]>
git.ipfire.org Git - thirdparty/hostap.git/blob - tests/hwsim/test_ap_ciphers.py
2 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
4 # This software may be distributed under the terms of the BSD license.
5 # See README for more details.
7 from remotehost
import remote_compatible
10 logger
= logging
.getLogger()
16 from utils
import HwsimSkip
, skip_with_fips
, require_under_vm
17 from wlantest
import Wlantest
18 from wpasupplicant
import WpaSupplicant
20 def check_cipher(dev
, ap
, cipher
, group_cipher
=None):
21 if cipher
not in dev
.get_capability("pairwise"):
22 raise HwsimSkip("Cipher %s not supported" % cipher
)
23 if group_cipher
and group_cipher
not in dev
.get_capability("group"):
24 raise HwsimSkip("Cipher %s not supported" % group_cipher
)
25 params
= {"ssid": "test-wpa2-psk",
26 "wpa_passphrase": "12345678",
28 "wpa_key_mgmt": "WPA-PSK",
29 "rsn_pairwise": cipher
}
31 params
["group_cipher"] = group_cipher
34 hapd
= hostapd
.add_ap(ap
, params
)
35 dev
.connect("test-wpa2-psk", psk
="12345678",
36 pairwise
=cipher
, group
=group_cipher
, scan_freq
="2412")
38 hwsim_utils
.test_connectivity(dev
, hapd
)
40 def check_group_mgmt_cipher(dev
, ap
, cipher
, sta_req_cipher
=None):
41 if cipher
not in dev
.get_capability("group_mgmt"):
42 raise HwsimSkip("Cipher %s not supported" % cipher
)
43 params
= {"ssid": "test-wpa2-psk-pmf",
44 "wpa_passphrase": "12345678",
47 "wpa_key_mgmt": "WPA-PSK-SHA256",
48 "rsn_pairwise": "CCMP",
49 "group_mgmt_cipher": cipher
}
50 hapd
= hostapd
.add_ap(ap
, params
)
55 wt
.add_passphrase("12345678")
57 dev
.connect("test-wpa2-psk-pmf", psk
="12345678", ieee80211w
="2",
58 key_mgmt
="WPA-PSK-SHA256", group_mgmt
=sta_req_cipher
,
59 pairwise
="CCMP", group
="CCMP", scan_freq
="2412")
61 hwsim_utils
.test_connectivity(dev
, hapd
)
62 hapd
.request("DEAUTHENTICATE ff:ff:ff:ff:ff:ff")
63 dev
.wait_disconnected()
64 if wt
.get_bss_counter('valid_bip_mmie', ap
['bssid']) < 1:
65 raise Exception("No valid BIP MMIE seen")
66 if wt
.get_bss_counter('bip_deauth', ap
['bssid']) < 1:
67 raise Exception("No valid BIP deauth seen")
69 if cipher
== "AES-128-CMAC":
73 res
= wt
.info_bss('group_mgmt', ap
['bssid']).strip()
75 raise Exception("Unexpected group mgmt cipher: " + res
)
78 def test_ap_cipher_tkip(dev
, apdev
):
79 """WPA2-PSK/TKIP connection"""
80 skip_with_fips(dev
[0])
81 check_cipher(dev
[0], apdev
[0], "TKIP")
84 def test_ap_cipher_tkip_countermeasures_ap(dev
, apdev
):
85 """WPA-PSK/TKIP countermeasures (detected by AP)"""
86 skip_with_fips(dev
[0])
87 testfile
= "/sys/kernel/debug/ieee80211/%s/netdev:%s/tkip_mic_test" % (dev
[0].get_driver_status_field("phyname"), dev
[0].ifname
)
88 if dev
[0].cmd_execute(["ls", testfile
])[0] != 0:
89 raise HwsimSkip("tkip_mic_test not supported in mac80211")
91 params
= {"ssid": "tkip-countermeasures",
92 "wpa_passphrase": "12345678",
94 "wpa_key_mgmt": "WPA-PSK",
95 "wpa_pairwise": "TKIP"}
96 hapd
= hostapd
.add_ap(apdev
[0], params
)
98 dev
[0].connect("tkip-countermeasures", psk
="12345678",
99 pairwise
="TKIP", group
="TKIP", scan_freq
="2412")
101 dev
[0].dump_monitor()
102 dev
[0].cmd_execute(["echo", "-n", apdev
[0]['bssid'], ">", testfile
],
104 ev
= dev
[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout
=1)
106 raise Exception("Unexpected disconnection on first Michael MIC failure")
108 dev
[0].cmd_execute(["echo", "-n", "ff:ff:ff:ff:ff:ff", ">", testfile
],
110 ev
= dev
[0].wait_disconnected(timeout
=10,
111 error
="No disconnection after two Michael MIC failures")
112 if "reason=14" not in ev
:
113 raise Exception("Unexpected disconnection reason: " + ev
)
114 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout
=1)
116 raise Exception("Unexpected connection during TKIP countermeasures")
118 def test_ap_cipher_tkip_countermeasures_ap_mixed_mode(dev
, apdev
):
119 """WPA+WPA2-PSK/TKIP countermeasures (detected by mixed mode AP)"""
120 skip_with_fips(dev
[0])
121 testfile
= "/sys/kernel/debug/ieee80211/%s/netdev:%s/tkip_mic_test" % (dev
[0].get_driver_status_field("phyname"), dev
[0].ifname
)
122 if dev
[0].cmd_execute(["ls", testfile
])[0] != 0:
123 raise HwsimSkip("tkip_mic_test not supported in mac80211")
125 params
= {"ssid": "tkip-countermeasures",
126 "wpa_passphrase": "12345678",
128 "wpa_key_mgmt": "WPA-PSK",
129 "wpa_pairwise": "TKIP",
130 "rsn_pairwise": "CCMP"}
131 hapd
= hostapd
.add_ap(apdev
[0], params
)
133 dev
[0].connect("tkip-countermeasures", psk
="12345678",
134 pairwise
="TKIP", group
="TKIP", scan_freq
="2412")
135 dev
[1].connect("tkip-countermeasures", psk
="12345678",
136 pairwise
="CCMP", scan_freq
="2412")
138 dev
[0].dump_monitor()
139 dev
[0].cmd_execute(["echo", "-n", apdev
[0]['bssid'], ">", testfile
],
141 ev
= dev
[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout
=1)
143 raise Exception("Unexpected disconnection on first Michael MIC failure")
145 dev
[0].cmd_execute(["echo", "-n", "ff:ff:ff:ff:ff:ff", ">", testfile
],
148 ev
= dev
[0].wait_disconnected(timeout
=10,
149 error
="No disconnection after two Michael MIC failures")
150 if "reason=14" not in ev
:
151 raise Exception("Unexpected disconnection reason: " + ev
)
153 ev
= dev
[1].wait_disconnected(timeout
=10,
154 error
="No disconnection after two Michael MIC failures (2)")
155 if "reason=14" not in ev
:
156 raise Exception("Unexpected disconnection reason (2): " + ev
)
158 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout
=1)
160 raise Exception("Unexpected connection during TKIP countermeasures (1)")
161 ev
= dev
[1].wait_event(["CTRL-EVENT-CONNECTED"], timeout
=1)
163 raise Exception("Unexpected connection during TKIP countermeasures (2)")
166 def test_ap_cipher_tkip_countermeasures_sta(dev
, apdev
):
167 """WPA-PSK/TKIP countermeasures (detected by STA)"""
168 skip_with_fips(dev
[0])
169 params
= {"ssid": "tkip-countermeasures",
170 "wpa_passphrase": "12345678",
172 "wpa_key_mgmt": "WPA-PSK",
173 "wpa_pairwise": "TKIP"}
174 hapd
= hostapd
.add_ap(apdev
[0], params
)
176 testfile
= "/sys/kernel/debug/ieee80211/%s/netdev:%s/tkip_mic_test" % (hapd
.get_driver_status_field("phyname"), apdev
[0]['ifname'])
177 if hapd
.cmd_execute(["ls", testfile
])[0] != 0:
178 raise HwsimSkip("tkip_mic_test not supported in mac80211")
180 dev
[0].connect("tkip-countermeasures", psk
="12345678",
181 pairwise
="TKIP", group
="TKIP", scan_freq
="2412")
183 dev
[0].dump_monitor()
184 hapd
.cmd_execute(["echo", "-n", dev
[0].own_addr(), ">", testfile
],
186 ev
= dev
[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout
=1)
188 raise Exception("Unexpected disconnection on first Michael MIC failure")
190 hapd
.cmd_execute(["echo", "-n", "ff:ff:ff:ff:ff:ff", ">", testfile
],
192 ev
= dev
[0].wait_disconnected(timeout
=10,
193 error
="No disconnection after two Michael MIC failures")
194 if "reason=14 locally_generated=1" not in ev
:
195 raise Exception("Unexpected disconnection reason: " + ev
)
196 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout
=1)
198 raise Exception("Unexpected connection during TKIP countermeasures")
200 def test_ap_cipher_tkip_countermeasures_sta2(dev
, apdev
, params
):
201 """WPA-PSK/TKIP countermeasures (detected by two STAs) [long]"""
202 if not params
['long']:
203 raise HwsimSkip("Skip test case with long duration due to --long not specified")
204 skip_with_fips(dev
[0])
205 params
= {"ssid": "tkip-countermeasures",
206 "wpa_passphrase": "12345678",
208 "wpa_key_mgmt": "WPA-PSK",
209 "wpa_pairwise": "TKIP"}
210 hapd
= hostapd
.add_ap(apdev
[0], params
)
212 testfile
= "/sys/kernel/debug/ieee80211/%s/netdev:%s/tkip_mic_test" % (hapd
.get_driver_status_field("phyname"), apdev
[0]['ifname'])
213 if hapd
.cmd_execute(["ls", testfile
])[0] != 0:
214 raise HwsimSkip("tkip_mic_test not supported in mac80211")
216 dev
[0].connect("tkip-countermeasures", psk
="12345678",
217 pairwise
="TKIP", group
="TKIP", scan_freq
="2412")
218 dev
[0].dump_monitor()
219 id = dev
[1].connect("tkip-countermeasures", psk
="12345678",
220 pairwise
="TKIP", group
="TKIP", scan_freq
="2412")
221 dev
[1].dump_monitor()
223 hapd
.cmd_execute(["echo", "-n", "ff:ff:ff:ff:ff:ff", ">", testfile
],
225 ev
= dev
[0].wait_disconnected(timeout
=10,
226 error
="No disconnection after two Michael MIC failure")
227 if "reason=14" not in ev
:
228 raise Exception("Unexpected disconnection reason: " + ev
)
229 ev
= dev
[1].wait_disconnected(timeout
=5,
230 error
="No disconnection after two Michael MIC failure")
231 if "reason=14" not in ev
:
232 raise Exception("Unexpected disconnection reason: " + ev
)
233 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout
=1)
235 raise Exception("Unexpected connection during TKIP countermeasures")
236 ev
= dev
[1].wait_event(["CTRL-EVENT-CONNECTED"], timeout
=1)
238 raise Exception("Unexpected connection during TKIP countermeasures")
240 dev
[0].request("REMOVE_NETWORK all")
241 logger
.info("Waiting for TKIP countermeasures to end")
243 start
= os
.times()[4]
248 dev
[0].connect("tkip-countermeasures", psk
="12345678",
249 pairwise
="TKIP", group
="TKIP", scan_freq
="2412",
251 ev
= dev
[0].wait_event(["CTRL-EVENT-AUTH-REJECT",
252 "CTRL-EVENT-CONNECTED"], timeout
=10)
254 raise Exception("No connection result")
255 if "CTRL-EVENT-CONNECTED" in ev
:
258 if "status_code=1" not in ev
:
259 raise Exception("Unexpected connection failure reason during TKIP countermeasures: " + ev
)
260 dev
[0].request("REMOVE_NETWORK all")
262 dev
[0].dump_monitor()
263 dev
[1].dump_monitor()
265 raise Exception("No connection after TKIP countermeasures terminated")
267 ev
= dev
[1].wait_event(["CTRL-EVENT-CONNECTED"], timeout
=1)
269 dev
[1].request("DISCONNECT")
270 dev
[1].select_network(id)
271 dev
[1].wait_connected()
274 def test_ap_cipher_ccmp(dev
, apdev
):
275 """WPA2-PSK/CCMP connection"""
276 check_cipher(dev
[0], apdev
[0], "CCMP")
278 def test_ap_cipher_gcmp(dev
, apdev
):
279 """WPA2-PSK/GCMP connection"""
280 check_cipher(dev
[0], apdev
[0], "GCMP")
282 def test_ap_cipher_ccmp_256(dev
, apdev
):
283 """WPA2-PSK/CCMP-256 connection"""
284 check_cipher(dev
[0], apdev
[0], "CCMP-256")
286 def test_ap_cipher_gcmp_256(dev
, apdev
):
287 """WPA2-PSK/GCMP-256 connection"""
288 check_cipher(dev
[0], apdev
[0], "GCMP-256")
290 def test_ap_cipher_gcmp_256_group_gcmp_256(dev
, apdev
):
291 """WPA2-PSK/GCMP-256 connection with group cipher override GCMP-256"""
292 check_cipher(dev
[0], apdev
[0], "GCMP-256", "GCMP-256")
294 def test_ap_cipher_gcmp_256_group_gcmp(dev
, apdev
):
295 """WPA2-PSK/GCMP-256 connection with group cipher override GCMP"""
296 check_cipher(dev
[0], apdev
[0], "GCMP-256", "GCMP")
298 def test_ap_cipher_gcmp_256_group_ccmp_256(dev
, apdev
):
299 """WPA2-PSK/GCMP-256 connection with group cipher override CCMP-256"""
300 check_cipher(dev
[0], apdev
[0], "GCMP-256", "CCMP-256")
302 def test_ap_cipher_gcmp_256_group_ccmp(dev
, apdev
):
303 """WPA2-PSK/GCMP-256 connection with group cipher override CCMP"""
304 check_cipher(dev
[0], apdev
[0], "GCMP-256", "CCMP")
306 def test_ap_cipher_gcmp_ccmp(dev
, apdev
, params
):
307 """WPA2-PSK/GCMP/CCMP ciphers"""
308 config
= os
.path
.join(params
['logdir'], 'ap_cipher_gcmp_ccmp.conf')
310 for cipher
in ["CCMP", "GCMP", "CCMP-256", "GCMP-256"]:
311 if cipher
not in dev
[0].get_capability("pairwise"):
312 raise HwsimSkip("Cipher %s not supported" % cipher
)
313 if cipher
not in dev
[0].get_capability("group"):
314 raise HwsimSkip("Group cipher %s not supported" % cipher
)
316 params
= {"ssid": "test-wpa2-psk",
317 "wpa_passphrase": "12345678",
319 "wpa_key_mgmt": "WPA-PSK",
320 "rsn_pairwise": "CCMP GCMP CCMP-256 GCMP-256"}
321 hapd
= hostapd
.add_ap(apdev
[0], params
)
324 for cipher
in ["CCMP", "GCMP", "CCMP-256", "GCMP-256"]:
325 dev
[0].connect("test-wpa2-psk", psk
="12345678",
326 pairwise
=cipher
, group
="CCMP", scan_freq
="2412")
327 if dev
[0].get_status_field("group_cipher") != "CCMP":
328 raise Exception("Unexpected group_cipher")
329 if dev
[0].get_status_field("pairwise_cipher") != cipher
:
330 raise Exception("Unexpected pairwise_cipher")
331 dev
[0].request("REMOVE_NETWORK all")
332 dev
[0].wait_disconnected()
334 dev
[0].connect("test-wpa2-psk", psk
="12345678",
335 pairwise
="CCMP CCMP-256 GCMP GCMP-256",
336 group
="CCMP CCMP-256 GCMP GCMP-256", scan_freq
="2412")
337 if dev
[0].get_status_field("group_cipher") != "CCMP":
338 raise Exception("Unexpected group_cipher")
339 res
= dev
[0].get_status_field("pairwise_cipher")
340 if res
!= "CCMP-256" and res
!= "GCMP-256":
341 raise Exception("Unexpected pairwise_cipher")
344 with
open(config
, "w") as f
:
345 f
.write("network={\n" +
346 "\tssid=\"test-wpa2-psk\"\n" +
347 "\tkey_mgmt=WPA-PSK\n" +
348 "\tpsk=\"12345678\"\n" +
349 "\tpairwise=GCMP\n" +
351 "\tscan_freq=2412\n" +
354 wpas
= WpaSupplicant(global_iface
='/tmp/wpas-wlan5')
355 wpas
.interface_add("wlan5", config
=config
)
356 wpas
.wait_connected()
357 if wpas
.get_status_field("group_cipher") != "CCMP":
358 raise Exception("Unexpected group_cipher")
359 if wpas
.get_status_field("pairwise_cipher") != "GCMP":
360 raise Exception("Unexpected pairwise_cipher")
365 def test_ap_cipher_mixed_wpa_wpa2(dev
, apdev
):
366 """WPA2-PSK/CCMP/ and WPA-PSK/TKIP mixed configuration"""
367 skip_with_fips(dev
[0])
368 ssid
= "test-wpa-wpa2-psk"
369 passphrase
= "12345678"
370 params
= {"ssid": ssid
,
371 "wpa_passphrase": passphrase
,
373 "wpa_key_mgmt": "WPA-PSK",
374 "rsn_pairwise": "CCMP",
375 "wpa_pairwise": "TKIP"}
376 hapd
= hostapd
.add_ap(apdev
[0], params
)
377 dev
[0].flush_scan_cache()
378 dev
[0].connect(ssid
, psk
=passphrase
, proto
="WPA2",
379 pairwise
="CCMP", group
="TKIP", scan_freq
="2412")
380 status
= dev
[0].get_status()
381 if status
['key_mgmt'] != 'WPA2-PSK':
382 raise Exception("Incorrect key_mgmt reported")
383 if status
['pairwise_cipher'] != 'CCMP':
384 raise Exception("Incorrect pairwise_cipher reported")
385 if status
['group_cipher'] != 'TKIP':
386 raise Exception("Incorrect group_cipher reported")
387 bss
= dev
[0].get_bss(apdev
[0]['bssid'])
388 if bss
['ssid'] != ssid
:
389 raise Exception("Unexpected SSID in the BSS entry")
390 if "[WPA-PSK-TKIP]" not in bss
['flags']:
391 raise Exception("Missing BSS flag WPA-PSK-TKIP")
392 if "[WPA2-PSK-CCMP]" not in bss
['flags']:
393 raise Exception("Missing BSS flag WPA2-PSK-CCMP")
395 hwsim_utils
.test_connectivity(dev
[0], hapd
)
397 dev
[1].connect(ssid
, psk
=passphrase
, proto
="WPA",
398 pairwise
="TKIP", group
="TKIP", scan_freq
="2412")
399 status
= dev
[1].get_status()
400 if status
['key_mgmt'] != 'WPA-PSK':
401 raise Exception("Incorrect key_mgmt reported")
402 if status
['pairwise_cipher'] != 'TKIP':
403 raise Exception("Incorrect pairwise_cipher reported")
404 if status
['group_cipher'] != 'TKIP':
405 raise Exception("Incorrect group_cipher reported")
407 hwsim_utils
.test_connectivity(dev
[1], hapd
)
408 hwsim_utils
.test_connectivity(dev
[0], dev
[1])
411 def test_ap_cipher_bip(dev
, apdev
):
412 """WPA2-PSK with BIP"""
413 check_group_mgmt_cipher(dev
[0], apdev
[0], "AES-128-CMAC")
415 def test_ap_cipher_bip_req(dev
, apdev
):
416 """WPA2-PSK with BIP required"""
417 check_group_mgmt_cipher(dev
[0], apdev
[0], "AES-128-CMAC", "AES-128-CMAC")
419 def test_ap_cipher_bip_req2(dev
, apdev
):
420 """WPA2-PSK with BIP required (2)"""
421 check_group_mgmt_cipher(dev
[0], apdev
[0], "AES-128-CMAC",
422 "AES-128-CMAC BIP-GMAC-128 BIP-GMAC-256 BIP-CMAC-256")
424 def test_ap_cipher_bip_gmac_128(dev
, apdev
):
425 """WPA2-PSK with BIP-GMAC-128"""
426 check_group_mgmt_cipher(dev
[0], apdev
[0], "BIP-GMAC-128")
428 def test_ap_cipher_bip_gmac_128_req(dev
, apdev
):
429 """WPA2-PSK with BIP-GMAC-128 required"""
430 check_group_mgmt_cipher(dev
[0], apdev
[0], "BIP-GMAC-128", "BIP-GMAC-128")
432 def test_ap_cipher_bip_gmac_256(dev
, apdev
):
433 """WPA2-PSK with BIP-GMAC-256"""
434 check_group_mgmt_cipher(dev
[0], apdev
[0], "BIP-GMAC-256")
436 def test_ap_cipher_bip_gmac_256_req(dev
, apdev
):
437 """WPA2-PSK with BIP-GMAC-256 required"""
438 check_group_mgmt_cipher(dev
[0], apdev
[0], "BIP-GMAC-256", "BIP-GMAC-256")
440 def test_ap_cipher_bip_cmac_256(dev
, apdev
):
441 """WPA2-PSK with BIP-CMAC-256"""
442 check_group_mgmt_cipher(dev
[0], apdev
[0], "BIP-CMAC-256")
444 def test_ap_cipher_bip_cmac_256_req(dev
, apdev
):
445 """WPA2-PSK with BIP-CMAC-256 required"""
446 check_group_mgmt_cipher(dev
[0], apdev
[0], "BIP-CMAC-256", "BIP-CMAC-256")
448 def test_ap_cipher_bip_req_mismatch(dev
, apdev
):
449 """WPA2-PSK with BIP cipher mismatch"""
450 group_mgmt
= dev
[0].get_capability("group_mgmt")
451 for cipher
in ["AES-128-CMAC", "BIP-GMAC-256"]:
452 if cipher
not in group_mgmt
:
453 raise HwsimSkip("Cipher %s not supported" % cipher
)
455 params
= {"ssid": "test-wpa2-psk-pmf",
456 "wpa_passphrase": "12345678",
459 "wpa_key_mgmt": "WPA-PSK-SHA256",
460 "rsn_pairwise": "CCMP",
461 "group_mgmt_cipher": "AES-128-CMAC"}
462 hapd
= hostapd
.add_ap(apdev
[0], params
)
464 dev
[0].scan_for_bss(hapd
.own_addr(), 2412)
465 id = dev
[0].connect("test-wpa2-psk-pmf", psk
="12345678", ieee80211w
="2",
466 key_mgmt
="WPA-PSK-SHA256", group_mgmt
="BIP-GMAC-256",
467 pairwise
="CCMP", group
="CCMP", scan_freq
="2412",
469 ev
= dev
[0].wait_event(["CTRL-EVENT-NETWORK-NOT-FOUND",
470 "CTRL-EVENT-CONNECTED"], timeout
=10)
472 raise Exception("Network selection result not indicated")
473 if "CTRL-EVENT-CONNECTED" in ev
:
474 raise Exception("Unexpected connection")
476 dev
[0].request("DISCONNECT")
477 dev
[0].set_network(id, "group_mgmt", "AES-128-CMAC")
478 dev
[0].select_network(id)
479 dev
[0].wait_connected()
481 def get_rx_spec(phy
, gtk
=False):
482 keys
= "/sys/kernel/debug/ieee80211/%s/keys" % (phy
)
484 for key
in os
.listdir(keys
):
485 keydir
= keys
+ "/" + key
486 files
= os
.listdir(keydir
)
487 if not gtk
and "station" not in files
:
489 if gtk
and "station" in files
:
491 with
open(keydir
+ "/rx_spec") as f
:
494 raise HwsimSkip("debugfs not supported in mac80211")
497 def get_tk_replay_counter(phy
, gtk
=False):
498 keys
= "/sys/kernel/debug/ieee80211/%s/keys" % (phy
)
500 for key
in os
.listdir(keys
):
501 keydir
= keys
+ "/" + key
502 files
= os
.listdir(keydir
)
503 if not gtk
and "station" not in files
:
505 if gtk
and "station" in files
:
507 with
open(keydir
+ "/replays") as f
:
510 raise HwsimSkip("debugfs not supported in mac80211")
513 def test_ap_cipher_replay_protection_ap_ccmp(dev
, apdev
):
514 """CCMP replay protection on AP"""
515 run_ap_cipher_replay_protection_ap(dev
, apdev
, "CCMP")
517 def test_ap_cipher_replay_protection_ap_tkip(dev
, apdev
):
518 """TKIP replay protection on AP"""
519 run_ap_cipher_replay_protection_ap(dev
, apdev
, "TKIP")
521 def test_ap_cipher_replay_protection_ap_gcmp(dev
, apdev
):
522 """GCMP replay protection on AP"""
523 if "GCMP" not in dev
[0].get_capability("pairwise"):
524 raise HwsimSkip("GCMP not supported")
525 run_ap_cipher_replay_protection_ap(dev
, apdev
, "GCMP")
527 def run_ap_cipher_replay_protection_ap(dev
, apdev
, cipher
):
528 params
= {"ssid": "test-wpa2-psk",
529 "wpa_passphrase": "12345678",
531 "wpa_key_mgmt": "WPA-PSK",
532 "rsn_pairwise": cipher
}
533 hapd
= hostapd
.add_ap(apdev
[0], params
)
534 phy
= hapd
.get_driver_status_field("phyname")
539 wt
.add_passphrase("12345678")
541 dev
[0].connect("test-wpa2-psk", psk
="12345678",
542 pairwise
=cipher
, group
=cipher
, scan_freq
="2412")
546 replays
= get_tk_replay_counter(phy
)
548 raise Exception("Unexpected replay reported (1)")
551 hwsim_utils
.test_connectivity(dev
[0], hapd
)
554 replays
= get_tk_replay_counter(phy
)
556 raise Exception("Unexpected replay reported (2)")
558 if "OK" not in dev
[0].request("RESET_PN"):
559 raise Exception("RESET_PN failed")
561 hwsim_utils
.test_connectivity(dev
[0], hapd
, timeout
=1,
562 success_expected
=False)
565 replays
= get_tk_replay_counter(phy
)
567 raise Exception("Replays not reported")
569 def test_ap_cipher_replay_protection_sta_ccmp(dev
, apdev
):
570 """CCMP replay protection on STA (TK)"""
571 run_ap_cipher_replay_protection_sta(dev
, apdev
, "CCMP")
573 def test_ap_cipher_replay_protection_sta_tkip(dev
, apdev
):
574 """TKIP replay protection on STA (TK)"""
575 run_ap_cipher_replay_protection_sta(dev
, apdev
, "TKIP")
577 def test_ap_cipher_replay_protection_sta_gcmp(dev
, apdev
):
578 """GCMP replay protection on STA (TK)"""
579 if "GCMP" not in dev
[0].get_capability("pairwise"):
580 raise HwsimSkip("GCMP not supported")
581 run_ap_cipher_replay_protection_sta(dev
, apdev
, "GCMP")
583 def test_ap_cipher_replay_protection_sta_gtk_ccmp(dev
, apdev
):
584 """CCMP replay protection on STA (GTK)"""
585 run_ap_cipher_replay_protection_sta(dev
, apdev
, "CCMP", gtk
=True)
587 def test_ap_cipher_replay_protection_sta_gtk_tkip(dev
, apdev
):
588 """TKIP replay protection on STA (GTK)"""
589 run_ap_cipher_replay_protection_sta(dev
, apdev
, "TKIP", gtk
=True)
591 def test_ap_cipher_replay_protection_sta_gtk_gcmp(dev
, apdev
):
592 """GCMP replay protection on STA (GTK)"""
593 if "GCMP" not in dev
[0].get_capability("pairwise"):
594 raise HwsimSkip("GCMP not supported")
595 run_ap_cipher_replay_protection_sta(dev
, apdev
, "GCMP", gtk
=True)
597 def run_ap_cipher_replay_protection_sta(dev
, apdev
, cipher
, gtk
=False):
598 params
= {"ssid": "test-wpa2-psk",
599 "wpa_passphrase": "12345678",
601 "wpa_key_mgmt": "WPA-PSK",
602 "rsn_pairwise": cipher
}
603 hapd
= hostapd
.add_ap(apdev
[0], params
)
608 wt
.add_passphrase("12345678")
610 phy
= dev
[0].get_driver_status_field("phyname")
611 dev
[0].connect("test-wpa2-psk", psk
="12345678",
612 pairwise
=cipher
, group
=cipher
, scan_freq
="2412")
616 replays
= get_tk_replay_counter(phy
, gtk
)
618 raise Exception("Unexpected replay reported (1)")
621 hwsim_utils
.test_connectivity(dev
[0], hapd
)
624 replays
= get_tk_replay_counter(phy
, gtk
)
626 raise Exception("Unexpected replay reported (2)")
628 addr
= "ff:ff:ff:ff:ff:ff" if gtk
else dev
[0].own_addr()
629 if "OK" not in hapd
.request("RESET_PN " + addr
):
630 raise Exception("RESET_PN failed")
632 hwsim_utils
.test_connectivity(dev
[0], hapd
, timeout
=1,
633 success_expected
=False)
636 replays
= get_tk_replay_counter(phy
, gtk
)
638 raise Exception("Replays not reported")
640 def test_ap_wpa2_delayed_m3_retransmission(dev
, apdev
):
641 """Delayed M3 retransmission"""
644 subprocess
.call(['sysctl', '-w', 'net.ipv6.conf.all.disable_ipv6=1'],
645 stdout
=open('/dev/null', 'w'))
646 subprocess
.call(['sysctl', '-w',
647 'net.ipv6.conf.default.disable_ipv6=1'],
648 stdout
=open('/dev/null', 'w'))
649 run_ap_wpa2_delayed_m3_retransmission(dev
, apdev
)
651 subprocess
.call(['sysctl', '-w', 'net.ipv6.conf.all.disable_ipv6=0'],
652 stdout
=open('/dev/null', 'w'))
653 subprocess
.call(['sysctl', '-w',
654 'net.ipv6.conf.default.disable_ipv6=0'],
655 stdout
=open('/dev/null', 'w'))
657 def run_ap_wpa2_delayed_m3_retransmission(dev
, apdev
):
658 params
= hostapd
.wpa2_params(ssid
="test-wpa2-psk", passphrase
="12345678")
659 hapd
= hostapd
.add_ap(apdev
[0], params
)
664 wt
.add_passphrase("12345678")
666 phy
= dev
[0].get_driver_status_field("phyname")
667 dev
[0].connect("test-wpa2-psk", psk
="12345678", scan_freq
="2412")
671 hwsim_utils
.test_connectivity(dev
[0], hapd
)
674 before_tk
= get_rx_spec(phy
, gtk
=False).splitlines()
675 before_gtk
= get_rx_spec(phy
, gtk
=True).splitlines()
676 addr
= dev
[0].own_addr()
677 if "OK" not in hapd
.request("RESEND_M3 " + addr
):
678 raise Exception("RESEND_M3 failed")
680 after_tk
= get_rx_spec(phy
, gtk
=False).splitlines()
681 after_gtk
= get_rx_spec(phy
, gtk
=True).splitlines()
683 if "OK" not in hapd
.request("RESET_PN " + addr
):
684 raise Exception("RESET_PN failed")
686 hwsim_utils
.test_connectivity(dev
[0], hapd
, timeout
=1,
687 success_expected
=False)
688 dev
[0].request("DISCONNECT")
689 dev
[0].wait_disconnected()
691 for i
in range(len(before_tk
)):
692 b
= int(before_tk
[i
], 16)
693 a
= int(after_tk
[i
], 16)
695 raise Exception("TK RX counter decreased: idx=%d before=%d after=%d" % (i
, b
, a
))
697 for i
in range(len(before_gtk
)):
698 b
= int(before_gtk
[i
], 16)
699 a
= int(after_gtk
[i
], 16)
701 raise Exception("GTK RX counter decreased: idx=%d before=%d after=%d" % (i
, b
, a
))
703 def test_ap_wpa2_delayed_m1_m3_retransmission(dev
, apdev
):
704 """Delayed M1+M3 retransmission"""
707 subprocess
.call(['sysctl', '-w', 'net.ipv6.conf.all.disable_ipv6=1'],
708 stdout
=open('/dev/null', 'w'))
709 subprocess
.call(['sysctl', '-w',
710 'net.ipv6.conf.default.disable_ipv6=1'],
711 stdout
=open('/dev/null', 'w'))
712 run_ap_wpa2_delayed_m1_m3_retransmission(dev
, apdev
)
714 subprocess
.call(['sysctl', '-w', 'net.ipv6.conf.all.disable_ipv6=0'],
715 stdout
=open('/dev/null', 'w'))
716 subprocess
.call(['sysctl', '-w',
717 'net.ipv6.conf.default.disable_ipv6=0'],
718 stdout
=open('/dev/null', 'w'))
720 def test_ap_wpa2_delayed_m1_m3_retransmission2(dev
, apdev
):
721 """Delayed M1+M3 retransmission (change M1 ANonce)"""
724 subprocess
.call(['sysctl', '-w', 'net.ipv6.conf.all.disable_ipv6=1'],
725 stdout
=open('/dev/null', 'w'))
726 subprocess
.call(['sysctl', '-w',
727 'net.ipv6.conf.default.disable_ipv6=1'],
728 stdout
=open('/dev/null', 'w'))
729 run_ap_wpa2_delayed_m1_m3_retransmission(dev
, apdev
, True)
731 subprocess
.call(['sysctl', '-w', 'net.ipv6.conf.all.disable_ipv6=0'],
732 stdout
=open('/dev/null', 'w'))
733 subprocess
.call(['sysctl', '-w',
734 'net.ipv6.conf.default.disable_ipv6=0'],
735 stdout
=open('/dev/null', 'w'))
737 def run_ap_wpa2_delayed_m1_m3_retransmission(dev
, apdev
,
738 change_m1_anonce
=False):
739 params
= hostapd
.wpa2_params(ssid
="test-wpa2-psk", passphrase
="12345678")
740 hapd
= hostapd
.add_ap(apdev
[0], params
)
745 wt
.add_passphrase("12345678")
747 phy
= dev
[0].get_driver_status_field("phyname")
748 dev
[0].connect("test-wpa2-psk", psk
="12345678", scan_freq
="2412")
752 hwsim_utils
.test_connectivity(dev
[0], hapd
)
755 before_tk
= get_rx_spec(phy
, gtk
=False).splitlines()
756 before_gtk
= get_rx_spec(phy
, gtk
=True).splitlines()
757 addr
= dev
[0].own_addr()
759 if "OK" not in hapd
.request("RESEND_M1 " + addr
+ " change-anonce"):
760 raise Exception("RESEND_M1 failed")
761 if "OK" not in hapd
.request("RESEND_M1 " + addr
):
762 raise Exception("RESEND_M1 failed")
763 if "OK" not in hapd
.request("RESEND_M3 " + addr
):
764 raise Exception("RESEND_M3 failed")
766 after_tk
= get_rx_spec(phy
, gtk
=False).splitlines()
767 after_gtk
= get_rx_spec(phy
, gtk
=True).splitlines()
769 if "OK" not in hapd
.request("RESET_PN " + addr
):
770 raise Exception("RESET_PN failed")
772 hwsim_utils
.test_connectivity(dev
[0], hapd
, timeout
=1,
773 success_expected
=False)
774 dev
[0].request("DISCONNECT")
775 dev
[0].wait_disconnected()
777 for i
in range(len(before_tk
)):
778 b
= int(before_tk
[i
], 16)
779 a
= int(after_tk
[i
], 16)
781 raise Exception("TK RX counter decreased: idx=%d before=%d after=%d" % (i
, b
, a
))
783 for i
in range(len(before_gtk
)):
784 b
= int(before_gtk
[i
], 16)
785 a
= int(after_gtk
[i
], 16)
787 raise Exception("GTK RX counter decreased: idx=%d before=%d after=%d" % (i
, b
, a
))
789 def test_ap_wpa2_delayed_group_m1_retransmission(dev
, apdev
):
790 """Delayed group M1 retransmission"""
793 subprocess
.call(['sysctl', '-w', 'net.ipv6.conf.all.disable_ipv6=1'],
794 stdout
=open('/dev/null', 'w'))
795 subprocess
.call(['sysctl', '-w',
796 'net.ipv6.conf.default.disable_ipv6=1'],
797 stdout
=open('/dev/null', 'w'))
798 run_ap_wpa2_delayed_group_m1_retransmission(dev
, apdev
)
800 subprocess
.call(['sysctl', '-w', 'net.ipv6.conf.all.disable_ipv6=0'],
801 stdout
=open('/dev/null', 'w'))
802 subprocess
.call(['sysctl', '-w',
803 'net.ipv6.conf.default.disable_ipv6=0'],
804 stdout
=open('/dev/null', 'w'))
806 def run_ap_wpa2_delayed_group_m1_retransmission(dev
, apdev
):
807 params
= hostapd
.wpa2_params(ssid
="test-wpa2-psk", passphrase
="12345678")
808 hapd
= hostapd
.add_ap(apdev
[0], params
)
813 wt
.add_passphrase("12345678")
815 phy
= dev
[0].get_driver_status_field("phyname")
816 dev
[0].connect("test-wpa2-psk", psk
="12345678", scan_freq
="2412")
820 hwsim_utils
.test_connectivity(dev
[0], hapd
)
823 before
= get_rx_spec(phy
, gtk
=True).splitlines()
824 addr
= dev
[0].own_addr()
825 if "OK" not in hapd
.request("RESEND_GROUP_M1 " + addr
):
826 raise Exception("RESEND_GROUP_M1 failed")
828 after
= get_rx_spec(phy
, gtk
=True).splitlines()
830 if "OK" not in hapd
.request("RESET_PN " + addr
):
831 raise Exception("RESET_PN failed")
833 hwsim_utils
.test_connectivity(dev
[0], hapd
, timeout
=1,
834 success_expected
=False)
835 dev
[0].request("DISCONNECT")
836 dev
[0].wait_disconnected()
838 for i
in range(len(before
)):
839 b
= int(before
[i
], 16)
840 a
= int(after
[i
], 16)
842 raise Exception("RX counter decreased: idx=%d before=%d after=%d" % (i
, b
, a
))
844 def test_ap_wpa2_delayed_m1_m3_zero_tk(dev
, apdev
):
845 """Delayed M1+M3 retransmission and zero TK"""
846 params
= hostapd
.wpa2_params(ssid
="test-wpa2-psk", passphrase
="12345678")
847 hapd
= hostapd
.add_ap(apdev
[0], params
)
852 wt
.add_passphrase("12345678")
854 dev
[0].connect("test-wpa2-psk", psk
="12345678", scan_freq
="2412")
857 hwsim_utils
.test_connectivity(dev
[0], hapd
)
858 addr
= dev
[0].own_addr()
859 if "OK" not in hapd
.request("RESEND_M1 " + addr
+ " change-anonce"):
860 raise Exception("RESEND_M1 failed")
861 if "OK" not in hapd
.request("RESEND_M1 " + addr
):
862 raise Exception("RESEND_M1 failed")
863 if "OK" not in hapd
.request("RESEND_M3 " + addr
):
864 raise Exception("RESEND_M3 failed")
866 if "OK" not in hapd
.request("SET_KEY 3 %s %d %d %s %s" % (addr
, 0, 1, 6*"00", 16*"00")):
867 raise Exception("SET_KEY failed")
869 hwsim_utils
.test_connectivity(dev
[0], hapd
, timeout
=1, broadcast
=False,
870 success_expected
=False)
871 dev
[0].request("DISCONNECT")
872 dev
[0].wait_disconnected()
874 def test_ap_wpa2_plaintext_m1_m3(dev
, apdev
):
875 """Plaintext M1/M3 during PTK rekey"""
876 params
= hostapd
.wpa2_params(ssid
="test-wpa2-psk", passphrase
="12345678")
877 hapd
= hostapd
.add_ap(apdev
[0], params
)
882 wt
.add_passphrase("12345678")
884 dev
[0].connect("test-wpa2-psk", psk
="12345678", scan_freq
="2412")
887 addr
= dev
[0].own_addr()
888 if "OK" not in hapd
.request("RESEND_M1 " + addr
+ " plaintext"):
889 raise Exception("RESEND_M1 failed")
891 if "OK" not in hapd
.request("RESEND_M3 " + addr
+ " plaintext"):
892 raise Exception("RESEND_M3 failed")
895 def test_ap_wpa2_plaintext_m1_m3_pmf(dev
, apdev
):
896 """Plaintext M1/M3 during PTK rekey (PMF)"""
897 params
= hostapd
.wpa2_params(ssid
="test-wpa2-psk", passphrase
="12345678")
898 params
["ieee80211w"] = "2"
899 hapd
= hostapd
.add_ap(apdev
[0], params
)
904 wt
.add_passphrase("12345678")
906 dev
[0].connect("test-wpa2-psk", psk
="12345678", ieee80211w
="2",
910 addr
= dev
[0].own_addr()
911 if "OK" not in hapd
.request("RESEND_M1 " + addr
+ " plaintext"):
912 raise Exception("RESEND_M1 failed")
914 if "OK" not in hapd
.request("RESEND_M3 " + addr
+ " plaintext"):
915 raise Exception("RESEND_M3 failed")
918 def test_ap_wpa2_plaintext_m3(dev
, apdev
):
919 """Plaintext M3 during PTK rekey"""
920 params
= hostapd
.wpa2_params(ssid
="test-wpa2-psk", passphrase
="12345678")
921 hapd
= hostapd
.add_ap(apdev
[0], params
)
926 wt
.add_passphrase("12345678")
928 dev
[0].connect("test-wpa2-psk", psk
="12345678", scan_freq
="2412")
931 addr
= dev
[0].own_addr()
932 if "OK" not in hapd
.request("RESEND_M1 " + addr
):
933 raise Exception("RESEND_M1 failed")
935 if "OK" not in hapd
.request("RESEND_M3 " + addr
+ " plaintext"):
936 raise Exception("RESEND_M3 failed")
939 def test_ap_wpa2_plaintext_group_m1(dev
, apdev
):
940 """Plaintext group M1"""
941 params
= hostapd
.wpa2_params(ssid
="test-wpa2-psk", passphrase
="12345678")
942 hapd
= hostapd
.add_ap(apdev
[0], params
)
947 wt
.add_passphrase("12345678")
949 dev
[0].connect("test-wpa2-psk", psk
="12345678", scan_freq
="2412")
952 addr
= dev
[0].own_addr()
953 if "OK" not in hapd
.request("RESEND_GROUP_M1 " + addr
+ " plaintext"):
954 raise Exception("RESEND_GROUP_M1 failed")
956 if "OK" not in hapd
.request("RESEND_GROUP_M1 " + addr
):
957 raise Exception("RESEND_GROUP_M1 failed")
960 def test_ap_wpa2_plaintext_group_m1_pmf(dev
, apdev
):
961 """Plaintext group M1 (PMF)"""
962 params
= hostapd
.wpa2_params(ssid
="test-wpa2-psk", passphrase
="12345678")
963 params
["ieee80211w"] = "2"
964 hapd
= hostapd
.add_ap(apdev
[0], params
)
969 wt
.add_passphrase("12345678")
971 dev
[0].connect("test-wpa2-psk", psk
="12345678", ieee80211w
="2",
975 addr
= dev
[0].own_addr()
976 if "OK" not in hapd
.request("RESEND_GROUP_M1 " + addr
+ " plaintext"):
977 raise Exception("RESEND_GROUP_M1 failed")
979 if "OK" not in hapd
.request("RESEND_GROUP_M1 " + addr
):
980 raise Exception("RESEND_GROUP_M1 failed")