2 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
4 # This software may be distributed under the terms of the BSD license.
5 # See README for more details.
7 from remotehost
import remote_compatible
10 logger
= logging
.getLogger()
16 from utils
import HwsimSkip
, skip_with_fips
, require_under_vm
17 from wlantest
import Wlantest
18 from wpasupplicant
import WpaSupplicant
20 def check_cipher(dev
, ap
, cipher
, group_cipher
=None):
21 if cipher
not in dev
.get_capability("pairwise"):
22 raise HwsimSkip("Cipher %s not supported" % cipher
)
23 if group_cipher
and group_cipher
not in dev
.get_capability("group"):
24 raise HwsimSkip("Cipher %s not supported" % group_cipher
)
25 params
= { "ssid": "test-wpa2-psk",
26 "wpa_passphrase": "12345678",
28 "wpa_key_mgmt": "WPA-PSK",
29 "rsn_pairwise": cipher
}
31 params
["group_cipher"] = group_cipher
34 hapd
= hostapd
.add_ap(ap
, params
)
35 dev
.connect("test-wpa2-psk", psk
="12345678",
36 pairwise
=cipher
, group
=group_cipher
, scan_freq
="2412")
37 hwsim_utils
.test_connectivity(dev
, hapd
)
39 def check_group_mgmt_cipher(dev
, ap
, cipher
, sta_req_cipher
=None):
40 if cipher
not in dev
.get_capability("group_mgmt"):
41 raise HwsimSkip("Cipher %s not supported" % cipher
)
42 params
= { "ssid": "test-wpa2-psk-pmf",
43 "wpa_passphrase": "12345678",
46 "wpa_key_mgmt": "WPA-PSK-SHA256",
47 "rsn_pairwise": "CCMP",
48 "group_mgmt_cipher": cipher
}
49 hapd
= hostapd
.add_ap(ap
, params
)
54 wt
.add_passphrase("12345678")
56 dev
.connect("test-wpa2-psk-pmf", psk
="12345678", ieee80211w
="2",
57 key_mgmt
="WPA-PSK-SHA256", group_mgmt
=sta_req_cipher
,
58 pairwise
="CCMP", group
="CCMP", scan_freq
="2412")
59 hwsim_utils
.test_connectivity(dev
, hapd
)
60 hapd
.request("DEAUTHENTICATE ff:ff:ff:ff:ff:ff")
61 dev
.wait_disconnected()
62 if wt
.get_bss_counter('valid_bip_mmie', ap
['bssid']) < 1:
63 raise Exception("No valid BIP MMIE seen")
64 if wt
.get_bss_counter('bip_deauth', ap
['bssid']) < 1:
65 raise Exception("No valid BIP deauth seen")
67 if cipher
== "AES-128-CMAC":
71 res
= wt
.info_bss('group_mgmt', ap
['bssid']).strip()
73 raise Exception("Unexpected group mgmt cipher: " + res
)
def test_ap_cipher_tkip(dev, apdev):
    """WPA2-PSK/TKIP connection"""
    sta = dev[0]
    # The FIPS gate runs before any association is attempted, so the TKIP
    # connection is only exercised when skip_with_fips() lets the test go on.
    skip_with_fips(sta)
    check_cipher(sta, apdev[0], "TKIP")
82 def test_ap_cipher_tkip_countermeasures_ap(dev
, apdev
):
83 """WPA-PSK/TKIP countermeasures (detected by AP)"""
84 skip_with_fips(dev
[0])
85 testfile
= "/sys/kernel/debug/ieee80211/%s/netdev:%s/tkip_mic_test" % (dev
[0].get_driver_status_field("phyname"), dev
[0].ifname
)
86 if dev
[0].cmd_execute([ "ls", testfile
])[0] != 0:
87 raise HwsimSkip("tkip_mic_test not supported in mac80211")
89 params
= { "ssid": "tkip-countermeasures",
90 "wpa_passphrase": "12345678",
92 "wpa_key_mgmt": "WPA-PSK",
93 "wpa_pairwise": "TKIP" }
94 hapd
= hostapd
.add_ap(apdev
[0], params
)
96 dev
[0].connect("tkip-countermeasures", psk
="12345678",
97 pairwise
="TKIP", group
="TKIP", scan_freq
="2412")
100 dev
[0].cmd_execute([ "echo", "-n", apdev
[0]['bssid'], ">", testfile
],
102 ev
= dev
[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout
=1)
104 raise Exception("Unexpected disconnection on first Michael MIC failure")
106 dev
[0].cmd_execute([ "echo", "-n", "ff:ff:ff:ff:ff:ff", ">", testfile
],
108 ev
= dev
[0].wait_disconnected(timeout
=10,
109 error
="No disconnection after two Michael MIC failures")
110 if "reason=14" not in ev
:
111 raise Exception("Unexpected disconnection reason: " + ev
)
112 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout
=1)
114 raise Exception("Unexpected connection during TKIP countermeasures")
116 def test_ap_cipher_tkip_countermeasures_ap_mixed_mode(dev
, apdev
):
117 """WPA+WPA2-PSK/TKIP countermeasures (detected by mixed mode AP)"""
118 skip_with_fips(dev
[0])
119 testfile
= "/sys/kernel/debug/ieee80211/%s/netdev:%s/tkip_mic_test" % (dev
[0].get_driver_status_field("phyname"), dev
[0].ifname
)
120 if dev
[0].cmd_execute([ "ls", testfile
])[0] != 0:
121 raise HwsimSkip("tkip_mic_test not supported in mac80211")
123 params
= { "ssid": "tkip-countermeasures",
124 "wpa_passphrase": "12345678",
126 "wpa_key_mgmt": "WPA-PSK",
127 "wpa_pairwise": "TKIP",
128 "rsn_pairwise": "CCMP" }
129 hapd
= hostapd
.add_ap(apdev
[0], params
)
131 dev
[0].connect("tkip-countermeasures", psk
="12345678",
132 pairwise
="TKIP", group
="TKIP", scan_freq
="2412")
133 dev
[1].connect("tkip-countermeasures", psk
="12345678",
134 pairwise
="CCMP", scan_freq
="2412")
136 dev
[0].dump_monitor()
137 dev
[0].cmd_execute([ "echo", "-n", apdev
[0]['bssid'], ">", testfile
],
139 ev
= dev
[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout
=1)
141 raise Exception("Unexpected disconnection on first Michael MIC failure")
143 dev
[0].cmd_execute([ "echo", "-n", "ff:ff:ff:ff:ff:ff", ">", testfile
],
146 ev
= dev
[0].wait_disconnected(timeout
=10,
147 error
="No disconnection after two Michael MIC failures")
148 if "reason=14" not in ev
:
149 raise Exception("Unexpected disconnection reason: " + ev
)
151 ev
= dev
[1].wait_disconnected(timeout
=10,
152 error
="No disconnection after two Michael MIC failures (2)")
153 if "reason=14" not in ev
:
154 raise Exception("Unexpected disconnection reason (2): " + ev
)
156 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout
=1)
158 raise Exception("Unexpected connection during TKIP countermeasures (1)")
159 ev
= dev
[1].wait_event(["CTRL-EVENT-CONNECTED"], timeout
=1)
161 raise Exception("Unexpected connection during TKIP countermeasures (2)")
164 def test_ap_cipher_tkip_countermeasures_sta(dev
, apdev
):
165 """WPA-PSK/TKIP countermeasures (detected by STA)"""
166 skip_with_fips(dev
[0])
167 params
= { "ssid": "tkip-countermeasures",
168 "wpa_passphrase": "12345678",
170 "wpa_key_mgmt": "WPA-PSK",
171 "wpa_pairwise": "TKIP" }
172 hapd
= hostapd
.add_ap(apdev
[0], params
)
174 testfile
= "/sys/kernel/debug/ieee80211/%s/netdev:%s/tkip_mic_test" % (hapd
.get_driver_status_field("phyname"), apdev
[0]['ifname'])
175 if hapd
.cmd_execute([ "ls", testfile
])[0] != 0:
176 raise HwsimSkip("tkip_mic_test not supported in mac80211")
178 dev
[0].connect("tkip-countermeasures", psk
="12345678",
179 pairwise
="TKIP", group
="TKIP", scan_freq
="2412")
181 dev
[0].dump_monitor()
182 hapd
.cmd_execute([ "echo", "-n", dev
[0].own_addr(), ">", testfile
],
184 ev
= dev
[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout
=1)
186 raise Exception("Unexpected disconnection on first Michael MIC failure")
188 hapd
.cmd_execute([ "echo", "-n", "ff:ff:ff:ff:ff:ff", ">", testfile
],
190 ev
= dev
[0].wait_disconnected(timeout
=10,
191 error
="No disconnection after two Michael MIC failures")
192 if "reason=14 locally_generated=1" not in ev
:
193 raise Exception("Unexpected disconnection reason: " + ev
)
194 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout
=1)
196 raise Exception("Unexpected connection during TKIP countermeasures")
198 def test_ap_cipher_tkip_countermeasures_sta2(dev
, apdev
, params
):
199 """WPA-PSK/TKIP countermeasures (detected by two STAs) [long]"""
200 if not params
['long']:
201 raise HwsimSkip("Skip test case with long duration due to --long not specified")
202 skip_with_fips(dev
[0])
203 params
= { "ssid": "tkip-countermeasures",
204 "wpa_passphrase": "12345678",
206 "wpa_key_mgmt": "WPA-PSK",
207 "wpa_pairwise": "TKIP" }
208 hapd
= hostapd
.add_ap(apdev
[0], params
)
210 testfile
= "/sys/kernel/debug/ieee80211/%s/netdev:%s/tkip_mic_test" % (hapd
.get_driver_status_field("phyname"), apdev
[0]['ifname'])
211 if hapd
.cmd_execute([ "ls", testfile
])[0] != 0:
212 raise HwsimSkip("tkip_mic_test not supported in mac80211")
214 dev
[0].connect("tkip-countermeasures", psk
="12345678",
215 pairwise
="TKIP", group
="TKIP", scan_freq
="2412")
216 dev
[0].dump_monitor()
217 id = dev
[1].connect("tkip-countermeasures", psk
="12345678",
218 pairwise
="TKIP", group
="TKIP", scan_freq
="2412")
219 dev
[1].dump_monitor()
221 hapd
.cmd_execute([ "echo", "-n", "ff:ff:ff:ff:ff:ff", ">", testfile
],
223 ev
= dev
[0].wait_disconnected(timeout
=10,
224 error
="No disconnection after two Michael MIC failure")
225 if "reason=14" not in ev
:
226 raise Exception("Unexpected disconnection reason: " + ev
)
227 ev
= dev
[1].wait_disconnected(timeout
=5,
228 error
="No disconnection after two Michael MIC failure")
229 if "reason=14" not in ev
:
230 raise Exception("Unexpected disconnection reason: " + ev
)
231 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout
=1)
233 raise Exception("Unexpected connection during TKIP countermeasures")
234 ev
= dev
[1].wait_event(["CTRL-EVENT-CONNECTED"], timeout
=1)
236 raise Exception("Unexpected connection during TKIP countermeasures")
238 dev
[0].request("REMOVE_NETWORK all")
239 logger
.info("Waiting for TKIP countermeasures to end")
241 start
= os
.times()[4]
246 dev
[0].connect("tkip-countermeasures", psk
="12345678",
247 pairwise
="TKIP", group
="TKIP", scan_freq
="2412",
249 ev
= dev
[0].wait_event(["CTRL-EVENT-AUTH-REJECT",
250 "CTRL-EVENT-CONNECTED"], timeout
=10)
252 raise Exception("No connection result")
253 if "CTRL-EVENT-CONNECTED" in ev
:
256 if "status_code=1" not in ev
:
257 raise Exception("Unexpected connection failure reason during TKIP countermeasures: " + ev
)
258 dev
[0].request("REMOVE_NETWORK all")
260 dev
[0].dump_monitor()
261 dev
[1].dump_monitor()
263 raise Exception("No connection after TKIP countermeasures terminated")
265 ev
= dev
[1].wait_event(["CTRL-EVENT-CONNECTED"], timeout
=1)
267 dev
[1].request("DISCONNECT")
268 dev
[1].select_network(id)
269 dev
[1].wait_connected()
def test_ap_cipher_ccmp(dev, apdev):
    """WPA2-PSK/CCMP connection"""
    # check_cipher() skips the test when the station does not list the
    # cipher in its "pairwise" capability.
    sta, ap = dev[0], apdev[0]
    check_cipher(sta, ap, "CCMP")
def test_ap_cipher_gcmp(dev, apdev):
    """WPA2-PSK/GCMP connection"""
    # Same helper as the CCMP case; only the pairwise cipher name differs.
    sta, ap = dev[0], apdev[0]
    check_cipher(sta, ap, "GCMP")
def test_ap_cipher_ccmp_256(dev, apdev):
    """WPA2-PSK/CCMP-256 connection"""
    # Same helper as the CCMP case; only the pairwise cipher name differs.
    sta, ap = dev[0], apdev[0]
    check_cipher(sta, ap, "CCMP-256")
def test_ap_cipher_gcmp_256(dev, apdev):
    """WPA2-PSK/GCMP-256 connection"""
    # Same helper as the CCMP case; only the pairwise cipher name differs.
    sta, ap = dev[0], apdev[0]
    check_cipher(sta, ap, "GCMP-256")
def test_ap_cipher_gcmp_256_group_gcmp_256(dev, apdev):
    """WPA2-PSK/GCMP-256 connection with group cipher override GCMP-256"""
    # The group cipher is given explicitly; check_cipher() writes it to the
    # AP's "group_cipher" parameter and passes it as group= on the station.
    sta, ap = dev[0], apdev[0]
    check_cipher(sta, ap, "GCMP-256", group_cipher="GCMP-256")
def test_ap_cipher_gcmp_256_group_gcmp(dev, apdev):
    """WPA2-PSK/GCMP-256 connection with group cipher override GCMP"""
    # Pairwise and group ciphers differ here; check_cipher() also requires
    # the group cipher to be in the station's "group" capability.
    sta, ap = dev[0], apdev[0]
    check_cipher(sta, ap, "GCMP-256", group_cipher="GCMP")
def test_ap_cipher_gcmp_256_group_ccmp_256(dev, apdev):
    """WPA2-PSK/GCMP-256 connection with group cipher override CCMP-256"""
    # Pairwise and group ciphers differ here; check_cipher() also requires
    # the group cipher to be in the station's "group" capability.
    sta, ap = dev[0], apdev[0]
    check_cipher(sta, ap, "GCMP-256", group_cipher="CCMP-256")
def test_ap_cipher_gcmp_256_group_ccmp(dev, apdev):
    """WPA2-PSK/GCMP-256 connection with group cipher override CCMP"""
    # Pairwise and group ciphers differ here; check_cipher() also requires
    # the group cipher to be in the station's "group" capability.
    sta, ap = dev[0], apdev[0]
    check_cipher(sta, ap, "GCMP-256", group_cipher="CCMP")
304 def test_ap_cipher_gcmp_ccmp(dev
, apdev
, params
):
305 """WPA2-PSK/GCMP/CCMP ciphers"""
306 config
= os
.path
.join(params
['logdir'], 'ap_cipher_gcmp_ccmp.conf')
308 for cipher
in [ "CCMP", "GCMP", "CCMP-256", "GCMP-256" ]:
309 if cipher
not in dev
[0].get_capability("pairwise"):
310 raise HwsimSkip("Cipher %s not supported" % cipher
)
311 if cipher
not in dev
[0].get_capability("group"):
312 raise HwsimSkip("Group cipher %s not supported" % cipher
)
314 params
= { "ssid": "test-wpa2-psk",
315 "wpa_passphrase": "12345678",
317 "wpa_key_mgmt": "WPA-PSK",
318 "rsn_pairwise": "CCMP GCMP CCMP-256 GCMP-256" }
319 hapd
= hostapd
.add_ap(apdev
[0], params
)
322 for cipher
in [ "CCMP", "GCMP", "CCMP-256", "GCMP-256" ]:
323 dev
[0].connect("test-wpa2-psk", psk
="12345678",
324 pairwise
=cipher
, group
="CCMP", scan_freq
="2412")
325 if dev
[0].get_status_field("group_cipher") != "CCMP":
326 raise Exception("Unexpected group_cipher")
327 if dev
[0].get_status_field("pairwise_cipher") != cipher
:
328 raise Exception("Unexpected pairwise_cipher")
329 dev
[0].request("REMOVE_NETWORK all")
330 dev
[0].wait_disconnected()
332 dev
[0].connect("test-wpa2-psk", psk
="12345678",
333 pairwise
="CCMP CCMP-256 GCMP GCMP-256",
334 group
="CCMP CCMP-256 GCMP GCMP-256", scan_freq
="2412")
335 if dev
[0].get_status_field("group_cipher") != "CCMP":
336 raise Exception("Unexpected group_cipher")
337 res
= dev
[0].get_status_field("pairwise_cipher")
338 if res
!= "CCMP-256" and res
!= "GCMP-256":
339 raise Exception("Unexpected pairwise_cipher")
342 with
open(config
, "w") as f
:
343 f
.write("network={\n" +
344 "\tssid=\"test-wpa2-psk\"\n" +
345 "\tkey_mgmt=WPA-PSK\n" +
346 "\tpsk=\"12345678\"\n" +
347 "\tpairwise=GCMP\n" +
349 "\tscan_freq=2412\n" +
352 wpas
= WpaSupplicant(global_iface
='/tmp/wpas-wlan5')
353 wpas
.interface_add("wlan5", config
=config
)
354 wpas
.wait_connected()
355 if wpas
.get_status_field("group_cipher") != "CCMP":
356 raise Exception("Unexpected group_cipher")
357 if wpas
.get_status_field("pairwise_cipher") != "GCMP":
358 raise Exception("Unexpected pairwise_cipher")
363 def test_ap_cipher_mixed_wpa_wpa2(dev
, apdev
):
364 """WPA2-PSK/CCMP/ and WPA-PSK/TKIP mixed configuration"""
365 skip_with_fips(dev
[0])
366 ssid
= "test-wpa-wpa2-psk"
367 passphrase
= "12345678"
368 params
= { "ssid": ssid
,
369 "wpa_passphrase": passphrase
,
371 "wpa_key_mgmt": "WPA-PSK",
372 "rsn_pairwise": "CCMP",
373 "wpa_pairwise": "TKIP" }
374 hapd
= hostapd
.add_ap(apdev
[0], params
)
375 dev
[0].connect(ssid
, psk
=passphrase
, proto
="WPA2",
376 pairwise
="CCMP", group
="TKIP", scan_freq
="2412")
377 status
= dev
[0].get_status()
378 if status
['key_mgmt'] != 'WPA2-PSK':
379 raise Exception("Incorrect key_mgmt reported")
380 if status
['pairwise_cipher'] != 'CCMP':
381 raise Exception("Incorrect pairwise_cipher reported")
382 if status
['group_cipher'] != 'TKIP':
383 raise Exception("Incorrect group_cipher reported")
384 bss
= dev
[0].get_bss(apdev
[0]['bssid'])
385 if bss
['ssid'] != ssid
:
386 raise Exception("Unexpected SSID in the BSS entry")
387 if "[WPA-PSK-TKIP]" not in bss
['flags']:
388 raise Exception("Missing BSS flag WPA-PSK-TKIP")
389 if "[WPA2-PSK-CCMP]" not in bss
['flags']:
390 raise Exception("Missing BSS flag WPA2-PSK-CCMP")
391 hwsim_utils
.test_connectivity(dev
[0], hapd
)
393 dev
[1].connect(ssid
, psk
=passphrase
, proto
="WPA",
394 pairwise
="TKIP", group
="TKIP", scan_freq
="2412")
395 status
= dev
[1].get_status()
396 if status
['key_mgmt'] != 'WPA-PSK':
397 raise Exception("Incorrect key_mgmt reported")
398 if status
['pairwise_cipher'] != 'TKIP':
399 raise Exception("Incorrect pairwise_cipher reported")
400 if status
['group_cipher'] != 'TKIP':
401 raise Exception("Incorrect group_cipher reported")
402 hwsim_utils
.test_connectivity(dev
[1], hapd
)
403 hwsim_utils
.test_connectivity(dev
[0], dev
[1])
def test_ap_cipher_bip(dev, apdev):
    """WPA2-PSK with BIP"""
    # check_group_mgmt_cipher() sets the AP's "group_mgmt_cipher", connects
    # the station with ieee80211w="2", sends a broadcast deauthentication and
    # fails unless wlantest's 'valid_bip_mmie' and 'bip_deauth' counters are
    # at least 1. No station-side group_mgmt value is requested here.
    sta, ap = dev[0], apdev[0]
    check_group_mgmt_cipher(sta, ap, "AES-128-CMAC")
def test_ap_cipher_bip_req(dev, apdev):
    """WPA2-PSK with BIP required"""
    # The station is additionally configured with group_mgmt set to the
    # same cipher the AP uses (sta_req_cipher in the helper).
    sta, ap = dev[0], apdev[0]
    check_group_mgmt_cipher(sta, ap, "AES-128-CMAC",
                            sta_req_cipher="AES-128-CMAC")
def test_ap_cipher_bip_req2(dev, apdev):
    """WPA2-PSK with BIP required (2)"""
    # The station offers a list of group management ciphers while the AP is
    # configured with AES-128-CMAC only.
    sta_ciphers = "AES-128-CMAC BIP-GMAC-128 BIP-GMAC-256 BIP-CMAC-256"
    sta, ap = dev[0], apdev[0]
    check_group_mgmt_cipher(sta, ap, "AES-128-CMAC",
                            sta_req_cipher=sta_ciphers)
def test_ap_cipher_bip_gmac_128(dev, apdev):
    """WPA2-PSK with BIP-GMAC-128"""
    # The helper skips the test when the station's "group_mgmt" capability
    # does not include this cipher.
    sta, ap = dev[0], apdev[0]
    check_group_mgmt_cipher(sta, ap, "BIP-GMAC-128")
def test_ap_cipher_bip_gmac_128_req(dev, apdev):
    """WPA2-PSK with BIP-GMAC-128 required"""
    # Station-side group_mgmt is set to the same cipher as the AP.
    sta, ap = dev[0], apdev[0]
    check_group_mgmt_cipher(sta, ap, "BIP-GMAC-128",
                            sta_req_cipher="BIP-GMAC-128")
def test_ap_cipher_bip_gmac_256(dev, apdev):
    """WPA2-PSK with BIP-GMAC-256"""
    # The helper skips the test when the station's "group_mgmt" capability
    # does not include this cipher.
    sta, ap = dev[0], apdev[0]
    check_group_mgmt_cipher(sta, ap, "BIP-GMAC-256")
def test_ap_cipher_bip_gmac_256_req(dev, apdev):
    """WPA2-PSK with BIP-GMAC-256 required"""
    # Station-side group_mgmt is set to the same cipher as the AP.
    sta, ap = dev[0], apdev[0]
    check_group_mgmt_cipher(sta, ap, "BIP-GMAC-256",
                            sta_req_cipher="BIP-GMAC-256")
def test_ap_cipher_bip_cmac_256(dev, apdev):
    """WPA2-PSK with BIP-CMAC-256"""
    # The helper skips the test when the station's "group_mgmt" capability
    # does not include this cipher.
    sta, ap = dev[0], apdev[0]
    check_group_mgmt_cipher(sta, ap, "BIP-CMAC-256")
def test_ap_cipher_bip_cmac_256_req(dev, apdev):
    """WPA2-PSK with BIP-CMAC-256 required"""
    # Station-side group_mgmt is set to the same cipher as the AP.
    sta, ap = dev[0], apdev[0]
    check_group_mgmt_cipher(sta, ap, "BIP-CMAC-256",
                            sta_req_cipher="BIP-CMAC-256")
443 def test_ap_cipher_bip_req_mismatch(dev
, apdev
):
444 """WPA2-PSK with BIP cipher mismatch"""
445 group_mgmt
= dev
[0].get_capability("group_mgmt")
446 for cipher
in [ "AES-128-CMAC", "BIP-GMAC-256" ]:
447 if cipher
not in group_mgmt
:
448 raise HwsimSkip("Cipher %s not supported" % cipher
)
450 params
= { "ssid": "test-wpa2-psk-pmf",
451 "wpa_passphrase": "12345678",
454 "wpa_key_mgmt": "WPA-PSK-SHA256",
455 "rsn_pairwise": "CCMP",
456 "group_mgmt_cipher": "AES-128-CMAC" }
457 hapd
= hostapd
.add_ap(apdev
[0], params
)
459 dev
[0].scan_for_bss(hapd
.own_addr(), 2412)
460 id = dev
[0].connect("test-wpa2-psk-pmf", psk
="12345678", ieee80211w
="2",
461 key_mgmt
="WPA-PSK-SHA256", group_mgmt
="BIP-GMAC-256",
462 pairwise
="CCMP", group
="CCMP", scan_freq
="2412",
464 ev
= dev
[0].wait_event(["CTRL-EVENT-NETWORK-NOT-FOUND",
465 "CTRL-EVENT-CONNECTED"], timeout
=10)
467 raise Exception("Network selection result not indicated")
468 if "CTRL-EVENT-CONNECTED" in ev
:
469 raise Exception("Unexpected connection")
471 dev
[0].request("DISCONNECT")
472 dev
[0].set_network(id, "group_mgmt", "AES-128-CMAC")
473 dev
[0].select_network(id)
474 dev
[0].wait_connected()
476 def get_rx_spec(phy
, gtk
=False):
477 keys
= "/sys/kernel/debug/ieee80211/%s/keys" % (phy
)
479 for key
in os
.listdir(keys
):
480 keydir
= keys
+ "/" + key
481 files
= os
.listdir(keydir
)
482 if not gtk
and "station" not in files
:
484 if gtk
and "station" in files
:
486 with
open(keydir
+ "/rx_spec") as f
:
489 raise HwsimSkip("debugfs not supported in mac80211")
492 def get_tk_replay_counter(phy
, gtk
=False):
493 keys
= "/sys/kernel/debug/ieee80211/%s/keys" % (phy
)
495 for key
in os
.listdir(keys
):
496 keydir
= keys
+ "/" + key
497 files
= os
.listdir(keydir
)
498 if not gtk
and "station" not in files
:
500 if gtk
and "station" in files
:
502 with
open(keydir
+ "/replays") as f
:
505 raise HwsimSkip("debugfs not supported in mac80211")
def test_ap_cipher_replay_protection_ap_ccmp(dev, apdev):
    """CCMP replay protection on AP"""
    # The shared runner issues RESET_PN on the station, expects the next
    # connectivity check to fail, and reads the replay counter through
    # get_tk_replay_counter() for the AP's phy.
    cipher = "CCMP"
    run_ap_cipher_replay_protection_ap(dev, apdev, cipher)
def test_ap_cipher_replay_protection_ap_tkip(dev, apdev):
    """TKIP replay protection on AP"""
    # Same runner as the CCMP case, with TKIP as pairwise and group cipher.
    cipher = "TKIP"
    run_ap_cipher_replay_protection_ap(dev, apdev, cipher)
def test_ap_cipher_replay_protection_ap_gcmp(dev, apdev):
    """GCMP replay protection on AP"""
    # GCMP is optional: skip rather than fail when the station does not
    # advertise it as a pairwise cipher.
    pairwise_caps = dev[0].get_capability("pairwise")
    if "GCMP" not in pairwise_caps:
        raise HwsimSkip("GCMP not supported")
    run_ap_cipher_replay_protection_ap(dev, apdev, "GCMP")
522 def run_ap_cipher_replay_protection_ap(dev
, apdev
, cipher
):
523 params
= { "ssid": "test-wpa2-psk",
524 "wpa_passphrase": "12345678",
526 "wpa_key_mgmt": "WPA-PSK",
527 "rsn_pairwise": cipher
}
528 hapd
= hostapd
.add_ap(apdev
[0], params
)
529 phy
= hapd
.get_driver_status_field("phyname")
534 wt
.add_passphrase("12345678")
536 dev
[0].connect("test-wpa2-psk", psk
="12345678",
537 pairwise
=cipher
, group
=cipher
, scan_freq
="2412")
540 replays
= get_tk_replay_counter(phy
)
542 raise Exception("Unexpected replay reported (1)")
545 hwsim_utils
.test_connectivity(dev
[0], hapd
)
548 replays
= get_tk_replay_counter(phy
)
550 raise Exception("Unexpected replay reported (2)")
552 if "OK" not in dev
[0].request("RESET_PN"):
553 raise Exception("RESET_PN failed")
555 hwsim_utils
.test_connectivity(dev
[0], hapd
, timeout
=1,
556 success_expected
=False)
559 replays
= get_tk_replay_counter(phy
)
561 raise Exception("Replays not reported")
def test_ap_cipher_replay_protection_sta_ccmp(dev, apdev):
    """CCMP replay protection on STA (TK)"""
    # With gtk left at its default (False) the runner sends
    # "RESET_PN <station address>" to the AP and reads the replay counter
    # for the station's phy.
    cipher = "CCMP"
    run_ap_cipher_replay_protection_sta(dev, apdev, cipher)
def test_ap_cipher_replay_protection_sta_tkip(dev, apdev):
    """TKIP replay protection on STA (TK)"""
    # Same runner as the CCMP case, with TKIP as pairwise and group cipher.
    cipher = "TKIP"
    run_ap_cipher_replay_protection_sta(dev, apdev, cipher)
def test_ap_cipher_replay_protection_sta_gcmp(dev, apdev):
    """GCMP replay protection on STA (TK)"""
    # GCMP is optional: skip rather than fail when the station does not
    # advertise it as a pairwise cipher.
    pairwise_caps = dev[0].get_capability("pairwise")
    if "GCMP" not in pairwise_caps:
        raise HwsimSkip("GCMP not supported")
    run_ap_cipher_replay_protection_sta(dev, apdev, "GCMP")
def test_ap_cipher_replay_protection_sta_gtk_ccmp(dev, apdev):
    """CCMP replay protection on STA (GTK)"""
    # gtk=True makes the runner reset the packet number for the broadcast
    # address (ff:ff:ff:ff:ff:ff) instead of the station's own address.
    cipher = "CCMP"
    run_ap_cipher_replay_protection_sta(dev, apdev, cipher, gtk=True)
def test_ap_cipher_replay_protection_sta_gtk_tkip(dev, apdev):
    """TKIP replay protection on STA (GTK)"""
    # gtk=True makes the runner reset the packet number for the broadcast
    # address (ff:ff:ff:ff:ff:ff) instead of the station's own address.
    cipher = "TKIP"
    run_ap_cipher_replay_protection_sta(dev, apdev, cipher, gtk=True)
def test_ap_cipher_replay_protection_sta_gtk_gcmp(dev, apdev):
    """GCMP replay protection on STA (GTK)"""
    # The capability gate checks the "pairwise" list even though this
    # variant exercises the group key (gtk=True).
    pairwise_caps = dev[0].get_capability("pairwise")
    if "GCMP" not in pairwise_caps:
        raise HwsimSkip("GCMP not supported")
    run_ap_cipher_replay_protection_sta(dev, apdev, "GCMP", gtk=True)
591 def run_ap_cipher_replay_protection_sta(dev
, apdev
, cipher
, gtk
=False):
592 params
= { "ssid": "test-wpa2-psk",
593 "wpa_passphrase": "12345678",
595 "wpa_key_mgmt": "WPA-PSK",
596 "rsn_pairwise": cipher
}
597 hapd
= hostapd
.add_ap(apdev
[0], params
)
602 wt
.add_passphrase("12345678")
604 phy
= dev
[0].get_driver_status_field("phyname")
605 dev
[0].connect("test-wpa2-psk", psk
="12345678",
606 pairwise
=cipher
, group
=cipher
, scan_freq
="2412")
609 replays
= get_tk_replay_counter(phy
, gtk
)
611 raise Exception("Unexpected replay reported (1)")
614 hwsim_utils
.test_connectivity(dev
[0], hapd
)
617 replays
= get_tk_replay_counter(phy
, gtk
)
619 raise Exception("Unexpected replay reported (2)")
621 addr
= "ff:ff:ff:ff:ff:ff" if gtk
else dev
[0].own_addr()
622 if "OK" not in hapd
.request("RESET_PN " + addr
):
623 raise Exception("RESET_PN failed")
625 hwsim_utils
.test_connectivity(dev
[0], hapd
, timeout
=1,
626 success_expected
=False)
629 replays
= get_tk_replay_counter(phy
, gtk
)
631 raise Exception("Replays not reported")
633 def test_ap_wpa2_delayed_m3_retransmission(dev
, apdev
):
634 """Delayed M3 retransmission"""
637 subprocess
.call(['sysctl', '-w', 'net.ipv6.conf.all.disable_ipv6=1'],
638 stdout
=open('/dev/null', 'w'))
639 subprocess
.call(['sysctl', '-w',
640 'net.ipv6.conf.default.disable_ipv6=1'],
641 stdout
=open('/dev/null', 'w'))
642 run_ap_wpa2_delayed_m3_retransmission(dev
, apdev
)
644 subprocess
.call(['sysctl', '-w', 'net.ipv6.conf.all.disable_ipv6=0'],
645 stdout
=open('/dev/null', 'w'))
646 subprocess
.call(['sysctl', '-w',
647 'net.ipv6.conf.default.disable_ipv6=0'],
648 stdout
=open('/dev/null', 'w'))
650 def run_ap_wpa2_delayed_m3_retransmission(dev
, apdev
):
651 params
= hostapd
.wpa2_params(ssid
="test-wpa2-psk", passphrase
="12345678")
652 hapd
= hostapd
.add_ap(apdev
[0], params
)
657 wt
.add_passphrase("12345678")
659 phy
= dev
[0].get_driver_status_field("phyname")
660 dev
[0].connect("test-wpa2-psk", psk
="12345678", scan_freq
="2412")
663 hwsim_utils
.test_connectivity(dev
[0], hapd
)
666 before_tk
= get_rx_spec(phy
, gtk
=False).splitlines()
667 before_gtk
= get_rx_spec(phy
, gtk
=True).splitlines()
668 addr
= dev
[0].own_addr()
669 if "OK" not in hapd
.request("RESEND_M3 " + addr
):
670 raise Exception("RESEND_M3 failed")
672 after_tk
= get_rx_spec(phy
, gtk
=False).splitlines()
673 after_gtk
= get_rx_spec(phy
, gtk
=True).splitlines()
675 if "OK" not in hapd
.request("RESET_PN " + addr
):
676 raise Exception("RESET_PN failed")
678 hwsim_utils
.test_connectivity(dev
[0], hapd
, timeout
=1,
679 success_expected
=False)
680 dev
[0].request("DISCONNECT")
681 dev
[0].wait_disconnected()
683 for i
in range(len(before_tk
)):
684 b
= int(before_tk
[i
], 16)
685 a
= int(after_tk
[i
], 16)
687 raise Exception("TK RX counter decreased: idx=%d before=%d after=%d" % (i
, b
, a
))
689 for i
in range(len(before_gtk
)):
690 b
= int(before_gtk
[i
], 16)
691 a
= int(after_gtk
[i
], 16)
693 raise Exception("GTK RX counter decreased: idx=%d before=%d after=%d" % (i
, b
, a
))
695 def test_ap_wpa2_delayed_m1_m3_retransmission(dev
, apdev
):
696 """Delayed M1+M3 retransmission"""
699 subprocess
.call(['sysctl', '-w', 'net.ipv6.conf.all.disable_ipv6=1'],
700 stdout
=open('/dev/null', 'w'))
701 subprocess
.call(['sysctl', '-w',
702 'net.ipv6.conf.default.disable_ipv6=1'],
703 stdout
=open('/dev/null', 'w'))
704 run_ap_wpa2_delayed_m1_m3_retransmission(dev
, apdev
)
706 subprocess
.call(['sysctl', '-w', 'net.ipv6.conf.all.disable_ipv6=0'],
707 stdout
=open('/dev/null', 'w'))
708 subprocess
.call(['sysctl', '-w',
709 'net.ipv6.conf.default.disable_ipv6=0'],
710 stdout
=open('/dev/null', 'w'))
712 def test_ap_wpa2_delayed_m1_m3_retransmission2(dev
, apdev
):
713 """Delayed M1+M3 retransmission (change M1 ANonce)"""
716 subprocess
.call(['sysctl', '-w', 'net.ipv6.conf.all.disable_ipv6=1'],
717 stdout
=open('/dev/null', 'w'))
718 subprocess
.call(['sysctl', '-w',
719 'net.ipv6.conf.default.disable_ipv6=1'],
720 stdout
=open('/dev/null', 'w'))
721 run_ap_wpa2_delayed_m1_m3_retransmission(dev
, apdev
, True)
723 subprocess
.call(['sysctl', '-w', 'net.ipv6.conf.all.disable_ipv6=0'],
724 stdout
=open('/dev/null', 'w'))
725 subprocess
.call(['sysctl', '-w',
726 'net.ipv6.conf.default.disable_ipv6=0'],
727 stdout
=open('/dev/null', 'w'))
729 def run_ap_wpa2_delayed_m1_m3_retransmission(dev
, apdev
,
730 change_m1_anonce
=False):
731 params
= hostapd
.wpa2_params(ssid
="test-wpa2-psk", passphrase
="12345678")
732 hapd
= hostapd
.add_ap(apdev
[0], params
)
737 wt
.add_passphrase("12345678")
739 phy
= dev
[0].get_driver_status_field("phyname")
740 dev
[0].connect("test-wpa2-psk", psk
="12345678", scan_freq
="2412")
743 hwsim_utils
.test_connectivity(dev
[0], hapd
)
746 before_tk
= get_rx_spec(phy
, gtk
=False).splitlines()
747 before_gtk
= get_rx_spec(phy
, gtk
=True).splitlines()
748 addr
= dev
[0].own_addr()
750 if "OK" not in hapd
.request("RESEND_M1 " + addr
+ " change-anonce"):
751 raise Exception("RESEND_M1 failed")
752 if "OK" not in hapd
.request("RESEND_M1 " + addr
):
753 raise Exception("RESEND_M1 failed")
754 if "OK" not in hapd
.request("RESEND_M3 " + addr
):
755 raise Exception("RESEND_M3 failed")
757 after_tk
= get_rx_spec(phy
, gtk
=False).splitlines()
758 after_gtk
= get_rx_spec(phy
, gtk
=True).splitlines()
760 if "OK" not in hapd
.request("RESET_PN " + addr
):
761 raise Exception("RESET_PN failed")
763 hwsim_utils
.test_connectivity(dev
[0], hapd
, timeout
=1,
764 success_expected
=False)
765 dev
[0].request("DISCONNECT")
766 dev
[0].wait_disconnected()
768 for i
in range(len(before_tk
)):
769 b
= int(before_tk
[i
], 16)
770 a
= int(after_tk
[i
], 16)
772 raise Exception("TK RX counter decreased: idx=%d before=%d after=%d" % (i
, b
, a
))
774 for i
in range(len(before_gtk
)):
775 b
= int(before_gtk
[i
], 16)
776 a
= int(after_gtk
[i
], 16)
778 raise Exception("GTK RX counter decreased: idx=%d before=%d after=%d" % (i
, b
, a
))
780 def test_ap_wpa2_delayed_group_m1_retransmission(dev
, apdev
):
781 """Delayed group M1 retransmission"""
784 subprocess
.call(['sysctl', '-w', 'net.ipv6.conf.all.disable_ipv6=1'],
785 stdout
=open('/dev/null', 'w'))
786 subprocess
.call(['sysctl', '-w',
787 'net.ipv6.conf.default.disable_ipv6=1'],
788 stdout
=open('/dev/null', 'w'))
789 run_ap_wpa2_delayed_group_m1_retransmission(dev
, apdev
)
791 subprocess
.call(['sysctl', '-w', 'net.ipv6.conf.all.disable_ipv6=0'],
792 stdout
=open('/dev/null', 'w'))
793 subprocess
.call(['sysctl', '-w',
794 'net.ipv6.conf.default.disable_ipv6=0'],
795 stdout
=open('/dev/null', 'w'))
797 def run_ap_wpa2_delayed_group_m1_retransmission(dev
, apdev
):
798 params
= hostapd
.wpa2_params(ssid
="test-wpa2-psk", passphrase
="12345678")
799 hapd
= hostapd
.add_ap(apdev
[0], params
)
804 wt
.add_passphrase("12345678")
806 phy
= dev
[0].get_driver_status_field("phyname")
807 dev
[0].connect("test-wpa2-psk", psk
="12345678", scan_freq
="2412")
810 hwsim_utils
.test_connectivity(dev
[0], hapd
)
813 before
= get_rx_spec(phy
, gtk
=True).splitlines()
814 addr
= dev
[0].own_addr()
815 if "OK" not in hapd
.request("RESEND_GROUP_M1 " + addr
):
816 raise Exception("RESEND_GROUP_M1 failed")
818 after
= get_rx_spec(phy
, gtk
=True).splitlines()
820 if "OK" not in hapd
.request("RESET_PN " + addr
):
821 raise Exception("RESET_PN failed")
823 hwsim_utils
.test_connectivity(dev
[0], hapd
, timeout
=1,
824 success_expected
=False)
825 dev
[0].request("DISCONNECT")
826 dev
[0].wait_disconnected()
828 for i
in range(len(before
)):
829 b
= int(before
[i
], 16)
830 a
= int(after
[i
], 16)
832 raise Exception("RX counter decreased: idx=%d before=%d after=%d" % (i
, b
, a
))
834 def test_ap_wpa2_delayed_m1_m3_zero_tk(dev
, apdev
):
835 """Delayed M1+M3 retransmission and zero TK"""
836 params
= hostapd
.wpa2_params(ssid
="test-wpa2-psk", passphrase
="12345678")
837 hapd
= hostapd
.add_ap(apdev
[0], params
)
842 wt
.add_passphrase("12345678")
844 dev
[0].connect("test-wpa2-psk", psk
="12345678", scan_freq
="2412")
846 hwsim_utils
.test_connectivity(dev
[0], hapd
)
847 addr
= dev
[0].own_addr()
848 if "OK" not in hapd
.request("RESEND_M1 " + addr
+ " change-anonce"):
849 raise Exception("RESEND_M1 failed")
850 if "OK" not in hapd
.request("RESEND_M1 " + addr
):
851 raise Exception("RESEND_M1 failed")
852 if "OK" not in hapd
.request("RESEND_M3 " + addr
):
853 raise Exception("RESEND_M3 failed")
855 if "OK" not in hapd
.request("SET_KEY 3 %s %d %d %s %s" % (addr
, 0, 1, 6*"00", 16*"00")):
856 raise Exception("SET_KEY failed")
858 hwsim_utils
.test_connectivity(dev
[0], hapd
, timeout
=1, broadcast
=False,
859 success_expected
=False)
860 dev
[0].request("DISCONNECT")
861 dev
[0].wait_disconnected()
863 def test_ap_wpa2_plaintext_m1_m3(dev
, apdev
):
864 """Plaintext M1/M3 during PTK rekey"""
865 params
= hostapd
.wpa2_params(ssid
="test-wpa2-psk", passphrase
="12345678")
866 hapd
= hostapd
.add_ap(apdev
[0], params
)
871 wt
.add_passphrase("12345678")
873 dev
[0].connect("test-wpa2-psk", psk
="12345678", scan_freq
="2412")
876 addr
= dev
[0].own_addr()
877 if "OK" not in hapd
.request("RESEND_M1 " + addr
+ " plaintext"):
878 raise Exception("RESEND_M1 failed")
880 if "OK" not in hapd
.request("RESEND_M3 " + addr
+ " plaintext"):
881 raise Exception("RESEND_M3 failed")
884 def test_ap_wpa2_plaintext_m1_m3_pmf(dev
, apdev
):
885 """Plaintext M1/M3 during PTK rekey (PMF)"""
886 params
= hostapd
.wpa2_params(ssid
="test-wpa2-psk", passphrase
="12345678")
887 params
["ieee80211w"] = "2"
888 hapd
= hostapd
.add_ap(apdev
[0], params
)
893 wt
.add_passphrase("12345678")
895 dev
[0].connect("test-wpa2-psk", psk
="12345678", ieee80211w
="2",
899 addr
= dev
[0].own_addr()
900 if "OK" not in hapd
.request("RESEND_M1 " + addr
+ " plaintext"):
901 raise Exception("RESEND_M1 failed")
903 if "OK" not in hapd
.request("RESEND_M3 " + addr
+ " plaintext"):
904 raise Exception("RESEND_M3 failed")
907 def test_ap_wpa2_plaintext_m3(dev
, apdev
):
908 """Plaintext M3 during PTK rekey"""
909 params
= hostapd
.wpa2_params(ssid
="test-wpa2-psk", passphrase
="12345678")
910 hapd
= hostapd
.add_ap(apdev
[0], params
)
915 wt
.add_passphrase("12345678")
917 dev
[0].connect("test-wpa2-psk", psk
="12345678", scan_freq
="2412")
920 addr
= dev
[0].own_addr()
921 if "OK" not in hapd
.request("RESEND_M1 " + addr
):
922 raise Exception("RESEND_M1 failed")
924 if "OK" not in hapd
.request("RESEND_M3 " + addr
+ " plaintext"):
925 raise Exception("RESEND_M3 failed")
928 def test_ap_wpa2_plaintext_group_m1(dev
, apdev
):
929 """Plaintext group M1"""
930 params
= hostapd
.wpa2_params(ssid
="test-wpa2-psk", passphrase
="12345678")
931 hapd
= hostapd
.add_ap(apdev
[0], params
)
936 wt
.add_passphrase("12345678")
938 dev
[0].connect("test-wpa2-psk", psk
="12345678", scan_freq
="2412")
941 addr
= dev
[0].own_addr()
942 if "OK" not in hapd
.request("RESEND_GROUP_M1 " + addr
+ " plaintext"):
943 raise Exception("RESEND_GROUP_M1 failed")
945 if "OK" not in hapd
.request("RESEND_GROUP_M1 " + addr
):
946 raise Exception("RESEND_GROUP_M1 failed")
949 def test_ap_wpa2_plaintext_group_m1_pmf(dev
, apdev
):
950 """Plaintext group M1 (PMF)"""
951 params
= hostapd
.wpa2_params(ssid
="test-wpa2-psk", passphrase
="12345678")
952 params
["ieee80211w"] = "2"
953 hapd
= hostapd
.add_ap(apdev
[0], params
)
958 wt
.add_passphrase("12345678")
960 dev
[0].connect("test-wpa2-psk", psk
="12345678", ieee80211w
="2",
964 addr
= dev
[0].own_addr()
965 if "OK" not in hapd
.request("RESEND_GROUP_M1 " + addr
+ " plaintext"):
966 raise Exception("RESEND_GROUP_M1 failed")
968 if "OK" not in hapd
.request("RESEND_GROUP_M1 " + addr
):
969 raise Exception("RESEND_GROUP_M1 failed")