]> git.ipfire.org Git - thirdparty/hostap.git/blob - tests/hwsim/test_ap_ciphers.py
projects / thirdparty / hostap.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
tests: Make ap_cipher_mixed_wpa_wpa2 more robust
[thirdparty/hostap.git] / tests / hwsim / test_ap_ciphers.py
1 # Cipher suite tests
2 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
3 #
4 # This software may be distributed under the terms of the BSD license.
5 # See README for more details.
6
7 from remotehost import remote_compatible
8 import time
9 import logging
10 logger = logging.getLogger()
11 import os
12 import subprocess
13
14 import hwsim_utils
15 import hostapd
16 from utils import HwsimSkip, skip_with_fips, require_under_vm
17 from wlantest import Wlantest
18 from wpasupplicant import WpaSupplicant
19
20 def check_cipher(dev, ap, cipher, group_cipher=None):
21 if cipher not in dev.get_capability("pairwise"):
22 raise HwsimSkip("Cipher %s not supported" % cipher)
23 if group_cipher and group_cipher not in dev.get_capability("group"):
24 raise HwsimSkip("Cipher %s not supported" % group_cipher)
25 params = {"ssid": "test-wpa2-psk",
26 "wpa_passphrase": "12345678",
27 "wpa": "2",
28 "wpa_key_mgmt": "WPA-PSK",
29 "rsn_pairwise": cipher}
30 if group_cipher:
31 params["group_cipher"] = group_cipher
32 else:
33 group_cipher = cipher
34 hapd = hostapd.add_ap(ap, params)
35 dev.connect("test-wpa2-psk", psk="12345678",
36 pairwise=cipher, group=group_cipher, scan_freq="2412")
37 hapd.wait_sta()
38 hwsim_utils.test_connectivity(dev, hapd)
39
40 def check_group_mgmt_cipher(dev, ap, cipher, sta_req_cipher=None):
41 if cipher not in dev.get_capability("group_mgmt"):
42 raise HwsimSkip("Cipher %s not supported" % cipher)
43 params = {"ssid": "test-wpa2-psk-pmf",
44 "wpa_passphrase": "12345678",
45 "wpa": "2",
46 "ieee80211w": "2",
47 "wpa_key_mgmt": "WPA-PSK-SHA256",
48 "rsn_pairwise": "CCMP",
49 "group_mgmt_cipher": cipher}
50 hapd = hostapd.add_ap(ap, params)
51
52 Wlantest.setup(hapd)
53 wt = Wlantest()
54 wt.flush()
55 wt.add_passphrase("12345678")
56
57 dev.connect("test-wpa2-psk-pmf", psk="12345678", ieee80211w="2",
58 key_mgmt="WPA-PSK-SHA256", group_mgmt=sta_req_cipher,
59 pairwise="CCMP", group="CCMP", scan_freq="2412")
60 hapd.wait_sta()
61 hwsim_utils.test_connectivity(dev, hapd)
62 hapd.request("DEAUTHENTICATE ff:ff:ff:ff:ff:ff")
63 dev.wait_disconnected()
64 if wt.get_bss_counter('valid_bip_mmie', ap['bssid']) < 1:
65 raise Exception("No valid BIP MMIE seen")
66 if wt.get_bss_counter('bip_deauth', ap['bssid']) < 1:
67 raise Exception("No valid BIP deauth seen")
68
69 if cipher == "AES-128-CMAC":
70 group_mgmt = "BIP"
71 else:
72 group_mgmt = cipher
73 res = wt.info_bss('group_mgmt', ap['bssid']).strip()
74 if res != group_mgmt:
75 raise Exception("Unexpected group mgmt cipher: " + res)
76
77 @remote_compatible
78 def test_ap_cipher_tkip(dev, apdev):
79 """WPA2-PSK/TKIP connection"""
80 skip_with_fips(dev[0])
81 check_cipher(dev[0], apdev[0], "TKIP")
82
83 @remote_compatible
84 def test_ap_cipher_tkip_countermeasures_ap(dev, apdev):
85 """WPA-PSK/TKIP countermeasures (detected by AP)"""
86 skip_with_fips(dev[0])
87 testfile = "/sys/kernel/debug/ieee80211/%s/netdev:%s/tkip_mic_test" % (dev[0].get_driver_status_field("phyname"), dev[0].ifname)
88 if dev[0].cmd_execute(["ls", testfile])[0] != 0:
89 raise HwsimSkip("tkip_mic_test not supported in mac80211")
90
91 params = {"ssid": "tkip-countermeasures",
92 "wpa_passphrase": "12345678",
93 "wpa": "1",
94 "wpa_key_mgmt": "WPA-PSK",
95 "wpa_pairwise": "TKIP"}
96 hapd = hostapd.add_ap(apdev[0], params)
97
98 dev[0].connect("tkip-countermeasures", psk="12345678",
99 pairwise="TKIP", group="TKIP", scan_freq="2412")
100
101 dev[0].dump_monitor()
102 dev[0].cmd_execute(["echo", "-n", apdev[0]['bssid'], ">", testfile],
103 shell=True)
104 ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=1)
105 if ev is not None:
106 raise Exception("Unexpected disconnection on first Michael MIC failure")
107
108 dev[0].cmd_execute(["echo", "-n", "ff:ff:ff:ff:ff:ff", ">", testfile],
109 shell=True)
110 ev = dev[0].wait_disconnected(timeout=10,
111 error="No disconnection after two Michael MIC failures")
112 if "reason=14" not in ev:
113 raise Exception("Unexpected disconnection reason: " + ev)
114 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
115 if ev is not None:
116 raise Exception("Unexpected connection during TKIP countermeasures")
117
118 def test_ap_cipher_tkip_countermeasures_ap_mixed_mode(dev, apdev):
119 """WPA+WPA2-PSK/TKIP countermeasures (detected by mixed mode AP)"""
120 skip_with_fips(dev[0])
121 testfile = "/sys/kernel/debug/ieee80211/%s/netdev:%s/tkip_mic_test" % (dev[0].get_driver_status_field("phyname"), dev[0].ifname)
122 if dev[0].cmd_execute(["ls", testfile])[0] != 0:
123 raise HwsimSkip("tkip_mic_test not supported in mac80211")
124
125 params = {"ssid": "tkip-countermeasures",
126 "wpa_passphrase": "12345678",
127 "wpa": "3",
128 "wpa_key_mgmt": "WPA-PSK",
129 "wpa_pairwise": "TKIP",
130 "rsn_pairwise": "CCMP"}
131 hapd = hostapd.add_ap(apdev[0], params)
132
133 dev[0].connect("tkip-countermeasures", psk="12345678",
134 pairwise="TKIP", group="TKIP", scan_freq="2412")
135 dev[1].connect("tkip-countermeasures", psk="12345678",
136 pairwise="CCMP", scan_freq="2412")
137
138 dev[0].dump_monitor()
139 dev[0].cmd_execute(["echo", "-n", apdev[0]['bssid'], ">", testfile],
140 shell=True)
141 ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=1)
142 if ev is not None:
143 raise Exception("Unexpected disconnection on first Michael MIC failure")
144
145 dev[0].cmd_execute(["echo", "-n", "ff:ff:ff:ff:ff:ff", ">", testfile],
146 shell=True)
147
148 ev = dev[0].wait_disconnected(timeout=10,
149 error="No disconnection after two Michael MIC failures")
150 if "reason=14" not in ev:
151 raise Exception("Unexpected disconnection reason: " + ev)
152
153 ev = dev[1].wait_disconnected(timeout=10,
154 error="No disconnection after two Michael MIC failures (2)")
155 if "reason=14" not in ev:
156 raise Exception("Unexpected disconnection reason (2): " + ev)
157
158 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
159 if ev is not None:
160 raise Exception("Unexpected connection during TKIP countermeasures (1)")
161 ev = dev[1].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
162 if ev is not None:
163 raise Exception("Unexpected connection during TKIP countermeasures (2)")
164
165 @remote_compatible
166 def test_ap_cipher_tkip_countermeasures_sta(dev, apdev):
167 """WPA-PSK/TKIP countermeasures (detected by STA)"""
168 skip_with_fips(dev[0])
169 params = {"ssid": "tkip-countermeasures",
170 "wpa_passphrase": "12345678",
171 "wpa": "1",
172 "wpa_key_mgmt": "WPA-PSK",
173 "wpa_pairwise": "TKIP"}
174 hapd = hostapd.add_ap(apdev[0], params)
175
176 testfile = "/sys/kernel/debug/ieee80211/%s/netdev:%s/tkip_mic_test" % (hapd.get_driver_status_field("phyname"), apdev[0]['ifname'])
177 if hapd.cmd_execute(["ls", testfile])[0] != 0:
178 raise HwsimSkip("tkip_mic_test not supported in mac80211")
179
180 dev[0].connect("tkip-countermeasures", psk="12345678",
181 pairwise="TKIP", group="TKIP", scan_freq="2412")
182
183 dev[0].dump_monitor()
184 hapd.cmd_execute(["echo", "-n", dev[0].own_addr(), ">", testfile],
185 shell=True)
186 ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=1)
187 if ev is not None:
188 raise Exception("Unexpected disconnection on first Michael MIC failure")
189
190 hapd.cmd_execute(["echo", "-n", "ff:ff:ff:ff:ff:ff", ">", testfile],
191 shell=True)
192 ev = dev[0].wait_disconnected(timeout=10,
193 error="No disconnection after two Michael MIC failures")
194 if "reason=14 locally_generated=1" not in ev:
195 raise Exception("Unexpected disconnection reason: " + ev)
196 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
197 if ev is not None:
198 raise Exception("Unexpected connection during TKIP countermeasures")
199
200 def test_ap_cipher_tkip_countermeasures_sta2(dev, apdev, params):
201 """WPA-PSK/TKIP countermeasures (detected by two STAs) [long]"""
202 if not params['long']:
203 raise HwsimSkip("Skip test case with long duration due to --long not specified")
204 skip_with_fips(dev[0])
205 params = {"ssid": "tkip-countermeasures",
206 "wpa_passphrase": "12345678",
207 "wpa": "1",
208 "wpa_key_mgmt": "WPA-PSK",
209 "wpa_pairwise": "TKIP"}
210 hapd = hostapd.add_ap(apdev[0], params)
211
212 testfile = "/sys/kernel/debug/ieee80211/%s/netdev:%s/tkip_mic_test" % (hapd.get_driver_status_field("phyname"), apdev[0]['ifname'])
213 if hapd.cmd_execute(["ls", testfile])[0] != 0:
214 raise HwsimSkip("tkip_mic_test not supported in mac80211")
215
216 dev[0].connect("tkip-countermeasures", psk="12345678",
217 pairwise="TKIP", group="TKIP", scan_freq="2412")
218 dev[0].dump_monitor()
219 id = dev[1].connect("tkip-countermeasures", psk="12345678",
220 pairwise="TKIP", group="TKIP", scan_freq="2412")
221 dev[1].dump_monitor()
222
223 hapd.cmd_execute(["echo", "-n", "ff:ff:ff:ff:ff:ff", ">", testfile],
224 shell=True)
225 ev = dev[0].wait_disconnected(timeout=10,
226 error="No disconnection after two Michael MIC failure")
227 if "reason=14" not in ev:
228 raise Exception("Unexpected disconnection reason: " + ev)
229 ev = dev[1].wait_disconnected(timeout=5,
230 error="No disconnection after two Michael MIC failure")
231 if "reason=14" not in ev:
232 raise Exception("Unexpected disconnection reason: " + ev)
233 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
234 if ev is not None:
235 raise Exception("Unexpected connection during TKIP countermeasures")
236 ev = dev[1].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
237 if ev is not None:
238 raise Exception("Unexpected connection during TKIP countermeasures")
239
240 dev[0].request("REMOVE_NETWORK all")
241 logger.info("Waiting for TKIP countermeasures to end")
242 connected = False
243 start = os.times()[4]
244 while True:
245 now = os.times()[4]
246 if start + 70 < now:
247 break
248 dev[0].connect("tkip-countermeasures", psk="12345678",
249 pairwise="TKIP", group="TKIP", scan_freq="2412",
250 wait_connect=False)
251 ev = dev[0].wait_event(["CTRL-EVENT-AUTH-REJECT",
252 "CTRL-EVENT-CONNECTED"], timeout=10)
253 if ev is None:
254 raise Exception("No connection result")
255 if "CTRL-EVENT-CONNECTED" in ev:
256 connected = True
257 break
258 if "status_code=1" not in ev:
259 raise Exception("Unexpected connection failure reason during TKIP countermeasures: " + ev)
260 dev[0].request("REMOVE_NETWORK all")
261 time.sleep(1)
262 dev[0].dump_monitor()
263 dev[1].dump_monitor()
264 if not connected:
265 raise Exception("No connection after TKIP countermeasures terminated")
266
267 ev = dev[1].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
268 if ev is None:
269 dev[1].request("DISCONNECT")
270 dev[1].select_network(id)
271 dev[1].wait_connected()
272
273 @remote_compatible
274 def test_ap_cipher_ccmp(dev, apdev):
275 """WPA2-PSK/CCMP connection"""
276 check_cipher(dev[0], apdev[0], "CCMP")
277
278 def test_ap_cipher_gcmp(dev, apdev):
279 """WPA2-PSK/GCMP connection"""
280 check_cipher(dev[0], apdev[0], "GCMP")
281
282 def test_ap_cipher_ccmp_256(dev, apdev):
283 """WPA2-PSK/CCMP-256 connection"""
284 check_cipher(dev[0], apdev[0], "CCMP-256")
285
286 def test_ap_cipher_gcmp_256(dev, apdev):
287 """WPA2-PSK/GCMP-256 connection"""
288 check_cipher(dev[0], apdev[0], "GCMP-256")
289
290 def test_ap_cipher_gcmp_256_group_gcmp_256(dev, apdev):
291 """WPA2-PSK/GCMP-256 connection with group cipher override GCMP-256"""
292 check_cipher(dev[0], apdev[0], "GCMP-256", "GCMP-256")
293
294 def test_ap_cipher_gcmp_256_group_gcmp(dev, apdev):
295 """WPA2-PSK/GCMP-256 connection with group cipher override GCMP"""
296 check_cipher(dev[0], apdev[0], "GCMP-256", "GCMP")
297
298 def test_ap_cipher_gcmp_256_group_ccmp_256(dev, apdev):
299 """WPA2-PSK/GCMP-256 connection with group cipher override CCMP-256"""
300 check_cipher(dev[0], apdev[0], "GCMP-256", "CCMP-256")
301
302 def test_ap_cipher_gcmp_256_group_ccmp(dev, apdev):
303 """WPA2-PSK/GCMP-256 connection with group cipher override CCMP"""
304 check_cipher(dev[0], apdev[0], "GCMP-256", "CCMP")
305
306 def test_ap_cipher_gcmp_ccmp(dev, apdev, params):
307 """WPA2-PSK/GCMP/CCMP ciphers"""
308 config = os.path.join(params['logdir'], 'ap_cipher_gcmp_ccmp.conf')
309
310 for cipher in ["CCMP", "GCMP", "CCMP-256", "GCMP-256"]:
311 if cipher not in dev[0].get_capability("pairwise"):
312 raise HwsimSkip("Cipher %s not supported" % cipher)
313 if cipher not in dev[0].get_capability("group"):
314 raise HwsimSkip("Group cipher %s not supported" % cipher)
315
316 params = {"ssid": "test-wpa2-psk",
317 "wpa_passphrase": "12345678",
318 "wpa": "2",
319 "wpa_key_mgmt": "WPA-PSK",
320 "rsn_pairwise": "CCMP GCMP CCMP-256 GCMP-256"}
321 hapd = hostapd.add_ap(apdev[0], params)
322
323
324 for cipher in ["CCMP", "GCMP", "CCMP-256", "GCMP-256"]:
325 dev[0].connect("test-wpa2-psk", psk="12345678",
326 pairwise=cipher, group="CCMP", scan_freq="2412")
327 if dev[0].get_status_field("group_cipher") != "CCMP":
328 raise Exception("Unexpected group_cipher")
329 if dev[0].get_status_field("pairwise_cipher") != cipher:
330 raise Exception("Unexpected pairwise_cipher")
331 dev[0].request("REMOVE_NETWORK all")
332 dev[0].wait_disconnected()
333
334 dev[0].connect("test-wpa2-psk", psk="12345678",
335 pairwise="CCMP CCMP-256 GCMP GCMP-256",
336 group="CCMP CCMP-256 GCMP GCMP-256", scan_freq="2412")
337 if dev[0].get_status_field("group_cipher") != "CCMP":
338 raise Exception("Unexpected group_cipher")
339 res = dev[0].get_status_field("pairwise_cipher")
340 if res != "CCMP-256" and res != "GCMP-256":
341 raise Exception("Unexpected pairwise_cipher")
342
343 try:
344 with open(config, "w") as f:
345 f.write("network={\n" +
346 "\tssid=\"test-wpa2-psk\"\n" +
347 "\tkey_mgmt=WPA-PSK\n" +
348 "\tpsk=\"12345678\"\n" +
349 "\tpairwise=GCMP\n" +
350 "\tgroup=CCMP\n" +
351 "\tscan_freq=2412\n" +
352 "}\n")
353
354 wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
355 wpas.interface_add("wlan5", config=config)
356 wpas.wait_connected()
357 if wpas.get_status_field("group_cipher") != "CCMP":
358 raise Exception("Unexpected group_cipher")
359 if wpas.get_status_field("pairwise_cipher") != "GCMP":
360 raise Exception("Unexpected pairwise_cipher")
361 finally:
362 os.remove(config)
363
364 @remote_compatible
365 def test_ap_cipher_mixed_wpa_wpa2(dev, apdev):
366 """WPA2-PSK/CCMP/ and WPA-PSK/TKIP mixed configuration"""
367 skip_with_fips(dev[0])
368 ssid = "test-wpa-wpa2-psk"
369 passphrase = "12345678"
370 params = {"ssid": ssid,
371 "wpa_passphrase": passphrase,
372 "wpa": "3",
373 "wpa_key_mgmt": "WPA-PSK",
374 "rsn_pairwise": "CCMP",
375 "wpa_pairwise": "TKIP"}
376 hapd = hostapd.add_ap(apdev[0], params)
377 dev[0].flush_scan_cache()
378 dev[0].connect(ssid, psk=passphrase, proto="WPA2",
379 pairwise="CCMP", group="TKIP", scan_freq="2412")
380 status = dev[0].get_status()
381 if status['key_mgmt'] != 'WPA2-PSK':
382 raise Exception("Incorrect key_mgmt reported")
383 if status['pairwise_cipher'] != 'CCMP':
384 raise Exception("Incorrect pairwise_cipher reported")
385 if status['group_cipher'] != 'TKIP':
386 raise Exception("Incorrect group_cipher reported")
387 bss = dev[0].get_bss(apdev[0]['bssid'])
388 if bss['ssid'] != ssid:
389 raise Exception("Unexpected SSID in the BSS entry")
390 if "[WPA-PSK-TKIP]" not in bss['flags']:
391 raise Exception("Missing BSS flag WPA-PSK-TKIP")
392 if "[WPA2-PSK-CCMP]" not in bss['flags']:
393 raise Exception("Missing BSS flag WPA2-PSK-CCMP")
394 hapd.wait_sta()
395 hwsim_utils.test_connectivity(dev[0], hapd)
396
397 dev[1].connect(ssid, psk=passphrase, proto="WPA",
398 pairwise="TKIP", group="TKIP", scan_freq="2412")
399 status = dev[1].get_status()
400 if status['key_mgmt'] != 'WPA-PSK':
401 raise Exception("Incorrect key_mgmt reported")
402 if status['pairwise_cipher'] != 'TKIP':
403 raise Exception("Incorrect pairwise_cipher reported")
404 if status['group_cipher'] != 'TKIP':
405 raise Exception("Incorrect group_cipher reported")
406 hapd.wait_sta()
407 hwsim_utils.test_connectivity(dev[1], hapd)
408 hwsim_utils.test_connectivity(dev[0], dev[1])
409
410 @remote_compatible
411 def test_ap_cipher_bip(dev, apdev):
412 """WPA2-PSK with BIP"""
413 check_group_mgmt_cipher(dev[0], apdev[0], "AES-128-CMAC")
414
415 def test_ap_cipher_bip_req(dev, apdev):
416 """WPA2-PSK with BIP required"""
417 check_group_mgmt_cipher(dev[0], apdev[0], "AES-128-CMAC", "AES-128-CMAC")
418
419 def test_ap_cipher_bip_req2(dev, apdev):
420 """WPA2-PSK with BIP required (2)"""
421 check_group_mgmt_cipher(dev[0], apdev[0], "AES-128-CMAC",
422 "AES-128-CMAC BIP-GMAC-128 BIP-GMAC-256 BIP-CMAC-256")
423
424 def test_ap_cipher_bip_gmac_128(dev, apdev):
425 """WPA2-PSK with BIP-GMAC-128"""
426 check_group_mgmt_cipher(dev[0], apdev[0], "BIP-GMAC-128")
427
428 def test_ap_cipher_bip_gmac_128_req(dev, apdev):
429 """WPA2-PSK with BIP-GMAC-128 required"""
430 check_group_mgmt_cipher(dev[0], apdev[0], "BIP-GMAC-128", "BIP-GMAC-128")
431
432 def test_ap_cipher_bip_gmac_256(dev, apdev):
433 """WPA2-PSK with BIP-GMAC-256"""
434 check_group_mgmt_cipher(dev[0], apdev[0], "BIP-GMAC-256")
435
436 def test_ap_cipher_bip_gmac_256_req(dev, apdev):
437 """WPA2-PSK with BIP-GMAC-256 required"""
438 check_group_mgmt_cipher(dev[0], apdev[0], "BIP-GMAC-256", "BIP-GMAC-256")
439
440 def test_ap_cipher_bip_cmac_256(dev, apdev):
441 """WPA2-PSK with BIP-CMAC-256"""
442 check_group_mgmt_cipher(dev[0], apdev[0], "BIP-CMAC-256")
443
444 def test_ap_cipher_bip_cmac_256_req(dev, apdev):
445 """WPA2-PSK with BIP-CMAC-256 required"""
446 check_group_mgmt_cipher(dev[0], apdev[0], "BIP-CMAC-256", "BIP-CMAC-256")
447
448 def test_ap_cipher_bip_req_mismatch(dev, apdev):
449 """WPA2-PSK with BIP cipher mismatch"""
450 group_mgmt = dev[0].get_capability("group_mgmt")
451 for cipher in ["AES-128-CMAC", "BIP-GMAC-256"]:
452 if cipher not in group_mgmt:
453 raise HwsimSkip("Cipher %s not supported" % cipher)
454
455 params = {"ssid": "test-wpa2-psk-pmf",
456 "wpa_passphrase": "12345678",
457 "wpa": "2",
458 "ieee80211w": "2",
459 "wpa_key_mgmt": "WPA-PSK-SHA256",
460 "rsn_pairwise": "CCMP",
461 "group_mgmt_cipher": "AES-128-CMAC"}
462 hapd = hostapd.add_ap(apdev[0], params)
463
464 dev[0].scan_for_bss(hapd.own_addr(), 2412)
465 id = dev[0].connect("test-wpa2-psk-pmf", psk="12345678", ieee80211w="2",
466 key_mgmt="WPA-PSK-SHA256", group_mgmt="BIP-GMAC-256",
467 pairwise="CCMP", group="CCMP", scan_freq="2412",
468 wait_connect=False)
469 ev = dev[0].wait_event(["CTRL-EVENT-NETWORK-NOT-FOUND",
470 "CTRL-EVENT-CONNECTED"], timeout=10)
471 if ev is None:
472 raise Exception("Network selection result not indicated")
473 if "CTRL-EVENT-CONNECTED" in ev:
474 raise Exception("Unexpected connection")
475
476 dev[0].request("DISCONNECT")
477 dev[0].set_network(id, "group_mgmt", "AES-128-CMAC")
478 dev[0].select_network(id)
479 dev[0].wait_connected()
480
481 def get_rx_spec(phy, gtk=False):
482 keys = "/sys/kernel/debug/ieee80211/%s/keys" % (phy)
483 try:
484 for key in os.listdir(keys):
485 keydir = keys + "/" + key
486 files = os.listdir(keydir)
487 if not gtk and "station" not in files:
488 continue
489 if gtk and "station" in files:
490 continue
491 with open(keydir + "/rx_spec") as f:
492 return f.read()
493 except OSError as e:
494 raise HwsimSkip("debugfs not supported in mac80211")
495 return None
496
497 def get_tk_replay_counter(phy, gtk=False):
498 keys = "/sys/kernel/debug/ieee80211/%s/keys" % (phy)
499 try:
500 for key in os.listdir(keys):
501 keydir = keys + "/" + key
502 files = os.listdir(keydir)
503 if not gtk and "station" not in files:
504 continue
505 if gtk and "station" in files:
506 continue
507 with open(keydir + "/replays") as f:
508 return int(f.read())
509 except OSError as e:
510 raise HwsimSkip("debugfs not supported in mac80211")
511 return None
512
513 def test_ap_cipher_replay_protection_ap_ccmp(dev, apdev):
514 """CCMP replay protection on AP"""
515 run_ap_cipher_replay_protection_ap(dev, apdev, "CCMP")
516
517 def test_ap_cipher_replay_protection_ap_tkip(dev, apdev):
518 """TKIP replay protection on AP"""
519 run_ap_cipher_replay_protection_ap(dev, apdev, "TKIP")
520
521 def test_ap_cipher_replay_protection_ap_gcmp(dev, apdev):
522 """GCMP replay protection on AP"""
523 if "GCMP" not in dev[0].get_capability("pairwise"):
524 raise HwsimSkip("GCMP not supported")
525 run_ap_cipher_replay_protection_ap(dev, apdev, "GCMP")
526
527 def run_ap_cipher_replay_protection_ap(dev, apdev, cipher):
528 params = {"ssid": "test-wpa2-psk",
529 "wpa_passphrase": "12345678",
530 "wpa": "2",
531 "wpa_key_mgmt": "WPA-PSK",
532 "rsn_pairwise": cipher}
533 hapd = hostapd.add_ap(apdev[0], params)
534 phy = hapd.get_driver_status_field("phyname")
535
536 Wlantest.setup(hapd)
537 wt = Wlantest()
538 wt.flush()
539 wt.add_passphrase("12345678")
540
541 dev[0].connect("test-wpa2-psk", psk="12345678",
542 pairwise=cipher, group=cipher, scan_freq="2412")
543 hapd.wait_sta()
544
545 if cipher != "TKIP":
546 replays = get_tk_replay_counter(phy)
547 if replays != 0:
548 raise Exception("Unexpected replay reported (1)")
549
550 for i in range(5):
551 hwsim_utils.test_connectivity(dev[0], hapd)
552
553 if cipher != "TKIP":
554 replays = get_tk_replay_counter(phy)
555 if replays != 0:
556 raise Exception("Unexpected replay reported (2)")
557
558 if "OK" not in dev[0].request("RESET_PN"):
559 raise Exception("RESET_PN failed")
560 time.sleep(0.1)
561 hwsim_utils.test_connectivity(dev[0], hapd, timeout=1,
562 success_expected=False)
563
564 if cipher != "TKIP":
565 replays = get_tk_replay_counter(phy)
566 if replays < 1:
567 raise Exception("Replays not reported")
568
569 def test_ap_cipher_replay_protection_sta_ccmp(dev, apdev):
570 """CCMP replay protection on STA (TK)"""
571 run_ap_cipher_replay_protection_sta(dev, apdev, "CCMP")
572
573 def test_ap_cipher_replay_protection_sta_tkip(dev, apdev):
574 """TKIP replay protection on STA (TK)"""
575 run_ap_cipher_replay_protection_sta(dev, apdev, "TKIP")
576
577 def test_ap_cipher_replay_protection_sta_gcmp(dev, apdev):
578 """GCMP replay protection on STA (TK)"""
579 if "GCMP" not in dev[0].get_capability("pairwise"):
580 raise HwsimSkip("GCMP not supported")
581 run_ap_cipher_replay_protection_sta(dev, apdev, "GCMP")
582
583 def test_ap_cipher_replay_protection_sta_gtk_ccmp(dev, apdev):
584 """CCMP replay protection on STA (GTK)"""
585 run_ap_cipher_replay_protection_sta(dev, apdev, "CCMP", gtk=True)
586
587 def test_ap_cipher_replay_protection_sta_gtk_tkip(dev, apdev):
588 """TKIP replay protection on STA (GTK)"""
589 run_ap_cipher_replay_protection_sta(dev, apdev, "TKIP", gtk=True)
590
591 def test_ap_cipher_replay_protection_sta_gtk_gcmp(dev, apdev):
592 """GCMP replay protection on STA (GTK)"""
593 if "GCMP" not in dev[0].get_capability("pairwise"):
594 raise HwsimSkip("GCMP not supported")
595 run_ap_cipher_replay_protection_sta(dev, apdev, "GCMP", gtk=True)
596
597 def run_ap_cipher_replay_protection_sta(dev, apdev, cipher, gtk=False):
598 params = {"ssid": "test-wpa2-psk",
599 "wpa_passphrase": "12345678",
600 "wpa": "2",
601 "wpa_key_mgmt": "WPA-PSK",
602 "rsn_pairwise": cipher}
603 hapd = hostapd.add_ap(apdev[0], params)
604
605 Wlantest.setup(hapd)
606 wt = Wlantest()
607 wt.flush()
608 wt.add_passphrase("12345678")
609
610 phy = dev[0].get_driver_status_field("phyname")
611 dev[0].connect("test-wpa2-psk", psk="12345678",
612 pairwise=cipher, group=cipher, scan_freq="2412")
613 hapd.wait_sta()
614
615 if cipher != "TKIP":
616 replays = get_tk_replay_counter(phy, gtk)
617 if replays != 0:
618 raise Exception("Unexpected replay reported (1)")
619
620 for i in range(5):
621 hwsim_utils.test_connectivity(dev[0], hapd)
622
623 if cipher != "TKIP":
624 replays = get_tk_replay_counter(phy, gtk)
625 if replays != 0:
626 raise Exception("Unexpected replay reported (2)")
627
628 addr = "ff:ff:ff:ff:ff:ff" if gtk else dev[0].own_addr()
629 if "OK" not in hapd.request("RESET_PN " + addr):
630 raise Exception("RESET_PN failed")
631 time.sleep(0.1)
632 hwsim_utils.test_connectivity(dev[0], hapd, timeout=1,
633 success_expected=False)
634
635 if cipher != "TKIP":
636 replays = get_tk_replay_counter(phy, gtk)
637 if replays < 1:
638 raise Exception("Replays not reported")
639
640 def test_ap_wpa2_delayed_m3_retransmission(dev, apdev):
641 """Delayed M3 retransmission"""
642 require_under_vm()
643 try:
644 subprocess.call(['sysctl', '-w', 'net.ipv6.conf.all.disable_ipv6=1'],
645 stdout=open('/dev/null', 'w'))
646 subprocess.call(['sysctl', '-w',
647 'net.ipv6.conf.default.disable_ipv6=1'],
648 stdout=open('/dev/null', 'w'))
649 run_ap_wpa2_delayed_m3_retransmission(dev, apdev)
650 finally:
651 subprocess.call(['sysctl', '-w', 'net.ipv6.conf.all.disable_ipv6=0'],
652 stdout=open('/dev/null', 'w'))
653 subprocess.call(['sysctl', '-w',
654 'net.ipv6.conf.default.disable_ipv6=0'],
655 stdout=open('/dev/null', 'w'))
656
657 def run_ap_wpa2_delayed_m3_retransmission(dev, apdev):
658 params = hostapd.wpa2_params(ssid="test-wpa2-psk", passphrase="12345678")
659 hapd = hostapd.add_ap(apdev[0], params)
660
661 Wlantest.setup(hapd)
662 wt = Wlantest()
663 wt.flush()
664 wt.add_passphrase("12345678")
665
666 phy = dev[0].get_driver_status_field("phyname")
667 dev[0].connect("test-wpa2-psk", psk="12345678", scan_freq="2412")
668 hapd.wait_sta()
669
670 for i in range(5):
671 hwsim_utils.test_connectivity(dev[0], hapd)
672
673 time.sleep(0.1)
674 before_tk = get_rx_spec(phy, gtk=False).splitlines()
675 before_gtk = get_rx_spec(phy, gtk=True).splitlines()
676 addr = dev[0].own_addr()
677 if "OK" not in hapd.request("RESEND_M3 " + addr):
678 raise Exception("RESEND_M3 failed")
679 time.sleep(0.1)
680 after_tk = get_rx_spec(phy, gtk=False).splitlines()
681 after_gtk = get_rx_spec(phy, gtk=True).splitlines()
682
683 if "OK" not in hapd.request("RESET_PN " + addr):
684 raise Exception("RESET_PN failed")
685 time.sleep(0.1)
686 hwsim_utils.test_connectivity(dev[0], hapd, timeout=1,
687 success_expected=False)
688 dev[0].request("DISCONNECT")
689 dev[0].wait_disconnected()
690
691 for i in range(len(before_tk)):
692 b = int(before_tk[i], 16)
693 a = int(after_tk[i], 16)
694 if a < b:
695 raise Exception("TK RX counter decreased: idx=%d before=%d after=%d" % (i, b, a))
696
697 for i in range(len(before_gtk)):
698 b = int(before_gtk[i], 16)
699 a = int(after_gtk[i], 16)
700 if a < b:
701 raise Exception("GTK RX counter decreased: idx=%d before=%d after=%d" % (i, b, a))
702
703 def test_ap_wpa2_delayed_m1_m3_retransmission(dev, apdev):
704 """Delayed M1+M3 retransmission"""
705 require_under_vm()
706 try:
707 subprocess.call(['sysctl', '-w', 'net.ipv6.conf.all.disable_ipv6=1'],
708 stdout=open('/dev/null', 'w'))
709 subprocess.call(['sysctl', '-w',
710 'net.ipv6.conf.default.disable_ipv6=1'],
711 stdout=open('/dev/null', 'w'))
712 run_ap_wpa2_delayed_m1_m3_retransmission(dev, apdev)
713 finally:
714 subprocess.call(['sysctl', '-w', 'net.ipv6.conf.all.disable_ipv6=0'],
715 stdout=open('/dev/null', 'w'))
716 subprocess.call(['sysctl', '-w',
717 'net.ipv6.conf.default.disable_ipv6=0'],
718 stdout=open('/dev/null', 'w'))
719
720 def test_ap_wpa2_delayed_m1_m3_retransmission2(dev, apdev):
721 """Delayed M1+M3 retransmission (change M1 ANonce)"""
722 require_under_vm()
723 try:
724 subprocess.call(['sysctl', '-w', 'net.ipv6.conf.all.disable_ipv6=1'],
725 stdout=open('/dev/null', 'w'))
726 subprocess.call(['sysctl', '-w',
727 'net.ipv6.conf.default.disable_ipv6=1'],
728 stdout=open('/dev/null', 'w'))
729 run_ap_wpa2_delayed_m1_m3_retransmission(dev, apdev, True)
730 finally:
731 subprocess.call(['sysctl', '-w', 'net.ipv6.conf.all.disable_ipv6=0'],
732 stdout=open('/dev/null', 'w'))
733 subprocess.call(['sysctl', '-w',
734 'net.ipv6.conf.default.disable_ipv6=0'],
735 stdout=open('/dev/null', 'w'))
736
737 def run_ap_wpa2_delayed_m1_m3_retransmission(dev, apdev,
738 change_m1_anonce=False):
739 params = hostapd.wpa2_params(ssid="test-wpa2-psk", passphrase="12345678")
740 hapd = hostapd.add_ap(apdev[0], params)
741
742 Wlantest.setup(hapd)
743 wt = Wlantest()
744 wt.flush()
745 wt.add_passphrase("12345678")
746
747 phy = dev[0].get_driver_status_field("phyname")
748 dev[0].connect("test-wpa2-psk", psk="12345678", scan_freq="2412")
749 hapd.wait_sta()
750
751 for i in range(5):
752 hwsim_utils.test_connectivity(dev[0], hapd)
753
754 time.sleep(0.1)
755 before_tk = get_rx_spec(phy, gtk=False).splitlines()
756 before_gtk = get_rx_spec(phy, gtk=True).splitlines()
757 addr = dev[0].own_addr()
758 if change_m1_anonce:
759 if "OK" not in hapd.request("RESEND_M1 " + addr + " change-anonce"):
760 raise Exception("RESEND_M1 failed")
761 if "OK" not in hapd.request("RESEND_M1 " + addr):
762 raise Exception("RESEND_M1 failed")
763 if "OK" not in hapd.request("RESEND_M3 " + addr):
764 raise Exception("RESEND_M3 failed")
765 time.sleep(0.1)
766 after_tk = get_rx_spec(phy, gtk=False).splitlines()
767 after_gtk = get_rx_spec(phy, gtk=True).splitlines()
768
769 if "OK" not in hapd.request("RESET_PN " + addr):
770 raise Exception("RESET_PN failed")
771 time.sleep(0.1)
772 hwsim_utils.test_connectivity(dev[0], hapd, timeout=1,
773 success_expected=False)
774 dev[0].request("DISCONNECT")
775 dev[0].wait_disconnected()
776
777 for i in range(len(before_tk)):
778 b = int(before_tk[i], 16)
779 a = int(after_tk[i], 16)
780 if a < b:
781 raise Exception("TK RX counter decreased: idx=%d before=%d after=%d" % (i, b, a))
782
783 for i in range(len(before_gtk)):
784 b = int(before_gtk[i], 16)
785 a = int(after_gtk[i], 16)
786 if a < b:
787 raise Exception("GTK RX counter decreased: idx=%d before=%d after=%d" % (i, b, a))
788
789 def test_ap_wpa2_delayed_group_m1_retransmission(dev, apdev):
790 """Delayed group M1 retransmission"""
791 require_under_vm()
792 try:
793 subprocess.call(['sysctl', '-w', 'net.ipv6.conf.all.disable_ipv6=1'],
794 stdout=open('/dev/null', 'w'))
795 subprocess.call(['sysctl', '-w',
796 'net.ipv6.conf.default.disable_ipv6=1'],
797 stdout=open('/dev/null', 'w'))
798 run_ap_wpa2_delayed_group_m1_retransmission(dev, apdev)
799 finally:
800 subprocess.call(['sysctl', '-w', 'net.ipv6.conf.all.disable_ipv6=0'],
801 stdout=open('/dev/null', 'w'))
802 subprocess.call(['sysctl', '-w',
803 'net.ipv6.conf.default.disable_ipv6=0'],
804 stdout=open('/dev/null', 'w'))
805
806 def run_ap_wpa2_delayed_group_m1_retransmission(dev, apdev):
807 params = hostapd.wpa2_params(ssid="test-wpa2-psk", passphrase="12345678")
808 hapd = hostapd.add_ap(apdev[0], params)
809
810 Wlantest.setup(hapd)
811 wt = Wlantest()
812 wt.flush()
813 wt.add_passphrase("12345678")
814
815 phy = dev[0].get_driver_status_field("phyname")
816 dev[0].connect("test-wpa2-psk", psk="12345678", scan_freq="2412")
817 hapd.wait_sta()
818
819 for i in range(5):
820 hwsim_utils.test_connectivity(dev[0], hapd)
821
822 time.sleep(0.1)
823 before = get_rx_spec(phy, gtk=True).splitlines()
824 addr = dev[0].own_addr()
825 if "OK" not in hapd.request("RESEND_GROUP_M1 " + addr):
826 raise Exception("RESEND_GROUP_M1 failed")
827 time.sleep(0.1)
828 after = get_rx_spec(phy, gtk=True).splitlines()
829
830 if "OK" not in hapd.request("RESET_PN " + addr):
831 raise Exception("RESET_PN failed")
832 time.sleep(0.1)
833 hwsim_utils.test_connectivity(dev[0], hapd, timeout=1,
834 success_expected=False)
835 dev[0].request("DISCONNECT")
836 dev[0].wait_disconnected()
837
838 for i in range(len(before)):
839 b = int(before[i], 16)
840 a = int(after[i], 16)
841 if a < b:
842 raise Exception("RX counter decreased: idx=%d before=%d after=%d" % (i, b, a))
843
844 def test_ap_wpa2_delayed_m1_m3_zero_tk(dev, apdev):
845 """Delayed M1+M3 retransmission and zero TK"""
846 params = hostapd.wpa2_params(ssid="test-wpa2-psk", passphrase="12345678")
847 hapd = hostapd.add_ap(apdev[0], params)
848
849 Wlantest.setup(hapd)
850 wt = Wlantest()
851 wt.flush()
852 wt.add_passphrase("12345678")
853
854 dev[0].connect("test-wpa2-psk", psk="12345678", scan_freq="2412")
855 hapd.wait_sta()
856
857 hwsim_utils.test_connectivity(dev[0], hapd)
858 addr = dev[0].own_addr()
859 if "OK" not in hapd.request("RESEND_M1 " + addr + " change-anonce"):
860 raise Exception("RESEND_M1 failed")
861 if "OK" not in hapd.request("RESEND_M1 " + addr):
862 raise Exception("RESEND_M1 failed")
863 if "OK" not in hapd.request("RESEND_M3 " + addr):
864 raise Exception("RESEND_M3 failed")
865
866 if "OK" not in hapd.request("SET_KEY 3 %s %d %d %s %s" % (addr, 0, 1, 6*"00", 16*"00")):
867 raise Exception("SET_KEY failed")
868 time.sleep(0.1)
869 hwsim_utils.test_connectivity(dev[0], hapd, timeout=1, broadcast=False,
870 success_expected=False)
871 dev[0].request("DISCONNECT")
872 dev[0].wait_disconnected()
873
874 def test_ap_wpa2_plaintext_m1_m3(dev, apdev):
875 """Plaintext M1/M3 during PTK rekey"""
876 params = hostapd.wpa2_params(ssid="test-wpa2-psk", passphrase="12345678")
877 hapd = hostapd.add_ap(apdev[0], params)
878
879 Wlantest.setup(hapd)
880 wt = Wlantest()
881 wt.flush()
882 wt.add_passphrase("12345678")
883
884 dev[0].connect("test-wpa2-psk", psk="12345678", scan_freq="2412")
885
886 time.sleep(0.1)
887 addr = dev[0].own_addr()
888 if "OK" not in hapd.request("RESEND_M1 " + addr + " plaintext"):
889 raise Exception("RESEND_M1 failed")
890 time.sleep(0.1)
891 if "OK" not in hapd.request("RESEND_M3 " + addr + " plaintext"):
892 raise Exception("RESEND_M3 failed")
893 time.sleep(0.1)
894
895 def test_ap_wpa2_plaintext_m1_m3_pmf(dev, apdev):
896 """Plaintext M1/M3 during PTK rekey (PMF)"""
897 params = hostapd.wpa2_params(ssid="test-wpa2-psk", passphrase="12345678")
898 params["ieee80211w"] = "2"
899 hapd = hostapd.add_ap(apdev[0], params)
900
901 Wlantest.setup(hapd)
902 wt = Wlantest()
903 wt.flush()
904 wt.add_passphrase("12345678")
905
906 dev[0].connect("test-wpa2-psk", psk="12345678", ieee80211w="2",
907 scan_freq="2412")
908
909 time.sleep(0.1)
910 addr = dev[0].own_addr()
911 if "OK" not in hapd.request("RESEND_M1 " + addr + " plaintext"):
912 raise Exception("RESEND_M1 failed")
913 time.sleep(0.1)
914 if "OK" not in hapd.request("RESEND_M3 " + addr + " plaintext"):
915 raise Exception("RESEND_M3 failed")
916 time.sleep(0.1)
917
918 def test_ap_wpa2_plaintext_m3(dev, apdev):
919 """Plaintext M3 during PTK rekey"""
920 params = hostapd.wpa2_params(ssid="test-wpa2-psk", passphrase="12345678")
921 hapd = hostapd.add_ap(apdev[0], params)
922
923 Wlantest.setup(hapd)
924 wt = Wlantest()
925 wt.flush()
926 wt.add_passphrase("12345678")
927
928 dev[0].connect("test-wpa2-psk", psk="12345678", scan_freq="2412")
929
930 time.sleep(0.1)
931 addr = dev[0].own_addr()
932 if "OK" not in hapd.request("RESEND_M1 " + addr):
933 raise Exception("RESEND_M1 failed")
934 time.sleep(0.1)
935 if "OK" not in hapd.request("RESEND_M3 " + addr + " plaintext"):
936 raise Exception("RESEND_M3 failed")
937 time.sleep(0.1)
938
939 def test_ap_wpa2_plaintext_group_m1(dev, apdev):
940 """Plaintext group M1"""
941 params = hostapd.wpa2_params(ssid="test-wpa2-psk", passphrase="12345678")
942 hapd = hostapd.add_ap(apdev[0], params)
943
944 Wlantest.setup(hapd)
945 wt = Wlantest()
946 wt.flush()
947 wt.add_passphrase("12345678")
948
949 dev[0].connect("test-wpa2-psk", psk="12345678", scan_freq="2412")
950
951 time.sleep(0.1)
952 addr = dev[0].own_addr()
953 if "OK" not in hapd.request("RESEND_GROUP_M1 " + addr + " plaintext"):
954 raise Exception("RESEND_GROUP_M1 failed")
955 time.sleep(0.2)
956 if "OK" not in hapd.request("RESEND_GROUP_M1 " + addr):
957 raise Exception("RESEND_GROUP_M1 failed")
958 time.sleep(0.1)
959
960 def test_ap_wpa2_plaintext_group_m1_pmf(dev, apdev):
961 """Plaintext group M1 (PMF)"""
962 params = hostapd.wpa2_params(ssid="test-wpa2-psk", passphrase="12345678")
963 params["ieee80211w"] = "2"
964 hapd = hostapd.add_ap(apdev[0], params)
965
966 Wlantest.setup(hapd)
967 wt = Wlantest()
968 wt.flush()
969 wt.add_passphrase("12345678")
970
971 dev[0].connect("test-wpa2-psk", psk="12345678", ieee80211w="2",
972 scan_freq="2412")
973
974 time.sleep(0.1)
975 addr = dev[0].own_addr()
976 if "OK" not in hapd.request("RESEND_GROUP_M1 " + addr + " plaintext"):
977 raise Exception("RESEND_GROUP_M1 failed")
978 time.sleep(0.2)
979 if "OK" not in hapd.request("RESEND_GROUP_M1 " + addr):
980 raise Exception("RESEND_GROUP_M1 failed")
981 time.sleep(0.1)
Unnamed repository; edit this file 'description' to name the repository.