]> git.ipfire.org Git - thirdparty/hostap.git/blob - tests/hwsim/test_ap_ft.py
projects / thirdparty / hostap.git / blob
? search:


d5721f415c61f9b17c4a5524145c7b8aaa8fb01a
[thirdparty/hostap.git] / tests / hwsim / test_ap_ft.py
1 # Fast BSS Transition tests
2 # Copyright (c) 2013-2019, Jouni Malinen <j@w1.fi>
3 #
4 # This software may be distributed under the terms of the BSD license.
5 # See README for more details.
6
7 from remotehost import remote_compatible
8 import binascii
9 import os
10 import time
11 import logging
12 logger = logging.getLogger()
13 import signal
14 import struct
15 import subprocess
16
17 import hwsim_utils
18 from hwsim import HWSimRadio
19 import hostapd
20 from tshark import run_tshark
21 from utils import HwsimSkip, alloc_fail, fail_test, wait_fail_trigger, skip_with_fips, parse_ie
22 from wlantest import Wlantest
23 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations
24 from test_rrm import check_beacon_req
25 from test_suite_b import check_suite_b_192_capa
26
27 def ft_base_rsn():
28 params = {"wpa": "2",
29 "wpa_key_mgmt": "FT-PSK",
30 "rsn_pairwise": "CCMP"}
31 return params
32
33 def ft_base_mixed():
34 params = {"wpa": "3",
35 "wpa_key_mgmt": "WPA-PSK FT-PSK",
36 "wpa_pairwise": "TKIP",
37 "rsn_pairwise": "CCMP"}
38 return params
39
40 def ft_params(rsn=True, ssid=None, passphrase=None):
41 if rsn:
42 params = ft_base_rsn()
43 else:
44 params = ft_base_mixed()
45 if ssid:
46 params["ssid"] = ssid
47 if passphrase:
48 params["wpa_passphrase"] = passphrase
49
50 params["mobility_domain"] = "a1b2"
51 params["r0_key_lifetime"] = "10000"
52 params["pmk_r1_push"] = "1"
53 params["reassociation_deadline"] = "1000"
54 return params
55
56 def ft_params1a(rsn=True, ssid=None, passphrase=None):
57 params = ft_params(rsn, ssid, passphrase)
58 params['nas_identifier'] = "nas1.w1.fi"
59 params['r1_key_holder'] = "000102030405"
60 return params
61
62 def ft_params1(rsn=True, ssid=None, passphrase=None, discovery=False):
63 params = ft_params1a(rsn, ssid, passphrase)
64 if discovery:
65 params['r0kh'] = "ff:ff:ff:ff:ff:ff * 100102030405060708090a0b0c0d0e0f100102030405060708090a0b0c0d0e0f"
66 params['r1kh'] = "00:00:00:00:00:00 00:00:00:00:00:00 100102030405060708090a0b0c0d0e0f100102030405060708090a0b0c0d0e0f"
67 else:
68 params['r0kh'] = ["02:00:00:00:03:00 nas1.w1.fi 100102030405060708090a0b0c0d0e0f100102030405060708090a0b0c0d0e0f",
69 "02:00:00:00:04:00 nas2.w1.fi 300102030405060708090a0b0c0d0e0f300102030405060708090a0b0c0d0e0f"]
70 params['r1kh'] = "02:00:00:00:04:00 00:01:02:03:04:06 200102030405060708090a0b0c0d0e0f200102030405060708090a0b0c0d0e0f"
71 return params
72
73 def ft_params1_old_key(rsn=True, ssid=None, passphrase=None):
74 params = ft_params1a(rsn, ssid, passphrase)
75 params['r0kh'] = ["02:00:00:00:03:00 nas1.w1.fi 100102030405060708090a0b0c0d0e0f",
76 "02:00:00:00:04:00 nas2.w1.fi 300102030405060708090a0b0c0d0e0f"]
77 params['r1kh'] = "02:00:00:00:04:00 00:01:02:03:04:06 200102030405060708090a0b0c0d0e0f"
78 return params
79
80 def ft_params2a(rsn=True, ssid=None, passphrase=None):
81 params = ft_params(rsn, ssid, passphrase)
82 params['nas_identifier'] = "nas2.w1.fi"
83 params['r1_key_holder'] = "000102030406"
84 return params
85
86 def ft_params2(rsn=True, ssid=None, passphrase=None, discovery=False):
87 params = ft_params2a(rsn, ssid, passphrase)
88 if discovery:
89 params['r0kh'] = "ff:ff:ff:ff:ff:ff * 100102030405060708090a0b0c0d0e0f100102030405060708090a0b0c0d0e0f"
90 params['r1kh'] = "00:00:00:00:00:00 00:00:00:00:00:00 100102030405060708090a0b0c0d0e0f100102030405060708090a0b0c0d0e0f"
91 else:
92 params['r0kh'] = ["02:00:00:00:03:00 nas1.w1.fi 200102030405060708090a0b0c0d0e0f200102030405060708090a0b0c0d0e0f",
93 "02:00:00:00:04:00 nas2.w1.fi 000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f"]
94 params['r1kh'] = "02:00:00:00:03:00 00:01:02:03:04:05 300102030405060708090a0b0c0d0e0f300102030405060708090a0b0c0d0e0f"
95 return params
96
97 def ft_params2_old_key(rsn=True, ssid=None, passphrase=None):
98 params = ft_params2a(rsn, ssid, passphrase)
99 params['r0kh'] = ["02:00:00:00:03:00 nas1.w1.fi 200102030405060708090a0b0c0d0e0f",
100 "02:00:00:00:04:00 nas2.w1.fi 000102030405060708090a0b0c0d0e0f"]
101 params['r1kh'] = "02:00:00:00:03:00 00:01:02:03:04:05 300102030405060708090a0b0c0d0e0f"
102 return params
103
104 def ft_params1_r0kh_mismatch(rsn=True, ssid=None, passphrase=None):
105 params = ft_params(rsn, ssid, passphrase)
106 params['nas_identifier'] = "nas1.w1.fi"
107 params['r1_key_holder'] = "000102030405"
108 params['r0kh'] = ["02:00:00:00:03:00 nas1.w1.fi 100102030405060708090a0b0c0d0e0f100102030405060708090a0b0c0d0e0f",
109 "12:00:00:00:04:00 nas2.w1.fi 300102030405060708090a0b0c0d0e0f300102030405060708090a0b0c0d0e0f"]
110 params['r1kh'] = "12:00:00:00:04:00 10:01:02:03:04:06 200102030405060708090a0b0c0d0e0f200102030405060708090a0b0c0d0e0f"
111 return params
112
113 def ft_params2_incorrect_rrb_key(rsn=True, ssid=None, passphrase=None):
114 params = ft_params(rsn, ssid, passphrase)
115 params['nas_identifier'] = "nas2.w1.fi"
116 params['r1_key_holder'] = "000102030406"
117 params['r0kh'] = ["02:00:00:00:03:00 nas1.w1.fi 200102030405060708090a0b0c0d0ef1200102030405060708090a0b0c0d0ef1",
118 "02:00:00:00:04:00 nas2.w1.fi 000102030405060708090a0b0c0d0ef2000102030405060708090a0b0c0d0ef2"]
119 params['r1kh'] = "02:00:00:00:03:00 00:01:02:03:04:05 300102030405060708090a0b0c0d0ef3300102030405060708090a0b0c0d0ef3"
120 return params
121
122 def ft_params2_r0kh_mismatch(rsn=True, ssid=None, passphrase=None):
123 params = ft_params(rsn, ssid, passphrase)
124 params['nas_identifier'] = "nas2.w1.fi"
125 params['r1_key_holder'] = "000102030406"
126 params['r0kh'] = ["12:00:00:00:03:00 nas1.w1.fi 200102030405060708090a0b0c0d0e0f200102030405060708090a0b0c0d0e0f",
127 "02:00:00:00:04:00 nas2.w1.fi 000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f"]
128 params['r1kh'] = "12:00:00:00:03:00 10:01:02:03:04:05 300102030405060708090a0b0c0d0e0f300102030405060708090a0b0c0d0e0f"
129 return params
130
131 def run_roams(dev, apdev, hapd0, hapd1, ssid, passphrase, over_ds=False,
132 sae=False, eap=False, fail_test=False, roams=1,
133 pairwise_cipher="CCMP", group_cipher="TKIP CCMP", ptk_rekey="0",
134 test_connectivity=True, eap_identity="gpsk user", conndev=False,
135 force_initial_conn_to_first_ap=False, sha384=False,
136 group_mgmt=None, ocv=None, sae_password=None,
137 sae_password_id=None, sae_and_psk=False, pmksa_caching=False,
138 roam_with_reassoc=False, also_non_ft=False, only_one_way=False,
139 wait_before_roam=0, return_after_initial=False, ieee80211w="1"):
140 logger.info("Connect to first AP")
141
142 copts = {}
143 copts["proto"] = "WPA2"
144 copts["ieee80211w"] = ieee80211w
145 copts["scan_freq"] = "2412"
146 copts["pairwise"] = pairwise_cipher
147 copts["group"] = group_cipher
148 copts["wpa_ptk_rekey"] = ptk_rekey
149 if group_mgmt:
150 copts["group_mgmt"] = group_mgmt
151 if ocv:
152 copts["ocv"] = ocv
153 if eap:
154 if pmksa_caching:
155 copts["ft_eap_pmksa_caching"] = "1"
156 if also_non_ft:
157 copts["key_mgmt"] = "WPA-EAP-SUITE-B-192 FT-EAP-SHA384" if sha384 else "WPA-EAP FT-EAP"
158 else:
159 copts["key_mgmt"] = "FT-EAP-SHA384" if sha384 else "FT-EAP"
160 copts["eap"] = "GPSK"
161 copts["identity"] = eap_identity
162 copts["password"] = "abcdefghijklmnop0123456789abcdef"
163 else:
164 if sae:
165 copts["key_mgmt"] = "SAE FT-SAE" if sae_and_psk else "FT-SAE"
166 else:
167 copts["key_mgmt"] = "FT-PSK"
168 if passphrase:
169 copts["psk"] = passphrase
170 if sae_password:
171 copts["sae_password"] = sae_password
172 if sae_password_id:
173 copts["sae_password_id"] = sae_password_id
174 if force_initial_conn_to_first_ap:
175 copts["bssid"] = apdev[0]['bssid']
176 netw = dev.connect(ssid, **copts)
177 if pmksa_caching:
178 if dev.get_status_field('bssid') == apdev[0]['bssid']:
179 hapd0.wait_sta()
180 else:
181 hapd1.wait_sta()
182 dev.request("DISCONNECT")
183 dev.wait_disconnected()
184 dev.request("RECONNECT")
185 ev = dev.wait_event(["CTRL-EVENT-CONNECTED",
186 "CTRL-EVENT-DISCONNECTED",
187 "CTRL-EVENT-EAP-STARTED"],
188 timeout=15)
189 if ev is None:
190 raise Exception("Reconnect timed out")
191 if "CTRL-EVENT-DISCONNECTED" in ev:
192 raise Exception("Unexpected disconnection after RECONNECT")
193 if "CTRL-EVENT-EAP-STARTED" in ev:
194 raise Exception("Unexpected EAP start after RECONNECT")
195
196 if dev.get_status_field('bssid') == apdev[0]['bssid']:
197 ap1 = apdev[0]
198 ap2 = apdev[1]
199 hapd1ap = hapd0
200 hapd2ap = hapd1
201 else:
202 ap1 = apdev[1]
203 ap2 = apdev[0]
204 hapd1ap = hapd1
205 hapd2ap = hapd0
206 if test_connectivity:
207 hapd1ap.wait_sta()
208 if conndev:
209 hwsim_utils.test_connectivity_iface(dev, hapd1ap, conndev)
210 else:
211 hwsim_utils.test_connectivity(dev, hapd1ap)
212
213 if return_after_initial:
214 return ap2['bssid']
215
216 if wait_before_roam:
217 time.sleep(wait_before_roam)
218 dev.scan_for_bss(ap2['bssid'], freq="2412")
219
220 for i in range(0, roams):
221 # Roaming artificially fast can make data test fail because the key is
222 # set later.
223 time.sleep(0.01)
224 logger.info("Roam to the second AP")
225 if roam_with_reassoc:
226 dev.set_network(netw, "bssid", ap2['bssid'])
227 dev.request("REASSOCIATE")
228 dev.wait_connected()
229 elif over_ds:
230 dev.roam_over_ds(ap2['bssid'], fail_test=fail_test)
231 else:
232 dev.roam(ap2['bssid'], fail_test=fail_test)
233 if fail_test:
234 return
235 if dev.get_status_field('bssid') != ap2['bssid']:
236 raise Exception("Did not connect to correct AP")
237 if (i == 0 or i == roams - 1) and test_connectivity:
238 hapd2ap.wait_sta()
239 if conndev:
240 hwsim_utils.test_connectivity_iface(dev, hapd2ap, conndev)
241 else:
242 hwsim_utils.test_connectivity(dev, hapd2ap)
243
244 if only_one_way:
245 return
246 # Roaming artificially fast can make data test fail because the key is
247 # set later.
248 time.sleep(0.01)
249 logger.info("Roam back to the first AP")
250 if roam_with_reassoc:
251 dev.set_network(netw, "bssid", ap1['bssid'])
252 dev.request("REASSOCIATE")
253 dev.wait_connected()
254 elif over_ds:
255 dev.roam_over_ds(ap1['bssid'])
256 else:
257 dev.roam(ap1['bssid'])
258 if dev.get_status_field('bssid') != ap1['bssid']:
259 raise Exception("Did not connect to correct AP")
260 if (i == 0 or i == roams - 1) and test_connectivity:
261 hapd1ap.wait_sta()
262 if conndev:
263 hwsim_utils.test_connectivity_iface(dev, hapd1ap, conndev)
264 else:
265 hwsim_utils.test_connectivity(dev, hapd1ap)
266
267 def test_ap_ft(dev, apdev):
268 """WPA2-PSK-FT AP"""
269 ssid = "test-ft"
270 passphrase = "12345678"
271
272 params = ft_params1(ssid=ssid, passphrase=passphrase)
273 hapd0 = hostapd.add_ap(apdev[0], params)
274 params = ft_params2(ssid=ssid, passphrase=passphrase)
275 hapd1 = hostapd.add_ap(apdev[1], params)
276
277 run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase)
278 if "[WPA2-FT/PSK-CCMP]" not in dev[0].request("SCAN_RESULTS"):
279 raise Exception("Scan results missing RSN element info")
280
281 def test_ap_ft_old_key(dev, apdev):
282 """WPA2-PSK-FT AP (old key)"""
283 ssid = "test-ft"
284 passphrase = "12345678"
285
286 params = ft_params1_old_key(ssid=ssid, passphrase=passphrase)
287 hapd0 = hostapd.add_ap(apdev[0], params)
288 params = ft_params2_old_key(ssid=ssid, passphrase=passphrase)
289 hapd1 = hostapd.add_ap(apdev[1], params)
290
291 run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase)
292
293 def test_ap_ft_multi_akm(dev, apdev):
294 """WPA2-PSK-FT AP with non-FT AKMs enabled"""
295 ssid = "test-ft"
296 passphrase = "12345678"
297
298 params = ft_params1(ssid=ssid, passphrase=passphrase)
299 params["wpa_key_mgmt"] = "FT-PSK WPA-PSK WPA-PSK-SHA256"
300 hapd0 = hostapd.add_ap(apdev[0], params)
301 params = ft_params2(ssid=ssid, passphrase=passphrase)
302 params["wpa_key_mgmt"] = "FT-PSK WPA-PSK WPA-PSK-SHA256"
303 hapd1 = hostapd.add_ap(apdev[1], params)
304
305 Wlantest.setup(hapd0)
306 wt = Wlantest()
307 wt.flush()
308 wt.add_passphrase(passphrase)
309
310 run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase)
311 if "[WPA2-PSK+FT/PSK+PSK-SHA256-CCMP]" not in dev[0].request("SCAN_RESULTS"):
312 raise Exception("Scan results missing RSN element info")
313 dev[1].connect(ssid, psk=passphrase, scan_freq="2412")
314 dev[2].connect(ssid, psk=passphrase, key_mgmt="WPA-PSK-SHA256",
315 scan_freq="2412")
316
317 def test_ap_ft_local_key_gen(dev, apdev):
318 """WPA2-PSK-FT AP with local key generation (without pull/push)"""
319 ssid = "test-ft"
320 passphrase = "12345678"
321
322 params = ft_params1a(ssid=ssid, passphrase=passphrase)
323 params['ft_psk_generate_local'] = "1"
324 del params['pmk_r1_push']
325 hapd0 = hostapd.add_ap(apdev[0], params)
326 params = ft_params2a(ssid=ssid, passphrase=passphrase)
327 params['ft_psk_generate_local'] = "1"
328 del params['pmk_r1_push']
329 hapd1 = hostapd.add_ap(apdev[1], params)
330
331 run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase)
332 if "[WPA2-FT/PSK-CCMP]" not in dev[0].request("SCAN_RESULTS"):
333 raise Exception("Scan results missing RSN element info")
334
335 def test_ap_ft_vlan(dev, apdev):
336 """WPA2-PSK-FT AP with VLAN"""
337 ssid = "test-ft"
338 passphrase = "12345678"
339 filename = hostapd.acl_file(dev, apdev, 'hostapd.accept')
340 hostapd.send_file(apdev[0], filename, filename)
341 hostapd.send_file(apdev[1], filename, filename)
342
343 params = ft_params1(ssid=ssid, passphrase=passphrase)
344 params['dynamic_vlan'] = "1"
345 params['accept_mac_file'] = filename
346 hapd0 = hostapd.add_ap(apdev[0]['ifname'], params)
347
348 params = ft_params2(ssid=ssid, passphrase=passphrase)
349 params['dynamic_vlan'] = "1"
350 params['accept_mac_file'] = filename
351 hapd1 = hostapd.add_ap(apdev[1]['ifname'], params)
352
353 run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, conndev="brvlan1")
354 if "[WPA2-FT/PSK-CCMP]" not in dev[0].request("SCAN_RESULTS"):
355 raise Exception("Scan results missing RSN element info")
356
357 def test_ap_ft_vlan_disconnected(dev, apdev):
358 """WPA2-PSK-FT AP with VLAN and local key generation"""
359 ssid = "test-ft"
360 passphrase = "12345678"
361 filename = hostapd.acl_file(dev, apdev, 'hostapd.accept')
362 hostapd.send_file(apdev[0], filename, filename)
363 hostapd.send_file(apdev[1], filename, filename)
364
365 params = ft_params1a(ssid=ssid, passphrase=passphrase)
366 params['dynamic_vlan'] = "1"
367 params['accept_mac_file'] = filename
368 params['ft_psk_generate_local'] = "1"
369 hapd0 = hostapd.add_ap(apdev[0]['ifname'], params)
370
371 params = ft_params2a(ssid=ssid, passphrase=passphrase)
372 params['dynamic_vlan'] = "1"
373 params['accept_mac_file'] = filename
374 params['ft_psk_generate_local'] = "1"
375 hapd1 = hostapd.add_ap(apdev[1]['ifname'], params)
376
377 run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, conndev="brvlan1")
378 if "[WPA2-FT/PSK-CCMP]" not in dev[0].request("SCAN_RESULTS"):
379 raise Exception("Scan results missing RSN element info")
380
381 def test_ap_ft_vlan_2(dev, apdev):
382 """WPA2-PSK-FT AP with VLAN and dest-AP does not have VLAN info locally"""
383 ssid = "test-ft"
384 passphrase = "12345678"
385 filename = hostapd.acl_file(dev, apdev, 'hostapd.accept')
386 hostapd.send_file(apdev[0], filename, filename)
387
388 params = ft_params1(ssid=ssid, passphrase=passphrase)
389 params['dynamic_vlan'] = "1"
390 params['accept_mac_file'] = filename
391 hapd0 = hostapd.add_ap(apdev[0]['ifname'], params)
392
393 params = ft_params2(ssid=ssid, passphrase=passphrase)
394 params['dynamic_vlan'] = "1"
395 hapd1 = hostapd.add_ap(apdev[1]['ifname'], params)
396
397 run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, conndev="brvlan1",
398 force_initial_conn_to_first_ap=True)
399 if "[WPA2-FT/PSK-CCMP]" not in dev[0].request("SCAN_RESULTS"):
400 raise Exception("Scan results missing RSN element info")
401
402 def test_ap_ft_many(dev, apdev):
403 """WPA2-PSK-FT AP multiple times"""
404 ssid = "test-ft"
405 passphrase = "12345678"
406
407 params = ft_params1(ssid=ssid, passphrase=passphrase)
408 hapd0 = hostapd.add_ap(apdev[0], params)
409 params = ft_params2(ssid=ssid, passphrase=passphrase)
410 hapd1 = hostapd.add_ap(apdev[1], params)
411
412 run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, roams=50)
413
414 def test_ap_ft_many_vlan(dev, apdev):
415 """WPA2-PSK-FT AP with VLAN multiple times"""
416 ssid = "test-ft"
417 passphrase = "12345678"
418 filename = hostapd.acl_file(dev, apdev, 'hostapd.accept')
419 hostapd.send_file(apdev[0], filename, filename)
420 hostapd.send_file(apdev[1], filename, filename)
421
422 params = ft_params1(ssid=ssid, passphrase=passphrase)
423 params['dynamic_vlan'] = "1"
424 params['accept_mac_file'] = filename
425 hapd0 = hostapd.add_ap(apdev[0]['ifname'], params)
426
427 params = ft_params2(ssid=ssid, passphrase=passphrase)
428 params['dynamic_vlan'] = "1"
429 params['accept_mac_file'] = filename
430 hapd1 = hostapd.add_ap(apdev[1]['ifname'], params)
431
432 run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, roams=50,
433 conndev="brvlan1")
434
435 def test_ap_ft_mixed(dev, apdev):
436 """WPA2-PSK-FT mixed-mode AP"""
437 ssid = "test-ft-mixed"
438 passphrase = "12345678"
439
440 params = ft_params1(rsn=False, ssid=ssid, passphrase=passphrase)
441 hapd = hostapd.add_ap(apdev[0], params)
442 key_mgmt = hapd.get_config()['key_mgmt']
443 vals = key_mgmt.split(' ')
444 if vals[0] != "WPA-PSK" or vals[1] != "FT-PSK":
445 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
446 params = ft_params2(rsn=False, ssid=ssid, passphrase=passphrase)
447 hapd1 = hostapd.add_ap(apdev[1], params)
448
449 run_roams(dev[0], apdev, hapd, hapd1, ssid, passphrase)
450
451 def test_ap_ft_pmf(dev, apdev):
452 """WPA2-PSK-FT AP with PMF"""
453 run_ap_ft_pmf(dev, apdev, "1")
454
455 def test_ap_ft_pmf_over_ds(dev, apdev):
456 """WPA2-PSK-FT AP with PMF (over DS)"""
457 run_ap_ft_pmf(dev, apdev, "1", over_ds=True)
458
459 def test_ap_ft_pmf_required(dev, apdev):
460 """WPA2-PSK-FT AP with PMF required on STA"""
461 run_ap_ft_pmf(dev, apdev, "2")
462
463 def test_ap_ft_pmf_required_over_ds(dev, apdev):
464 """WPA2-PSK-FT AP with PMF required on STA (over DS)"""
465 run_ap_ft_pmf(dev, apdev, "2", over_ds=True)
466
467 def run_ap_ft_pmf(dev, apdev, ieee80211w, over_ds=False):
468 ssid = "test-ft"
469 passphrase = "12345678"
470
471 params = ft_params1(ssid=ssid, passphrase=passphrase)
472 params["ieee80211w"] = "2"
473 hapd0 = hostapd.add_ap(apdev[0], params)
474 params = ft_params2(ssid=ssid, passphrase=passphrase)
475 params["ieee80211w"] = "2"
476 hapd1 = hostapd.add_ap(apdev[1], params)
477
478 Wlantest.setup(hapd0)
479 wt = Wlantest()
480 wt.flush()
481 wt.add_passphrase(passphrase)
482
483 run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase,
484 ieee80211w=ieee80211w, over_ds=over_ds)
485
486 def test_ap_ft_pmf_required_mismatch(dev, apdev):
487 """WPA2-PSK-FT AP with PMF required on STA but AP2 not enabling PMF"""
488 run_ap_ft_pmf_required_mismatch(dev, apdev)
489
490 def test_ap_ft_pmf_required_mismatch_over_ds(dev, apdev):
491 """WPA2-PSK-FT AP with PMF required on STA but AP2 not enabling PMF (over DS)"""
492 run_ap_ft_pmf_required_mismatch(dev, apdev, over_ds=True)
493
494 def run_ap_ft_pmf_required_mismatch(dev, apdev, over_ds=False):
495 ssid = "test-ft"
496 passphrase = "12345678"
497
498 params = ft_params1(ssid=ssid, passphrase=passphrase)
499 params["ieee80211w"] = "2"
500 hapd0 = hostapd.add_ap(apdev[0], params)
501 params = ft_params2(ssid=ssid, passphrase=passphrase)
502 params["ieee80211w"] = "0"
503 hapd1 = hostapd.add_ap(apdev[1], params)
504
505 run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, ieee80211w="2",
506 force_initial_conn_to_first_ap=True, fail_test=True,
507 over_ds=over_ds)
508
509 def test_ap_ft_pmf_bip_cmac_128(dev, apdev):
510 """WPA2-PSK-FT AP with PMF/BIP-CMAC-128"""
511 run_ap_ft_pmf_bip(dev, apdev, "AES-128-CMAC")
512
513 def test_ap_ft_pmf_bip_gmac_128(dev, apdev):
514 """WPA2-PSK-FT AP with PMF/BIP-GMAC-128"""
515 run_ap_ft_pmf_bip(dev, apdev, "BIP-GMAC-128")
516
517 def test_ap_ft_pmf_bip_gmac_256(dev, apdev):
518 """WPA2-PSK-FT AP with PMF/BIP-GMAC-256"""
519 run_ap_ft_pmf_bip(dev, apdev, "BIP-GMAC-256")
520
521 def test_ap_ft_pmf_bip_cmac_256(dev, apdev):
522 """WPA2-PSK-FT AP with PMF/BIP-CMAC-256"""
523 run_ap_ft_pmf_bip(dev, apdev, "BIP-CMAC-256")
524
525 def run_ap_ft_pmf_bip(dev, apdev, cipher):
526 if cipher not in dev[0].get_capability("group_mgmt"):
527 raise HwsimSkip("Cipher %s not supported" % cipher)
528
529 ssid = "test-ft"
530 passphrase = "12345678"
531
532 params = ft_params1(ssid=ssid, passphrase=passphrase)
533 params["ieee80211w"] = "2"
534 params["group_mgmt_cipher"] = cipher
535 hapd0 = hostapd.add_ap(apdev[0], params)
536 params = ft_params2(ssid=ssid, passphrase=passphrase)
537 params["ieee80211w"] = "2"
538 params["group_mgmt_cipher"] = cipher
539 hapd1 = hostapd.add_ap(apdev[1], params)
540
541 run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase,
542 group_mgmt=cipher)
543
544 def test_ap_ft_ocv(dev, apdev):
545 """WPA2-PSK-FT AP with OCV"""
546 ssid = "test-ft"
547 passphrase = "12345678"
548
549 params = ft_params1(ssid=ssid, passphrase=passphrase)
550 params["ieee80211w"] = "2"
551 params["ocv"] = "1"
552 try:
553 hapd0 = hostapd.add_ap(apdev[0], params)
554 except Exception as e:
555 if "Failed to set hostapd parameter ocv" in str(e):
556 raise HwsimSkip("OCV not supported")
557 raise
558 params = ft_params2(ssid=ssid, passphrase=passphrase)
559 params["ieee80211w"] = "2"
560 params["ocv"] = "1"
561 hapd1 = hostapd.add_ap(apdev[1], params)
562
563 run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, ocv="1")
564
565 def test_ap_ft_over_ds(dev, apdev):
566 """WPA2-PSK-FT AP over DS"""
567 ssid = "test-ft"
568 passphrase = "12345678"
569
570 params = ft_params1(ssid=ssid, passphrase=passphrase)
571 hapd0 = hostapd.add_ap(apdev[0], params)
572 params = ft_params2(ssid=ssid, passphrase=passphrase)
573 hapd1 = hostapd.add_ap(apdev[1], params)
574
575 run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, over_ds=True)
576 check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-4"),
577 ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-4")])
578
579 def cleanup_ap_ft_separate_hostapd():
580 subprocess.call(["brctl", "delif", "br0ft", "veth0"],
581 stderr=open('/dev/null', 'w'))
582 subprocess.call(["brctl", "delif", "br1ft", "veth1"],
583 stderr=open('/dev/null', 'w'))
584 subprocess.call(["ip", "link", "del", "veth0"],
585 stderr=open('/dev/null', 'w'))
586 subprocess.call(["ip", "link", "del", "veth1"],
587 stderr=open('/dev/null', 'w'))
588 for ifname in ['br0ft', 'br1ft', 'br-ft']:
589 subprocess.call(['ip', 'link', 'set', 'dev', ifname, 'down'],
590 stderr=open('/dev/null', 'w'))
591 subprocess.call(['brctl', 'delbr', ifname],
592 stderr=open('/dev/null', 'w'))
593
594 def test_ap_ft_separate_hostapd(dev, apdev, params):
595 """WPA2-PSK-FT AP and separate hostapd process"""
596 try:
597 run_ap_ft_separate_hostapd(dev, apdev, params, False)
598 finally:
599 cleanup_ap_ft_separate_hostapd()
600
601 def test_ap_ft_over_ds_separate_hostapd(dev, apdev, params):
602 """WPA2-PSK-FT AP over DS and separate hostapd process"""
603 try:
604 run_ap_ft_separate_hostapd(dev, apdev, params, True)
605 finally:
606 cleanup_ap_ft_separate_hostapd()
607
608 def run_ap_ft_separate_hostapd(dev, apdev, params, over_ds):
609 ssid = "test-ft"
610 passphrase = "12345678"
611 logdir = params['logdir']
612 pidfile = os.path.join(logdir, 'ap_ft_over_ds_separate_hostapd.pid')
613 logfile = os.path.join(logdir, 'ap_ft_over_ds_separate_hostapd.hapd')
614 global_ctrl = '/var/run/hostapd-ft'
615 br_ifname = 'br-ft'
616
617 try:
618 subprocess.check_call(['brctl', 'addbr', br_ifname])
619 subprocess.check_call(['brctl', 'setfd', br_ifname, '0'])
620 subprocess.check_call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
621
622 subprocess.check_call(["ip", "link", "add", "veth0", "type", "veth",
623 "peer", "name", "veth0br"])
624 subprocess.check_call(["ip", "link", "add", "veth1", "type", "veth",
625 "peer", "name", "veth1br"])
626 subprocess.check_call(['ip', 'link', 'set', 'dev', 'veth0br', 'up'])
627 subprocess.check_call(['ip', 'link', 'set', 'dev', 'veth1br', 'up'])
628 subprocess.check_call(['brctl', 'addif', br_ifname, 'veth0br'])
629 subprocess.check_call(['brctl', 'addif', br_ifname, 'veth1br'])
630
631 subprocess.check_call(['brctl', 'addbr', 'br0ft'])
632 subprocess.check_call(['brctl', 'setfd', 'br0ft', '0'])
633 subprocess.check_call(['ip', 'link', 'set', 'dev', 'br0ft', 'up'])
634 subprocess.check_call(['ip', 'link', 'set', 'dev', 'veth0', 'up'])
635 subprocess.check_call(['brctl', 'addif', 'br0ft', 'veth0'])
636 subprocess.check_call(['brctl', 'addbr', 'br1ft'])
637 subprocess.check_call(['brctl', 'setfd', 'br1ft', '0'])
638 subprocess.check_call(['ip', 'link', 'set', 'dev', 'br1ft', 'up'])
639 subprocess.check_call(['ip', 'link', 'set', 'dev', 'veth1', 'up'])
640 subprocess.check_call(['brctl', 'addif', 'br1ft', 'veth1'])
641 except subprocess.CalledProcessError:
642 raise HwsimSkip("Bridge or veth not supported (kernel CONFIG_VETH)")
643
644 with HWSimRadio() as (radio, iface):
645 prg = os.path.join(logdir, 'alt-hostapd/hostapd/hostapd')
646 if not os.path.exists(prg):
647 prg = '../../hostapd/hostapd'
648 cmd = [prg, '-B', '-ddKt',
649 '-P', pidfile, '-f', logfile, '-g', global_ctrl]
650 subprocess.check_call(cmd)
651
652 hglobal = hostapd.HostapdGlobal(global_ctrl_override=global_ctrl)
653 apdev_ft = {'ifname': iface}
654 apdev2 = [apdev_ft, apdev[1]]
655
656 params = ft_params1(ssid=ssid, passphrase=passphrase)
657 params["r0kh"] = "ff:ff:ff:ff:ff:ff * 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
658 params["r1kh"] = "00:00:00:00:00:00 00:00:00:00:00:00 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
659 params['bridge'] = 'br0ft'
660 hapd0 = hostapd.add_ap(apdev2[0], params,
661 global_ctrl_override=global_ctrl)
662 apdev2[0]['bssid'] = hapd0.own_addr()
663 params = ft_params2(ssid=ssid, passphrase=passphrase)
664 params["r0kh"] = "ff:ff:ff:ff:ff:ff * 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
665 params["r1kh"] = "00:00:00:00:00:00 00:00:00:00:00:00 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
666 params['bridge'] = 'br1ft'
667 hapd1 = hostapd.add_ap(apdev2[1], params)
668
669 run_roams(dev[0], apdev2, hapd0, hapd1, ssid, passphrase,
670 over_ds=over_ds, test_connectivity=False)
671
672 hglobal.terminate()
673
674 if os.path.exists(pidfile):
675 with open(pidfile, 'r') as f:
676 pid = int(f.read())
677 f.close()
678 os.kill(pid, signal.SIGTERM)
679
680 def test_ap_ft_over_ds_ocv(dev, apdev):
681 """WPA2-PSK-FT AP over DS"""
682 ssid = "test-ft"
683 passphrase = "12345678"
684
685 params = ft_params1(ssid=ssid, passphrase=passphrase)
686 params["ieee80211w"] = "2"
687 params["ocv"] = "1"
688 try:
689 hapd0 = hostapd.add_ap(apdev[0], params)
690 except Exception as e:
691 if "Failed to set hostapd parameter ocv" in str(e):
692 raise HwsimSkip("OCV not supported")
693 raise
694 params = ft_params2(ssid=ssid, passphrase=passphrase)
695 params["ieee80211w"] = "2"
696 params["ocv"] = "1"
697 hapd1 = hostapd.add_ap(apdev[1], params)
698
699 run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, over_ds=True,
700 ocv="1")
701
702 def test_ap_ft_over_ds_disabled(dev, apdev):
703 """WPA2-PSK-FT AP over DS disabled"""
704 ssid = "test-ft"
705 passphrase = "12345678"
706
707 params = ft_params1(ssid=ssid, passphrase=passphrase)
708 params['ft_over_ds'] = '0'
709 hapd0 = hostapd.add_ap(apdev[0], params)
710 params = ft_params2(ssid=ssid, passphrase=passphrase)
711 params['ft_over_ds'] = '0'
712 hapd1 = hostapd.add_ap(apdev[1], params)
713
714 run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, over_ds=True,
715 fail_test=True)
716
717 def test_ap_ft_vlan_over_ds(dev, apdev):
718 """WPA2-PSK-FT AP over DS with VLAN"""
719 ssid = "test-ft"
720 passphrase = "12345678"
721 filename = hostapd.acl_file(dev, apdev, 'hostapd.accept')
722 hostapd.send_file(apdev[0], filename, filename)
723 hostapd.send_file(apdev[1], filename, filename)
724
725 params = ft_params1(ssid=ssid, passphrase=passphrase)
726 params['dynamic_vlan'] = "1"
727 params['accept_mac_file'] = filename
728 hapd0 = hostapd.add_ap(apdev[0]['ifname'], params)
729 params = ft_params2(ssid=ssid, passphrase=passphrase)
730 params['dynamic_vlan'] = "1"
731 params['accept_mac_file'] = filename
732 hapd1 = hostapd.add_ap(apdev[1]['ifname'], params)
733
734 run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, over_ds=True,
735 conndev="brvlan1")
736 check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-4"),
737 ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-4")])
738
739 def test_ap_ft_over_ds_many(dev, apdev):
740 """WPA2-PSK-FT AP over DS multiple times"""
741 ssid = "test-ft"
742 passphrase = "12345678"
743
744 params = ft_params1(ssid=ssid, passphrase=passphrase)
745 hapd0 = hostapd.add_ap(apdev[0], params)
746 params = ft_params2(ssid=ssid, passphrase=passphrase)
747 hapd1 = hostapd.add_ap(apdev[1], params)
748
749 run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, over_ds=True,
750 roams=50)
751
752 def test_ap_ft_vlan_over_ds_many(dev, apdev):
753 """WPA2-PSK-FT AP over DS with VLAN multiple times"""
754 ssid = "test-ft"
755 passphrase = "12345678"
756 filename = hostapd.acl_file(dev, apdev, 'hostapd.accept')
757 hostapd.send_file(apdev[0], filename, filename)
758 hostapd.send_file(apdev[1], filename, filename)
759
760 params = ft_params1(ssid=ssid, passphrase=passphrase)
761 params['dynamic_vlan'] = "1"
762 params['accept_mac_file'] = filename
763 hapd0 = hostapd.add_ap(apdev[0]['ifname'], params)
764 params = ft_params2(ssid=ssid, passphrase=passphrase)
765 params['dynamic_vlan'] = "1"
766 params['accept_mac_file'] = filename
767 hapd1 = hostapd.add_ap(apdev[1]['ifname'], params)
768
769 run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, over_ds=True,
770 roams=50, conndev="brvlan1")
771
772 @remote_compatible
773 def test_ap_ft_over_ds_unknown_target(dev, apdev):
774 """WPA2-PSK-FT AP"""
775 ssid = "test-ft"
776 passphrase = "12345678"
777
778 params = ft_params1(ssid=ssid, passphrase=passphrase)
779 hapd0 = hostapd.add_ap(apdev[0], params)
780
781 dev[0].connect(ssid, psk=passphrase, key_mgmt="FT-PSK", proto="WPA2",
782 scan_freq="2412")
783 dev[0].roam_over_ds("02:11:22:33:44:55", fail_test=True)
784
785 @remote_compatible
786 def test_ap_ft_over_ds_unexpected(dev, apdev):
787 """WPA2-PSK-FT AP over DS and unexpected response"""
788 ssid = "test-ft"
789 passphrase = "12345678"
790
791 params = ft_params1(ssid=ssid, passphrase=passphrase)
792 hapd0 = hostapd.add_ap(apdev[0], params)
793 params = ft_params2(ssid=ssid, passphrase=passphrase)
794 hapd1 = hostapd.add_ap(apdev[1], params)
795
796 dev[0].connect(ssid, psk=passphrase, key_mgmt="FT-PSK", proto="WPA2",
797 scan_freq="2412")
798 if dev[0].get_status_field('bssid') == apdev[0]['bssid']:
799 ap1 = apdev[0]
800 ap2 = apdev[1]
801 hapd1ap = hapd0
802 hapd2ap = hapd1
803 else:
804 ap1 = apdev[1]
805 ap2 = apdev[0]
806 hapd1ap = hapd1
807 hapd2ap = hapd0
808
809 addr = dev[0].own_addr()
810 hapd1ap.set("ext_mgmt_frame_handling", "1")
811 logger.info("Foreign STA address")
812 msg = {}
813 msg['fc'] = 13 << 4
814 msg['da'] = addr
815 msg['sa'] = ap1['bssid']
816 msg['bssid'] = ap1['bssid']
817 msg['payload'] = binascii.unhexlify("06021122334455660102030405060000")
818 hapd1ap.mgmt_tx(msg)
819
820 logger.info("No over-the-DS in progress")
821 msg['payload'] = binascii.unhexlify("0602" + addr.replace(':', '') + "0102030405060000")
822 hapd1ap.mgmt_tx(msg)
823
824 logger.info("Non-zero status code")
825 msg['payload'] = binascii.unhexlify("0602" + addr.replace(':', '') + "0102030405060100")
826 hapd1ap.mgmt_tx(msg)
827
828 hapd1ap.dump_monitor()
829
830 dev[0].scan_for_bss(ap2['bssid'], freq="2412")
831 if "OK" not in dev[0].request("FT_DS " + ap2['bssid']):
832 raise Exception("FT_DS failed")
833
834 req = hapd1ap.mgmt_rx()
835
836 logger.info("Foreign Target AP")
837 msg['payload'] = binascii.unhexlify("0602" + addr.replace(':', '') + "0102030405060000")
838 hapd1ap.mgmt_tx(msg)
839
840 addrs = addr.replace(':', '') + ap2['bssid'].replace(':', '')
841
842 logger.info("No IEs")
843 msg['payload'] = binascii.unhexlify("0602" + addrs + "0000")
844 hapd1ap.mgmt_tx(msg)
845
846 logger.info("Invalid IEs (trigger parsing failure)")
847 msg['payload'] = binascii.unhexlify("0602" + addrs + "00003700")
848 hapd1ap.mgmt_tx(msg)
849
850 logger.info("Too short MDIE")
851 msg['payload'] = binascii.unhexlify("0602" + addrs + "000036021122")
852 hapd1ap.mgmt_tx(msg)
853
854 logger.info("Mobility domain mismatch")
855 msg['payload'] = binascii.unhexlify("0602" + addrs + "00003603112201")
856 hapd1ap.mgmt_tx(msg)
857
858 logger.info("No FTIE")
859 msg['payload'] = binascii.unhexlify("0602" + addrs + "00003603a1b201")
860 hapd1ap.mgmt_tx(msg)
861
862 logger.info("FTIE SNonce mismatch")
863 msg['payload'] = binascii.unhexlify("0602" + addrs + "00003603a1b201375e0000" + "00000000000000000000000000000000" + "0000000000000000000000000000000000000000000000000000000000000000" + "1000000000000000000000000000000000000000000000000000000000000001" + "030a6e6173322e77312e6669")
864 hapd1ap.mgmt_tx(msg)
865
866 logger.info("No R0KH-ID subelem in FTIE")
867 snonce = binascii.hexlify(req['payload'][111:111+32]).decode()
868 msg['payload'] = binascii.unhexlify("0602" + addrs + "00003603a1b20137520000" + "00000000000000000000000000000000" + "0000000000000000000000000000000000000000000000000000000000000000" + snonce)
869 hapd1ap.mgmt_tx(msg)
870
871 logger.info("No R0KH-ID subelem mismatch in FTIE")
872 snonce = binascii.hexlify(req['payload'][111:111+32]).decode()
873 msg['payload'] = binascii.unhexlify("0602" + addrs + "00003603a1b201375e0000" + "00000000000000000000000000000000" + "0000000000000000000000000000000000000000000000000000000000000000" + snonce + "030a11223344556677889900")
874 hapd1ap.mgmt_tx(msg)
875
876 logger.info("No R1KH-ID subelem in FTIE")
877 r0khid = binascii.hexlify(req['payload'][145:145+10]).decode()
878 msg['payload'] = binascii.unhexlify("0602" + addrs + "00003603a1b201375e0000" + "00000000000000000000000000000000" + "0000000000000000000000000000000000000000000000000000000000000000" + snonce + "030a" + r0khid)
879 hapd1ap.mgmt_tx(msg)
880
881 logger.info("No RSNE")
882 r0khid = binascii.hexlify(req['payload'][145:145+10]).decode()
883 msg['payload'] = binascii.unhexlify("0602" + addrs + "00003603a1b20137660000" + "00000000000000000000000000000000" + "0000000000000000000000000000000000000000000000000000000000000000" + snonce + "030a" + r0khid + "0106000102030405")
884 hapd1ap.mgmt_tx(msg)
885
886 def test_ap_ft_pmf_over_ds(dev, apdev):
887 """WPA2-PSK-FT AP over DS with PMF"""
888 run_ap_ft_pmf_bip_over_ds(dev, apdev, None)
889
890 def test_ap_ft_pmf_bip_cmac_128_over_ds(dev, apdev):
891 """WPA2-PSK-FT AP over DS with PMF/BIP-CMAC-128"""
892 run_ap_ft_pmf_bip_over_ds(dev, apdev, "AES-128-CMAC")
893
894 def test_ap_ft_pmf_bip_gmac_128_over_ds(dev, apdev):
895 """WPA2-PSK-FT AP over DS with PMF/BIP-GMAC-128"""
896 run_ap_ft_pmf_bip_over_ds(dev, apdev, "BIP-GMAC-128")
897
898 def test_ap_ft_pmf_bip_gmac_256_over_ds(dev, apdev):
899 """WPA2-PSK-FT AP over DS with PMF/BIP-GMAC-256"""
900 run_ap_ft_pmf_bip_over_ds(dev, apdev, "BIP-GMAC-256")
901
902 def test_ap_ft_pmf_bip_cmac_256_over_ds(dev, apdev):
903 """WPA2-PSK-FT AP over DS with PMF/BIP-CMAC-256"""
904 run_ap_ft_pmf_bip_over_ds(dev, apdev, "BIP-CMAC-256")
905
906 def run_ap_ft_pmf_bip_over_ds(dev, apdev, cipher):
907 if cipher and cipher not in dev[0].get_capability("group_mgmt"):
908 raise HwsimSkip("Cipher %s not supported" % cipher)
909
910 ssid = "test-ft"
911 passphrase = "12345678"
912
913 params = ft_params1(ssid=ssid, passphrase=passphrase)
914 params["ieee80211w"] = "2"
915 if cipher:
916 params["group_mgmt_cipher"] = cipher
917 hapd0 = hostapd.add_ap(apdev[0], params)
918 params = ft_params2(ssid=ssid, passphrase=passphrase)
919 params["ieee80211w"] = "2"
920 if cipher:
921 params["group_mgmt_cipher"] = cipher
922 hapd1 = hostapd.add_ap(apdev[1], params)
923
924 Wlantest.setup(hapd0)
925 wt = Wlantest()
926 wt.flush()
927 wt.add_passphrase(passphrase)
928
929 run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, over_ds=True,
930 group_mgmt=cipher)
931
932 def test_ap_ft_over_ds_pull(dev, apdev):
933 """WPA2-PSK-FT AP over DS (pull PMK)"""
934 ssid = "test-ft"
935 passphrase = "12345678"
936
937 params = ft_params1(ssid=ssid, passphrase=passphrase)
938 params["pmk_r1_push"] = "0"
939 hapd0 = hostapd.add_ap(apdev[0], params)
940 params = ft_params2(ssid=ssid, passphrase=passphrase)
941 params["pmk_r1_push"] = "0"
942 hapd1 = hostapd.add_ap(apdev[1], params)
943
944 run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, over_ds=True)
945
946 def test_ap_ft_over_ds_pull_old_key(dev, apdev):
947 """WPA2-PSK-FT AP over DS (pull PMK; old key)"""
948 ssid = "test-ft"
949 passphrase = "12345678"
950
951 params = ft_params1_old_key(ssid=ssid, passphrase=passphrase)
952 params["pmk_r1_push"] = "0"
953 hapd0 = hostapd.add_ap(apdev[0], params)
954 params = ft_params2_old_key(ssid=ssid, passphrase=passphrase)
955 params["pmk_r1_push"] = "0"
956 hapd1 = hostapd.add_ap(apdev[1], params)
957
958 run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, over_ds=True)
959
960 def test_ap_ft_over_ds_pull_vlan(dev, apdev):
961 """WPA2-PSK-FT AP over DS (pull PMK) with VLAN"""
962 ssid = "test-ft"
963 passphrase = "12345678"
964 filename = hostapd.acl_file(dev, apdev, 'hostapd.accept')
965 hostapd.send_file(apdev[0], filename, filename)
966 hostapd.send_file(apdev[1], filename, filename)
967
968 params = ft_params1(ssid=ssid, passphrase=passphrase)
969 params["pmk_r1_push"] = "0"
970 params['dynamic_vlan'] = "1"
971 params['accept_mac_file'] = filename
972 hapd0 = hostapd.add_ap(apdev[0]['ifname'], params)
973 params = ft_params2(ssid=ssid, passphrase=passphrase)
974 params["pmk_r1_push"] = "0"
975 params['dynamic_vlan'] = "1"
976 params['accept_mac_file'] = filename
977 hapd1 = hostapd.add_ap(apdev[1]['ifname'], params)
978
979 run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, over_ds=True,
980 conndev="brvlan1")
981
982 def start_ft_sae(dev, apdev, wpa_ptk_rekey=None, sae_pwe=None):
983 if "SAE" not in dev.get_capability("auth_alg"):
984 raise HwsimSkip("SAE not supported")
985 ssid = "test-ft"
986 passphrase = "12345678"
987
988 params = ft_params1(ssid=ssid, passphrase=passphrase)
989 params['wpa_key_mgmt'] = "FT-SAE"
990 if wpa_ptk_rekey:
991 params['wpa_ptk_rekey'] = str(wpa_ptk_rekey)
992 if sae_pwe is not None:
993 params['sae_pwe'] = sae_pwe
994 hapd0 = hostapd.add_ap(apdev[0], params)
995 params = ft_params2(ssid=ssid, passphrase=passphrase)
996 params['wpa_key_mgmt'] = "FT-SAE"
997 if wpa_ptk_rekey:
998 params['wpa_ptk_rekey'] = str(wpa_ptk_rekey)
999 if sae_pwe is not None:
1000 params['sae_pwe'] = sae_pwe
1001 hapd1 = hostapd.add_ap(apdev[1], params)
1002 key_mgmt = hapd1.get_config()['key_mgmt']
1003 if key_mgmt.split(' ')[0] != "FT-SAE":
1004 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
1005
1006 dev.request("SET sae_groups ")
1007 return hapd0, hapd1
1008
1009 def test_ap_ft_sae(dev, apdev):
1010 """WPA2-PSK-FT-SAE AP"""
1011 hapd0, hapd1 = start_ft_sae(dev[0], apdev)
1012 run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678", sae=True)
1013
1014 def test_ap_ft_sae_h2e(dev, apdev):
1015 """WPA2-PSK-FT-SAE AP (H2E)"""
1016 try:
1017 dev[0].set("sae_pwe", "2")
1018 hapd0, hapd1 = start_ft_sae(dev[0], apdev, sae_pwe="2")
1019 run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678", sae=True)
1020 finally:
1021 dev[0].set("sae_pwe", "0")
1022
1023 def test_ap_ft_sae_h2e_and_loop(dev, apdev):
1024 """WPA2-PSK-FT-SAE AP (AP H2E, STA loop)"""
1025 dev[0].set("sae_pwe", "0")
1026 hapd0, hapd1 = start_ft_sae(dev[0], apdev, sae_pwe="2")
1027 run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678", sae=True)
1028
1029 def test_ap_ft_sae_ptk_rekey0(dev, apdev):
1030 """WPA2-PSK-FT-SAE AP and PTK rekey triggered by station"""
1031 hapd0, hapd1 = start_ft_sae(dev[0], apdev)
1032 run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678", sae=True,
1033 ptk_rekey="1", roams=0)
1034 check_ptk_rekey(dev[0], hapd0, hapd1)
1035
1036 def test_ap_ft_sae_ptk_rekey1(dev, apdev):
1037 """WPA2-PSK-FT-SAE AP and PTK rekey triggered by station"""
1038 hapd0, hapd1 = start_ft_sae(dev[0], apdev)
1039 run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678", sae=True,
1040 ptk_rekey="1", only_one_way=True)
1041 check_ptk_rekey(dev[0], hapd0, hapd1)
1042
1043 def test_ap_ft_sae_ptk_rekey_ap(dev, apdev):
1044 """WPA2-PSK-FT-SAE AP and PTK rekey triggered by AP"""
1045 hapd0, hapd1 = start_ft_sae(dev[0], apdev, wpa_ptk_rekey=2)
1046 run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678", sae=True,
1047 only_one_way=True)
1048 check_ptk_rekey(dev[0], hapd0, hapd1)
1049
1050 def test_ap_ft_sae_over_ds(dev, apdev):
1051 """WPA2-PSK-FT-SAE AP over DS"""
1052 hapd0, hapd1 = start_ft_sae(dev[0], apdev)
1053 run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678", sae=True,
1054 over_ds=True)
1055
1056 def test_ap_ft_sae_over_ds_ptk_rekey0(dev, apdev):
1057 """WPA2-PSK-FT-SAE AP over DS and PTK rekey triggered by station"""
1058 hapd0, hapd1 = start_ft_sae(dev[0], apdev)
1059 run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678", sae=True,
1060 over_ds=True, ptk_rekey="1", roams=0)
1061 check_ptk_rekey(dev[0], hapd0, hapd1)
1062
1063 def test_ap_ft_sae_over_ds_ptk_rekey1(dev, apdev):
1064 """WPA2-PSK-FT-SAE AP over DS and PTK rekey triggered by station"""
1065 hapd0, hapd1 = start_ft_sae(dev[0], apdev)
1066 run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678", sae=True,
1067 over_ds=True, ptk_rekey="1", only_one_way=True)
1068 check_ptk_rekey(dev[0], hapd0, hapd1)
1069
1070 def test_ap_ft_sae_over_ds_ptk_rekey_ap(dev, apdev):
1071 """WPA2-PSK-FT-SAE AP over DS and PTK rekey triggered by AP"""
1072 hapd0, hapd1 = start_ft_sae(dev[0], apdev, wpa_ptk_rekey=2)
1073 run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678", sae=True,
1074 over_ds=True, only_one_way=True)
1075 check_ptk_rekey(dev[0], hapd0, hapd1)
1076
1077 def test_ap_ft_sae_pw_id(dev, apdev):
1078 """FT-SAE with Password Identifier"""
1079 if "SAE" not in dev[0].get_capability("auth_alg"):
1080 raise HwsimSkip("SAE not supported")
1081 ssid = "test-ft"
1082
1083 params = ft_params1(ssid=ssid)
1084 params["ieee80211w"] = "2"
1085 params['wpa_key_mgmt'] = "FT-SAE"
1086 params['sae_password'] = 'secret|id=pwid'
1087 hapd0 = hostapd.add_ap(apdev[0], params)
1088 params = ft_params2(ssid=ssid)
1089 params["ieee80211w"] = "2"
1090 params['wpa_key_mgmt'] = "FT-SAE"
1091 params['sae_password'] = 'secret|id=pwid'
1092 hapd = hostapd.add_ap(apdev[1], params)
1093
1094 dev[0].request("SET sae_groups ")
1095 run_roams(dev[0], apdev, hapd0, hapd, ssid, passphrase=None, sae=True,
1096 sae_password="secret", sae_password_id="pwid")
1097
1098 def test_ap_ft_sae_with_both_akms(dev, apdev):
1099 """SAE + FT-SAE configuration"""
1100 if "SAE" not in dev[0].get_capability("auth_alg"):
1101 raise HwsimSkip("SAE not supported")
1102 ssid = "test-ft"
1103 passphrase = "12345678"
1104
1105 params = ft_params1(ssid=ssid, passphrase=passphrase)
1106 params['wpa_key_mgmt'] = "FT-SAE SAE"
1107 hapd0 = hostapd.add_ap(apdev[0], params)
1108 params = ft_params2(ssid=ssid, passphrase=passphrase)
1109 params['wpa_key_mgmt'] = "FT-SAE SAE"
1110 hapd = hostapd.add_ap(apdev[1], params)
1111 key_mgmt = hapd.get_config()['key_mgmt']
1112 if key_mgmt.split(' ')[0] != "FT-SAE":
1113 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
1114
1115 dev[0].request("SET sae_groups ")
1116 run_roams(dev[0], apdev, hapd0, hapd, ssid, passphrase, sae=True,
1117 sae_and_psk=True)
1118
1119 def test_ap_ft_sae_pmksa_caching(dev, apdev):
1120 """WPA2-FT-SAE AP and PMKSA caching for initial mobility domain association"""
1121 if "SAE" not in dev[0].get_capability("auth_alg"):
1122 raise HwsimSkip("SAE not supported")
1123 ssid = "test-ft"
1124 passphrase = "12345678"
1125
1126 params = ft_params1(ssid=ssid, passphrase=passphrase)
1127 params['wpa_key_mgmt'] = "FT-SAE"
1128 hapd0 = hostapd.add_ap(apdev[0], params)
1129 params = ft_params2(ssid=ssid, passphrase=passphrase)
1130 params['wpa_key_mgmt'] = "FT-SAE"
1131 hapd = hostapd.add_ap(apdev[1], params)
1132 key_mgmt = hapd.get_config()['key_mgmt']
1133 if key_mgmt.split(' ')[0] != "FT-SAE":
1134 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
1135
1136 dev[0].request("SET sae_groups ")
1137 run_roams(dev[0], apdev, hapd0, hapd, ssid, passphrase, sae=True,
1138 pmksa_caching=True)
1139
1140 def test_ap_ft_sae_pmksa_caching_pwe(dev, apdev):
1141 """WPA2-FT-SAE AP and PMKSA caching for initial mobility domain association (STA PWE both)"""
1142 if "SAE" not in dev[0].get_capability("auth_alg"):
1143 raise HwsimSkip("SAE not supported")
1144 ssid = "test-ft"
1145 passphrase = "12345678"
1146
1147 params = ft_params1(ssid=ssid, passphrase=passphrase)
1148 params['wpa_key_mgmt'] = "FT-SAE"
1149 hapd0 = hostapd.add_ap(apdev[0], params)
1150 params = ft_params2(ssid=ssid, passphrase=passphrase)
1151 params['wpa_key_mgmt'] = "FT-SAE"
1152 hapd = hostapd.add_ap(apdev[1], params)
1153 key_mgmt = hapd.get_config()['key_mgmt']
1154 if key_mgmt.split(' ')[0] != "FT-SAE":
1155 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
1156
1157 try:
1158 dev[0].request("SET sae_groups ")
1159 dev[0].set("sae_pwe", "2")
1160 run_roams(dev[0], apdev, hapd0, hapd, ssid, passphrase, sae=True,
1161 pmksa_caching=True)
1162 finally:
1163 dev[0].set("sae_groups", "")
1164 dev[0].set("sae_pwe", "0")
1165
1166 def test_ap_ft_sae_pmksa_caching_h2e(dev, apdev):
1167 """WPA2-FT-SAE AP and PMKSA caching for initial mobility domain association (H2E)"""
1168 if "SAE" not in dev[0].get_capability("auth_alg"):
1169 raise HwsimSkip("SAE not supported")
1170 ssid = "test-ft"
1171 passphrase = "12345678"
1172
1173 params = ft_params1(ssid=ssid, passphrase=passphrase)
1174 params['wpa_key_mgmt'] = "FT-SAE"
1175 params['sae_pwe'] = "1"
1176 hapd0 = hostapd.add_ap(apdev[0], params)
1177 params = ft_params2(ssid=ssid, passphrase=passphrase)
1178 params['wpa_key_mgmt'] = "FT-SAE"
1179 params['sae_pwe'] = "1"
1180 hapd = hostapd.add_ap(apdev[1], params)
1181 key_mgmt = hapd.get_config()['key_mgmt']
1182 if key_mgmt.split(' ')[0] != "FT-SAE":
1183 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
1184
1185 try:
1186 dev[0].request("SET sae_groups ")
1187 dev[0].set("sae_pwe", "1")
1188 run_roams(dev[0], apdev, hapd0, hapd, ssid, passphrase, sae=True,
1189 pmksa_caching=True)
1190 finally:
1191 dev[0].set("sae_groups", "")
1192 dev[0].set("sae_pwe", "0")
1193
1194 def generic_ap_ft_eap(dev, apdev, vlan=False, cui=False, over_ds=False,
1195 discovery=False, roams=1, wpa_ptk_rekey=0,
1196 only_one_way=False):
1197 ssid = "test-ft"
1198 passphrase = "12345678"
1199 if vlan:
1200 identity = "gpsk-vlan1"
1201 conndev = "brvlan1"
1202 elif cui:
1203 identity = "gpsk-cui"
1204 conndev = False
1205 else:
1206 identity = "gpsk user"
1207 conndev = False
1208
1209 radius = hostapd.radius_params()
1210 params = ft_params1(ssid=ssid, passphrase=passphrase, discovery=discovery)
1211 params['wpa_key_mgmt'] = "FT-EAP"
1212 params["ieee8021x"] = "1"
1213 if vlan:
1214 params["dynamic_vlan"] = "1"
1215 params = dict(list(radius.items()) + list(params.items()))
1216 hapd = hostapd.add_ap(apdev[0], params)
1217 key_mgmt = hapd.get_config()['key_mgmt']
1218 if key_mgmt.split(' ')[0] != "FT-EAP":
1219 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
1220 params = ft_params2(ssid=ssid, passphrase=passphrase, discovery=discovery)
1221 params['wpa_key_mgmt'] = "FT-EAP"
1222 params["ieee8021x"] = "1"
1223 if vlan:
1224 params["dynamic_vlan"] = "1"
1225 if wpa_ptk_rekey:
1226 params["wpa_ptk_rekey"] = str(wpa_ptk_rekey)
1227 params = dict(list(radius.items()) + list(params.items()))
1228 hapd1 = hostapd.add_ap(apdev[1], params)
1229
1230 run_roams(dev[0], apdev, hapd, hapd1, ssid, passphrase, eap=True,
1231 over_ds=over_ds, roams=roams, eap_identity=identity,
1232 conndev=conndev, only_one_way=only_one_way)
1233 if "[WPA2-FT/EAP-CCMP]" not in dev[0].request("SCAN_RESULTS"):
1234 raise Exception("Scan results missing RSN element info")
1235 check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-3"),
1236 ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-3")])
1237 if only_one_way:
1238 return
1239
1240 # Verify EAPOL reauthentication after FT protocol
1241 if dev[0].get_status_field('bssid') == apdev[0]['bssid']:
1242 ap = hapd
1243 else:
1244 ap = hapd1
1245 ap.request("EAPOL_REAUTH " + dev[0].own_addr())
1246 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)
1247 if ev is None:
1248 raise Exception("EAP authentication did not start")
1249 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=5)
1250 if ev is None:
1251 raise Exception("EAP authentication did not succeed")
1252 time.sleep(0.1)
1253 if conndev:
1254 hwsim_utils.test_connectivity_iface(dev[0], ap, conndev)
1255 else:
1256 hwsim_utils.test_connectivity(dev[0], ap)
1257
1258 def test_ap_ft_eap(dev, apdev):
1259 """WPA2-EAP-FT AP"""
1260 generic_ap_ft_eap(dev, apdev)
1261
1262 def test_ap_ft_eap_cui(dev, apdev):
1263 """WPA2-EAP-FT AP with CUI"""
1264 generic_ap_ft_eap(dev, apdev, vlan=False, cui=True)
1265
1266 def test_ap_ft_eap_vlan(dev, apdev):
1267 """WPA2-EAP-FT AP with VLAN"""
1268 generic_ap_ft_eap(dev, apdev, vlan=True)
1269
1270 def test_ap_ft_eap_vlan_multi(dev, apdev):
1271 """WPA2-EAP-FT AP with VLAN"""
1272 generic_ap_ft_eap(dev, apdev, vlan=True, roams=50)
1273
1274 def test_ap_ft_eap_over_ds(dev, apdev):
1275 """WPA2-EAP-FT AP using over-the-DS"""
1276 generic_ap_ft_eap(dev, apdev, over_ds=True)
1277
1278 def test_ap_ft_eap_dis(dev, apdev):
1279 """WPA2-EAP-FT AP with AP discovery"""
1280 generic_ap_ft_eap(dev, apdev, discovery=True)
1281
1282 def test_ap_ft_eap_dis_over_ds(dev, apdev):
1283 """WPA2-EAP-FT AP with AP discovery and over-the-DS"""
1284 generic_ap_ft_eap(dev, apdev, over_ds=True, discovery=True)
1285
1286 def test_ap_ft_eap_vlan(dev, apdev):
1287 """WPA2-EAP-FT AP with VLAN"""
1288 generic_ap_ft_eap(dev, apdev, vlan=True)
1289
1290 def test_ap_ft_eap_vlan_multi(dev, apdev):
1291 """WPA2-EAP-FT AP with VLAN"""
1292 generic_ap_ft_eap(dev, apdev, vlan=True, roams=50)
1293
1294 def test_ap_ft_eap_vlan_over_ds(dev, apdev):
1295 """WPA2-EAP-FT AP with VLAN + over_ds"""
1296 generic_ap_ft_eap(dev, apdev, vlan=True, over_ds=True)
1297
1298 def test_ap_ft_eap_vlan_over_ds_multi(dev, apdev):
1299 """WPA2-EAP-FT AP with VLAN + over_ds"""
1300 generic_ap_ft_eap(dev, apdev, vlan=True, over_ds=True, roams=50)
1301
1302 def generic_ap_ft_eap_pull(dev, apdev, vlan=False):
1303 """WPA2-EAP-FT AP (pull PMK)"""
1304 ssid = "test-ft"
1305 passphrase = "12345678"
1306 if vlan:
1307 identity = "gpsk-vlan1"
1308 conndev = "brvlan1"
1309 else:
1310 identity = "gpsk user"
1311 conndev = False
1312
1313 radius = hostapd.radius_params()
1314 params = ft_params1(ssid=ssid, passphrase=passphrase)
1315 params['wpa_key_mgmt'] = "FT-EAP"
1316 params["ieee8021x"] = "1"
1317 params["pmk_r1_push"] = "0"
1318 if vlan:
1319 params["dynamic_vlan"] = "1"
1320 params = dict(list(radius.items()) + list(params.items()))
1321 hapd = hostapd.add_ap(apdev[0], params)
1322 key_mgmt = hapd.get_config()['key_mgmt']
1323 if key_mgmt.split(' ')[0] != "FT-EAP":
1324 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
1325 params = ft_params2(ssid=ssid, passphrase=passphrase)
1326 params['wpa_key_mgmt'] = "FT-EAP"
1327 params["ieee8021x"] = "1"
1328 params["pmk_r1_push"] = "0"
1329 if vlan:
1330 params["dynamic_vlan"] = "1"
1331 params = dict(list(radius.items()) + list(params.items()))
1332 hapd1 = hostapd.add_ap(apdev[1], params)
1333
1334 run_roams(dev[0], apdev, hapd, hapd1, ssid, passphrase, eap=True,
1335 eap_identity=identity, conndev=conndev)
1336
1337 def test_ap_ft_eap_pull(dev, apdev):
1338 """WPA2-EAP-FT AP (pull PMK)"""
1339 generic_ap_ft_eap_pull(dev, apdev)
1340
1341 def test_ap_ft_eap_pull_vlan(dev, apdev):
1342 generic_ap_ft_eap_pull(dev, apdev, vlan=True)
1343
1344 def test_ap_ft_eap_pull_wildcard(dev, apdev):
1345 """WPA2-EAP-FT AP (pull PMK) - wildcard R0KH/R1KH"""
1346 ssid = "test-ft"
1347 passphrase = "12345678"
1348
1349 radius = hostapd.radius_params()
1350 params = ft_params1(ssid=ssid, passphrase=passphrase, discovery=True)
1351 params['wpa_key_mgmt'] = "WPA-EAP FT-EAP"
1352 params["ieee8021x"] = "1"
1353 params["pmk_r1_push"] = "0"
1354 params["r0kh"] = "ff:ff:ff:ff:ff:ff * 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
1355 params["r1kh"] = "00:00:00:00:00:00 00:00:00:00:00:00 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
1356 params["ft_psk_generate_local"] = "1"
1357 params["eap_server"] = "0"
1358 params["rkh_pos_timeout"] = "100"
1359 params["rkh_neg_timeout"] = "50"
1360 params["rkh_pull_timeout"] = "1234"
1361 params["rkh_pull_retries"] = "10"
1362 params = dict(list(radius.items()) + list(params.items()))
1363 hapd = hostapd.add_ap(apdev[0], params)
1364 params = ft_params2(ssid=ssid, passphrase=passphrase, discovery=True)
1365 params['wpa_key_mgmt'] = "WPA-EAP FT-EAP"
1366 params["ieee8021x"] = "1"
1367 params["pmk_r1_push"] = "0"
1368 params["r0kh"] = "ff:ff:ff:ff:ff:ff * 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
1369 params["r1kh"] = "00:00:00:00:00:00 00:00:00:00:00:00 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
1370 params["ft_psk_generate_local"] = "1"
1371 params["eap_server"] = "0"
1372 params = dict(list(radius.items()) + list(params.items()))
1373 hapd1 = hostapd.add_ap(apdev[1], params)
1374
1375 run_roams(dev[0], apdev, hapd, hapd1, ssid, passphrase, eap=True)
1376
1377 def test_ap_ft_eap_pull_wildcard_multi_bss(dev, apdev, params):
1378 """WPA2-EAP-FT AP (pull PMK) - wildcard R0KH/R1KH with multiple BSSs"""
1379 bssconf = os.path.join(params['logdir'],
1380 'ap_ft_eap_pull_wildcard_multi_bss.bss.conf')
1381 ssid = "test-ft"
1382 passphrase = "12345678"
1383 radius = hostapd.radius_params()
1384
1385 params = ft_params1(ssid=ssid, passphrase=passphrase, discovery=True)
1386 params['wpa_key_mgmt'] = "WPA-EAP FT-EAP"
1387 params["ieee8021x"] = "1"
1388 params["pmk_r1_push"] = "0"
1389 params["r0kh"] = "ff:ff:ff:ff:ff:ff * 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
1390 params["r1kh"] = "00:00:00:00:00:00 00:00:00:00:00:00 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
1391 params["eap_server"] = "0"
1392 params = dict(list(radius.items()) + list(params.items()))
1393 hapd = hostapd.add_ap(apdev[0], params)
1394 ifname2 = apdev[0]['ifname'] + "-2"
1395 bssid2 = "02:00:00:00:03:01"
1396 params['nas_identifier'] = "nas1b.w1.fi"
1397 params['r1_key_holder'] = "000102030415"
1398 with open(bssconf, 'w') as f:
1399 f.write("driver=nl80211\n")
1400 f.write("hw_mode=g\n")
1401 f.write("channel=1\n")
1402 f.write("ieee80211n=1\n")
1403 f.write("interface=%s\n" % ifname2)
1404 f.write("bssid=%s\n" % bssid2)
1405 f.write("ctrl_interface=/var/run/hostapd\n")
1406 for name, val in params.items():
1407 f.write("%s=%s\n" % (name, val))
1408 hapd2 = hostapd.add_bss(apdev[0], ifname2, bssconf)
1409
1410 params = ft_params2(ssid=ssid, passphrase=passphrase, discovery=True)
1411 params['wpa_key_mgmt'] = "WPA-EAP FT-EAP"
1412 params["ieee8021x"] = "1"
1413 params["pmk_r1_push"] = "0"
1414 params["r0kh"] = "ff:ff:ff:ff:ff:ff * 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
1415 params["r1kh"] = "00:00:00:00:00:00 00:00:00:00:00:00 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
1416 params["eap_server"] = "0"
1417 params = dict(list(radius.items()) + list(params.items()))
1418 hapd1 = hostapd.add_ap(apdev[1], params)
1419
1420 # The first iteration of the roaming test will use wildcard R0KH discovery
1421 # and RRB sequence number synchronization while the second iteration shows
1422 # the clean RRB exchange where those extra steps are not needed.
1423 for i in range(2):
1424 hapd.note("Test iteration %d" % i)
1425 dev[0].note("Test iteration %d" % i)
1426
1427 id = dev[0].connect(ssid, key_mgmt="FT-EAP", eap="GPSK",
1428 identity="gpsk user",
1429 password="abcdefghijklmnop0123456789abcdef",
1430 bssid=bssid2,
1431 scan_freq="2412")
1432 res = dev[0].get_status_field("bssid")
1433 if res != bssid2:
1434 raise Exception("Unexpected BSSID after initial connection: " + res)
1435
1436 dev[0].scan_for_bss(apdev[1]['bssid'], freq="2412")
1437 dev[0].set_network(id, "bssid", "00:00:00:00:00:00")
1438 dev[0].roam(apdev[1]['bssid'])
1439 res = dev[0].get_status_field("bssid")
1440 if res != apdev[1]['bssid']:
1441 raise Exception("Unexpected BSSID after first roam: " + res)
1442
1443 dev[0].scan_for_bss(apdev[0]['bssid'], freq="2412")
1444 dev[0].roam(apdev[0]['bssid'])
1445 res = dev[0].get_status_field("bssid")
1446 if res != apdev[0]['bssid']:
1447 raise Exception("Unexpected BSSID after second roam: " + res)
1448
1449 dev[0].request("REMOVE_NETWORK all")
1450 dev[0].wait_disconnected()
1451 dev[0].dump_monitor()
1452 hapd.dump_monitor()
1453 hapd2.dump_monitor()
1454
1455 @remote_compatible
1456 def test_ap_ft_mismatching_rrb_key_push(dev, apdev):
1457 """WPA2-PSK-FT AP over DS with mismatching RRB key (push)"""
1458 ssid = "test-ft"
1459 passphrase = "12345678"
1460
1461 params = ft_params1(ssid=ssid, passphrase=passphrase)
1462 params["ieee80211w"] = "2"
1463 hapd0 = hostapd.add_ap(apdev[0], params)
1464 params = ft_params2_incorrect_rrb_key(ssid=ssid, passphrase=passphrase)
1465 params["ieee80211w"] = "2"
1466 hapd1 = hostapd.add_ap(apdev[1], params)
1467
1468 run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, over_ds=True,
1469 fail_test=True)
1470
1471 @remote_compatible
1472 def test_ap_ft_mismatching_rrb_key_pull(dev, apdev):
1473 """WPA2-PSK-FT AP over DS with mismatching RRB key (pull)"""
1474 ssid = "test-ft"
1475 passphrase = "12345678"
1476
1477 params = ft_params1(ssid=ssid, passphrase=passphrase)
1478 params["pmk_r1_push"] = "0"
1479 hapd0 = hostapd.add_ap(apdev[0], params)
1480 params = ft_params2_incorrect_rrb_key(ssid=ssid, passphrase=passphrase)
1481 params["pmk_r1_push"] = "0"
1482 hapd1 = hostapd.add_ap(apdev[1], params)
1483
1484 run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, over_ds=True,
1485 fail_test=True)
1486
1487 @remote_compatible
1488 def test_ap_ft_mismatching_r0kh_id_pull(dev, apdev):
1489 """WPA2-PSK-FT AP over DS with mismatching R0KH-ID (pull)"""
1490 ssid = "test-ft"
1491 passphrase = "12345678"
1492
1493 params = ft_params1(ssid=ssid, passphrase=passphrase)
1494 params["pmk_r1_push"] = "0"
1495 params["nas_identifier"] = "nas0.w1.fi"
1496 hostapd.add_ap(apdev[0], params)
1497 dev[0].connect(ssid, psk=passphrase, key_mgmt="FT-PSK", proto="WPA2",
1498 scan_freq="2412")
1499
1500 params = ft_params2(ssid=ssid, passphrase=passphrase)
1501 params["pmk_r1_push"] = "0"
1502 hostapd.add_ap(apdev[1], params)
1503
1504 dev[0].scan_for_bss(apdev[1]['bssid'], freq="2412")
1505 dev[0].roam_over_ds(apdev[1]['bssid'], fail_test=True)
1506
1507 @remote_compatible
1508 def test_ap_ft_mismatching_rrb_r0kh_push(dev, apdev):
1509 """WPA2-PSK-FT AP over DS with mismatching R0KH key (push)"""
1510 ssid = "test-ft"
1511 passphrase = "12345678"
1512
1513 params = ft_params1(ssid=ssid, passphrase=passphrase)
1514 params["ieee80211w"] = "2"
1515 hapd0 = hostapd.add_ap(apdev[0], params)
1516 params = ft_params2_r0kh_mismatch(ssid=ssid, passphrase=passphrase)
1517 params["ieee80211w"] = "2"
1518 hapd1 = hostapd.add_ap(apdev[1], params)
1519
1520 run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, over_ds=True,
1521 fail_test=True)
1522
1523 @remote_compatible
1524 def test_ap_ft_mismatching_rrb_r0kh_pull(dev, apdev):
1525 """WPA2-PSK-FT AP over DS with mismatching R0KH key (pull)"""
1526 ssid = "test-ft"
1527 passphrase = "12345678"
1528
1529 params = ft_params1_r0kh_mismatch(ssid=ssid, passphrase=passphrase)
1530 params["pmk_r1_push"] = "0"
1531 hapd0 = hostapd.add_ap(apdev[0], params)
1532 params = ft_params2(ssid=ssid, passphrase=passphrase)
1533 params["pmk_r1_push"] = "0"
1534 hapd1 = hostapd.add_ap(apdev[1], params)
1535
1536 run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, over_ds=True,
1537 fail_test=True)
1538
1539 def test_ap_ft_mismatching_rrb_key_push_eap(dev, apdev):
1540 """WPA2-EAP-FT AP over DS with mismatching RRB key (push)"""
1541 ssid = "test-ft"
1542 passphrase = "12345678"
1543
1544 radius = hostapd.radius_params()
1545 params = ft_params1(ssid=ssid, passphrase=passphrase)
1546 params["ieee80211w"] = "2"
1547 params['wpa_key_mgmt'] = "FT-EAP"
1548 params["ieee8021x"] = "1"
1549 params = dict(list(radius.items()) + list(params.items()))
1550 hapd0 = hostapd.add_ap(apdev[0], params)
1551 params = ft_params2_incorrect_rrb_key(ssid=ssid, passphrase=passphrase)
1552 params["ieee80211w"] = "2"
1553 params['wpa_key_mgmt'] = "FT-EAP"
1554 params["ieee8021x"] = "1"
1555 params = dict(list(radius.items()) + list(params.items()))
1556 hapd1 = hostapd.add_ap(apdev[1], params)
1557
1558 run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, over_ds=True,
1559 fail_test=True, eap=True)
1560
1561 def test_ap_ft_mismatching_rrb_key_pull_eap(dev, apdev):
1562 """WPA2-EAP-FT AP over DS with mismatching RRB key (pull)"""
1563 ssid = "test-ft"
1564 passphrase = "12345678"
1565
1566 radius = hostapd.radius_params()
1567 params = ft_params1(ssid=ssid, passphrase=passphrase)
1568 params["pmk_r1_push"] = "0"
1569 params['wpa_key_mgmt'] = "FT-EAP"
1570 params["ieee8021x"] = "1"
1571 params = dict(list(radius.items()) + list(params.items()))
1572 hapd0 = hostapd.add_ap(apdev[0], params)
1573 params = ft_params2_incorrect_rrb_key(ssid=ssid, passphrase=passphrase)
1574 params["pmk_r1_push"] = "0"
1575 params['wpa_key_mgmt'] = "FT-EAP"
1576 params["ieee8021x"] = "1"
1577 params = dict(list(radius.items()) + list(params.items()))
1578 hapd1 = hostapd.add_ap(apdev[1], params)
1579
1580 run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, over_ds=True,
1581 fail_test=True, eap=True)
1582
1583 def test_ap_ft_mismatching_r0kh_id_pull_eap(dev, apdev):
1584 """WPA2-EAP-FT AP over DS with mismatching R0KH-ID (pull)"""
1585 ssid = "test-ft"
1586 passphrase = "12345678"
1587
1588 radius = hostapd.radius_params()
1589 params = ft_params1(ssid=ssid, passphrase=passphrase)
1590 params["pmk_r1_push"] = "0"
1591 params["nas_identifier"] = "nas0.w1.fi"
1592 params['wpa_key_mgmt'] = "FT-EAP"
1593 params["ieee8021x"] = "1"
1594 params = dict(list(radius.items()) + list(params.items()))
1595 hostapd.add_ap(apdev[0], params)
1596 dev[0].connect(ssid, key_mgmt="FT-EAP", proto="WPA2", ieee80211w="1",
1597 eap="GPSK", identity="gpsk user",
1598 password="abcdefghijklmnop0123456789abcdef",
1599 scan_freq="2412")
1600
1601 params = ft_params2(ssid=ssid, passphrase=passphrase)
1602 params["pmk_r1_push"] = "0"
1603 params['wpa_key_mgmt'] = "FT-EAP"
1604 params["ieee8021x"] = "1"
1605 params = dict(list(radius.items()) + list(params.items()))
1606 hostapd.add_ap(apdev[1], params)
1607
1608 dev[0].scan_for_bss(apdev[1]['bssid'], freq="2412")
1609 dev[0].roam_over_ds(apdev[1]['bssid'], fail_test=True)
1610
1611 def test_ap_ft_mismatching_rrb_r0kh_push_eap(dev, apdev):
1612 """WPA2-EAP-FT AP over DS with mismatching R0KH key (push)"""
1613 ssid = "test-ft"
1614 passphrase = "12345678"
1615
1616 radius = hostapd.radius_params()
1617 params = ft_params1(ssid=ssid, passphrase=passphrase)
1618 params["ieee80211w"] = "2"
1619 params['wpa_key_mgmt'] = "FT-EAP"
1620 params["ieee8021x"] = "1"
1621 params = dict(list(radius.items()) + list(params.items()))
1622 hapd0 = hostapd.add_ap(apdev[0], params)
1623 params = ft_params2_r0kh_mismatch(ssid=ssid, passphrase=passphrase)
1624 params["ieee80211w"] = "2"
1625 params['wpa_key_mgmt'] = "FT-EAP"
1626 params["ieee8021x"] = "1"
1627 params = dict(list(radius.items()) + list(params.items()))
1628 hapd1 = hostapd.add_ap(apdev[1], params)
1629
1630 run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, over_ds=True,
1631 fail_test=True, eap=True)
1632
1633 def test_ap_ft_mismatching_rrb_r0kh_pull_eap(dev, apdev):
1634 """WPA2-EAP-FT AP over DS with mismatching R0KH key (pull)"""
1635 ssid = "test-ft"
1636 passphrase = "12345678"
1637
1638 radius = hostapd.radius_params()
1639 params = ft_params1_r0kh_mismatch(ssid=ssid, passphrase=passphrase)
1640 params["pmk_r1_push"] = "0"
1641 params['wpa_key_mgmt'] = "FT-EAP"
1642 params["ieee8021x"] = "1"
1643 params = dict(list(radius.items()) + list(params.items()))
1644 hapd0 = hostapd.add_ap(apdev[0], params)
1645 params = ft_params2(ssid=ssid, passphrase=passphrase)
1646 params["pmk_r1_push"] = "0"
1647 params['wpa_key_mgmt'] = "FT-EAP"
1648 params["ieee8021x"] = "1"
1649 params = dict(list(radius.items()) + list(params.items()))
1650 hapd1 = hostapd.add_ap(apdev[1], params)
1651
1652 run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, over_ds=True,
1653 fail_test=True, eap=True)
1654
1655 def test_ap_ft_gtk_rekey(dev, apdev):
1656 """WPA2-PSK-FT AP and GTK rekey"""
1657 ssid = "test-ft"
1658 passphrase = "12345678"
1659
1660 params = ft_params1(ssid=ssid, passphrase=passphrase)
1661 params['wpa_group_rekey'] = '1'
1662 hapd = hostapd.add_ap(apdev[0], params)
1663
1664 dev[0].connect(ssid, psk=passphrase, key_mgmt="FT-PSK", proto="WPA2",
1665 ieee80211w="1", scan_freq="2412")
1666
1667 ev = dev[0].wait_event(["WPA: Group rekeying completed"], timeout=2)
1668 if ev is None:
1669 raise Exception("GTK rekey timed out after initial association")
1670 hwsim_utils.test_connectivity(dev[0], hapd)
1671
1672 params = ft_params2(ssid=ssid, passphrase=passphrase)
1673 params['wpa_group_rekey'] = '1'
1674 hapd1 = hostapd.add_ap(apdev[1], params)
1675
1676 dev[0].scan_for_bss(apdev[1]['bssid'], freq="2412")
1677 dev[0].roam(apdev[1]['bssid'])
1678 if dev[0].get_status_field('bssid') != apdev[1]['bssid']:
1679 raise Exception("Did not connect to correct AP")
1680 hwsim_utils.test_connectivity(dev[0], hapd1)
1681
1682 ev = dev[0].wait_event(["WPA: Group rekeying completed"], timeout=2)
1683 if ev is None:
1684 raise Exception("GTK rekey timed out after FT protocol")
1685 hwsim_utils.test_connectivity(dev[0], hapd1)
1686
1687 def test_ft_psk_key_lifetime_in_memory(dev, apdev, params):
1688 """WPA2-PSK-FT and key lifetime in memory"""
1689 ssid = "test-ft"
1690 passphrase = "04c2726b4b8d5f1b4db9c07aa4d9e9d8f765cb5d25ec817e6cc4fcdd5255db0"
1691 psk = '93c90846ff67af9037ed83fb72b63dbeddaa81d47f926c20909b5886f1d9358d'
1692 pmk = binascii.unhexlify(psk)
1693 p = ft_params1(ssid=ssid, passphrase=passphrase)
1694 hapd0 = hostapd.add_ap(apdev[0], p)
1695 p = ft_params2(ssid=ssid, passphrase=passphrase)
1696 hapd1 = hostapd.add_ap(apdev[1], p)
1697
1698 pid = find_wpas_process(dev[0])
1699
1700 dev[0].connect(ssid, psk=passphrase, key_mgmt="FT-PSK", proto="WPA2",
1701 scan_freq="2412")
1702 # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
1703 # event has been delivered, so verify that wpa_supplicant has returned to
1704 # eloop before reading process memory.
1705 time.sleep(1)
1706 dev[0].ping()
1707
1708 buf = read_process_memory(pid, pmk)
1709
1710 dev[0].request("DISCONNECT")
1711 dev[0].wait_disconnected()
1712
1713 dev[0].relog()
1714 pmkr0 = None
1715 pmkr1 = None
1716 ptk = None
1717 gtk = None
1718 with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
1719 for l in f.readlines():
1720 if "FT: PMK-R0 - hexdump" in l:
1721 val = l.strip().split(':')[3].replace(' ', '')
1722 pmkr0 = binascii.unhexlify(val)
1723 if "FT: PMK-R1 - hexdump" in l:
1724 val = l.strip().split(':')[3].replace(' ', '')
1725 pmkr1 = binascii.unhexlify(val)
1726 if "FT: KCK - hexdump" in l:
1727 val = l.strip().split(':')[3].replace(' ', '')
1728 kck = binascii.unhexlify(val)
1729 if "FT: KEK - hexdump" in l:
1730 val = l.strip().split(':')[3].replace(' ', '')
1731 kek = binascii.unhexlify(val)
1732 if "FT: TK - hexdump" in l:
1733 val = l.strip().split(':')[3].replace(' ', '')
1734 tk = binascii.unhexlify(val)
1735 if "WPA: Group Key - hexdump" in l:
1736 val = l.strip().split(':')[3].replace(' ', '')
1737 gtk = binascii.unhexlify(val)
1738 if not pmkr0 or not pmkr1 or not kck or not kek or not tk or not gtk:
1739 raise Exception("Could not find keys from debug log")
1740 if len(gtk) != 16:
1741 raise Exception("Unexpected GTK length")
1742
1743 logger.info("Checking keys in memory while associated")
1744 get_key_locations(buf, pmk, "PMK")
1745 get_key_locations(buf, pmkr0, "PMK-R0")
1746 get_key_locations(buf, pmkr1, "PMK-R1")
1747 if pmk not in buf:
1748 raise HwsimSkip("PMK not found while associated")
1749 if pmkr0 not in buf:
1750 raise HwsimSkip("PMK-R0 not found while associated")
1751 if pmkr1 not in buf:
1752 raise HwsimSkip("PMK-R1 not found while associated")
1753 if kck not in buf:
1754 raise Exception("KCK not found while associated")
1755 if kek not in buf:
1756 raise Exception("KEK not found while associated")
1757 #if tk in buf:
1758 # raise Exception("TK found from memory")
1759
1760 logger.info("Checking keys in memory after disassociation")
1761 buf = read_process_memory(pid, pmk)
1762 get_key_locations(buf, pmk, "PMK")
1763 get_key_locations(buf, pmkr0, "PMK-R0")
1764 get_key_locations(buf, pmkr1, "PMK-R1")
1765
1766 # Note: PMK/PSK is still present in network configuration
1767
1768 fname = os.path.join(params['logdir'],
1769 'ft_psk_key_lifetime_in_memory.memctx-')
1770 verify_not_present(buf, pmkr0, fname, "PMK-R0")
1771 verify_not_present(buf, pmkr1, fname, "PMK-R1")
1772 verify_not_present(buf, kck, fname, "KCK")
1773 verify_not_present(buf, kek, fname, "KEK")
1774 verify_not_present(buf, tk, fname, "TK")
1775 if gtk in buf:
1776 get_key_locations(buf, gtk, "GTK")
1777 verify_not_present(buf, gtk, fname, "GTK")
1778
1779 dev[0].request("REMOVE_NETWORK all")
1780
1781 logger.info("Checking keys in memory after network profile removal")
1782 buf = read_process_memory(pid, pmk)
1783 get_key_locations(buf, pmk, "PMK")
1784 get_key_locations(buf, pmkr0, "PMK-R0")
1785 get_key_locations(buf, pmkr1, "PMK-R1")
1786
1787 verify_not_present(buf, pmk, fname, "PMK")
1788 verify_not_present(buf, pmkr0, fname, "PMK-R0")
1789 verify_not_present(buf, pmkr1, fname, "PMK-R1")
1790 verify_not_present(buf, kck, fname, "KCK")
1791 verify_not_present(buf, kek, fname, "KEK")
1792 verify_not_present(buf, tk, fname, "TK")
1793 verify_not_present(buf, gtk, fname, "GTK")
1794
1795 @remote_compatible
1796 def test_ap_ft_invalid_resp(dev, apdev):
1797 """WPA2-PSK-FT AP and invalid response IEs"""
1798 ssid = "test-ft"
1799 passphrase = "12345678"
1800
1801 params = ft_params1(ssid=ssid, passphrase=passphrase)
1802 hapd0 = hostapd.add_ap(apdev[0], params)
1803 dev[0].connect(ssid, psk=passphrase, key_mgmt="FT-PSK", proto="WPA2",
1804 scan_freq="2412")
1805
1806 params = ft_params2(ssid=ssid, passphrase=passphrase)
1807 hapd1 = hostapd.add_ap(apdev[1], params)
1808
1809 tests = [
1810 # Various IEs for test coverage. The last one is FTIE with invalid
1811 # R1KH-ID subelement.
1812 "020002000000" + "3800" + "38051122334455" + "3754000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010100",
1813 # FTIE with invalid R0KH-ID subelement (len=0).
1814 "020002000000" + "3754000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010300",
1815 # FTIE with invalid R0KH-ID subelement (len=49).
1816 "020002000000" + "378500010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001033101020304050607080910111213141516171819202122232425262728293031323334353637383940414243444546474849",
1817 # Invalid RSNE.
1818 "020002000000" + "3000",
1819 # Required IEs missing from protected IE count.
1820 "020002000000" + "3603a1b201" + "375200010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001" + "3900",
1821 # RIC missing from protected IE count.
1822 "020002000000" + "3603a1b201" + "375200020203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001" + "3900",
1823 # Protected IE missing.
1824 "020002000000" + "3603a1b201" + "375200ff0203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001" + "3900" + "0000"]
1825 for t in tests:
1826 dev[0].scan_for_bss(apdev[1]['bssid'], freq="2412")
1827 hapd1.set("ext_mgmt_frame_handling", "1")
1828 hapd1.dump_monitor()
1829 if "OK" not in dev[0].request("ROAM " + apdev[1]['bssid']):
1830 raise Exception("ROAM failed")
1831 auth = None
1832 for i in range(20):
1833 msg = hapd1.mgmt_rx()
1834 if msg['subtype'] == 11:
1835 auth = msg
1836 break
1837 if not auth:
1838 raise Exception("Authentication frame not seen")
1839
1840 resp = {}
1841 resp['fc'] = auth['fc']
1842 resp['da'] = auth['sa']
1843 resp['sa'] = auth['da']
1844 resp['bssid'] = auth['bssid']
1845 resp['payload'] = binascii.unhexlify(t)
1846 hapd1.mgmt_tx(resp)
1847 hapd1.set("ext_mgmt_frame_handling", "0")
1848 dev[0].wait_disconnected()
1849
1850 dev[0].request("RECONNECT")
1851 dev[0].wait_connected()
1852
1853 def test_ap_ft_gcmp_256(dev, apdev):
1854 """WPA2-PSK-FT AP with GCMP-256 cipher"""
1855 if "GCMP-256" not in dev[0].get_capability("pairwise"):
1856 raise HwsimSkip("Cipher GCMP-256 not supported")
1857 ssid = "test-ft"
1858 passphrase = "12345678"
1859
1860 params = ft_params1(ssid=ssid, passphrase=passphrase)
1861 params['rsn_pairwise'] = "GCMP-256"
1862 hapd0 = hostapd.add_ap(apdev[0], params)
1863 params = ft_params2(ssid=ssid, passphrase=passphrase)
1864 params['rsn_pairwise'] = "GCMP-256"
1865 hapd1 = hostapd.add_ap(apdev[1], params)
1866
1867 run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase,
1868 pairwise_cipher="GCMP-256", group_cipher="GCMP-256")
1869
1870 def setup_ap_ft_oom(dev, apdev):
1871 skip_with_fips(dev[0])
1872 ssid = "test-ft"
1873 passphrase = "12345678"
1874
1875 params = ft_params1(ssid=ssid, passphrase=passphrase)
1876 hapd0 = hostapd.add_ap(apdev[0], params)
1877 params = ft_params2(ssid=ssid, passphrase=passphrase)
1878 hapd1 = hostapd.add_ap(apdev[1], params)
1879
1880 dev[0].connect(ssid, psk=passphrase, key_mgmt="FT-PSK", proto="WPA2",
1881 scan_freq="2412")
1882 if dev[0].get_status_field('bssid') == apdev[0]['bssid']:
1883 dst = apdev[1]['bssid']
1884 else:
1885 dst = apdev[0]['bssid']
1886
1887 dev[0].scan_for_bss(dst, freq="2412")
1888
1889 return dst
1890
1891 def test_ap_ft_oom(dev, apdev):
1892 """WPA2-PSK-FT and OOM"""
1893 dst = setup_ap_ft_oom(dev, apdev)
1894 with alloc_fail(dev[0], 1, "wpa_ft_gen_req_ies"):
1895 dev[0].roam(dst)
1896
1897 def test_ap_ft_oom2(dev, apdev):
1898 """WPA2-PSK-FT and OOM (2)"""
1899 dst = setup_ap_ft_oom(dev, apdev)
1900 with fail_test(dev[0], 1, "wpa_ft_mic"):
1901 dev[0].roam(dst, fail_test=True, assoc_reject_ok=True)
1902
1903 def test_ap_ft_oom3(dev, apdev):
1904 """WPA2-PSK-FT and OOM (3)"""
1905 dst = setup_ap_ft_oom(dev, apdev)
1906 with fail_test(dev[0], 1, "os_get_random;wpa_ft_prepare_auth_request"):
1907 dev[0].roam(dst)
1908
1909 def test_ap_ft_oom4(dev, apdev):
1910 """WPA2-PSK-FT and OOM (4)"""
1911 ssid = "test-ft"
1912 passphrase = "12345678"
1913 dst = setup_ap_ft_oom(dev, apdev)
1914 dev[0].request("REMOVE_NETWORK all")
1915 with alloc_fail(dev[0], 1, "=sme_update_ft_ies"):
1916 dev[0].connect(ssid, psk=passphrase, key_mgmt="FT-PSK", proto="WPA2",
1917 scan_freq="2412")
1918
1919 def test_ap_ft_ap_oom(dev, apdev):
1920 """WPA2-PSK-FT and AP OOM"""
1921 ssid = "test-ft"
1922 passphrase = "12345678"
1923
1924 params = ft_params1(ssid=ssid, passphrase=passphrase)
1925 hapd0 = hostapd.add_ap(apdev[0], params)
1926 bssid0 = hapd0.own_addr()
1927
1928 dev[0].scan_for_bss(bssid0, freq="2412")
1929 with alloc_fail(hapd0, 1, "wpa_ft_store_pmk_r0"):
1930 dev[0].connect(ssid, psk=passphrase, key_mgmt="FT-PSK", proto="WPA2",
1931 scan_freq="2412")
1932
1933 params = ft_params2(ssid=ssid, passphrase=passphrase)
1934 hapd1 = hostapd.add_ap(apdev[1], params)
1935 bssid1 = hapd1.own_addr()
1936 dev[0].scan_for_bss(bssid1, freq="2412")
1937 # This roam will fail due to missing PMK-R0 (OOM prevented storing it)
1938 dev[0].roam(bssid1)
1939
1940 def test_ap_ft_ap_oom2(dev, apdev):
1941 """WPA2-PSK-FT and AP OOM 2"""
1942 ssid = "test-ft"
1943 passphrase = "12345678"
1944
1945 params = ft_params1(ssid=ssid, passphrase=passphrase)
1946 hapd0 = hostapd.add_ap(apdev[0], params)
1947 bssid0 = hapd0.own_addr()
1948
1949 dev[0].scan_for_bss(bssid0, freq="2412")
1950 with alloc_fail(hapd0, 1, "wpa_ft_store_pmk_r1"):
1951 dev[0].connect(ssid, psk=passphrase, key_mgmt="FT-PSK", proto="WPA2",
1952 scan_freq="2412")
1953
1954 params = ft_params2(ssid=ssid, passphrase=passphrase)
1955 hapd1 = hostapd.add_ap(apdev[1], params)
1956 bssid1 = hapd1.own_addr()
1957 dev[0].scan_for_bss(bssid1, freq="2412")
1958 dev[0].roam(bssid1)
1959 if dev[0].get_status_field('bssid') != bssid1:
1960 raise Exception("Did not roam to AP1")
1961 # This roam will fail due to missing PMK-R1 (OOM prevented storing it)
1962 dev[0].roam(bssid0)
1963
1964 def test_ap_ft_ap_oom3(dev, apdev):
1965 """WPA2-PSK-FT and AP OOM 3"""
1966 ssid = "test-ft"
1967 passphrase = "12345678"
1968
1969 params = ft_params1(ssid=ssid, passphrase=passphrase)
1970 hapd0 = hostapd.add_ap(apdev[0], params)
1971 bssid0 = hapd0.own_addr()
1972
1973 dev[0].scan_for_bss(bssid0, freq="2412")
1974 dev[0].connect(ssid, psk=passphrase, key_mgmt="FT-PSK", proto="WPA2",
1975 scan_freq="2412")
1976
1977 params = ft_params2(ssid=ssid, passphrase=passphrase)
1978 hapd1 = hostapd.add_ap(apdev[1], params)
1979 bssid1 = hapd1.own_addr()
1980 dev[0].scan_for_bss(bssid1, freq="2412")
1981 with alloc_fail(hapd1, 1, "wpa_ft_pull_pmk_r1"):
1982 # This will fail due to not being able to send out PMK-R1 pull request
1983 dev[0].roam(bssid1)
1984
1985 with fail_test(hapd1, 2, "os_get_random;wpa_ft_pull_pmk_r1"):
1986 # This will fail due to not being able to send out PMK-R1 pull request
1987 dev[0].roam(bssid1)
1988
1989 with fail_test(hapd1, 2, "aes_siv_encrypt;wpa_ft_pull_pmk_r1"):
1990 # This will fail due to not being able to send out PMK-R1 pull request
1991 dev[0].roam(bssid1)
1992
1993 def test_ap_ft_ap_oom3b(dev, apdev):
1994 """WPA2-PSK-FT and AP OOM 3b"""
1995 ssid = "test-ft"
1996 passphrase = "12345678"
1997
1998 params = ft_params1(ssid=ssid, passphrase=passphrase)
1999 hapd0 = hostapd.add_ap(apdev[0], params)
2000 bssid0 = hapd0.own_addr()
2001
2002 dev[0].scan_for_bss(bssid0, freq="2412")
2003 dev[0].connect(ssid, psk=passphrase, key_mgmt="FT-PSK", proto="WPA2",
2004 scan_freq="2412")
2005
2006 params = ft_params2(ssid=ssid, passphrase=passphrase)
2007 hapd1 = hostapd.add_ap(apdev[1], params)
2008 bssid1 = hapd1.own_addr()
2009 dev[0].scan_for_bss(bssid1, freq="2412")
2010 with fail_test(hapd1, 1, "os_get_random;wpa_ft_pull_pmk_r1"):
2011 # This will fail due to not being able to send out PMK-R1 pull request
2012 dev[0].roam(bssid1)
2013
2014 def test_ap_ft_ap_oom4(dev, apdev):
2015 """WPA2-PSK-FT and AP OOM 4"""
2016 ssid = "test-ft"
2017 passphrase = "12345678"
2018
2019 params = ft_params1(ssid=ssid, passphrase=passphrase)
2020 hapd0 = hostapd.add_ap(apdev[0], params)
2021 bssid0 = hapd0.own_addr()
2022
2023 dev[0].scan_for_bss(bssid0, freq="2412")
2024 dev[0].connect(ssid, psk=passphrase, key_mgmt="FT-PSK", proto="WPA2",
2025 scan_freq="2412")
2026
2027 params = ft_params2(ssid=ssid, passphrase=passphrase)
2028 hapd1 = hostapd.add_ap(apdev[1], params)
2029 bssid1 = hapd1.own_addr()
2030 dev[0].scan_for_bss(bssid1, freq="2412")
2031 with alloc_fail(hapd1, 1, "wpa_ft_gtk_subelem"):
2032 dev[0].roam(bssid1)
2033 if dev[0].get_status_field('bssid') != bssid1:
2034 raise Exception("Did not roam to AP1")
2035
2036 with fail_test(hapd0, 1, "i802_get_seqnum;wpa_ft_gtk_subelem"):
2037 dev[0].roam(bssid0)
2038 if dev[0].get_status_field('bssid') != bssid0:
2039 raise Exception("Did not roam to AP0")
2040
2041 with fail_test(hapd0, 1, "aes_wrap;wpa_ft_gtk_subelem"):
2042 dev[0].roam(bssid1)
2043 if dev[0].get_status_field('bssid') != bssid1:
2044 raise Exception("Did not roam to AP1")
2045
2046 def test_ap_ft_ap_oom5(dev, apdev):
2047 """WPA2-PSK-FT and AP OOM 5"""
2048 ssid = "test-ft"
2049 passphrase = "12345678"
2050
2051 params = ft_params1(ssid=ssid, passphrase=passphrase)
2052 hapd0 = hostapd.add_ap(apdev[0], params)
2053 bssid0 = hapd0.own_addr()
2054
2055 dev[0].scan_for_bss(bssid0, freq="2412")
2056 dev[0].connect(ssid, psk=passphrase, key_mgmt="FT-PSK", proto="WPA2",
2057 scan_freq="2412")
2058
2059 params = ft_params2(ssid=ssid, passphrase=passphrase)
2060 hapd1 = hostapd.add_ap(apdev[1], params)
2061 bssid1 = hapd1.own_addr()
2062 dev[0].scan_for_bss(bssid1, freq="2412")
2063 with alloc_fail(hapd1, 1, "=wpa_ft_process_auth_req"):
2064 # This will fail to roam
2065 dev[0].roam(bssid1)
2066
2067 with fail_test(hapd1, 1, "os_get_random;wpa_ft_process_auth_req"):
2068 # This will fail to roam
2069 dev[0].roam(bssid1)
2070
2071 with fail_test(hapd1, 1, "sha256_prf_bits;wpa_pmk_r1_to_ptk;wpa_ft_process_auth_req"):
2072 # This will fail to roam
2073 dev[0].roam(bssid1)
2074
2075 with fail_test(hapd1, 3, "wpa_pmk_r1_to_ptk;wpa_ft_process_auth_req"):
2076 # This will fail to roam
2077 dev[0].roam(bssid1)
2078
2079 with fail_test(hapd1, 1, "wpa_derive_pmk_r1_name;wpa_ft_process_auth_req"):
2080 # This will fail to roam
2081 dev[0].roam(bssid1)
2082
2083 def test_ap_ft_ap_oom6(dev, apdev):
2084 """WPA2-PSK-FT and AP OOM 6"""
2085 ssid = "test-ft"
2086 passphrase = "12345678"
2087
2088 params = ft_params1(ssid=ssid, passphrase=passphrase)
2089 hapd0 = hostapd.add_ap(apdev[0], params)
2090 bssid0 = hapd0.own_addr()
2091
2092 dev[0].scan_for_bss(bssid0, freq="2412")
2093 with fail_test(hapd0, 1, "wpa_derive_pmk_r0;wpa_auth_derive_ptk_ft"):
2094 dev[0].connect(ssid, psk=passphrase, key_mgmt="FT-PSK", proto="WPA2",
2095 scan_freq="2412")
2096 dev[0].request("REMOVE_NETWORK all")
2097 dev[0].wait_disconnected()
2098 with fail_test(hapd0, 1, "wpa_derive_pmk_r1;wpa_auth_derive_ptk_ft"):
2099 dev[0].connect(ssid, psk=passphrase, key_mgmt="FT-PSK", proto="WPA2",
2100 scan_freq="2412")
2101 dev[0].request("REMOVE_NETWORK all")
2102 dev[0].wait_disconnected()
2103 with fail_test(hapd0, 1, "wpa_pmk_r1_to_ptk;wpa_auth_derive_ptk_ft"):
2104 dev[0].connect(ssid, psk=passphrase, key_mgmt="FT-PSK", proto="WPA2",
2105 scan_freq="2412")
2106
2107 def test_ap_ft_ap_oom7a(dev, apdev):
2108 """WPA2-PSK-FT and AP OOM 7a"""
2109 ssid = "test-ft"
2110 passphrase = "12345678"
2111
2112 params = ft_params1(ssid=ssid, passphrase=passphrase)
2113 params["ieee80211w"] = "2"
2114 hapd0 = hostapd.add_ap(apdev[0], params)
2115 bssid0 = hapd0.own_addr()
2116
2117 dev[0].scan_for_bss(bssid0, freq="2412")
2118 dev[0].connect(ssid, psk=passphrase, key_mgmt="FT-PSK", proto="WPA2",
2119 ieee80211w="2", scan_freq="2412")
2120
2121 params = ft_params2(ssid=ssid, passphrase=passphrase)
2122 params["ieee80211w"] = "2"
2123 hapd1 = hostapd.add_ap(apdev[1], params)
2124 bssid1 = hapd1.own_addr()
2125 dev[0].scan_for_bss(bssid1, freq="2412")
2126 with alloc_fail(hapd1, 1, "wpa_ft_igtk_subelem"):
2127 # This will fail to roam
2128 dev[0].roam(bssid1)
2129
2130 def test_ap_ft_ap_oom7b(dev, apdev):
2131 """WPA2-PSK-FT and AP OOM 7b"""
2132 ssid = "test-ft"
2133 passphrase = "12345678"
2134
2135 params = ft_params1(ssid=ssid, passphrase=passphrase)
2136 params["ieee80211w"] = "2"
2137 hapd0 = hostapd.add_ap(apdev[0], params)
2138 bssid0 = hapd0.own_addr()
2139
2140 dev[0].scan_for_bss(bssid0, freq="2412")
2141 dev[0].connect(ssid, psk=passphrase, key_mgmt="FT-PSK", proto="WPA2",
2142 ieee80211w="2", scan_freq="2412")
2143
2144 params = ft_params2(ssid=ssid, passphrase=passphrase)
2145 params["ieee80211w"] = "2"
2146 hapd1 = hostapd.add_ap(apdev[1], params)
2147 bssid1 = hapd1.own_addr()
2148 dev[0].scan_for_bss(bssid1, freq="2412")
2149 with fail_test(hapd1, 1, "aes_wrap;wpa_ft_igtk_subelem"):
2150 # This will fail to roam
2151 dev[0].roam(bssid1)
2152
2153 def test_ap_ft_ap_oom7c(dev, apdev):
2154 """WPA2-PSK-FT and AP OOM 7c"""
2155 ssid = "test-ft"
2156 passphrase = "12345678"
2157
2158 params = ft_params1(ssid=ssid, passphrase=passphrase)
2159 params["ieee80211w"] = "2"
2160 hapd0 = hostapd.add_ap(apdev[0], params)
2161 bssid0 = hapd0.own_addr()
2162
2163 dev[0].scan_for_bss(bssid0, freq="2412")
2164 dev[0].connect(ssid, psk=passphrase, key_mgmt="FT-PSK", proto="WPA2",
2165 ieee80211w="2", scan_freq="2412")
2166
2167 params = ft_params2(ssid=ssid, passphrase=passphrase)
2168 params["ieee80211w"] = "2"
2169 hapd1 = hostapd.add_ap(apdev[1], params)
2170 bssid1 = hapd1.own_addr()
2171 dev[0].scan_for_bss(bssid1, freq="2412")
2172 with alloc_fail(hapd1, 1, "=wpa_sm_write_assoc_resp_ies"):
2173 # This will fail to roam
2174 dev[0].roam(bssid1)
2175
2176 def test_ap_ft_ap_oom7d(dev, apdev):
2177 """WPA2-PSK-FT and AP OOM 7d"""
2178 ssid = "test-ft"
2179 passphrase = "12345678"
2180
2181 params = ft_params1(ssid=ssid, passphrase=passphrase)
2182 params["ieee80211w"] = "2"
2183 hapd0 = hostapd.add_ap(apdev[0], params)
2184 bssid0 = hapd0.own_addr()
2185
2186 dev[0].scan_for_bss(bssid0, freq="2412")
2187 dev[0].connect(ssid, psk=passphrase, key_mgmt="FT-PSK", proto="WPA2",
2188 ieee80211w="2", scan_freq="2412")
2189
2190 params = ft_params2(ssid=ssid, passphrase=passphrase)
2191 params["ieee80211w"] = "2"
2192 hapd1 = hostapd.add_ap(apdev[1], params)
2193 bssid1 = hapd1.own_addr()
2194 dev[0].scan_for_bss(bssid1, freq="2412")
2195 with fail_test(hapd1, 1, "wpa_ft_mic;wpa_sm_write_assoc_resp_ies"):
2196 # This will fail to roam
2197 dev[0].roam(bssid1)
2198
2199 def test_ap_ft_ap_oom8(dev, apdev):
2200 """WPA2-PSK-FT and AP OOM 8"""
2201 ssid = "test-ft"
2202 passphrase = "12345678"
2203
2204 params = ft_params1(ssid=ssid, passphrase=passphrase)
2205 params['ft_psk_generate_local'] = "1"
2206 hapd0 = hostapd.add_ap(apdev[0], params)
2207 bssid0 = hapd0.own_addr()
2208
2209 dev[0].scan_for_bss(bssid0, freq="2412")
2210 dev[0].connect(ssid, psk=passphrase, key_mgmt="FT-PSK", proto="WPA2",
2211 scan_freq="2412")
2212
2213 params = ft_params2(ssid=ssid, passphrase=passphrase)
2214 params['ft_psk_generate_local'] = "1"
2215 hapd1 = hostapd.add_ap(apdev[1], params)
2216 bssid1 = hapd1.own_addr()
2217 dev[0].scan_for_bss(bssid1, freq="2412")
2218 with fail_test(hapd1, 1, "wpa_derive_pmk_r0;wpa_ft_psk_pmk_r1"):
2219 # This will fail to roam
2220 dev[0].roam(bssid1)
2221 with fail_test(hapd1, 1, "wpa_derive_pmk_r1;wpa_ft_psk_pmk_r1"):
2222 # This will fail to roam
2223 dev[0].roam(bssid1)
2224
2225 def test_ap_ft_ap_oom9(dev, apdev):
2226 """WPA2-PSK-FT and AP OOM 9"""
2227 ssid = "test-ft"
2228 passphrase = "12345678"
2229
2230 params = ft_params1(ssid=ssid, passphrase=passphrase)
2231 hapd0 = hostapd.add_ap(apdev[0], params)
2232 bssid0 = hapd0.own_addr()
2233
2234 dev[0].scan_for_bss(bssid0, freq="2412")
2235 dev[0].connect(ssid, psk=passphrase, key_mgmt="FT-PSK", proto="WPA2",
2236 scan_freq="2412")
2237
2238 params = ft_params2(ssid=ssid, passphrase=passphrase)
2239 hapd1 = hostapd.add_ap(apdev[1], params)
2240 bssid1 = hapd1.own_addr()
2241 dev[0].scan_for_bss(bssid1, freq="2412")
2242
2243 with alloc_fail(hapd0, 1, "wpa_ft_action_rx"):
2244 # This will fail to roam
2245 if "OK" not in dev[0].request("FT_DS " + bssid1):
2246 raise Exception("FT_DS failed")
2247 wait_fail_trigger(hapd0, "GET_ALLOC_FAIL")
2248
2249 with alloc_fail(hapd1, 1, "wpa_ft_rrb_rx_request"):
2250 # This will fail to roam
2251 if "OK" not in dev[0].request("FT_DS " + bssid1):
2252 raise Exception("FT_DS failed")
2253 wait_fail_trigger(hapd1, "GET_ALLOC_FAIL")
2254
2255 with alloc_fail(hapd1, 1, "wpa_ft_send_rrb_auth_resp"):
2256 # This will fail to roam
2257 if "OK" not in dev[0].request("FT_DS " + bssid1):
2258 raise Exception("FT_DS failed")
2259 wait_fail_trigger(hapd1, "GET_ALLOC_FAIL")
2260
2261 def test_ap_ft_ap_oom10(dev, apdev):
2262 """WPA2-PSK-FT and AP OOM 10"""
2263 ssid = "test-ft"
2264 passphrase = "12345678"
2265
2266 params = ft_params1(ssid=ssid, passphrase=passphrase)
2267 hapd0 = hostapd.add_ap(apdev[0], params)
2268 bssid0 = hapd0.own_addr()
2269
2270 dev[0].scan_for_bss(bssid0, freq="2412")
2271 dev[0].connect(ssid, psk=passphrase, key_mgmt="FT-PSK", proto="WPA2",
2272 scan_freq="2412")
2273
2274 params = ft_params2(ssid=ssid, passphrase=passphrase)
2275 hapd1 = hostapd.add_ap(apdev[1], params)
2276 bssid1 = hapd1.own_addr()
2277 dev[0].scan_for_bss(bssid1, freq="2412")
2278
2279 with fail_test(hapd0, 1, "aes_siv_decrypt;wpa_ft_rrb_rx_pull"):
2280 # This will fail to roam
2281 if "OK" not in dev[0].request("FT_DS " + bssid1):
2282 raise Exception("FT_DS failed")
2283 wait_fail_trigger(hapd0, "GET_FAIL")
2284
2285 with fail_test(hapd0, 1, "wpa_derive_pmk_r1;wpa_ft_rrb_rx_pull"):
2286 # This will fail to roam
2287 if "OK" not in dev[0].request("FT_DS " + bssid1):
2288 raise Exception("FT_DS failed")
2289 wait_fail_trigger(hapd0, "GET_FAIL")
2290
2291 with fail_test(hapd0, 1, "aes_siv_encrypt;wpa_ft_rrb_rx_pull"):
2292 # This will fail to roam
2293 if "OK" not in dev[0].request("FT_DS " + bssid1):
2294 raise Exception("FT_DS failed")
2295 wait_fail_trigger(hapd0, "GET_FAIL")
2296
2297 with fail_test(hapd1, 1, "aes_siv_decrypt;wpa_ft_rrb_rx_resp"):
2298 # This will fail to roam
2299 if "OK" not in dev[0].request("FT_DS " + bssid1):
2300 raise Exception("FT_DS failed")
2301 wait_fail_trigger(hapd1, "GET_FAIL")
2302
2303 def test_ap_ft_ap_oom11(dev, apdev):
2304 """WPA2-PSK-FT and AP OOM 11"""
2305 ssid = "test-ft"
2306 passphrase = "12345678"
2307
2308 params = ft_params1(ssid=ssid, passphrase=passphrase)
2309 hapd0 = hostapd.add_ap(apdev[0], params)
2310 bssid0 = hapd0.own_addr()
2311
2312 dev[0].scan_for_bss(bssid0, freq="2412")
2313 with fail_test(hapd0, 1, "wpa_derive_pmk_r1;wpa_ft_generate_pmk_r1"):
2314 dev[0].connect(ssid, psk=passphrase, key_mgmt="FT-PSK", proto="WPA2",
2315 scan_freq="2412")
2316 wait_fail_trigger(hapd0, "GET_FAIL")
2317
2318 dev[1].scan_for_bss(bssid0, freq="2412")
2319 with fail_test(hapd0, 1, "aes_siv_encrypt;wpa_ft_generate_pmk_r1"):
2320 dev[1].connect(ssid, psk=passphrase, key_mgmt="FT-PSK", proto="WPA2",
2321 scan_freq="2412")
2322 wait_fail_trigger(hapd0, "GET_FAIL")
2323
2324 def test_ap_ft_over_ds_proto_ap(dev, apdev):
2325 """WPA2-PSK-FT AP over DS protocol testing for AP processing"""
2326 ssid = "test-ft"
2327 passphrase = "12345678"
2328
2329 params = ft_params1(ssid=ssid, passphrase=passphrase)
2330 hapd0 = hostapd.add_ap(apdev[0], params)
2331 bssid0 = hapd0.own_addr()
2332 _bssid0 = bssid0.replace(':', '')
2333 dev[0].connect(ssid, psk=passphrase, key_mgmt="FT-PSK", proto="WPA2",
2334 scan_freq="2412")
2335 addr = dev[0].own_addr()
2336 _addr = addr.replace(':', '')
2337
2338 params = ft_params2(ssid=ssid, passphrase=passphrase)
2339 hapd1 = hostapd.add_ap(apdev[1], params)
2340 bssid1 = hapd1.own_addr()
2341 _bssid1 = bssid1.replace(':', '')
2342
2343 hapd0.set("ext_mgmt_frame_handling", "1")
2344 hdr = "d0003a01" + _bssid0 + _addr + _bssid0 + "1000"
2345 valid = "0601" + _addr + _bssid1
2346 tests = ["0601",
2347 "0601" + _addr,
2348 "0601" + _addr + _bssid0,
2349 "0601" + _addr + "ffffffffffff",
2350 "0601" + _bssid0 + _bssid0,
2351 valid,
2352 valid + "01",
2353 valid + "3700",
2354 valid + "3600",
2355 valid + "3603ffffff",
2356 valid + "3603a1b2ff",
2357 valid + "3603a1b2ff" + "3700",
2358 valid + "3603a1b2ff" + "37520000" + 16*"00" + 32*"00" + 32*"00",
2359 valid + "3603a1b2ff" + "37520001" + 16*"00" + 32*"00" + 32*"00",
2360 valid + "3603a1b2ff" + "37550000" + 16*"00" + 32*"00" + 32*"00" + "0301aa",
2361 valid + "3603a1b2ff" + "37550000" + 16*"00" + 32*"00" + 32*"00" + "0301aa" + "3000",
2362 valid + "3603a1b2ff" + "37550000" + 16*"00" + 32*"00" + 32*"00" + "0301aa" + "30260100000fac040100000fac040100000facff00000100a225368fe0983b5828a37a0acb37f253",
2363 valid + "3603a1b2ff" + "37550000" + 16*"00" + 32*"00" + 32*"00" + "0301aa" + "30260100000fac040100000fac030100000fac0400000100a225368fe0983b5828a37a0acb37f253",
2364 valid + "3603a1b2ff" + "37550000" + 16*"00" + 32*"00" + 32*"00" + "0301aa" + "30260100000fac040100000fac040100000fac0400000100a225368fe0983b5828a37a0acb37f253",
2365 valid + "0001"]
2366 for t in tests:
2367 hapd0.dump_monitor()
2368 if "OK" not in hapd0.request("MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + hdr + t):
2369 raise Exception("MGMT_RX_PROCESS failed")
2370
2371 hapd0.set("ext_mgmt_frame_handling", "0")
2372
2373 def test_ap_ft_over_ds_proto(dev, apdev):
2374 """WPA2-PSK-FT AP over DS protocol testing"""
2375 ssid = "test-ft"
2376 passphrase = "12345678"
2377
2378 params = ft_params1(ssid=ssid, passphrase=passphrase)
2379 hapd0 = hostapd.add_ap(apdev[0], params)
2380 dev[0].connect(ssid, psk=passphrase, key_mgmt="FT-PSK", proto="WPA2",
2381 scan_freq="2412")
2382
2383 # FT Action Response while no FT-over-DS in progress
2384 msg = {}
2385 msg['fc'] = 13 << 4
2386 msg['da'] = dev[0].own_addr()
2387 msg['sa'] = apdev[0]['bssid']
2388 msg['bssid'] = apdev[0]['bssid']
2389 msg['payload'] = binascii.unhexlify("06020200000000000200000004000000")
2390 hapd0.mgmt_tx(msg)
2391
2392 params = ft_params2(ssid=ssid, passphrase=passphrase)
2393 hapd1 = hostapd.add_ap(apdev[1], params)
2394 dev[0].scan_for_bss(apdev[1]['bssid'], freq="2412")
2395 hapd0.set("ext_mgmt_frame_handling", "1")
2396 hapd0.dump_monitor()
2397 dev[0].request("FT_DS " + apdev[1]['bssid'])
2398 for i in range(0, 10):
2399 req = hapd0.mgmt_rx()
2400 if req is None:
2401 raise Exception("MGMT RX wait timed out")
2402 if req['subtype'] == 13:
2403 break
2404 req = None
2405 if not req:
2406 raise Exception("FT Action frame not received")
2407
2408 # FT Action Response for unexpected Target AP
2409 msg['payload'] = binascii.unhexlify("0602020000000000" + "f20000000400" + "0000")
2410 hapd0.mgmt_tx(msg)
2411
2412 # FT Action Response without MDIE
2413 msg['payload'] = binascii.unhexlify("0602020000000000" + "020000000400" + "0000")
2414 hapd0.mgmt_tx(msg)
2415
2416 # FT Action Response without FTIE
2417 msg['payload'] = binascii.unhexlify("0602020000000000" + "020000000400" + "0000" + "3603a1b201")
2418 hapd0.mgmt_tx(msg)
2419
2420 # FT Action Response with FTIE SNonce mismatch
2421 msg['payload'] = binascii.unhexlify("0602020000000000" + "020000000400" + "0000" + "3603a1b201" + "3766000000000000000000000000000000000000c4e67ac1999bebd00ff4ae4d5dcaf87896bb060b469f7c78d49623fb395c3455ffffff6b693fe6f8d8c5dfac0a22344750775bd09437f98b238c9f87b97f790c0106000102030406030a6e6173312e77312e6669")
2422 hapd0.mgmt_tx(msg)
2423
2424 @remote_compatible
2425 def test_ap_ft_rrb(dev, apdev):
2426 """WPA2-PSK-FT RRB protocol testing"""
2427 ssid = "test-ft"
2428 passphrase = "12345678"
2429
2430 params = ft_params1(ssid=ssid, passphrase=passphrase)
2431 hapd0 = hostapd.add_ap(apdev[0], params)
2432
2433 dev[0].connect(ssid, psk=passphrase, key_mgmt="FT-PSK", proto="WPA2",
2434 scan_freq="2412")
2435
2436 _dst_ll = binascii.unhexlify(apdev[0]['bssid'].replace(':', ''))
2437 _src_ll = binascii.unhexlify(dev[0].own_addr().replace(':', ''))
2438 proto = b'\x89\x0d'
2439 ehdr = _dst_ll + _src_ll + proto
2440
2441 # Too short RRB frame
2442 pkt = ehdr + b'\x01'
2443 if "OK" not in dev[0].request("DATA_TEST_FRAME " + binascii.hexlify(pkt).decode()):
2444 raise Exception("DATA_TEST_FRAME failed")
2445
2446 # RRB discarded frame wikth unrecognized type
2447 pkt = ehdr + b'\x02' + b'\x02' + b'\x01\x00' + _src_ll
2448 if "OK" not in dev[0].request("DATA_TEST_FRAME " + binascii.hexlify(pkt).decode()):
2449 raise Exception("DATA_TEST_FRAME failed")
2450
2451 # RRB frame too short for action frame
2452 pkt = ehdr + b'\x01' + b'\x02' + b'\x01\x00' + _src_ll
2453 if "OK" not in dev[0].request("DATA_TEST_FRAME " + binascii.hexlify(pkt).decode()):
2454 raise Exception("DATA_TEST_FRAME failed")
2455
2456 # Too short RRB frame (not enough room for Action Frame body)
2457 pkt = ehdr + b'\x01' + b'\x02' + b'\x00\x00' + _src_ll
2458 if "OK" not in dev[0].request("DATA_TEST_FRAME " + binascii.hexlify(pkt).decode()):
2459 raise Exception("DATA_TEST_FRAME failed")
2460
2461 # Unexpected Action frame category
2462 pkt = ehdr + b'\x01' + b'\x02' + b'\x0e\x00' + _src_ll + b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
2463 if "OK" not in dev[0].request("DATA_TEST_FRAME " + binascii.hexlify(pkt).decode()):
2464 raise Exception("DATA_TEST_FRAME failed")
2465
2466 # Unexpected Action in RRB Request
2467 pkt = ehdr + b'\x01' + b'\x00' + b'\x0e\x00' + _src_ll + b'\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
2468 if "OK" not in dev[0].request("DATA_TEST_FRAME " + binascii.hexlify(pkt).decode()):
2469 raise Exception("DATA_TEST_FRAME failed")
2470
2471 # Target AP address in RRB Request does not match with own address
2472 pkt = ehdr + b'\x01' + b'\x00' + b'\x0e\x00' + _src_ll + b'\x06\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
2473 if "OK" not in dev[0].request("DATA_TEST_FRAME " + binascii.hexlify(pkt).decode()):
2474 raise Exception("DATA_TEST_FRAME failed")
2475
2476 # Not enough room for status code in RRB Response
2477 pkt = ehdr + b'\x01' + b'\x01' + b'\x0e\x00' + _src_ll + b'\x06\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
2478 if "OK" not in dev[0].request("DATA_TEST_FRAME " + binascii.hexlify(pkt).decode()):
2479 raise Exception("DATA_TEST_FRAME failed")
2480
2481 # RRB discarded frame with unknown packet_type
2482 pkt = ehdr + b'\x01' + b'\x02' + b'\x0e\x00' + _src_ll + b'\x06\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
2483 if "OK" not in dev[0].request("DATA_TEST_FRAME " + binascii.hexlify(pkt).decode()):
2484 raise Exception("DATA_TEST_FRAME failed")
2485
2486 # RRB Response with non-zero status code; no STA match
2487 pkt = ehdr + b'\x01' + b'\x01' + b'\x10\x00' + _src_ll + b'\x06\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' + b'\xff\xff'
2488 if "OK" not in dev[0].request("DATA_TEST_FRAME " + binascii.hexlify(pkt).decode()):
2489 raise Exception("DATA_TEST_FRAME failed")
2490
2491 # RRB Response with zero status code and extra data; STA match
2492 pkt = ehdr + b'\x01' + b'\x01' + b'\x11\x00' + _src_ll + b'\x06\x01' + _src_ll + b'\x00\x00\x00\x00\x00\x00' + b'\x00\x00' + b'\x00'
2493 if "OK" not in dev[0].request("DATA_TEST_FRAME " + binascii.hexlify(pkt).decode()):
2494 raise Exception("DATA_TEST_FRAME failed")
2495
2496 # Too short PMK-R1 pull
2497 pkt = ehdr + b'\x01' + b'\xc8' + b'\x0e\x00' + _src_ll + b'\x06\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
2498 if "OK" not in dev[0].request("DATA_TEST_FRAME " + binascii.hexlify(pkt).decode()):
2499 raise Exception("DATA_TEST_FRAME failed")
2500
2501 # Too short PMK-R1 resp
2502 pkt = ehdr + b'\x01' + b'\xc9' + b'\x0e\x00' + _src_ll + b'\x06\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
2503 if "OK" not in dev[0].request("DATA_TEST_FRAME " + binascii.hexlify(pkt).decode()):
2504 raise Exception("DATA_TEST_FRAME failed")
2505
2506 # Too short PMK-R1 push
2507 pkt = ehdr + b'\x01' + b'\xca' + b'\x0e\x00' + _src_ll + b'\x06\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
2508 if "OK" not in dev[0].request("DATA_TEST_FRAME " + binascii.hexlify(pkt).decode()):
2509 raise Exception("DATA_TEST_FRAME failed")
2510
2511 # No matching R0KH address found for PMK-R0 pull response
2512 pkt = ehdr + b'\x01' + b'\xc9' + b'\x5a\x00' + _src_ll + b'\x06\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' + 76 * b'\00'
2513 if "OK" not in dev[0].request("DATA_TEST_FRAME " + binascii.hexlify(pkt).decode()):
2514 raise Exception("DATA_TEST_FRAME failed")
2515
2516 @remote_compatible
2517 def test_rsn_ie_proto_ft_psk_sta(dev, apdev):
2518 """RSN element protocol testing for FT-PSK + PMF cases on STA side"""
2519 bssid = apdev[0]['bssid']
2520 ssid = "test-ft"
2521 passphrase = "12345678"
2522
2523 params = ft_params1(ssid=ssid, passphrase=passphrase)
2524 params["ieee80211w"] = "1"
2525 # This is the RSN element used normally by hostapd
2526 params['own_ie_override'] = '30140100000fac040100000fac040100000fac048c00' + '3603a1b201'
2527 hapd = hostapd.add_ap(apdev[0], params)
2528 id = dev[0].connect(ssid, psk=passphrase, key_mgmt="FT-PSK", proto="WPA2",
2529 ieee80211w="1", scan_freq="2412",
2530 pairwise="CCMP", group="CCMP")
2531
2532 tests = [('PMKIDCount field included',
2533 '30160100000fac040100000fac040100000fac048c000000' + '3603a1b201'),
2534 ('Extra IE before RSNE',
2535 'dd0400000000' + '30140100000fac040100000fac040100000fac048c00' + '3603a1b201'),
2536 ('PMKIDCount and Group Management Cipher suite fields included',
2537 '301a0100000fac040100000fac040100000fac048c000000000fac06' + '3603a1b201'),
2538 ('Extra octet after defined fields (future extensibility)',
2539 '301b0100000fac040100000fac040100000fac048c000000000fac0600' + '3603a1b201'),
2540 ('No RSN Capabilities field (PMF disabled in practice)',
2541 '30120100000fac040100000fac040100000fac04' + '3603a1b201')]
2542 for txt, ie in tests:
2543 dev[0].request("DISCONNECT")
2544 dev[0].wait_disconnected()
2545 logger.info(txt)
2546 hapd.disable()
2547 hapd.set('own_ie_override', ie)
2548 hapd.enable()
2549 dev[0].request("BSS_FLUSH 0")
2550 dev[0].scan_for_bss(bssid, 2412, force_scan=True, only_new=True)
2551 dev[0].select_network(id, freq=2412)
2552 dev[0].wait_connected()
2553
2554 dev[0].request("DISCONNECT")
2555 dev[0].wait_disconnected()
2556
2557 logger.info('Invalid RSNE causing internal hostapd error')
2558 hapd.disable()
2559 hapd.set('own_ie_override', '30130100000fac040100000fac040100000fac048c' + '3603a1b201')
2560 hapd.enable()
2561 dev[0].request("BSS_FLUSH 0")
2562 dev[0].scan_for_bss(bssid, 2412, force_scan=True, only_new=True)
2563 dev[0].select_network(id, freq=2412)
2564 # hostapd fails to generate EAPOL-Key msg 3/4, so this connection cannot
2565 # complete.
2566 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
2567 if ev is not None:
2568 raise Exception("Unexpected connection")
2569 dev[0].request("DISCONNECT")
2570
2571 def start_ft(apdev, wpa_ptk_rekey=None):
2572 ssid = "test-ft"
2573 passphrase = "12345678"
2574
2575 params = ft_params1(ssid=ssid, passphrase=passphrase)
2576 if wpa_ptk_rekey:
2577 params['wpa_ptk_rekey'] = str(wpa_ptk_rekey)
2578 hapd0 = hostapd.add_ap(apdev[0], params)
2579 params = ft_params2(ssid=ssid, passphrase=passphrase)
2580 if wpa_ptk_rekey:
2581 params['wpa_ptk_rekey'] = str(wpa_ptk_rekey)
2582 hapd1 = hostapd.add_ap(apdev[1], params)
2583
2584 return hapd0, hapd1
2585
2586 def check_ptk_rekey(dev, hapd0=None, hapd1=None):
2587 ev = dev.wait_event(["CTRL-EVENT-DISCONNECTED",
2588 "WPA: Key negotiation completed"], timeout=5)
2589 if ev is None:
2590 raise Exception("No event received after roam")
2591 if "CTRL-EVENT-DISCONNECTED" in ev:
2592 raise Exception("Unexpected disconnection after roam")
2593
2594 if not hapd0 or not hapd1:
2595 return
2596 if dev.get_status_field('bssid') == hapd0.own_addr():
2597 hapd = hapd0
2598 else:
2599 hapd = hapd1
2600 time.sleep(0.1)
2601 hwsim_utils.test_connectivity(dev, hapd)
2602
2603 def test_ap_ft_ptk_rekey(dev, apdev):
2604 """WPA2-PSK-FT PTK rekeying triggered by station after roam"""
2605 hapd0, hapd1 = start_ft(apdev)
2606 run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678", ptk_rekey="1")
2607 check_ptk_rekey(dev[0], hapd0, hapd1)
2608
2609 def test_ap_ft_ptk_rekey2(dev, apdev):
2610 """WPA2-PSK-FT PTK rekeying triggered by station after one roam"""
2611 hapd0, hapd1 = start_ft(apdev)
2612 run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678", ptk_rekey="1",
2613 only_one_way=True)
2614 check_ptk_rekey(dev[0], hapd0, hapd1)
2615
2616 def test_ap_ft_ptk_rekey_ap(dev, apdev):
2617 """WPA2-PSK-FT PTK rekeying triggered by AP after roam"""
2618 hapd0, hapd1 = start_ft(apdev, wpa_ptk_rekey=2)
2619 run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678")
2620 check_ptk_rekey(dev[0], hapd0, hapd1)
2621
2622 def test_ap_ft_ptk_rekey_ap2(dev, apdev):
2623 """WPA2-PSK-FT PTK rekeying triggered by AP after one roam"""
2624 hapd0, hapd1 = start_ft(apdev, wpa_ptk_rekey=2)
2625 run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678",
2626 only_one_way=True)
2627 check_ptk_rekey(dev[0], hapd0, hapd1)
2628
2629 def test_ap_ft_eap_ptk_rekey_ap(dev, apdev):
2630 """WPA2-EAP-FT PTK rekeying triggered by AP"""
2631 generic_ap_ft_eap(dev, apdev, only_one_way=True, wpa_ptk_rekey=2)
2632 check_ptk_rekey(dev[0])
2633
2634 def test_ap_ft_internal_rrb_check(dev, apdev):
2635 """RRB internal delivery only to WPA enabled BSS"""
2636 ssid = "test-ft"
2637 passphrase = "12345678"
2638
2639 radius = hostapd.radius_params()
2640 params = ft_params1(ssid=ssid, passphrase=passphrase)
2641 params['wpa_key_mgmt'] = "FT-EAP"
2642 params["ieee8021x"] = "1"
2643 params = dict(list(radius.items()) + list(params.items()))
2644 hapd = hostapd.add_ap(apdev[0], params)
2645 key_mgmt = hapd.get_config()['key_mgmt']
2646 if key_mgmt.split(' ')[0] != "FT-EAP":
2647 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
2648
2649 hapd1 = hostapd.add_ap(apdev[1], {"ssid": ssid})
2650
2651 # Connect to WPA enabled AP
2652 dev[0].connect(ssid, key_mgmt="FT-EAP", proto="WPA2", ieee80211w="1",
2653 eap="GPSK", identity="gpsk user",
2654 password="abcdefghijklmnop0123456789abcdef",
2655 scan_freq="2412")
2656
2657 # Try over_ds roaming to non-WPA-enabled AP.
2658 # If hostapd does not check hapd->wpa_auth internally, it will crash now.
2659 dev[0].roam_over_ds(apdev[1]['bssid'], fail_test=True)
2660
2661 def test_ap_ft_extra_ie(dev, apdev):
2662 """WPA2-PSK-FT AP with WPA2-PSK enabled and unexpected MDE"""
2663 ssid = "test-ft"
2664 passphrase = "12345678"
2665
2666 params = ft_params1(ssid=ssid, passphrase=passphrase)
2667 params["wpa_key_mgmt"] = "WPA-PSK FT-PSK"
2668 hapd0 = hostapd.add_ap(apdev[0], params)
2669 dev[1].connect(ssid, psk=passphrase, key_mgmt="FT-PSK", proto="WPA2",
2670 scan_freq="2412")
2671 dev[2].connect(ssid, psk=passphrase, key_mgmt="WPA-PSK", proto="WPA2",
2672 scan_freq="2412")
2673 try:
2674 # Add Mobility Domain element to test AP validation code.
2675 dev[0].request("VENDOR_ELEM_ADD 13 3603a1b201")
2676 dev[0].connect(ssid, psk=passphrase, key_mgmt="WPA-PSK", proto="WPA2",
2677 scan_freq="2412", wait_connect=False)
2678 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
2679 "CTRL-EVENT-ASSOC-REJECT"], timeout=10)
2680 if ev is None:
2681 raise Exception("No connection result")
2682 if "CTRL-EVENT-CONNECTED" in ev:
2683 raise Exception("Non-FT association accepted with MDE")
2684 if "status_code=43" not in ev:
2685 raise Exception("Unexpected status code: " + ev)
2686 dev[0].request("DISCONNECT")
2687 finally:
2688 dev[0].request("VENDOR_ELEM_REMOVE 13 *")
2689
2690 def test_ap_ft_ric(dev, apdev):
2691 """WPA2-PSK-FT AP and RIC"""
2692 ssid = "test-ft"
2693 passphrase = "12345678"
2694
2695 params = ft_params1(ssid=ssid, passphrase=passphrase)
2696 hapd0 = hostapd.add_ap(apdev[0], params)
2697 params = ft_params2(ssid=ssid, passphrase=passphrase)
2698 hapd1 = hostapd.add_ap(apdev[1], params)
2699
2700 dev[0].set("ric_ies", "")
2701 dev[0].set("ric_ies", '""')
2702 if "FAIL" not in dev[0].request("SET ric_ies q"):
2703 raise Exception("Invalid ric_ies value accepted")
2704
2705 tests = ["3900",
2706 "3900ff04eeeeeeee",
2707 "390400000000",
2708 "390400000000" + "390400000000",
2709 "390400000000" + "dd050050f20202",
2710 "390400000000" + "dd3d0050f2020201" + 55*"00",
2711 "390400000000" + "dd3d0050f2020201aa300010270000000000000000000000000000000000000000000000000000ffffff7f00000000000000000000000040420f00ffff0000",
2712 "390401010000" + "dd3d0050f2020201aa3000dc050000000000000000000000000000000000000000000000000000dc050000000000000000000000000000808d5b0028230000"]
2713 for t in tests:
2714 dev[0].set("ric_ies", t)
2715 run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase,
2716 test_connectivity=False)
2717 dev[0].request("REMOVE_NETWORK all")
2718 dev[0].wait_disconnected()
2719 dev[0].dump_monitor()
2720
2721 def ie_hex(ies, id):
2722 return binascii.hexlify(struct.pack('BB', id, len(ies[id])) + ies[id]).decode()
2723
2724 def test_ap_ft_reassoc_proto(dev, apdev):
2725 """WPA2-PSK-FT AP Reassociation Request frame parsing"""
2726 ssid = "test-ft"
2727 passphrase = "12345678"
2728
2729 params = ft_params1(ssid=ssid, passphrase=passphrase)
2730 hapd0 = hostapd.add_ap(apdev[0], params)
2731 params = ft_params2(ssid=ssid, passphrase=passphrase)
2732 hapd1 = hostapd.add_ap(apdev[1], params)
2733
2734 dev[0].connect(ssid, psk=passphrase, key_mgmt="FT-PSK", proto="WPA2",
2735 ieee80211w="1", scan_freq="2412")
2736 if dev[0].get_status_field('bssid') == hapd0.own_addr():
2737 hapd1ap = hapd0
2738 hapd2ap = hapd1
2739 else:
2740 hapd1ap = hapd1
2741 hapd2ap = hapd0
2742
2743 dev[0].scan_for_bss(hapd2ap.own_addr(), freq="2412")
2744 hapd2ap.set("ext_mgmt_frame_handling", "1")
2745 dev[0].request("ROAM " + hapd2ap.own_addr())
2746
2747 while True:
2748 req = hapd2ap.mgmt_rx()
2749 hapd2ap.request("MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + binascii.hexlify(req['frame']).decode())
2750 if req['subtype'] == 11:
2751 break
2752
2753 while True:
2754 req = hapd2ap.mgmt_rx()
2755 if req['subtype'] == 2:
2756 break
2757 hapd2ap.request("MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + binascii.hexlify(req['frame']).decode())
2758
2759 # IEEE 802.11 header + fixed fields before IEs
2760 hdr = binascii.hexlify(req['frame'][0:34]).decode()
2761 ies = parse_ie(binascii.hexlify(req['frame'][34:]))
2762 # First elements: SSID, Supported Rates, Extended Supported Rates
2763 ies1 = ie_hex(ies, 0) + ie_hex(ies, 1) + ie_hex(ies, 50)
2764
2765 rsne = ie_hex(ies, 48)
2766 mde = ie_hex(ies, 54)
2767 fte = ie_hex(ies, 55)
2768 tests = []
2769 # RSN: Trying to use FT, but MDIE not included
2770 tests += [rsne]
2771 # RSN: Attempted to use unknown MDIE
2772 tests += [rsne + "3603000000"]
2773 # Invalid RSN pairwise cipher
2774 tests += ["30260100000fac040100000fac030100000fac040000010029208a42cd25c85aa571567dce10dae3"]
2775 # FT: No PMKID in RSNIE
2776 tests += ["30160100000fac040100000fac040100000fac0400000000" + ie_hex(ies, 54)]
2777 # FT: Invalid FTIE
2778 tests += [rsne + mde]
2779 # FT: RIC IE(s) in the frame, but not included in protected IE count
2780 # FT: Failed to parse FT IEs
2781 tests += [rsne + mde + fte + "3900"]
2782 # FT: SNonce mismatch in FTIE
2783 tests += [rsne + mde + "37520000" + 16*"00" + 32*"00" + 32*"00"]
2784 # FT: ANonce mismatch in FTIE
2785 tests += [rsne + mde + fte[0:40] + 32*"00" + fte[104:]]
2786 # FT: No R0KH-ID subelem in FTIE
2787 tests += [rsne + mde + "3752" + fte[4:168]]
2788 # FT: R0KH-ID in FTIE did not match with the current R0KH-ID
2789 tests += [rsne + mde + "3755" + fte[4:168] + "0301ff"]
2790 # FT: No R1KH-ID subelem in FTIE
2791 tests += [rsne + mde + "375e" + fte[4:168] + "030a" + binascii.hexlify(b"nas1.w1.fi").decode()]
2792 # FT: Unknown R1KH-ID used in ReassocReq
2793 tests += [rsne + mde + "3766" + fte[4:168] + "030a" + binascii.hexlify(b"nas1.w1.fi").decode() + "0106000000000000"]
2794 # FT: PMKID in Reassoc Req did not match with the PMKR1Name derived from auth request
2795 tests += [rsne[:-32] + 16*"00" + mde + fte]
2796 # Invalid MIC in FTIE
2797 tests += [rsne + mde + fte[0:8] + 16*"00" + fte[40:]]
2798 for t in tests:
2799 hapd2ap.request("MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + hdr + ies1 + t)
2800
2801 def test_ap_ft_reassoc_local_fail(dev, apdev):
2802 """WPA2-PSK-FT AP Reassociation Request frame and local failure"""
2803 ssid = "test-ft"
2804 passphrase = "12345678"
2805
2806 params = ft_params1(ssid=ssid, passphrase=passphrase)
2807 hapd0 = hostapd.add_ap(apdev[0], params)
2808 params = ft_params2(ssid=ssid, passphrase=passphrase)
2809 hapd1 = hostapd.add_ap(apdev[1], params)
2810
2811 dev[0].connect(ssid, psk=passphrase, key_mgmt="FT-PSK", proto="WPA2",
2812 ieee80211w="1", scan_freq="2412")
2813 if dev[0].get_status_field('bssid') == hapd0.own_addr():
2814 hapd1ap = hapd0
2815 hapd2ap = hapd1
2816 else:
2817 hapd1ap = hapd1
2818 hapd2ap = hapd0
2819
2820 dev[0].scan_for_bss(hapd2ap.own_addr(), freq="2412")
2821 # FT: Failed to calculate MIC
2822 with fail_test(hapd2ap, 1, "wpa_ft_validate_reassoc"):
2823 dev[0].request("ROAM " + hapd2ap.own_addr())
2824 ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"], timeout=10)
2825 dev[0].request("DISCONNECT")
2826 if ev is None:
2827 raise Exception("Association reject not seen")
2828
2829 def test_ap_ft_reassoc_replay(dev, apdev, params):
2830 """WPA2-PSK-FT AP and replayed Reassociation Request frame"""
2831 capfile = os.path.join(params['logdir'], "hwsim0.pcapng")
2832 ssid = "test-ft"
2833 passphrase = "12345678"
2834
2835 params = ft_params1(ssid=ssid, passphrase=passphrase)
2836 hapd0 = hostapd.add_ap(apdev[0], params)
2837 params = ft_params2(ssid=ssid, passphrase=passphrase)
2838 hapd1 = hostapd.add_ap(apdev[1], params)
2839
2840 dev[0].connect(ssid, psk=passphrase, key_mgmt="FT-PSK", proto="WPA2",
2841 scan_freq="2412")
2842 if dev[0].get_status_field('bssid') == hapd0.own_addr():
2843 hapd1ap = hapd0
2844 hapd2ap = hapd1
2845 else:
2846 hapd1ap = hapd1
2847 hapd2ap = hapd0
2848
2849 dev[0].scan_for_bss(hapd2ap.own_addr(), freq="2412")
2850 hapd2ap.set("ext_mgmt_frame_handling", "1")
2851 dev[0].dump_monitor()
2852 if "OK" not in dev[0].request("ROAM " + hapd2ap.own_addr()):
2853 raise Exception("ROAM failed")
2854
2855 reassocreq = None
2856 count = 0
2857 while count < 100:
2858 req = hapd2ap.mgmt_rx()
2859 count += 1
2860 hapd2ap.dump_monitor()
2861 hapd2ap.request("MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + binascii.hexlify(req['frame']).decode())
2862 if req['subtype'] == 2:
2863 reassocreq = req
2864 ev = hapd2ap.wait_event(["MGMT-TX-STATUS"], timeout=5)
2865 if ev is None:
2866 raise Exception("No TX status seen")
2867 cmd = "MGMT_TX_STATUS_PROCESS %s" % (" ".join(ev.split(' ')[1:4]))
2868 if "OK" not in hapd2ap.request(cmd):
2869 raise Exception("MGMT_TX_STATUS_PROCESS failed")
2870 break
2871 hapd2ap.set("ext_mgmt_frame_handling", "0")
2872 if reassocreq is None:
2873 raise Exception("No Reassociation Request frame seen")
2874 dev[0].wait_connected()
2875 dev[0].dump_monitor()
2876 hapd2ap.dump_monitor()
2877
2878 hwsim_utils.test_connectivity(dev[0], hapd2ap)
2879
2880 logger.info("Replay the last Reassociation Request frame")
2881 hapd2ap.dump_monitor()
2882 hapd2ap.set("ext_mgmt_frame_handling", "1")
2883 hapd2ap.request("MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + binascii.hexlify(req['frame']).decode())
2884 ev = hapd2ap.wait_event(["MGMT-TX-STATUS"], timeout=5)
2885 if ev is None:
2886 raise Exception("No TX status seen")
2887 cmd = "MGMT_TX_STATUS_PROCESS %s" % (" ".join(ev.split(' ')[1:4]))
2888 if "OK" not in hapd2ap.request(cmd):
2889 raise Exception("MGMT_TX_STATUS_PROCESS failed")
2890 hapd2ap.set("ext_mgmt_frame_handling", "0")
2891
2892 try:
2893 hwsim_utils.test_connectivity(dev[0], hapd2ap)
2894 ok = True
2895 except:
2896 ok = False
2897
2898 ap = hapd2ap.own_addr()
2899 sta = dev[0].own_addr()
2900 filt = "wlan.fc.type == 2 && " + \
2901 "wlan.da == " + sta + " && " + \
2902 "wlan.sa == " + ap + " && " + \
2903 "wlan.fc.protected == 1"
2904 fields = ["wlan.ccmp.extiv"]
2905 res = run_tshark(capfile, filt, fields)
2906 vals = res.splitlines()
2907 logger.info("CCMP PN: " + str(vals))
2908 if len(vals) < 2:
2909 raise Exception("Could not find all CCMP protected frames from capture")
2910 if len(set(vals)) < len(vals):
2911 raise Exception("Duplicate CCMP PN used")
2912
2913 if not ok:
2914 raise Exception("The second hwsim connectivity test failed")
2915
2916 def test_ap_ft_psk_file(dev, apdev):
2917 """WPA2-PSK-FT AP with PSK from a file"""
2918 ssid = "test-ft"
2919 passphrase = "12345678"
2920
2921 params = ft_params1a(ssid=ssid, passphrase=passphrase)
2922 params['wpa_psk_file'] = 'hostapd.wpa_psk'
2923 hapd = hostapd.add_ap(apdev[0], params)
2924
2925 dev[1].connect(ssid, psk="very secret",
2926 key_mgmt="FT-PSK", proto="WPA2", ieee80211w="1",
2927 scan_freq="2412", wait_connect=False)
2928 dev[0].connect(ssid, psk=passphrase, key_mgmt="FT-PSK", proto="WPA2",
2929 ieee80211w="1", scan_freq="2412")
2930 dev[0].request("REMOVE_NETWORK all")
2931 dev[0].wait_disconnected()
2932 dev[0].connect(ssid, psk="very secret", key_mgmt="FT-PSK", proto="WPA2",
2933 ieee80211w="1", scan_freq="2412")
2934 dev[0].request("REMOVE_NETWORK all")
2935 dev[0].wait_disconnected()
2936 dev[0].connect(ssid, psk="secret passphrase",
2937 key_mgmt="FT-PSK", proto="WPA2", ieee80211w="1",
2938 scan_freq="2412")
2939 dev[2].connect(ssid, psk="another passphrase for all STAs",
2940 key_mgmt="FT-PSK", proto="WPA2", ieee80211w="1",
2941 scan_freq="2412")
2942 ev = dev[1].wait_event(["WPA: 4-Way Handshake failed"], timeout=10)
2943 if ev is None:
2944 raise Exception("Timed out while waiting for failure report")
2945 dev[1].request("REMOVE_NETWORK all")
2946
2947 def test_ap_ft_eap_ap_config_change(dev, apdev):
2948 """WPA2-EAP-FT AP changing from 802.1X-only to FT-only"""
2949 ssid = "test-ft"
2950 passphrase = "12345678"
2951 bssid = apdev[0]['bssid']
2952
2953 radius = hostapd.radius_params()
2954 params = ft_params1(ssid=ssid, passphrase=passphrase, discovery=True)
2955 params['wpa_key_mgmt'] = "WPA-EAP"
2956 params["ieee8021x"] = "1"
2957 params["pmk_r1_push"] = "0"
2958 params["r0kh"] = "ff:ff:ff:ff:ff:ff * 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
2959 params["r1kh"] = "00:00:00:00:00:00 00:00:00:00:00:00 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
2960 params["eap_server"] = "0"
2961 params = dict(list(radius.items()) + list(params.items()))
2962 hapd = hostapd.add_ap(apdev[0], params)
2963
2964 dev[0].connect(ssid, key_mgmt="FT-EAP WPA-EAP", proto="WPA2",
2965 eap="GPSK", identity="gpsk user",
2966 password="abcdefghijklmnop0123456789abcdef",
2967 scan_freq="2412")
2968 dev[0].request("DISCONNECT")
2969 dev[0].wait_disconnected()
2970 dev[0].dump_monitor()
2971
2972 hapd.disable()
2973 hapd.set('wpa_key_mgmt', "FT-EAP")
2974 hapd.enable()
2975
2976 dev[0].request("BSS_FLUSH 0")
2977 dev[0].scan_for_bss(bssid, 2412, force_scan=True, only_new=True)
2978
2979 dev[0].request("RECONNECT")
2980 dev[0].wait_connected()
2981
2982 def test_ap_ft_eap_sha384(dev, apdev):
2983 """WPA2-EAP-FT with SHA384"""
2984 ssid = "test-ft"
2985 passphrase = "12345678"
2986
2987 radius = hostapd.radius_params()
2988 params = ft_params1(ssid=ssid, passphrase=passphrase)
2989 params["ieee80211w"] = "2"
2990 params['wpa_key_mgmt'] = "FT-EAP-SHA384"
2991 params["ieee8021x"] = "1"
2992 params = dict(list(radius.items()) + list(params.items()))
2993 hapd0 = hostapd.add_ap(apdev[0], params)
2994 params = ft_params2(ssid=ssid, passphrase=passphrase)
2995 params["ieee80211w"] = "2"
2996 params['wpa_key_mgmt'] = "FT-EAP-SHA384"
2997 params["ieee8021x"] = "1"
2998 params = dict(list(radius.items()) + list(params.items()))
2999 hapd1 = hostapd.add_ap(apdev[1], params)
3000
3001 run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, eap=True,
3002 sha384=True)
3003
3004 def test_ap_ft_eap_sha384_reassoc(dev, apdev):
3005 """WPA2-EAP-FT with SHA384 using REASSOCIATE"""
3006 check_suite_b_192_capa(dev)
3007 ssid = "test-ft"
3008 passphrase = "12345678"
3009
3010 radius = hostapd.radius_params()
3011 params = ft_params1(ssid=ssid, passphrase=passphrase)
3012 params["ieee80211w"] = "2"
3013 params['wpa_key_mgmt'] = "WPA-EAP-SUITE-B-192 FT-EAP-SHA384"
3014 params["ieee8021x"] = "1"
3015 params = dict(list(radius.items()) + list(params.items()))
3016 hapd0 = hostapd.add_ap(apdev[0], params)
3017 params = ft_params2(ssid=ssid, passphrase=passphrase)
3018 params["ieee80211w"] = "2"
3019 params['wpa_key_mgmt'] = "WPA-EAP-SUITE-B-192 FT-EAP-SHA384"
3020 params["ieee8021x"] = "1"
3021 params = dict(list(radius.items()) + list(params.items()))
3022 hapd1 = hostapd.add_ap(apdev[1], params)
3023
3024 run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, eap=True,
3025 sha384=True, also_non_ft=True, roam_with_reassoc=True)
3026
3027 def test_ap_ft_eap_sha384_over_ds(dev, apdev):
3028 """WPA2-EAP-FT with SHA384 over DS"""
3029 ssid = "test-ft"
3030 passphrase = "12345678"
3031
3032 radius = hostapd.radius_params()
3033 params = ft_params1(ssid=ssid, passphrase=passphrase)
3034 params["ieee80211w"] = "2"
3035 params['wpa_key_mgmt'] = "FT-EAP-SHA384"
3036 params["ieee8021x"] = "1"
3037 params = dict(list(radius.items()) + list(params.items()))
3038 hapd0 = hostapd.add_ap(apdev[0], params)
3039 params = ft_params2(ssid=ssid, passphrase=passphrase)
3040 params["ieee80211w"] = "2"
3041 params['wpa_key_mgmt'] = "FT-EAP-SHA384"
3042 params["ieee8021x"] = "1"
3043 params = dict(list(radius.items()) + list(params.items()))
3044 hapd1 = hostapd.add_ap(apdev[1], params)
3045
3046 run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, over_ds=True,
3047 eap=True, sha384=True)
3048
3049 def test_ap_ft_roam_rrm(dev, apdev):
3050 """WPA2-PSK-FT AP and radio measurement request"""
3051 ssid = "test-ft"
3052 passphrase = "12345678"
3053
3054 params = ft_params1(ssid=ssid, passphrase=passphrase)
3055 params["rrm_beacon_report"] = "1"
3056 hapd0 = hostapd.add_ap(apdev[0], params)
3057 bssid0 = hapd0.own_addr()
3058
3059 addr = dev[0].own_addr()
3060 dev[0].connect(ssid, psk=passphrase, key_mgmt="FT-PSK", proto="WPA2",
3061 scan_freq="2412")
3062 check_beacon_req(hapd0, addr, 1)
3063
3064 params = ft_params2(ssid=ssid, passphrase=passphrase)
3065 params["rrm_beacon_report"] = "1"
3066 hapd1 = hostapd.add_ap(apdev[1], params)
3067 bssid1 = hapd1.own_addr()
3068
3069 dev[0].scan_for_bss(bssid1, freq=2412)
3070 dev[0].roam(bssid1)
3071 check_beacon_req(hapd1, addr, 2)
3072
3073 dev[0].scan_for_bss(bssid0, freq=2412)
3074 dev[0].roam(bssid0)
3075 check_beacon_req(hapd0, addr, 3)
3076
3077 def test_ap_ft_pmksa_caching(dev, apdev):
3078 """FT-EAP and PMKSA caching for initial mobility domain association"""
3079 ssid = "test-ft"
3080 identity = "gpsk user"
3081
3082 radius = hostapd.radius_params()
3083 params = ft_params1(ssid=ssid)
3084 params['wpa_key_mgmt'] = "FT-EAP"
3085 params["ieee8021x"] = "1"
3086 params["mobility_domain"] = "c3d4"
3087 params = dict(list(radius.items()) + list(params.items()))
3088 hapd = hostapd.add_ap(apdev[0], params)
3089
3090 params = ft_params2(ssid=ssid)
3091 params['wpa_key_mgmt'] = "FT-EAP"
3092 params["ieee8021x"] = "1"
3093 params["mobility_domain"] = "c3d4"
3094 params = dict(list(radius.items()) + list(params.items()))
3095 hapd1 = hostapd.add_ap(apdev[1], params)
3096
3097 run_roams(dev[0], apdev, hapd, hapd1, ssid, None, eap=True,
3098 eap_identity=identity, pmksa_caching=True)
3099
3100 def test_ap_ft_pmksa_caching_sha384(dev, apdev):
3101 """FT-EAP-SHA384 and PMKSA caching for initial mobility domain association"""
3102 ssid = "test-ft"
3103 identity = "gpsk user"
3104
3105 radius = hostapd.radius_params()
3106 params = ft_params1(ssid=ssid)
3107 params['wpa_key_mgmt'] = "FT-EAP-SHA384"
3108 params["ieee8021x"] = "1"
3109 params["mobility_domain"] = "c3d4"
3110 params = dict(list(radius.items()) + list(params.items()))
3111 hapd = hostapd.add_ap(apdev[0], params)
3112
3113 params = ft_params2(ssid=ssid)
3114 params['wpa_key_mgmt'] = "FT-EAP-SHA384"
3115 params["ieee8021x"] = "1"
3116 params["mobility_domain"] = "c3d4"
3117 params = dict(list(radius.items()) + list(params.items()))
3118 hapd1 = hostapd.add_ap(apdev[1], params)
3119
3120 run_roams(dev[0], apdev, hapd, hapd1, ssid, None, eap=True,
3121 eap_identity=identity, pmksa_caching=True, sha384=True)
3122
3123 def test_ap_ft_r1_key_expiration(dev, apdev):
3124 """WPA2-PSK-FT and PMK-R1 expiration"""
3125 ssid = "test-ft"
3126 passphrase = "12345678"
3127
3128 params = ft_params1(ssid=ssid, passphrase=passphrase)
3129 params['r1_max_key_lifetime'] = "2"
3130 hapd0 = hostapd.add_ap(apdev[0], params)
3131 params = ft_params2(ssid=ssid, passphrase=passphrase)
3132 params['r1_max_key_lifetime'] = "2"
3133 hapd1 = hostapd.add_ap(apdev[1], params)
3134
3135 # This succeeds, but results in having to run another PMK-R1 pull before the
3136 # second AP can complete FT protocol.
3137 run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, wait_before_roam=4)
3138
3139 def test_ap_ft_r0_key_expiration(dev, apdev):
3140 """WPA2-PSK-FT and PMK-R0 expiration"""
3141 ssid = "test-ft"
3142 passphrase = "12345678"
3143
3144 params = ft_params1(ssid=ssid, passphrase=passphrase)
3145 params['ft_r0_key_lifetime'] = "2"
3146 hapd0 = hostapd.add_ap(apdev[0], params)
3147 params = ft_params2(ssid=ssid, passphrase=passphrase)
3148 params['ft_r0_key_lifetime'] = "2"
3149 hapd1 = hostapd.add_ap(apdev[1], params)
3150
3151 bssid2 = run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase,
3152 return_after_initial=True)
3153 time.sleep(4)
3154 dev[0].scan_for_bss(bssid2, freq="2412")
3155 if "OK" not in dev[0].request("ROAM " + bssid2):
3156 raise Exception("ROAM failed")
3157 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
3158 "CTRL-EVENT-AUTH-REJECT",
3159 "CTRL-EVENT-ASSOC-REJECT"], timeout=5)
3160 dev[0].request("DISCONNECT")
3161 if ev is None or "CTRL-EVENT-AUTH-REJECT" not in ev:
3162 raise Exception("FT protocol failure not reported")
3163 if "status_code=53" not in ev:
3164 raise Exception("Unexpected status in FT protocol failure: " + ev)
3165
3166 # Generate a new PMK-R0
3167 dev[0].dump_monitor()
3168 dev[0].request("RECONNECT")
3169 dev[0].wait_connected()
Unnamed repository; edit this file 'description' to name the repository.