in the correct VLAN
        hwsim_utils.test_connectivity_iface(dev[0], hapd, "brvlan1")

        # Disconnect the STA from both APs to avoid forceful ifdown by the
        # test script on a VLAN that this has an associated STA. That used to
        # trigger a mac80211 warning.
        dev[0].request("DISCONNECT")
        hapd.request("DISABLE")

    finally:
        subprocess.call(['ip', 'link', 'set', 'dev', 'ap-br0', 'down'],
                        stderr=open('/dev/null', 'w'))
        subprocess.call(['ip', 'link', 'set', 'dev', 'brvlan1', 'down'])
        subprocess.call(['ip', 'link', 'set', 'dev', 'wlan3.1', 'down'],
                        stderr=open('/dev/null', 'w'))
        subprocess.call(['ip', 'link', 'set', 'dev', 'wlan4.1', 'down'],
                        stderr=open('/dev/null', 'w'))
        subprocess.call(['brctl', 'delif', 'brvlan1', 'wlan3.1'],
                        stderr=open('/dev/null', 'w'))
        subprocess.call(['brctl', 'delif', 'brvlan1', 'wlan4.1'],
                        stderr=open('/dev/null', 'w'))
        subprocess.call(['brctl', 'delbr', 'ap-br0'],
                        stderr=open('/dev/null', 'w'))
        subprocess.call(['brctl', 'delbr', 'brvlan1'])
Exemplo n.º 31
0
def generic_pmksa_cache_preauth(dev, apdev, extraparams, identity, databridge,
                                force_disconnect=False):
    if not extraparams:
        extraparams = [{}, {}]
    try:
        params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        params['bridge'] = 'ap-br0'
        for key, value in extraparams[0].items():
            params[key] = value

        hapd = hostapd.add_ap(apdev[0], params)
        hapd.cmd_execute(['brctl', 'setfd', 'ap-br0', '0'])
        hapd.cmd_execute(['ip', 'link', 'set', 'dev', 'ap-br0', 'up'])
        eap_connect(dev[0], hapd, "PAX", identity,
                    password_hex="0123456789abcdef0123456789abcdef")

        # Verify connectivity in the correct VLAN
        hwsim_utils.test_connectivity_iface(dev[0], hapd, databridge)

        params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        params['bridge'] = 'ap-br0'
        params['rsn_preauth'] = '1'
        params['rsn_preauth_interfaces'] = databridge
        for key, value in extraparams[1].items():
            params[key] = value
        hostapd.add_ap(apdev[1], params)
        bssid1 = apdev[1]['bssid']
        dev[0].scan(freq="2412")
        success = False
        status_seen = False
        for i in range(0, 50):
            if not status_seen:
                status = dev[0].request("STATUS")
                if "Pre-authentication EAPOL state machines:" in status:
                    status_seen = True
            time.sleep(0.1)
            pmksa = dev[0].get_pmksa(bssid1)
            if pmksa:
                success = True
                break
        if not success:
            raise Exception("No PMKSA cache entry created from pre-authentication")
        if not status_seen:
            raise Exception("Pre-authentication EAPOL status was not available")

        dev[0].scan(freq="2412")
        if "[WPA2-EAP-CCMP-preauth]" not in dev[0].request("SCAN_RESULTS"):
            raise Exception("Scan results missing RSN element info")
        dev[0].request("ROAM " + bssid1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
                                "CTRL-EVENT-CONNECTED"], timeout=10)
        if ev is None:
            raise Exception("Roaming with the AP timed out")
        if "CTRL-EVENT-EAP-STARTED" in ev:
            raise Exception("Unexpected EAP exchange")
        pmksa2 = dev[0].get_pmksa(bssid1)
        if pmksa2 is None:
            raise Exception("No PMKSA cache entry")
        if pmksa['pmkid'] != pmksa2['pmkid']:
            raise Exception("Unexpected PMKID change")

        # Verify connectivity in the correct VLAN
        hwsim_utils.test_connectivity_iface(dev[0], hapd, databridge)

        if not force_disconnect:
            return

        # Disconnect the STA from both APs to avoid forceful ifdown by the
        # test script on a VLAN that this has an associated STA. That used to
        # trigger a mac80211 warning.
        dev[0].request("DISCONNECT")
        hapd.request("DISABLE")

    finally:
        hostapd.cmd_execute(apdev[0], ['ip', 'link', 'set', 'dev',
                                       'ap-br0', 'down', '2>', '/dev/null'],
                            shell=True)
        hostapd.cmd_execute(apdev[0], ['brctl', 'delbr', 'ap-br0',
                                       '2>', '/dev/null'], shell=True)
Exemplo n.º 32
0
def test_pmksa_cache_preauth_vlan_used(dev, apdev):
    """RSN pre-authentication to generate PMKSA cache entry (station with VLAN set)"""
    try:
        subprocess.call(['brctl', 'addbr', 'brvlan1'])
        subprocess.call(['brctl', 'setfd', 'brvlan1', '0'])
        params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        params['bridge'] = 'ap-br0'
        params['dynamic_vlan'] = '1'
        params['vlan_file'] = 'hostapd.wlan3.vlan'
        hapd = hostapd.add_ap(apdev[0]['ifname'], params)
        subprocess.call(['brctl', 'setfd', 'ap-br0', '0'])
        subprocess.call(['ip', 'link', 'set', 'dev', 'ap-br0', 'up'])
        eap_connect(dev[0],
                    apdev[0],
                    "PAX",
                    "vlan1",
                    password_hex="0123456789abcdef0123456789abcdef")

        params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        params['bridge'] = 'ap-br0'
        params['rsn_preauth'] = '1'
        params['rsn_preauth_interfaces'] = 'brvlan1'
        params['dynamic_vlan'] = '1'
        params['vlan_file'] = 'hostapd.wlan4.vlan'
        hostapd.add_ap(apdev[1]['ifname'], params)
        bssid1 = apdev[1]['bssid']
        dev[0].scan(freq="2412")
        success = False
        status_seen = False
        for i in range(0, 50):
            if not status_seen:
                status = dev[0].request("STATUS")
                if "Pre-authentication EAPOL state machines:" in status:
                    status_seen = True
            time.sleep(0.1)
            pmksa = dev[0].get_pmksa(bssid1)
            if pmksa:
                success = True
                break
        if not success:
            raise Exception(
                "No PMKSA cache entry created from pre-authentication")
        if not status_seen:
            raise Exception(
                "Pre-authentication EAPOL status was not available")

        dev[0].scan(freq="2412")
        if "[WPA2-EAP-CCMP-preauth]" not in dev[0].request("SCAN_RESULTS"):
            raise Exception("Scan results missing RSN element info")
        dev[0].request("ROAM " + bssid1)
        ev = dev[0].wait_event(
            ["CTRL-EVENT-EAP-STARTED", "CTRL-EVENT-CONNECTED"], timeout=10)
        if ev is None:
            raise Exception("Roaming with the AP timed out")
        if "CTRL-EVENT-EAP-STARTED" in ev:
            raise Exception("Unexpected EAP exchange")
        pmksa2 = dev[0].get_pmksa(bssid1)
        if pmksa2 is None:
            raise Exception("No PMKSA cache entry")
        if pmksa['pmkid'] != pmksa2['pmkid']:
            raise Exception("Unexpected PMKID change")

        # Disconnect the STA from both APs to avoid forceful ifdown by the
        # test script on a VLAN that this has an associated STA. That used to
        # trigger a mac80211 warning.
        dev[0].request("DISCONNECT")
        hapd.request("DISABLE")

    finally:
        subprocess.call(['ip', 'link', 'set', 'dev', 'ap-br0', 'down'],
                        stderr=open('/dev/null', 'w'))
        subprocess.call(['ip', 'link', 'set', 'dev', 'brvlan1', 'down'])
        subprocess.call(['ip', 'link', 'set', 'dev', 'wlan3.1', 'down'],
                        stderr=open('/dev/null', 'w'))
        subprocess.call(['ip', 'link', 'set', 'dev', 'wlan4.1', 'down'],
                        stderr=open('/dev/null', 'w'))
        subprocess.call(['brctl', 'delif', 'brvlan1', 'wlan3.1'],
                        stderr=open('/dev/null', 'w'))
        subprocess.call(['brctl', 'delif', 'brvlan1', 'wlan4.1'],
                        stderr=open('/dev/null', 'w'))
        subprocess.call(['brctl', 'delbr', 'ap-br0'],
                        stderr=open('/dev/null', 'w'))
        subprocess.call(['brctl', 'delbr', 'brvlan1'])