]>
git.ipfire.org Git - thirdparty/hostap.git/blob - tests/hwsim/test_fils.py
2 # Copyright (c) 2015-2017, Qualcomm Atheros, Inc.
4 # This software may be distributed under the terms of the BSD license.
5 # See README for more details.
10 logger
= logging
.getLogger()
17 from tshark
import run_tshark
18 from wpasupplicant
import WpaSupplicant
20 from utils
import HwsimSkip
, alloc_fail
21 from test_erp
import check_erp_capa
, start_erp_as
22 from test_ap_hs20
import ip_checksum
24 def check_fils_capa(dev
):
25 capa
= dev
.get_capability("fils")
26 if capa
is None or "FILS" not in capa
:
27 raise HwsimSkip("FILS not supported")
29 def check_fils_sk_pfs_capa(dev
):
30 capa
= dev
.get_capability("fils")
31 if capa
is None or "FILS-SK-PFS" not in capa
:
32 raise HwsimSkip("FILS-SK-PFS not supported")
34 def test_fils_sk_full_auth(dev
, apdev
, params
):
35 """FILS SK full authentication"""
36 check_fils_capa(dev
[0])
37 check_erp_capa(dev
[0])
39 start_erp_as(msk_dump
=os
.path
.join(params
['logdir'], "msk.lst"))
41 bssid
= apdev
[0]['bssid']
42 params
= hostapd
.wpa2_eap_params(ssid
="fils")
43 params
['wpa_key_mgmt'] = "FILS-SHA256"
44 params
['auth_server_port'] = "18128"
45 params
['erp_send_reauth_start'] = '1'
46 params
['erp_domain'] = 'example.com'
47 params
['fils_realm'] = 'example.com'
48 params
['wpa_group_rekey'] = '1'
49 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
51 dev
[0].scan_for_bss(bssid
, freq
=2412)
52 bss
= dev
[0].get_bss(bssid
)
53 logger
.debug("BSS: " + str(bss
))
54 if "[FILS]" not in bss
['flags']:
55 raise Exception("[FILS] flag not indicated")
56 if "[WPA2-FILS-SHA256-CCMP]" not in bss
['flags']:
57 raise Exception("[WPA2-FILS-SHA256-CCMP] flag not indicated")
59 res
= dev
[0].request("SCAN_RESULTS")
60 logger
.debug("SCAN_RESULTS: " + res
)
61 if "[FILS]" not in res
:
62 raise Exception("[FILS] flag not indicated")
63 if "[WPA2-FILS-SHA256-CCMP]" not in res
:
64 raise Exception("[WPA2-FILS-SHA256-CCMP] flag not indicated")
66 dev
[0].request("ERP_FLUSH")
67 dev
[0].connect("fils", key_mgmt
="FILS-SHA256",
68 eap
="PSK", identity
="psk.user@example.com",
69 password_hex
="0123456789abcdef0123456789abcdef",
70 erp
="1", scan_freq
="2412")
71 hwsim_utils
.test_connectivity(dev
[0], hapd
)
73 ev
= dev
[0].wait_event(["WPA: Group rekeying completed"], timeout
=2)
75 raise Exception("GTK rekey timed out")
76 hwsim_utils
.test_connectivity(dev
[0], hapd
)
78 conf
= hapd
.get_config()
79 if conf
['key_mgmt'] != 'FILS-SHA256':
80 raise Exception("Unexpected config key_mgmt: " + conf
['key_mgmt'])
82 def test_fils_sk_sha384_full_auth(dev
, apdev
, params
):
83 """FILS SK full authentication (SHA384)"""
84 check_fils_capa(dev
[0])
85 check_erp_capa(dev
[0])
87 start_erp_as(msk_dump
=os
.path
.join(params
['logdir'], "msk.lst"))
89 bssid
= apdev
[0]['bssid']
90 params
= hostapd
.wpa2_eap_params(ssid
="fils")
91 params
['wpa_key_mgmt'] = "FILS-SHA384"
92 params
['auth_server_port'] = "18128"
93 params
['erp_send_reauth_start'] = '1'
94 params
['erp_domain'] = 'example.com'
95 params
['fils_realm'] = 'example.com'
96 params
['wpa_group_rekey'] = '1'
97 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
99 dev
[0].scan_for_bss(bssid
, freq
=2412)
100 bss
= dev
[0].get_bss(bssid
)
101 logger
.debug("BSS: " + str(bss
))
102 if "[FILS]" not in bss
['flags']:
103 raise Exception("[FILS] flag not indicated")
104 if "[WPA2-FILS-SHA384-CCMP]" not in bss
['flags']:
105 raise Exception("[WPA2-FILS-SHA384-CCMP] flag not indicated")
107 res
= dev
[0].request("SCAN_RESULTS")
108 logger
.debug("SCAN_RESULTS: " + res
)
109 if "[FILS]" not in res
:
110 raise Exception("[FILS] flag not indicated")
111 if "[WPA2-FILS-SHA384-CCMP]" not in res
:
112 raise Exception("[WPA2-FILS-SHA384-CCMP] flag not indicated")
114 dev
[0].request("ERP_FLUSH")
115 dev
[0].connect("fils", key_mgmt
="FILS-SHA384",
116 eap
="PSK", identity
="psk.user@example.com",
117 password_hex
="0123456789abcdef0123456789abcdef",
118 erp
="1", scan_freq
="2412")
119 hwsim_utils
.test_connectivity(dev
[0], hapd
)
121 ev
= dev
[0].wait_event(["WPA: Group rekeying completed"], timeout
=2)
123 raise Exception("GTK rekey timed out")
124 hwsim_utils
.test_connectivity(dev
[0], hapd
)
126 conf
= hapd
.get_config()
127 if conf
['key_mgmt'] != 'FILS-SHA384':
128 raise Exception("Unexpected config key_mgmt: " + conf
['key_mgmt'])
130 def test_fils_sk_pmksa_caching(dev
, apdev
, params
):
131 """FILS SK and PMKSA caching"""
132 check_fils_capa(dev
[0])
133 check_erp_capa(dev
[0])
135 start_erp_as(msk_dump
=os
.path
.join(params
['logdir'], "msk.lst"))
137 bssid
= apdev
[0]['bssid']
138 params
= hostapd
.wpa2_eap_params(ssid
="fils")
139 params
['wpa_key_mgmt'] = "FILS-SHA256"
140 params
['auth_server_port'] = "18128"
141 params
['erp_domain'] = 'example.com'
142 params
['fils_realm'] = 'example.com'
143 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
145 dev
[0].scan_for_bss(bssid
, freq
=2412)
146 dev
[0].request("ERP_FLUSH")
147 id = dev
[0].connect("fils", key_mgmt
="FILS-SHA256",
148 eap
="PSK", identity
="psk.user@example.com",
149 password_hex
="0123456789abcdef0123456789abcdef",
150 erp
="1", scan_freq
="2412")
151 pmksa
= dev
[0].get_pmksa(bssid
)
153 raise Exception("No PMKSA cache entry created")
155 dev
[0].request("DISCONNECT")
156 dev
[0].wait_disconnected()
158 dev
[0].dump_monitor()
159 dev
[0].select_network(id, freq
=2412)
160 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED",
161 "CTRL-EVENT-CONNECTED"], timeout
=10)
163 raise Exception("Connection using PMKSA caching timed out")
164 if "CTRL-EVENT-EAP-STARTED" in ev
:
165 raise Exception("Unexpected EAP exchange")
166 hwsim_utils
.test_connectivity(dev
[0], hapd
)
167 pmksa2
= dev
[0].get_pmksa(bssid
)
169 raise Exception("No PMKSA cache entry found")
170 if pmksa
['pmkid'] != pmksa2
['pmkid']:
171 raise Exception("Unexpected PMKID change")
173 # Verify EAPOL reauthentication after FILS authentication
174 hapd
.request("EAPOL_REAUTH " + dev
[0].own_addr())
175 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=5)
177 raise Exception("EAP authentication did not start")
178 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=5)
180 raise Exception("EAP authentication did not succeed")
182 hwsim_utils
.test_connectivity(dev
[0], hapd
)
184 def test_fils_sk_pmksa_caching_ocv(dev
, apdev
, params
):
185 """FILS SK and PMKSA caching with OCV"""
186 check_fils_capa(dev
[0])
187 check_erp_capa(dev
[0])
189 start_erp_as(msk_dump
=os
.path
.join(params
['logdir'], "msk.lst"))
191 bssid
= apdev
[0]['bssid']
192 params
= hostapd
.wpa2_eap_params(ssid
="fils")
193 params
['wpa_key_mgmt'] = "FILS-SHA256"
194 params
['auth_server_port'] = "18128"
195 params
['erp_domain'] = 'example.com'
196 params
['fils_realm'] = 'example.com'
197 params
['ieee80211w'] = '1'
200 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
201 except Exception as e
:
202 if "Failed to set hostapd parameter ocv" in str(e
):
203 raise HwsimSkip("OCV not supported")
206 dev
[0].scan_for_bss(bssid
, freq
=2412)
207 dev
[0].request("ERP_FLUSH")
208 id = dev
[0].connect("fils", key_mgmt
="FILS-SHA256",
209 eap
="PSK", identity
="psk.user@example.com",
210 password_hex
="0123456789abcdef0123456789abcdef",
211 erp
="1", scan_freq
="2412", ieee80211w
="1", ocv
="1")
212 pmksa
= dev
[0].get_pmksa(bssid
)
214 raise Exception("No PMKSA cache entry created")
216 dev
[0].request("DISCONNECT")
217 dev
[0].wait_disconnected()
219 dev
[0].dump_monitor()
220 dev
[0].select_network(id, freq
=2412)
221 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED",
222 "CTRL-EVENT-CONNECTED"], timeout
=10)
224 raise Exception("Connection using PMKSA caching timed out")
225 if "CTRL-EVENT-EAP-STARTED" in ev
:
226 raise Exception("Unexpected EAP exchange")
227 hwsim_utils
.test_connectivity(dev
[0], hapd
)
228 pmksa2
= dev
[0].get_pmksa(bssid
)
230 raise Exception("No PMKSA cache entry found")
231 if pmksa
['pmkid'] != pmksa2
['pmkid']:
232 raise Exception("Unexpected PMKID change")
234 # Verify EAPOL reauthentication after FILS authentication
235 hapd
.request("EAPOL_REAUTH " + dev
[0].own_addr())
236 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=5)
238 raise Exception("EAP authentication did not start")
239 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=5)
241 raise Exception("EAP authentication did not succeed")
243 hwsim_utils
.test_connectivity(dev
[0], hapd
)
245 def test_fils_sk_pmksa_caching_and_cache_id(dev
, apdev
):
246 """FILS SK and PMKSA caching with Cache Identifier"""
247 check_fils_capa(dev
[0])
248 check_erp_capa(dev
[0])
250 bssid
= apdev
[0]['bssid']
251 params
= hostapd
.wpa2_eap_params(ssid
="fils")
252 params
['wpa_key_mgmt'] = "FILS-SHA256"
253 params
['auth_server_port'] = "18128"
254 params
['erp_domain'] = 'example.com'
255 params
['fils_realm'] = 'example.com'
256 params
['fils_cache_id'] = "abcd"
257 params
["radius_server_clients"] = "auth_serv/radius_clients.conf"
258 params
["radius_server_auth_port"] = '18128'
259 params
["eap_server"] = "1"
260 params
["eap_user_file"] = "auth_serv/eap_user.conf"
261 params
["ca_cert"] = "auth_serv/ca.pem"
262 params
["server_cert"] = "auth_serv/server.pem"
263 params
["private_key"] = "auth_serv/server.key"
264 params
["eap_sim_db"] = "unix:/tmp/hlr_auc_gw.sock"
265 params
["dh_file"] = "auth_serv/dh.conf"
266 params
["pac_opaque_encr_key"] = "000102030405060708090a0b0c0d0e0f"
267 params
["eap_fast_a_id"] = "101112131415161718191a1b1c1d1e1f"
268 params
["eap_fast_a_id_info"] = "test server"
269 params
["eap_server_erp"] = "1"
270 params
["erp_domain"] = "example.com"
271 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
273 dev
[0].scan_for_bss(bssid
, freq
=2412)
274 dev
[0].request("ERP_FLUSH")
275 id = dev
[0].connect("fils", key_mgmt
="FILS-SHA256",
276 eap
="PSK", identity
="psk.user@example.com",
277 password_hex
="0123456789abcdef0123456789abcdef",
278 erp
="1", scan_freq
="2412")
279 res
= dev
[0].request("PMKSA")
280 if "FILS Cache Identifier" not in res
:
281 raise Exception("PMKSA list does not include FILS Cache Identifier")
282 pmksa
= dev
[0].get_pmksa(bssid
)
284 raise Exception("No PMKSA cache entry created")
285 if "cache_id" not in pmksa
:
286 raise Exception("No FILS Cache Identifier listed")
287 if pmksa
["cache_id"] != "abcd":
288 raise Exception("The configured FILS Cache Identifier not seen in PMKSA")
290 bssid2
= apdev
[1]['bssid']
291 params
= hostapd
.wpa2_eap_params(ssid
="fils")
292 params
['wpa_key_mgmt'] = "FILS-SHA256"
293 params
['auth_server_port'] = "18128"
294 params
['erp_domain'] = 'example.com'
295 params
['fils_realm'] = 'example.com'
296 params
['fils_cache_id'] = "abcd"
297 hapd2
= hostapd
.add_ap(apdev
[1]['ifname'], params
)
299 dev
[0].scan_for_bss(bssid2
, freq
=2412)
301 dev
[0].dump_monitor()
302 if "OK" not in dev
[0].request("ROAM " + bssid2
):
303 raise Exception("ROAM failed")
305 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED",
306 "CTRL-EVENT-CONNECTED"], timeout
=10)
308 raise Exception("Connection using PMKSA caching timed out")
309 if "CTRL-EVENT-EAP-STARTED" in ev
:
310 raise Exception("Unexpected EAP exchange")
312 raise Exception("Failed to connect to the second AP")
314 hwsim_utils
.test_connectivity(dev
[0], hapd2
)
315 pmksa2
= dev
[0].get_pmksa(bssid2
)
317 raise Exception("Unexpected extra PMKSA cache added")
318 pmksa2
= dev
[0].get_pmksa(bssid
)
320 raise Exception("Original PMKSA cache entry removed")
321 if pmksa
['pmkid'] != pmksa2
['pmkid']:
322 raise Exception("Unexpected PMKID change")
324 def test_fils_sk_pmksa_caching_ctrl_ext(dev
, apdev
, params
):
325 """FILS SK and PMKSA caching with Cache Identifier and external management"""
326 check_fils_capa(dev
[0])
327 check_erp_capa(dev
[0])
329 hapd_as
= start_erp_as(msk_dump
=os
.path
.join(params
['logdir'], "msk.lst"))
331 bssid
= apdev
[0]['bssid']
332 params
= hostapd
.wpa2_eap_params(ssid
="fils")
333 params
['wpa_key_mgmt'] = "FILS-SHA384"
334 params
['auth_server_port'] = "18128"
335 params
['erp_send_reauth_start'] = '1'
336 params
['erp_domain'] = 'example.com'
337 params
['fils_realm'] = 'example.com'
338 params
['fils_cache_id'] = "ffee"
339 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
341 dev
[0].scan_for_bss(bssid
, freq
=2412)
342 dev
[0].request("ERP_FLUSH")
343 id = dev
[0].connect("fils", key_mgmt
="FILS-SHA384",
344 eap
="PSK", identity
="psk.user@example.com",
345 password_hex
="0123456789abcdef0123456789abcdef",
346 erp
="1", scan_freq
="2412")
348 res1
= dev
[0].request("PMKSA_GET %d" % id)
349 logger
.info("PMKSA_GET: " + res1
)
350 if "UNKNOWN COMMAND" in res1
:
351 raise HwsimSkip("PMKSA_GET not supported in the build")
352 if bssid
not in res1
:
353 raise Exception("PMKSA cache entry missing")
354 if "ffee" not in res1
:
355 raise Exception("FILS Cache Identifier not seen in PMKSA cache entry")
357 dev
[0].request("DISCONNECT")
358 dev
[0].wait_disconnected()
361 dev
[0].scan_for_bss(bssid
, freq
=2412)
362 dev
[0].request("PMKSA_FLUSH")
363 dev
[0].request("ERP_FLUSH")
364 for entry
in res1
.splitlines():
365 if "OK" not in dev
[0].request("PMKSA_ADD %d %s" % (id, entry
)):
366 raise Exception("Failed to add PMKSA entry")
368 bssid2
= apdev
[1]['bssid']
369 params
= hostapd
.wpa2_eap_params(ssid
="fils")
370 params
['wpa_key_mgmt'] = "FILS-SHA384"
371 params
['auth_server_port'] = "18128"
372 params
['erp_send_reauth_start'] = '1'
373 params
['erp_domain'] = 'example.com'
374 params
['fils_realm'] = 'example.com'
375 params
['fils_cache_id'] = "ffee"
376 hapd2
= hostapd
.add_ap(apdev
[1]['ifname'], params
)
378 dev
[0].scan_for_bss(bssid2
, freq
=2412)
379 dev
[0].set_network(id, "bssid", bssid2
)
380 dev
[0].select_network(id, freq
=2412)
381 ev
= dev
[0].wait_connected()
383 raise Exception("Unexpected BSS selected")
385 def test_fils_sk_erp(dev
, apdev
, params
):
386 """FILS SK using ERP"""
387 run_fils_sk_erp(dev
, apdev
, "FILS-SHA256", params
)
389 def test_fils_sk_erp_sha384(dev
, apdev
, params
):
390 """FILS SK using ERP and SHA384"""
391 run_fils_sk_erp(dev
, apdev
, "FILS-SHA384", params
)
393 def run_fils_sk_erp(dev
, apdev
, key_mgmt
, params
):
394 check_fils_capa(dev
[0])
395 check_erp_capa(dev
[0])
397 start_erp_as(msk_dump
=os
.path
.join(params
['logdir'], "msk.lst"))
399 bssid
= apdev
[0]['bssid']
400 params
= hostapd
.wpa2_eap_params(ssid
="fils")
401 params
['wpa_key_mgmt'] = key_mgmt
402 params
['auth_server_port'] = "18128"
403 params
['erp_domain'] = 'example.com'
404 params
['fils_realm'] = 'example.com'
405 params
['disable_pmksa_caching'] = '1'
406 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
408 dev
[0].scan_for_bss(bssid
, freq
=2412)
409 dev
[0].request("ERP_FLUSH")
410 id = dev
[0].connect("fils", key_mgmt
=key_mgmt
,
411 eap
="PSK", identity
="psk.user@example.com",
412 password_hex
="0123456789abcdef0123456789abcdef",
413 erp
="1", scan_freq
="2412")
415 dev
[0].request("DISCONNECT")
416 dev
[0].wait_disconnected()
418 dev
[0].dump_monitor()
419 dev
[0].select_network(id, freq
=2412)
420 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED",
421 "EVENT-ASSOC-REJECT",
422 "CTRL-EVENT-CONNECTED"], timeout
=10)
424 raise Exception("Connection using FILS/ERP timed out")
425 if "CTRL-EVENT-EAP-STARTED" in ev
:
426 raise Exception("Unexpected EAP exchange")
427 if "EVENT-ASSOC-REJECT" in ev
:
428 raise Exception("Association failed")
429 hwsim_utils
.test_connectivity(dev
[0], hapd
)
431 def test_fils_sk_erp_followed_by_pmksa_caching(dev
, apdev
, params
):
432 """FILS SK ERP following by PMKSA caching"""
433 check_fils_capa(dev
[0])
434 check_erp_capa(dev
[0])
436 start_erp_as(msk_dump
=os
.path
.join(params
['logdir'], "msk.lst"))
438 bssid
= apdev
[0]['bssid']
439 params
= hostapd
.wpa2_eap_params(ssid
="fils")
440 params
['wpa_key_mgmt'] = "FILS-SHA256"
441 params
['auth_server_port'] = "18128"
442 params
['erp_domain'] = 'example.com'
443 params
['fils_realm'] = 'example.com'
444 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
446 dev
[0].scan_for_bss(bssid
, freq
=2412)
447 dev
[0].request("ERP_FLUSH")
448 id = dev
[0].connect("fils", key_mgmt
="FILS-SHA256",
449 eap
="PSK", identity
="psk.user@example.com",
450 password_hex
="0123456789abcdef0123456789abcdef",
451 erp
="1", scan_freq
="2412")
453 dev
[0].request("DISCONNECT")
454 dev
[0].wait_disconnected()
456 # Force the second connection to use ERP by deleting the PMKSA entry.
457 dev
[0].request("PMKSA_FLUSH")
459 dev
[0].dump_monitor()
460 dev
[0].select_network(id, freq
=2412)
461 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED",
462 "EVENT-ASSOC-REJECT",
463 "CTRL-EVENT-CONNECTED"], timeout
=10)
465 raise Exception("Connection using FILS/ERP timed out")
466 if "CTRL-EVENT-EAP-STARTED" in ev
:
467 raise Exception("Unexpected EAP exchange")
468 if "EVENT-ASSOC-REJECT" in ev
:
469 raise Exception("Association failed")
470 hwsim_utils
.test_connectivity(dev
[0], hapd
)
472 pmksa
= dev
[0].get_pmksa(bssid
)
474 raise Exception("No PMKSA cache entry created")
476 dev
[0].request("DISCONNECT")
477 dev
[0].wait_disconnected()
479 # The third connection is expected to use PMKSA caching for FILS
481 dev
[0].dump_monitor()
482 dev
[0].select_network(id, freq
=2412)
483 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED",
484 "EVENT-ASSOC-REJECT",
485 "CTRL-EVENT-CONNECTED"], timeout
=10)
487 raise Exception("Connection using PMKSA caching timed out")
488 if "CTRL-EVENT-EAP-STARTED" in ev
:
489 raise Exception("Unexpected EAP exchange")
490 if "EVENT-ASSOC-REJECT" in ev
:
491 raise Exception("Association failed")
492 hwsim_utils
.test_connectivity(dev
[0], hapd
)
494 pmksa2
= dev
[0].get_pmksa(bssid
)
496 raise Exception("No PMKSA cache entry found")
497 if pmksa
['pmkid'] != pmksa2
['pmkid']:
498 raise Exception("Unexpected PMKID change")
500 def test_fils_sk_erp_another_ssid(dev
, apdev
, params
):
501 """FILS SK using ERP and roam to another SSID"""
502 check_fils_capa(dev
[0])
503 check_erp_capa(dev
[0])
505 start_erp_as(msk_dump
=os
.path
.join(params
['logdir'], "msk.lst"))
507 bssid
= apdev
[0]['bssid']
508 params
= hostapd
.wpa2_eap_params(ssid
="fils")
509 params
['wpa_key_mgmt'] = "FILS-SHA256"
510 params
['auth_server_port'] = "18128"
511 params
['erp_domain'] = 'example.com'
512 params
['fils_realm'] = 'example.com'
513 params
['disable_pmksa_caching'] = '1'
514 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
516 dev
[0].scan_for_bss(bssid
, freq
=2412)
517 dev
[0].request("ERP_FLUSH")
518 id = dev
[0].connect("fils", key_mgmt
="FILS-SHA256",
519 eap
="PSK", identity
="psk.user@example.com",
520 password_hex
="0123456789abcdef0123456789abcdef",
521 erp
="1", scan_freq
="2412")
523 dev
[0].request("DISCONNECT")
524 dev
[0].wait_disconnected()
526 dev
[0].flush_scan_cache()
527 if "FAIL" in dev
[0].request("PMKSA_FLUSH"):
528 raise Exception("PMKSA_FLUSH failed")
530 params
= hostapd
.wpa2_eap_params(ssid
="fils2")
531 params
['wpa_key_mgmt'] = "FILS-SHA256"
532 params
['auth_server_port'] = "18128"
533 params
['erp_domain'] = 'example.com'
534 params
['fils_realm'] = 'example.com'
535 params
['disable_pmksa_caching'] = '1'
536 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
538 dev
[0].scan_for_bss(bssid
, freq
=2412)
539 dev
[0].dump_monitor()
540 id = dev
[0].connect("fils2", key_mgmt
="FILS-SHA256",
541 eap
="PSK", identity
="psk.user@example.com",
542 password_hex
="0123456789abcdef0123456789abcdef",
543 erp
="1", scan_freq
="2412", wait_connect
=False)
545 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED",
546 "EVENT-ASSOC-REJECT",
547 "CTRL-EVENT-CONNECTED"], timeout
=10)
549 raise Exception("Connection using FILS/ERP timed out")
550 if "CTRL-EVENT-EAP-STARTED" in ev
:
551 raise Exception("Unexpected EAP exchange")
552 if "EVENT-ASSOC-REJECT" in ev
:
553 raise Exception("Association failed")
554 hwsim_utils
.test_connectivity(dev
[0], hapd
)
556 def test_fils_sk_multiple_realms(dev
, apdev
, params
):
557 """FILS SK and multiple realms"""
558 check_fils_capa(dev
[0])
559 check_erp_capa(dev
[0])
561 start_erp_as(msk_dump
=os
.path
.join(params
['logdir'], "msk.lst"))
563 bssid
= apdev
[0]['bssid']
564 params
= hostapd
.wpa2_eap_params(ssid
="fils")
565 params
['wpa_key_mgmt'] = "FILS-SHA256"
566 params
['auth_server_port'] = "18128"
567 params
['erp_domain'] = 'example.com'
568 fils_realms
= ['r1.example.org', 'r2.EXAMPLE.org', 'r3.example.org',
569 'r4.example.org', 'r5.example.org', 'r6.example.org',
570 'r7.example.org', 'r8.example.org',
572 'r9.example.org', 'r10.example.org', 'r11.example.org',
573 'r12.example.org', 'r13.example.org', 'r14.example.org',
574 'r15.example.org', 'r16.example.org']
575 params
['fils_realm'] = fils_realms
576 params
['fils_cache_id'] = "1234"
577 params
['hessid'] = bssid
578 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
580 dev
[0].scan_for_bss(bssid
, freq
=2412)
582 if "OK" not in dev
[0].request("ANQP_GET " + bssid
+ " 275"):
583 raise Exception("ANQP_GET command failed")
584 ev
= dev
[0].wait_event(["GAS-QUERY-DONE"], timeout
=10)
586 raise Exception("GAS query timed out")
587 bss
= dev
[0].get_bss(bssid
)
589 if 'fils_info' not in bss
:
590 raise Exception("FILS Indication element information missing")
591 if bss
['fils_info'] != '02b8':
592 raise Exception("Unexpected FILS Information: " + bss
['fils_info'])
594 if 'fils_cache_id' not in bss
:
595 raise Exception("FILS Cache Identifier missing")
596 if bss
['fils_cache_id'] != '1234':
597 raise Exception("Unexpected FILS Cache Identifier: " + bss
['fils_cache_id'])
599 if 'fils_realms' not in bss
:
600 raise Exception("FILS Realm Identifiers missing")
603 for realm
in fils_realms
:
604 hash = hashlib
.sha256(realm
.lower().encode()).digest()
605 expected
+= binascii
.hexlify(hash[0:2]).decode()
609 if bss
['fils_realms'] != expected
:
610 raise Exception("Unexpected FILS Realm Identifiers: " + bss
['fils_realms'])
612 if 'anqp_fils_realm_info' not in bss
:
613 raise Exception("FILS Realm Information ANQP-element not seen")
614 info
= bss
['anqp_fils_realm_info']
616 for realm
in fils_realms
:
617 hash = hashlib
.sha256(realm
.lower().encode()).digest()
618 expected
+= binascii
.hexlify(hash[0:2]).decode()
620 raise Exception("Unexpected FILS Realm Info ANQP-element: " + info
)
622 dev
[0].request("ERP_FLUSH")
623 id = dev
[0].connect("fils", key_mgmt
="FILS-SHA256",
624 eap
="PSK", identity
="psk.user@example.com",
625 password_hex
="0123456789abcdef0123456789abcdef",
626 erp
="1", scan_freq
="2412")
628 dev
[0].request("DISCONNECT")
629 dev
[0].wait_disconnected()
631 dev
[0].dump_monitor()
632 dev
[0].select_network(id, freq
=2412)
633 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED",
634 "EVENT-ASSOC-REJECT",
635 "CTRL-EVENT-CONNECTED"], timeout
=10)
637 raise Exception("Connection using FILS/ERP timed out")
638 if "CTRL-EVENT-EAP-STARTED" in ev
:
639 raise Exception("Unexpected EAP exchange")
640 if "EVENT-ASSOC-REJECT" in ev
:
641 raise Exception("Association failed")
642 hwsim_utils
.test_connectivity(dev
[0], hapd
)
644 # DHCP message op codes
649 OPT_DHCP_MESSAGE_TYPE
= 53
650 OPT_RAPID_COMMIT
= 80
662 def build_dhcp(req
, dhcp_msg
, chaddr
, giaddr
="0.0.0.0",
663 ip_src
="0.0.0.0", ip_dst
="255.255.255.255",
664 rapid_commit
=True, override_op
=None, magic_override
=None,
665 opt_end
=True, extra_op
=None):
666 proto
= b
'\x08\x00' # IPv4
667 _ip_src
= socket
.inet_pton(socket
.AF_INET
, ip_src
)
668 _ip_dst
= socket
.inet_pton(socket
.AF_INET
, ip_dst
)
670 _ciaddr
= b
'\x00\x00\x00\x00'
671 _yiaddr
= b
'\x00\x00\x00\x00'
672 _siaddr
= b
'\x00\x00\x00\x00'
673 _giaddr
= socket
.inet_pton(socket
.AF_INET
, giaddr
)
674 _chaddr
= binascii
.unhexlify(chaddr
.replace(':', '')) + 10 * b
'\x00'
675 htype
= 1 # Hardware address type; 1 = Ethernet
676 hlen
= 6 # Hardware address length
689 if override_op
is not None:
691 payload
= struct
.pack('>BBBBLHH', op
, htype
, hlen
, hops
, xid
, secs
, flags
)
694 payload
+= _ciaddr
+ _yiaddr
+ _siaddr
+ _giaddr
+ _chaddr
+ sname
+ file
696 if magic_override
is not None:
697 payload
+= magic_override
699 payload
+= b
'\x63\x82\x53\x63'
700 # Option: DHCP Message Type
701 if dhcp_msg
is not None:
702 payload
+= struct
.pack('BBB', OPT_DHCP_MESSAGE_TYPE
, 1, dhcp_msg
)
704 # Option: Rapid Commit
705 payload
+= struct
.pack('BB', OPT_RAPID_COMMIT
, 0)
710 payload
+= struct
.pack('B', OPT_END
)
712 udp
= struct
.pack('>HHHH', src_port
, dst_port
,
713 8 + len(payload
), 0) + payload
715 tot_len
= 20 + len(udp
)
716 start
= struct
.pack('>BBHHBBBB', 0x45, 0, tot_len
, 0, 0, 0, 128, 17)
717 ipv4
= start
+ b
'\x00\x00' + _ip_src
+ _ip_dst
718 csum
= ip_checksum(ipv4
)
719 ipv4
= start
+ csum
+ _ip_src
+ _ip_dst
721 return proto
+ ipv4
+ udp
723 def fils_hlp_config(fils_hlp_wait_time
=10000):
724 params
= hostapd
.wpa2_eap_params(ssid
="fils")
725 params
['wpa_key_mgmt'] = "FILS-SHA256"
726 params
['auth_server_port'] = "18128"
727 params
['erp_domain'] = 'example.com'
728 params
['fils_realm'] = 'example.com'
729 params
['disable_pmksa_caching'] = '1'
730 params
['own_ip_addr'] = '127.0.0.3'
731 params
['dhcp_server'] = '127.0.0.2'
732 params
['fils_hlp_wait_time'] = str(fils_hlp_wait_time
)
735 def test_fils_sk_hlp(dev
, apdev
, params
):
736 """FILS SK HLP (rapid commit server)"""
737 run_fils_sk_hlp(dev
, apdev
, True, params
)
739 def test_fils_sk_hlp_no_rapid_commit(dev
, apdev
, params
):
740 """FILS SK HLP (no rapid commit server)"""
741 run_fils_sk_hlp(dev
, apdev
, False, params
)
743 def run_fils_sk_hlp(dev
, apdev
, rapid_commit_server
, params
):
744 check_fils_capa(dev
[0])
745 check_erp_capa(dev
[0])
747 start_erp_as(msk_dump
=os
.path
.join(params
['logdir'], "msk.lst"))
749 sock
= socket
.socket(socket
.AF_INET
, socket
.SOCK_DGRAM
, socket
.IPPROTO_UDP
)
750 sock
.setsockopt(socket
.SOL_SOCKET
, socket
.SO_REUSEADDR
, 1)
752 sock
.bind(("127.0.0.2", 67))
754 bssid
= apdev
[0]['bssid']
755 params
= fils_hlp_config()
756 params
['fils_hlp_wait_time'] = '10000'
757 if not rapid_commit_server
:
758 params
['dhcp_rapid_commit_proxy'] = '1'
759 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
761 dev
[0].scan_for_bss(bssid
, freq
=2412)
762 dev
[0].request("ERP_FLUSH")
763 if "OK" not in dev
[0].request("FILS_HLP_REQ_FLUSH"):
764 raise Exception("Failed to flush pending FILS HLP requests")
768 "ff:ff:ff:ff:ff:ff q"]
770 if "FAIL" not in dev
[0].request("FILS_HLP_REQ_ADD " + t
):
771 raise Exception("Invalid FILS_HLP_REQ_ADD accepted: " + t
)
772 dhcpdisc
= build_dhcp(req
=True, dhcp_msg
=DHCPDISCOVER
,
773 chaddr
=dev
[0].own_addr())
774 tests
= ["ff:ff:ff:ff:ff:ff aabb",
775 "ff:ff:ff:ff:ff:ff " + 255*'cc',
776 hapd
.own_addr() + " ddee010203040506070809",
777 "ff:ff:ff:ff:ff:ff " + binascii
.hexlify(dhcpdisc
).decode()]
779 if "OK" not in dev
[0].request("FILS_HLP_REQ_ADD " + t
):
780 raise Exception("FILS_HLP_REQ_ADD failed: " + t
)
781 id = dev
[0].connect("fils", key_mgmt
="FILS-SHA256",
782 eap
="PSK", identity
="psk.user@example.com",
783 password_hex
="0123456789abcdef0123456789abcdef",
784 erp
="1", scan_freq
="2412")
786 dev
[0].request("DISCONNECT")
787 dev
[0].wait_disconnected()
789 dev
[0].dump_monitor()
790 dev
[0].select_network(id, freq
=2412)
792 (msg
, addr
) = sock
.recvfrom(1000)
793 logger
.debug("Received DHCP message from %s" % str(addr
))
794 if rapid_commit_server
:
795 # TODO: Proper rapid commit response
796 dhcpdisc
= build_dhcp(req
=False, dhcp_msg
=DHCPACK
,
797 chaddr
=dev
[0].own_addr(), giaddr
="127.0.0.3")
798 sock
.sendto(dhcpdisc
[2+20+8:], addr
)
800 dhcpdisc
= build_dhcp(req
=False, dhcp_msg
=DHCPOFFER
, rapid_commit
=False,
801 chaddr
=dev
[0].own_addr(), giaddr
="127.0.0.3")
802 sock
.sendto(dhcpdisc
[2+20+8:], addr
)
803 (msg
, addr
) = sock
.recvfrom(1000)
804 logger
.debug("Received DHCP message from %s" % str(addr
))
805 dhcpdisc
= build_dhcp(req
=False, dhcp_msg
=DHCPACK
, rapid_commit
=False,
806 chaddr
=dev
[0].own_addr(), giaddr
="127.0.0.3")
807 sock
.sendto(dhcpdisc
[2+20+8:], addr
)
808 ev
= dev
[0].wait_event(["FILS-HLP-RX"], timeout
=10)
810 raise Exception("FILS HLP response not reported")
812 frame
= binascii
.unhexlify(vals
[3].split('=')[1])
813 proto
, = struct
.unpack('>H', frame
[0:2])
815 raise Exception("Unexpected ethertype in HLP response: %d" % proto
)
818 if ip_checksum(ip
) != b
'\x00\x00':
819 raise Exception("IP header checksum mismatch in HLP response")
823 sport
, dport
, ulen
, ucheck
= struct
.unpack('>HHHH', udp
)
824 if sport
!= 67 or dport
!= 68:
825 raise Exception("Unexpected UDP port in HLP response")
828 op
, htype
, hlen
, hops
, xid
, secs
, flags
, ciaddr
, yiaddr
, siaddr
, giaddr
= struct
.unpack('>4BL2H4L', dhcp
)
836 if options
[0:4] != b
'\x63\x82\x53\x63':
837 raise Exception("No DHCP magic seen in HLP response")
838 options
= options
[4:]
839 # TODO: fully parse and validate DHCPACK options
840 if struct
.pack('BBB', OPT_DHCP_MESSAGE_TYPE
, 1, DHCPACK
) not in options
:
841 raise Exception("DHCPACK not in HLP response")
843 dev
[0].wait_connected()
845 dev
[0].request("FILS_HLP_REQ_FLUSH")
847 def test_fils_sk_hlp_timeout(dev
, apdev
, params
):
848 """FILS SK HLP (rapid commit server timeout)"""
849 check_fils_capa(dev
[0])
850 check_erp_capa(dev
[0])
852 start_erp_as(msk_dump
=os
.path
.join(params
['logdir'], "msk.lst"))
854 sock
= socket
.socket(socket
.AF_INET
, socket
.SOCK_DGRAM
, socket
.IPPROTO_UDP
)
855 sock
.setsockopt(socket
.SOL_SOCKET
, socket
.SO_REUSEADDR
, 1)
857 sock
.bind(("127.0.0.2", 67))
859 bssid
= apdev
[0]['bssid']
860 params
= fils_hlp_config(fils_hlp_wait_time
=30)
861 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
863 dev
[0].scan_for_bss(bssid
, freq
=2412)
864 dev
[0].request("ERP_FLUSH")
865 if "OK" not in dev
[0].request("FILS_HLP_REQ_FLUSH"):
866 raise Exception("Failed to flush pending FILS HLP requests")
867 dhcpdisc
= build_dhcp(req
=True, dhcp_msg
=DHCPDISCOVER
,
868 chaddr
=dev
[0].own_addr())
869 if "OK" not in dev
[0].request("FILS_HLP_REQ_ADD " + "ff:ff:ff:ff:ff:ff " + binascii
.hexlify(dhcpdisc
).decode()):
870 raise Exception("FILS_HLP_REQ_ADD failed")
871 id = dev
[0].connect("fils", key_mgmt
="FILS-SHA256",
872 eap
="PSK", identity
="psk.user@example.com",
873 password_hex
="0123456789abcdef0123456789abcdef",
874 erp
="1", scan_freq
="2412")
876 dev
[0].request("DISCONNECT")
877 dev
[0].wait_disconnected()
879 dev
[0].dump_monitor()
880 dev
[0].select_network(id, freq
=2412)
882 (msg
, addr
) = sock
.recvfrom(1000)
883 logger
.debug("Received DHCP message from %s" % str(addr
))
884 # Wait for HLP wait timeout to hit
885 # FILS: HLP response timeout - continue with association response
886 dev
[0].wait_connected()
888 dev
[0].request("FILS_HLP_REQ_FLUSH")
890 def test_fils_sk_hlp_oom(dev
, apdev
, params
):
891 """FILS SK HLP and hostapd OOM"""
892 check_fils_capa(dev
[0])
893 check_erp_capa(dev
[0])
895 start_erp_as(msk_dump
=os
.path
.join(params
['logdir'], "msk.lst"))
897 sock
= socket
.socket(socket
.AF_INET
, socket
.SOCK_DGRAM
, socket
.IPPROTO_UDP
)
898 sock
.setsockopt(socket
.SOL_SOCKET
, socket
.SO_REUSEADDR
, 1)
900 sock
.bind(("127.0.0.2", 67))
902 bssid
= apdev
[0]['bssid']
903 params
= fils_hlp_config(fils_hlp_wait_time
=500)
904 params
['dhcp_rapid_commit_proxy'] = '1'
905 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
907 dev
[0].scan_for_bss(bssid
, freq
=2412)
908 dev
[0].request("ERP_FLUSH")
909 if "OK" not in dev
[0].request("FILS_HLP_REQ_FLUSH"):
910 raise Exception("Failed to flush pending FILS HLP requests")
911 dhcpdisc
= build_dhcp(req
=True, dhcp_msg
=DHCPDISCOVER
,
912 chaddr
=dev
[0].own_addr())
913 if "OK" not in dev
[0].request("FILS_HLP_REQ_ADD " + "ff:ff:ff:ff:ff:ff " + binascii
.hexlify(dhcpdisc
).decode()):
914 raise Exception("FILS_HLP_REQ_ADD failed")
915 id = dev
[0].connect("fils", key_mgmt
="FILS-SHA256",
916 eap
="PSK", identity
="psk.user@example.com",
917 password_hex
="0123456789abcdef0123456789abcdef",
918 erp
="1", scan_freq
="2412")
920 dev
[0].request("DISCONNECT")
921 dev
[0].wait_disconnected()
923 dev
[0].dump_monitor()
924 with
alloc_fail(hapd
, 1, "fils_process_hlp"):
925 dev
[0].select_network(id, freq
=2412)
926 dev
[0].wait_connected()
927 dev
[0].request("DISCONNECT")
928 dev
[0].wait_disconnected()
930 dev
[0].dump_monitor()
931 with
alloc_fail(hapd
, 1, "fils_process_hlp_dhcp"):
932 dev
[0].select_network(id, freq
=2412)
933 dev
[0].wait_connected()
934 dev
[0].request("DISCONNECT")
935 dev
[0].wait_disconnected()
937 dev
[0].dump_monitor()
938 with
alloc_fail(hapd
, 1, "wpabuf_alloc;fils_process_hlp_dhcp"):
939 dev
[0].select_network(id, freq
=2412)
940 dev
[0].wait_connected()
941 dev
[0].request("DISCONNECT")
942 dev
[0].wait_disconnected()
944 dev
[0].dump_monitor()
945 with
alloc_fail(hapd
, 1, "wpabuf_alloc;fils_dhcp_handler"):
946 dev
[0].select_network(id, freq
=2412)
947 (msg
, addr
) = sock
.recvfrom(1000)
948 logger
.debug("Received DHCP message from %s" % str(addr
))
949 dhcpdisc
= build_dhcp(req
=False, dhcp_msg
=DHCPACK
,
950 chaddr
=dev
[0].own_addr(), giaddr
="127.0.0.3")
951 sock
.sendto(dhcpdisc
[2+20+8:], addr
)
952 dev
[0].wait_connected()
953 dev
[0].request("DISCONNECT")
954 dev
[0].wait_disconnected()
956 dev
[0].dump_monitor()
957 with
alloc_fail(hapd
, 1, "wpabuf_resize;fils_dhcp_handler"):
958 dev
[0].select_network(id, freq
=2412)
959 (msg
, addr
) = sock
.recvfrom(1000)
960 logger
.debug("Received DHCP message from %s" % str(addr
))
961 dhcpdisc
= build_dhcp(req
=False, dhcp_msg
=DHCPACK
,
962 chaddr
=dev
[0].own_addr(), giaddr
="127.0.0.3")
963 sock
.sendto(dhcpdisc
[2+20+8:], addr
)
964 dev
[0].wait_connected()
965 dev
[0].request("DISCONNECT")
966 dev
[0].wait_disconnected()
968 dev
[0].dump_monitor()
969 dev
[0].select_network(id, freq
=2412)
970 (msg
, addr
) = sock
.recvfrom(1000)
971 logger
.debug("Received DHCP message from %s" % str(addr
))
972 dhcpoffer
= build_dhcp(req
=False, dhcp_msg
=DHCPOFFER
, rapid_commit
=False,
973 chaddr
=dev
[0].own_addr(), giaddr
="127.0.0.3")
974 with
alloc_fail(hapd
, 1, "wpabuf_resize;fils_dhcp_request"):
975 sock
.sendto(dhcpoffer
[2+20+8:], addr
)
976 dev
[0].wait_connected()
977 dev
[0].request("DISCONNECT")
978 dev
[0].wait_disconnected()
980 dev
[0].request("FILS_HLP_REQ_FLUSH")
982 def test_fils_sk_hlp_req_parsing(dev
, apdev
, params
):
983 """FILS SK HLP request parsing"""
984 check_fils_capa(dev
[0])
985 check_erp_capa(dev
[0])
987 start_erp_as(msk_dump
=os
.path
.join(params
['logdir'], "msk.lst"))
989 bssid
= apdev
[0]['bssid']
990 params
= fils_hlp_config(fils_hlp_wait_time
=30)
991 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
993 dev
[0].scan_for_bss(bssid
, freq
=2412)
994 dev
[0].request("ERP_FLUSH")
995 if "OK" not in dev
[0].request("FILS_HLP_REQ_FLUSH"):
996 raise Exception("Failed to flush pending FILS HLP requests")
999 start
= struct
.pack('>BBHHBBBB', 0x45, 0, tot_len
, 0, 0, 0, 128, 17)
1000 _ip_src
= b
'\x00\x00\x00\x00'
1001 _ip_dst
= b
'\x00\x00\x00\x00'
1002 ipv4
= start
+ b
'\x00\x00' + _ip_src
+ _ip_dst
1003 csum
= ip_checksum(ipv4
)
1004 ipv4_overflow
= start
+ csum
+ _ip_src
+ _ip_dst
1007 start
= struct
.pack('>BBHHBBBB', 0x45, 0, tot_len
, 0, 0, 0, 128, 123)
1008 ipv4
= start
+ b
'\x00\x00' + _ip_src
+ _ip_dst
1009 csum
= ip_checksum(ipv4
)
1010 ipv4_unknown_proto
= start
+ csum
+ _ip_src
+ _ip_dst
1013 start
= struct
.pack('>BBHHBBBB', 0x45, 0, tot_len
, 0, 0, 0, 128, 17)
1014 ipv4
= start
+ b
'\x00\x00' + _ip_src
+ _ip_dst
1015 csum
= ip_checksum(ipv4
)
1016 ipv4_missing_udp_hdr
= start
+ csum
+ _ip_src
+ _ip_dst
1020 udp
= struct
.pack('>HHHH', src_port
, dst_port
, 8 + 1, 0)
1021 tot_len
= 20 + len(udp
)
1022 start
= struct
.pack('>BBHHBBBB', 0x45, 0, tot_len
, 0, 0, 0, 128, 17)
1023 ipv4
= start
+ b
'\x00\x00' + _ip_src
+ _ip_dst
1024 csum
= ip_checksum(ipv4
)
1025 udp_overflow
= start
+ csum
+ _ip_src
+ _ip_dst
+ udp
1027 udp
= struct
.pack('>HHHH', src_port
, dst_port
, 7, 0)
1028 tot_len
= 20 + len(udp
)
1029 start
= struct
.pack('>BBHHBBBB', 0x45, 0, tot_len
, 0, 0, 0, 128, 17)
1030 ipv4
= start
+ b
'\x00\x00' + _ip_src
+ _ip_dst
1031 csum
= ip_checksum(ipv4
)
1032 udp_underflow
= start
+ csum
+ _ip_src
+ _ip_dst
+ udp
1036 udp
= struct
.pack('>HHHH', src_port
, dst_port
, 8, 0)
1037 tot_len
= 20 + len(udp
)
1038 start
= struct
.pack('>BBHHBBBB', 0x45, 0, tot_len
, 0, 0, 0, 128, 17)
1039 ipv4
= start
+ b
'\x00\x00' + _ip_src
+ _ip_dst
1040 csum
= ip_checksum(ipv4
)
1041 udp_unknown_port
= start
+ csum
+ _ip_src
+ _ip_dst
+ udp
1045 udp
= struct
.pack('>HHHH', src_port
, dst_port
, 8, 0)
1046 tot_len
= 20 + len(udp
)
1047 start
= struct
.pack('>BBHHBBBB', 0x45, 0, tot_len
, 0, 0, 0, 128, 17)
1048 ipv4
= start
+ b
'\x00\x00' + _ip_src
+ _ip_dst
1049 csum
= ip_checksum(ipv4
)
1050 dhcp_missing_data
= start
+ csum
+ _ip_src
+ _ip_dst
+ udp
1052 dhcp_not_req
= build_dhcp(req
=True, dhcp_msg
=DHCPDISCOVER
,
1053 chaddr
=dev
[0].own_addr(), override_op
=BOOTREPLY
)
1054 dhcp_no_magic
= build_dhcp(req
=True, dhcp_msg
=None,
1055 chaddr
=dev
[0].own_addr(), magic_override
=b
'',
1056 rapid_commit
=False, opt_end
=False)
1057 dhcp_unknown_magic
= build_dhcp(req
=True, dhcp_msg
=DHCPDISCOVER
,
1058 chaddr
=dev
[0].own_addr(),
1059 magic_override
=b
'\x00\x00\x00\x00')
1060 dhcp_opts
= build_dhcp(req
=True, dhcp_msg
=DHCPNAK
,
1061 chaddr
=dev
[0].own_addr(),
1062 extra_op
=b
'\x00\x11', opt_end
=False)
1063 dhcp_opts2
= build_dhcp(req
=True, dhcp_msg
=DHCPNAK
,
1064 chaddr
=dev
[0].own_addr(),
1065 extra_op
=b
'\x11\x01', opt_end
=False)
1066 dhcp_valid
= build_dhcp(req
=True, dhcp_msg
=DHCPDISCOVER
,
1067 chaddr
=dev
[0].own_addr())
1072 "0800" + binascii
.hexlify(ipv4_overflow
).decode(),
1073 "0800" + binascii
.hexlify(ipv4_unknown_proto
).decode(),
1074 "0800" + binascii
.hexlify(ipv4_missing_udp_hdr
).decode(),
1075 "0800" + binascii
.hexlify(udp_overflow
).decode(),
1076 "0800" + binascii
.hexlify(udp_underflow
).decode(),
1077 "0800" + binascii
.hexlify(udp_unknown_port
).decode(),
1078 "0800" + binascii
.hexlify(dhcp_missing_data
).decode(),
1079 binascii
.hexlify(dhcp_not_req
).decode(),
1080 binascii
.hexlify(dhcp_no_magic
).decode(),
1081 binascii
.hexlify(dhcp_unknown_magic
).decode()]
1083 if "OK" not in dev
[0].request("FILS_HLP_REQ_ADD ff:ff:ff:ff:ff:ff " + t
):
1084 raise Exception("FILS_HLP_REQ_ADD failed: " + t
)
1085 id = dev
[0].connect("fils", key_mgmt
="FILS-SHA256",
1086 eap
="PSK", identity
="psk.user@example.com",
1087 password_hex
="0123456789abcdef0123456789abcdef",
1088 erp
="1", scan_freq
="2412")
1090 dev
[0].request("DISCONNECT")
1091 dev
[0].wait_disconnected()
1093 dev
[0].dump_monitor()
1094 dev
[0].select_network(id, freq
=2412)
1095 dev
[0].wait_connected()
1096 dev
[0].request("DISCONNECT")
1097 dev
[0].wait_disconnected()
1099 dev
[0].request("FILS_HLP_REQ_FLUSH")
1100 tests
= [binascii
.hexlify(dhcp_opts
).decode(),
1101 binascii
.hexlify(dhcp_opts2
).decode()]
1103 if "OK" not in dev
[0].request("FILS_HLP_REQ_ADD ff:ff:ff:ff:ff:ff " + t
):
1104 raise Exception("FILS_HLP_REQ_ADD failed: " + t
)
1106 dev
[0].dump_monitor()
1107 dev
[0].select_network(id, freq
=2412)
1108 dev
[0].wait_connected()
1109 dev
[0].request("DISCONNECT")
1110 dev
[0].wait_disconnected()
1112 dev
[0].request("FILS_HLP_REQ_FLUSH")
1113 if "OK" not in dev
[0].request("FILS_HLP_REQ_ADD ff:ff:ff:ff:ff:ff " + binascii
.hexlify(dhcp_valid
).decode()):
1114 raise Exception("FILS_HLP_REQ_ADD failed")
1115 hapd
.set("own_ip_addr", "0.0.0.0")
1116 dev
[0].select_network(id, freq
=2412)
1117 dev
[0].wait_connected()
1118 dev
[0].request("DISCONNECT")
1119 dev
[0].wait_disconnected()
1121 hapd
.set("dhcp_server", "0.0.0.0")
1122 dev
[0].select_network(id, freq
=2412)
1123 dev
[0].wait_connected()
1124 dev
[0].request("DISCONNECT")
1125 dev
[0].wait_disconnected()
1127 # FILS: Failed to bind DHCP socket: Address already in use
1128 sock
= socket
.socket(socket
.AF_INET
, socket
.SOCK_DGRAM
, socket
.IPPROTO_UDP
)
1129 sock
.setsockopt(socket
.SOL_SOCKET
, socket
.SO_REUSEADDR
, 1)
1131 sock
.bind(("127.0.0.2", 67))
1132 hapd
.set("own_ip_addr", "127.0.0.2")
1133 hapd
.set("dhcp_server", "127.0.0.2")
1134 dev
[0].select_network(id, freq
=2412)
1135 dev
[0].wait_connected()
1136 dev
[0].request("DISCONNECT")
1137 dev
[0].wait_disconnected()
1139 # FILS: DHCP sendto failed: Invalid argument
1140 hapd
.set("own_ip_addr", "127.0.0.3")
1141 hapd
.set("dhcp_server", "127.0.0.2")
1142 hapd
.set("dhcp_relay_port", "0")
1143 hapd
.set("dhcp_server_port", "0")
1144 dev
[0].select_network(id, freq
=2412)
1145 dev
[0].wait_connected()
1146 dev
[0].request("DISCONNECT")
1147 dev
[0].wait_disconnected()
1149 dev
[0].request("FILS_HLP_REQ_FLUSH")
1151 def test_fils_sk_hlp_dhcp_parsing(dev
, apdev
, params
):
1152 """FILS SK HLP and DHCP response parsing"""
1153 check_fils_capa(dev
[0])
1154 check_erp_capa(dev
[0])
1156 start_erp_as(msk_dump
=os
.path
.join(params
['logdir'], "msk.lst"))
1158 sock
= socket
.socket(socket
.AF_INET
, socket
.SOCK_DGRAM
, socket
.IPPROTO_UDP
)
1159 sock
.setsockopt(socket
.SOL_SOCKET
, socket
.SO_REUSEADDR
, 1)
1161 sock
.bind(("127.0.0.2", 67))
1163 bssid
= apdev
[0]['bssid']
1164 params
= fils_hlp_config(fils_hlp_wait_time
=30)
1165 params
['dhcp_rapid_commit_proxy'] = '1'
1166 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1168 dev
[0].scan_for_bss(bssid
, freq
=2412)
1169 dev
[0].request("ERP_FLUSH")
1170 if "OK" not in dev
[0].request("FILS_HLP_REQ_FLUSH"):
1171 raise Exception("Failed to flush pending FILS HLP requests")
1172 dhcpdisc
= build_dhcp(req
=True, dhcp_msg
=DHCPDISCOVER
,
1173 chaddr
=dev
[0].own_addr())
1174 if "OK" not in dev
[0].request("FILS_HLP_REQ_ADD " + "ff:ff:ff:ff:ff:ff " + binascii
.hexlify(dhcpdisc
).decode()):
1175 raise Exception("FILS_HLP_REQ_ADD failed")
1176 id = dev
[0].connect("fils", key_mgmt
="FILS-SHA256",
1177 eap
="PSK", identity
="psk.user@example.com",
1178 password_hex
="0123456789abcdef0123456789abcdef",
1179 erp
="1", scan_freq
="2412")
1181 dev
[0].request("DISCONNECT")
1182 dev
[0].wait_disconnected()
1184 dev
[0].dump_monitor()
1185 with
alloc_fail(hapd
, 1, "fils_process_hlp"):
1186 dev
[0].select_network(id, freq
=2412)
1187 dev
[0].wait_connected()
1188 dev
[0].request("DISCONNECT")
1189 dev
[0].wait_disconnected()
1191 dev
[0].dump_monitor()
1192 dev
[0].select_network(id, freq
=2412)
1193 (msg
, addr
) = sock
.recvfrom(1000)
1194 logger
.debug("Received DHCP message from %s" % str(addr
))
1195 dhcpdisc
= build_dhcp(req
=False, dhcp_msg
=DHCPACK
,
1196 chaddr
=dev
[0].own_addr(), giaddr
="127.0.0.3")
1197 #sock.sendto(dhcpdisc[2+20+8:], addr)
1198 chaddr
= binascii
.unhexlify(dev
[0].own_addr().replace(':', '')) + 10*b
'\x00'
1200 b
"\x02" + 500 * b
"\x00",
1201 b
"\x02\x00\x00\x00" + 20*b
"\x00" + b
"\x7f\x00\x00\x03" + 500*b
"\x00",
1202 b
"\x02\x00\x00\x00" + 20*b
"\x00" + b
"\x7f\x00\x00\x03" + 16*b
"\x00" + 64*b
"\x00" + 128*b
"\x00" + b
"\x63\x82\x53\x63",
1203 b
"\x02\x00\x00\x00" + 20*b
"\x00" + b
"\x7f\x00\x00\x03" + 16*b
"\x00" + 64*b
"\x00" + 128*b
"\x00" + b
"\x63\x82\x53\x63" + b
"\x00\x11",
1204 b
"\x02\x00\x00\x00" + 20*b
"\x00" + b
"\x7f\x00\x00\x03" + 16*b
"\x00" + 64*b
"\x00" + 128*b
"\x00" + b
"\x63\x82\x53\x63" + b
"\x11\x01",
1205 b
"\x02\x00\x00\x00" + 20*b
"\x00" + b
"\x7f\x00\x00\x03" + chaddr
+ 64*b
"\x00" + 128*b
"\x00" + b
"\x63\x82\x53\x63" + b
"\x35\x00\xff",
1206 b
"\x02\x00\x00\x00" + 20*b
"\x00" + b
"\x7f\x00\x00\x03" + chaddr
+ 64*b
"\x00" + 128*b
"\x00" + b
"\x63\x82\x53\x63" + b
"\x35\x01\x00\xff",
1209 sock
.sendto(t
, addr
)
1210 dev
[0].wait_connected()
1211 dev
[0].request("DISCONNECT")
1212 dev
[0].wait_disconnected()
1214 # FILS: DHCP sendto failed: Invalid argument for second DHCP TX in proxy
1215 dev
[0].dump_monitor()
1216 dev
[0].select_network(id, freq
=2412)
1217 (msg
, addr
) = sock
.recvfrom(1000)
1218 logger
.debug("Received DHCP message from %s" % str(addr
))
1219 hapd
.set("dhcp_server_port", "0")
1220 dhcpoffer
= build_dhcp(req
=False, dhcp_msg
=DHCPOFFER
, rapid_commit
=False,
1221 chaddr
=dev
[0].own_addr(), giaddr
="127.0.0.3")
1222 sock
.sendto(dhcpoffer
[2+20+8:], addr
)
1223 dev
[0].wait_connected()
1224 dev
[0].request("DISCONNECT")
1225 dev
[0].wait_disconnected()
1226 hapd
.set("dhcp_server_port", "67")
1228 # Options in DHCPOFFER
1229 dev
[0].dump_monitor()
1230 dev
[0].select_network(id, freq
=2412)
1231 (msg
, addr
) = sock
.recvfrom(1000)
1232 logger
.debug("Received DHCP message from %s" % str(addr
))
1233 dhcpoffer
= build_dhcp(req
=False, dhcp_msg
=DHCPOFFER
, rapid_commit
=False,
1234 chaddr
=dev
[0].own_addr(), giaddr
="127.0.0.3",
1235 extra_op
=b
"\x00\x11", opt_end
=False)
1236 sock
.sendto(dhcpoffer
[2+20+8:], addr
)
1237 (msg
, addr
) = sock
.recvfrom(1000)
1238 logger
.debug("Received DHCP message from %s" % str(addr
))
1239 dev
[0].wait_connected()
1240 dev
[0].request("DISCONNECT")
1241 dev
[0].wait_disconnected()
1243 # Options in DHCPOFFER (2)
1244 dev
[0].dump_monitor()
1245 dev
[0].select_network(id, freq
=2412)
1246 (msg
, addr
) = sock
.recvfrom(1000)
1247 logger
.debug("Received DHCP message from %s" % str(addr
))
1248 dhcpoffer
= build_dhcp(req
=False, dhcp_msg
=DHCPOFFER
, rapid_commit
=False,
1249 chaddr
=dev
[0].own_addr(), giaddr
="127.0.0.3",
1250 extra_op
=b
"\x11\x01", opt_end
=False)
1251 sock
.sendto(dhcpoffer
[2+20+8:], addr
)
1252 (msg
, addr
) = sock
.recvfrom(1000)
1253 logger
.debug("Received DHCP message from %s" % str(addr
))
1254 dev
[0].wait_connected()
1255 dev
[0].request("DISCONNECT")
1256 dev
[0].wait_disconnected()
1258 # Server ID in DHCPOFFER
1259 dev
[0].dump_monitor()
1260 dev
[0].select_network(id, freq
=2412)
1261 (msg
, addr
) = sock
.recvfrom(1000)
1262 logger
.debug("Received DHCP message from %s" % str(addr
))
1263 dhcpoffer
= build_dhcp(req
=False, dhcp_msg
=DHCPOFFER
, rapid_commit
=False,
1264 chaddr
=dev
[0].own_addr(), giaddr
="127.0.0.3",
1265 extra_op
=b
"\x36\x01\x30")
1266 sock
.sendto(dhcpoffer
[2+20+8:], addr
)
1267 (msg
, addr
) = sock
.recvfrom(1000)
1268 logger
.debug("Received DHCP message from %s" % str(addr
))
1269 dev
[0].wait_connected()
1270 dev
[0].request("DISCONNECT")
1271 dev
[0].wait_disconnected()
1273 # FILS: Could not update DHCPDISCOVER
1274 dev
[0].request("FILS_HLP_REQ_FLUSH")
1275 dhcpdisc
= build_dhcp(req
=True, dhcp_msg
=DHCPDISCOVER
,
1276 chaddr
=dev
[0].own_addr(),
1277 extra_op
=b
"\x00\x11", opt_end
=False)
1278 if "OK" not in dev
[0].request("FILS_HLP_REQ_ADD " + "ff:ff:ff:ff:ff:ff " + binascii
.hexlify(dhcpdisc
).decode()):
1279 raise Exception("FILS_HLP_REQ_ADD failed")
1280 dev
[0].dump_monitor()
1281 dev
[0].select_network(id, freq
=2412)
1282 (msg
, addr
) = sock
.recvfrom(1000)
1283 logger
.debug("Received DHCP message from %s" % str(addr
))
1284 dhcpoffer
= build_dhcp(req
=False, dhcp_msg
=DHCPOFFER
, rapid_commit
=False,
1285 chaddr
=dev
[0].own_addr(), giaddr
="127.0.0.3",
1286 extra_op
=b
"\x36\x01\x30")
1287 sock
.sendto(dhcpoffer
[2+20+8:], addr
)
1288 dev
[0].wait_connected()
1289 dev
[0].request("DISCONNECT")
1290 dev
[0].wait_disconnected()
1292 # FILS: Could not update DHCPDISCOVER (2)
1293 dev
[0].request("FILS_HLP_REQ_FLUSH")
1294 dhcpdisc
= build_dhcp(req
=True, dhcp_msg
=DHCPDISCOVER
,
1295 chaddr
=dev
[0].own_addr(),
1296 extra_op
=b
"\x11\x01", opt_end
=False)
1297 if "OK" not in dev
[0].request("FILS_HLP_REQ_ADD " + "ff:ff:ff:ff:ff:ff " + binascii
.hexlify(dhcpdisc
).decode()):
1298 raise Exception("FILS_HLP_REQ_ADD failed")
1299 dev
[0].dump_monitor()
1300 dev
[0].select_network(id, freq
=2412)
1301 (msg
, addr
) = sock
.recvfrom(1000)
1302 logger
.debug("Received DHCP message from %s" % str(addr
))
1303 dhcpoffer
= build_dhcp(req
=False, dhcp_msg
=DHCPOFFER
, rapid_commit
=False,
1304 chaddr
=dev
[0].own_addr(), giaddr
="127.0.0.3",
1305 extra_op
=b
"\x36\x01\x30")
1306 sock
.sendto(dhcpoffer
[2+20+8:], addr
)
1307 dev
[0].wait_connected()
1308 dev
[0].request("DISCONNECT")
1309 dev
[0].wait_disconnected()
1311 dev
[0].request("FILS_HLP_REQ_FLUSH")
1313 def test_fils_sk_erp_and_reauth(dev
, apdev
, params
):
1314 """FILS SK using ERP and AP going away"""
1315 check_fils_capa(dev
[0])
1316 check_erp_capa(dev
[0])
1318 start_erp_as(msk_dump
=os
.path
.join(params
['logdir'], "msk.lst"))
1320 bssid
= apdev
[0]['bssid']
1321 params
= hostapd
.wpa2_eap_params(ssid
="fils")
1322 params
['wpa_key_mgmt'] = "FILS-SHA256"
1323 params
['auth_server_port'] = "18128"
1324 params
['erp_domain'] = 'example.com'
1325 params
['fils_realm'] = 'example.com'
1326 params
['disable_pmksa_caching'] = '1'
1327 params
['broadcast_deauth'] = '0'
1328 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1330 dev
[0].scan_for_bss(bssid
, freq
=2412)
1331 dev
[0].request("ERP_FLUSH")
1332 id = dev
[0].connect("fils", key_mgmt
="FILS-SHA256",
1333 eap
="PSK", identity
="psk.user@example.com",
1334 password_hex
="0123456789abcdef0123456789abcdef",
1335 erp
="1", scan_freq
="2412")
1338 dev
[0].wait_disconnected()
1339 dev
[0].dump_monitor()
1342 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED",
1343 "EVENT-ASSOC-REJECT",
1344 "CTRL-EVENT-CONNECTED"], timeout
=10)
1346 raise Exception("Reconnection using FILS/ERP timed out")
1347 if "CTRL-EVENT-EAP-STARTED" in ev
:
1348 raise Exception("Unexpected EAP exchange")
1349 if "EVENT-ASSOC-REJECT" in ev
:
1350 raise Exception("Association failed")
1352 def test_fils_sk_erp_sim(dev
, apdev
, params
):
1353 """FILS SK using ERP with SIM"""
1354 check_fils_capa(dev
[0])
1355 check_erp_capa(dev
[0])
1357 realm
= 'wlan.mnc001.mcc232.3gppnetwork.org'
1358 start_erp_as(erp_domain
=realm
,
1359 msk_dump
=os
.path
.join(params
['logdir'], "msk.lst"))
1361 bssid
= apdev
[0]['bssid']
1362 params
= hostapd
.wpa2_eap_params(ssid
="fils")
1363 params
['wpa_key_mgmt'] = "FILS-SHA256"
1364 params
['auth_server_port'] = "18128"
1365 params
['fils_realm'] = realm
1366 params
['disable_pmksa_caching'] = '1'
1367 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1369 dev
[0].scan_for_bss(bssid
, freq
=2412)
1370 dev
[0].request("ERP_FLUSH")
1371 id = dev
[0].connect("fils", key_mgmt
="FILS-SHA256",
1372 eap
="SIM", identity
="1232010000000000@" + realm
,
1373 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
1374 erp
="1", scan_freq
="2412")
1377 dev
[0].wait_disconnected()
1378 dev
[0].dump_monitor()
1381 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED",
1382 "EVENT-ASSOC-REJECT",
1383 "CTRL-EVENT-CONNECTED"], timeout
=10)
1385 raise Exception("Reconnection using FILS/ERP timed out")
1386 if "CTRL-EVENT-EAP-STARTED" in ev
:
1387 raise Exception("Unexpected EAP exchange")
1388 if "EVENT-ASSOC-REJECT" in ev
:
1389 raise Exception("Association failed")
1391 def test_fils_sk_pfs_19(dev
, apdev
, params
):
1392 """FILS SK with PFS (DH group 19)"""
1393 run_fils_sk_pfs(dev
, apdev
, "19", params
)
1395 def test_fils_sk_pfs_20(dev
, apdev
, params
):
1396 """FILS SK with PFS (DH group 20)"""
1397 run_fils_sk_pfs(dev
, apdev
, "20", params
)
1399 def test_fils_sk_pfs_21(dev
, apdev
, params
):
1400 """FILS SK with PFS (DH group 21)"""
1401 run_fils_sk_pfs(dev
, apdev
, "21", params
)
1403 def test_fils_sk_pfs_25(dev
, apdev
, params
):
1404 """FILS SK with PFS (DH group 25)"""
1405 run_fils_sk_pfs(dev
, apdev
, "25", params
)
1407 def test_fils_sk_pfs_26(dev
, apdev
, params
):
1408 """FILS SK with PFS (DH group 26)"""
1409 run_fils_sk_pfs(dev
, apdev
, "26", params
)
1411 def test_fils_sk_pfs_27(dev
, apdev
, params
):
1412 """FILS SK with PFS (DH group 27)"""
1413 run_fils_sk_pfs(dev
, apdev
, "27", params
)
1415 def test_fils_sk_pfs_28(dev
, apdev
, params
):
1416 """FILS SK with PFS (DH group 28)"""
1417 run_fils_sk_pfs(dev
, apdev
, "28", params
)
1419 def test_fils_sk_pfs_29(dev
, apdev
, params
):
1420 """FILS SK with PFS (DH group 29)"""
1421 run_fils_sk_pfs(dev
, apdev
, "29", params
)
1423 def test_fils_sk_pfs_30(dev
, apdev
, params
):
1424 """FILS SK with PFS (DH group 30)"""
1425 run_fils_sk_pfs(dev
, apdev
, "30", params
)
1427 def run_fils_sk_pfs(dev
, apdev
, group
, params
):
1428 check_fils_sk_pfs_capa(dev
[0])
1429 check_erp_capa(dev
[0])
1431 tls
= dev
[0].request("GET tls_library")
1432 if int(group
) in [25]:
1433 if not (tls
.startswith("OpenSSL") and ("build=OpenSSL 1.0.2" in tls
or "build=OpenSSL 1.1" in tls
) and ("run=OpenSSL 1.0.2" in tls
or "run=OpenSSL 1.1" in tls
)):
1434 raise HwsimSkip("EC group not supported")
1435 if int(group
) in [27, 28, 29, 30]:
1436 if not (tls
.startswith("OpenSSL") and ("build=OpenSSL 1.0.2" in tls
or "build=OpenSSL 1.1" in tls
) and ("run=OpenSSL 1.0.2" in tls
or "run=OpenSSL 1.1" in tls
)):
1437 raise HwsimSkip("Brainpool EC group not supported")
1439 start_erp_as(msk_dump
=os
.path
.join(params
['logdir'], "msk.lst"))
1441 bssid
= apdev
[0]['bssid']
1442 params
= hostapd
.wpa2_eap_params(ssid
="fils")
1443 params
['wpa_key_mgmt'] = "FILS-SHA256"
1444 params
['auth_server_port'] = "18128"
1445 params
['erp_domain'] = 'example.com'
1446 params
['fils_realm'] = 'example.com'
1447 params
['disable_pmksa_caching'] = '1'
1448 params
['fils_dh_group'] = group
1449 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1451 dev
[0].scan_for_bss(bssid
, freq
=2412)
1452 dev
[0].request("ERP_FLUSH")
1453 id = dev
[0].connect("fils", key_mgmt
="FILS-SHA256",
1454 eap
="PSK", identity
="psk.user@example.com",
1455 password_hex
="0123456789abcdef0123456789abcdef",
1456 erp
="1", fils_dh_group
=group
, scan_freq
="2412")
1458 dev
[0].request("DISCONNECT")
1459 dev
[0].wait_disconnected()
1461 dev
[0].dump_monitor()
1462 dev
[0].select_network(id, freq
=2412)
1463 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED",
1464 "EVENT-ASSOC-REJECT",
1465 "CTRL-EVENT-CONNECTED"], timeout
=10)
1467 raise Exception("Connection using FILS/ERP timed out")
1468 if "CTRL-EVENT-EAP-STARTED" in ev
:
1469 raise Exception("Unexpected EAP exchange")
1470 if "EVENT-ASSOC-REJECT" in ev
:
1471 raise Exception("Association failed")
1472 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1474 def test_fils_sk_pfs_group_mismatch(dev
, apdev
, params
):
1475 """FILS SK PFS DH group mismatch"""
1476 check_fils_sk_pfs_capa(dev
[0])
1477 check_erp_capa(dev
[0])
1479 start_erp_as(msk_dump
=os
.path
.join(params
['logdir'], "msk.lst"))
1481 bssid
= apdev
[0]['bssid']
1482 params
= hostapd
.wpa2_eap_params(ssid
="fils")
1483 params
['wpa_key_mgmt'] = "FILS-SHA256"
1484 params
['auth_server_port'] = "18128"
1485 params
['erp_domain'] = 'example.com'
1486 params
['fils_realm'] = 'example.com'
1487 params
['disable_pmksa_caching'] = '1'
1488 params
['fils_dh_group'] = "20"
1489 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1491 dev
[0].scan_for_bss(bssid
, freq
=2412)
1492 dev
[0].request("ERP_FLUSH")
1493 id = dev
[0].connect("fils", key_mgmt
="FILS-SHA256",
1494 eap
="PSK", identity
="psk.user@example.com",
1495 password_hex
="0123456789abcdef0123456789abcdef",
1496 erp
="1", fils_dh_group
="19", scan_freq
="2412")
1498 dev
[0].request("DISCONNECT")
1499 dev
[0].wait_disconnected()
1501 dev
[0].dump_monitor()
1502 dev
[0].select_network(id, freq
=2412)
1503 ev
= dev
[0].wait_event(["CTRL-EVENT-AUTH-REJECT"], timeout
=10)
1504 dev
[0].request("DISCONNECT")
1506 raise Exception("Authentication rejection not seen")
1507 if "auth_type=5 auth_transaction=2 status_code=77" not in ev
:
1508 raise Exception("Unexpected auth reject value: " + ev
)
1510 def test_fils_sk_pfs_pmksa_caching(dev
, apdev
, params
):
1511 """FILS SK with PFS and PMKSA caching"""
1512 check_fils_sk_pfs_capa(dev
[0])
1513 check_erp_capa(dev
[0])
1515 start_erp_as(msk_dump
=os
.path
.join(params
['logdir'], "msk.lst"))
1517 bssid
= apdev
[0]['bssid']
1518 params
= hostapd
.wpa2_eap_params(ssid
="fils")
1519 params
['wpa_key_mgmt'] = "FILS-SHA256"
1520 params
['auth_server_port'] = "18128"
1521 params
['erp_domain'] = 'example.com'
1522 params
['fils_realm'] = 'example.com'
1523 params
['fils_dh_group'] = "19"
1524 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1526 dev
[0].scan_for_bss(bssid
, freq
=2412)
1527 dev
[0].request("ERP_FLUSH")
1528 id = dev
[0].connect("fils", key_mgmt
="FILS-SHA256",
1529 eap
="PSK", identity
="psk.user@example.com",
1530 password_hex
="0123456789abcdef0123456789abcdef",
1531 erp
="1", fils_dh_group
="19", scan_freq
="2412")
1532 pmksa
= dev
[0].get_pmksa(bssid
)
1534 raise Exception("No PMKSA cache entry created")
1536 dev
[0].request("DISCONNECT")
1537 dev
[0].wait_disconnected()
1539 # FILS authentication with PMKSA caching and PFS
1540 dev
[0].dump_monitor()
1541 dev
[0].select_network(id, freq
=2412)
1542 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED",
1543 "CTRL-EVENT-CONNECTED"], timeout
=10)
1545 raise Exception("Connection using PMKSA caching timed out")
1546 if "CTRL-EVENT-EAP-STARTED" in ev
:
1547 raise Exception("Unexpected EAP exchange")
1548 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1549 pmksa2
= dev
[0].get_pmksa(bssid
)
1551 raise Exception("No PMKSA cache entry found")
1552 if pmksa
['pmkid'] != pmksa2
['pmkid']:
1553 raise Exception("Unexpected PMKID change")
1555 # Verify EAPOL reauthentication after FILS authentication
1556 hapd
.request("EAPOL_REAUTH " + dev
[0].own_addr())
1557 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=5)
1559 raise Exception("EAP authentication did not start")
1560 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=5)
1562 raise Exception("EAP authentication did not succeed")
1564 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1566 dev
[0].request("DISCONNECT")
1567 dev
[0].wait_disconnected()
1569 # FILS authentication with ERP and PFS
1570 dev
[0].request("PMKSA_FLUSH")
1571 dev
[0].dump_monitor()
1572 dev
[0].select_network(id, freq
=2412)
1573 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED",
1574 "CTRL-EVENT-EAP-SUCCESS",
1575 "CTRL-EVENT-CONNECTED"], timeout
=10)
1577 raise Exception("Connection using ERP and PFS timed out")
1578 if "CTRL-EVENT-EAP-STARTED" in ev
:
1579 raise Exception("Unexpected EAP exchange")
1580 if "CTRL-EVENT-EAP-SUCCESS" not in ev
:
1581 raise Exception("ERP success not reported")
1582 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED",
1583 "SME: Trying to authenticate",
1584 "CTRL-EVENT-CONNECTED"], timeout
=10)
1586 raise Exception("Connection using ERP and PFS timed out")
1587 if "CTRL-EVENT-EAP-STARTED" in ev
:
1588 raise Exception("Unexpected EAP exchange")
1589 if "SME: Trying to authenticate" in ev
:
1590 raise Exception("Unexpected extra authentication round with ERP and PFS")
1591 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1592 pmksa3
= dev
[0].get_pmksa(bssid
)
1594 raise Exception("No PMKSA cache entry found")
1595 if pmksa2
['pmkid'] == pmksa3
['pmkid']:
1596 raise Exception("PMKID did not change")
1598 dev
[0].request("DISCONNECT")
1599 dev
[0].wait_disconnected()
1601 # FILS authentication with PMKSA caching and PFS
1602 dev
[0].dump_monitor()
1603 dev
[0].select_network(id, freq
=2412)
1604 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED",
1605 "CTRL-EVENT-CONNECTED"], timeout
=10)
1607 raise Exception("Connection using PMKSA caching timed out")
1608 if "CTRL-EVENT-EAP-STARTED" in ev
:
1609 raise Exception("Unexpected EAP exchange")
1610 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1611 pmksa4
= dev
[0].get_pmksa(bssid
)
1613 raise Exception("No PMKSA cache entry found")
1614 if pmksa3
['pmkid'] != pmksa4
['pmkid']:
1615 raise Exception("Unexpected PMKID change (2)")
1617 def test_fils_sk_auth_mismatch(dev
, apdev
, params
):
1618 """FILS SK authentication type mismatch (PFS not supported)"""
1619 check_fils_sk_pfs_capa(dev
[0])
1620 check_erp_capa(dev
[0])
1622 start_erp_as(msk_dump
=os
.path
.join(params
['logdir'], "msk.lst"))
1624 bssid
= apdev
[0]['bssid']
1625 params
= hostapd
.wpa2_eap_params(ssid
="fils")
1626 params
['wpa_key_mgmt'] = "FILS-SHA256"
1627 params
['auth_server_port'] = "18128"
1628 params
['erp_domain'] = 'example.com'
1629 params
['fils_realm'] = 'example.com'
1630 params
['disable_pmksa_caching'] = '1'
1631 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1633 dev
[0].scan_for_bss(bssid
, freq
=2412)
1634 dev
[0].request("ERP_FLUSH")
1635 id = dev
[0].connect("fils", key_mgmt
="FILS-SHA256",
1636 eap
="PSK", identity
="psk.user@example.com",
1637 password_hex
="0123456789abcdef0123456789abcdef",
1638 erp
="1", fils_dh_group
="19", scan_freq
="2412")
1640 dev
[0].request("DISCONNECT")
1641 dev
[0].wait_disconnected()
1644 dev
[0].dump_monitor()
1645 dev
[0].select_network(id, freq
=2412)
1646 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED",
1647 "EVENT-ASSOC-REJECT",
1648 "CTRL-EVENT-CONNECTED"], timeout
=10)
1650 raise Exception("Connection using FILS/ERP timed out")
1651 if "CTRL-EVENT-EAP-STARTED" not in ev
:
1652 raise Exception("No EAP exchange seen")
1653 dev
[0].wait_connected()
1655 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1657 def setup_fils_rekey(dev
, apdev
, params
, wpa_ptk_rekey
=0, wpa_group_rekey
=0,
1658 pmksa_caching
=True):
1659 check_fils_capa(dev
[0])
1660 check_erp_capa(dev
[0])
1662 start_erp_as(msk_dump
=os
.path
.join(params
['logdir'], "msk.lst"))
1664 bssid
= apdev
[0]['bssid']
1665 params
= hostapd
.wpa2_eap_params(ssid
="fils")
1666 params
['wpa_key_mgmt'] = "FILS-SHA256"
1667 params
['auth_server_port'] = "18128"
1668 params
['erp_domain'] = 'example.com'
1669 params
['fils_realm'] = 'example.com'
1671 params
['wpa_ptk_rekey'] = str(wpa_ptk_rekey
)
1673 params
['wpa_group_rekey'] = str(wpa_group_rekey
)
1674 if not pmksa_caching
:
1675 params
['disable_pmksa_caching'] = '1'
1676 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1678 dev
[0].scan_for_bss(bssid
, freq
=2412)
1679 dev
[0].request("ERP_FLUSH")
1680 id = dev
[0].connect("fils", key_mgmt
="FILS-SHA256",
1681 eap
="PSK", identity
="psk.user@example.com",
1682 password_hex
="0123456789abcdef0123456789abcdef",
1683 erp
="1", scan_freq
="2412")
1685 dev
[0].request("DISCONNECT")
1686 dev
[0].wait_disconnected()
1688 dev
[0].dump_monitor()
1689 dev
[0].select_network(id, freq
=2412)
1690 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED",
1691 "CTRL-EVENT-CONNECTED"], timeout
=10)
1693 raise Exception("Connection using ERP or PMKSA caching timed out")
1694 if "CTRL-EVENT-EAP-STARTED" in ev
:
1695 raise Exception("Unexpected EAP exchange")
1696 dev
[0].dump_monitor()
1698 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1701 def test_fils_auth_gtk_rekey(dev
, apdev
, params
):
1702 """GTK rekeying after FILS authentication"""
1703 hapd
= setup_fils_rekey(dev
, apdev
, params
, wpa_group_rekey
=1)
1704 ev
= dev
[0].wait_event(["WPA: Group rekeying completed"], timeout
=2)
1706 raise Exception("GTK rekey timed out")
1707 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1709 ev
= dev
[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout
=5)
1711 raise Exception("Rekeying failed - disconnected")
1712 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1714 def test_fils_auth_ptk_rekey_ap(dev
, apdev
, params
):
1715 """PTK rekeying after FILS authentication triggered by AP"""
1716 hapd
= setup_fils_rekey(dev
, apdev
, params
, wpa_ptk_rekey
=2)
1717 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=3)
1719 raise Exception("PTK rekey timed out")
1720 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1722 ev
= dev
[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout
=1)
1724 raise Exception("Rekeying failed - disconnected")
1725 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1727 def test_fils_auth_ptk_rekey_ap_erp(dev
, apdev
, params
):
1728 """PTK rekeying after FILS authentication triggered by AP (ERP)"""
1729 hapd
= setup_fils_rekey(dev
, apdev
, params
, wpa_ptk_rekey
=2,
1730 pmksa_caching
=False)
1731 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=3)
1733 raise Exception("PTK rekey timed out")
1734 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1736 ev
= dev
[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout
=1)
1738 raise Exception("Rekeying failed - disconnected")
1739 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1741 def test_fils_and_ft(dev
, apdev
, params
):
1742 """FILS SK using ERP and FT initial mobility domain association"""
1743 check_fils_capa(dev
[0])
1744 check_erp_capa(dev
[0])
1746 er
= start_erp_as(msk_dump
=os
.path
.join(params
['logdir'], "msk.lst"))
1748 bssid
= apdev
[0]['bssid']
1749 params
= hostapd
.wpa2_eap_params(ssid
="fils")
1750 params
['wpa_key_mgmt'] = "FILS-SHA256"
1751 params
['auth_server_port'] = "18128"
1752 params
['erp_domain'] = 'example.com'
1753 params
['fils_realm'] = 'example.com'
1754 params
['disable_pmksa_caching'] = '1'
1755 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1757 dev
[0].scan_for_bss(bssid
, freq
=2412)
1758 dev
[0].request("ERP_FLUSH")
1759 id = dev
[0].connect("fils", key_mgmt
="FILS-SHA256",
1760 eap
="PSK", identity
="psk.user@example.com",
1761 password_hex
="0123456789abcdef0123456789abcdef",
1762 erp
="1", scan_freq
="2412")
1764 dev
[0].request("DISCONNECT")
1765 dev
[0].wait_disconnected()
1767 dev
[0].flush_scan_cache()
1768 if "FAIL" in dev
[0].request("PMKSA_FLUSH"):
1769 raise Exception("PMKSA_FLUSH failed")
1771 params
= hostapd
.wpa2_eap_params(ssid
="fils-ft")
1772 params
['wpa_key_mgmt'] = "FILS-SHA256 FT-FILS-SHA256 FT-EAP"
1773 params
['auth_server_port'] = "18128"
1774 params
['erp_domain'] = 'example.com'
1775 params
['fils_realm'] = 'example.com'
1776 params
['disable_pmksa_caching'] = '1'
1777 params
["mobility_domain"] = "a1b2"
1778 params
["r0_key_lifetime"] = "10000"
1779 params
["pmk_r1_push"] = "1"
1780 params
["reassociation_deadline"] = "1000"
1781 params
['nas_identifier'] = "nas1.w1.fi"
1782 params
['r1_key_holder'] = "000102030405"
1783 params
['r0kh'] = ["02:00:00:00:04:00 nas2.w1.fi 300102030405060708090a0b0c0d0e0f"]
1784 params
['r1kh'] = "02:00:00:00:04:00 00:01:02:03:04:06 200102030405060708090a0b0c0d0e0f"
1785 params
['ieee80211w'] = "1"
1786 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1788 dev
[0].scan_for_bss(bssid
, freq
=2412)
1789 dev
[0].dump_monitor()
1790 id = dev
[0].connect("fils-ft", key_mgmt
="FILS-SHA256 FT-FILS-SHA256 FT-EAP",
1792 eap
="PSK", identity
="psk.user@example.com",
1793 password_hex
="0123456789abcdef0123456789abcdef",
1794 erp
="1", scan_freq
="2412", wait_connect
=False)
1796 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED",
1797 "CTRL-EVENT-AUTH-REJECT",
1798 "EVENT-ASSOC-REJECT",
1799 "CTRL-EVENT-CONNECTED"], timeout
=10)
1801 raise Exception("Connection using FILS/ERP timed out")
1802 if "CTRL-EVENT-EAP-STARTED" in ev
:
1803 raise Exception("Unexpected EAP exchange")
1804 if "CTRL-EVENT-AUTH-REJECT" in ev
:
1805 raise Exception("Authentication failed")
1806 if "EVENT-ASSOC-REJECT" in ev
:
1807 raise Exception("Association failed")
1808 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1812 # FIX: FT-FILS-SHA256 does not currently work for FT protocol due to not
1813 # fully defined FT Reassociation Request/Response frame MIC use in FTE.
1814 # FT-EAP can be used to work around that in this test case to confirm the
1815 # FT key hierarchy was properly formed in the previous step.
1816 #params['wpa_key_mgmt'] = "FILS-SHA256 FT-FILS-SHA256"
1817 params
['wpa_key_mgmt'] = "FT-EAP"
1818 params
['nas_identifier'] = "nas2.w1.fi"
1819 params
['r1_key_holder'] = "000102030406"
1820 params
['r0kh'] = ["02:00:00:00:03:00 nas1.w1.fi 200102030405060708090a0b0c0d0e0f"]
1821 params
['r1kh'] = "02:00:00:00:03:00 00:01:02:03:04:05 300102030405060708090a0b0c0d0e0f"
1822 hapd2
= hostapd
.add_ap(apdev
[1]['ifname'], params
)
1824 dev
[0].scan_for_bss(apdev
[1]['bssid'], freq
="2412", force_scan
=True)
1825 # FIX: Cannot use FT-over-DS without the FTE MIC issue addressed
1826 #dev[0].roam_over_ds(apdev[1]['bssid'])
1827 dev
[0].roam(apdev
[1]['bssid'])
1829 def test_fils_and_ft_over_air(dev
, apdev
, params
):
1830 """FILS SK using ERP and FT-over-air (SHA256)"""
1831 run_fils_and_ft_over_air(dev
, apdev
, params
, "FT-FILS-SHA256")
1833 def test_fils_and_ft_over_air_sha384(dev
, apdev
, params
):
1834 """FILS SK using ERP and FT-over-air (SHA384)"""
1835 run_fils_and_ft_over_air(dev
, apdev
, params
, "FT-FILS-SHA384")
1837 def run_fils_and_ft_over_air(dev
, apdev
, params
, key_mgmt
):
1838 hapd
, hapd2
= run_fils_and_ft_setup(dev
, apdev
, params
, key_mgmt
)
1840 logger
.info("FT protocol using FT key hierarchy established during FILS authentication")
1841 dev
[0].scan_for_bss(apdev
[1]['bssid'], freq
="2412", force_scan
=True)
1842 hapd
.request("NOTE FT protocol to AP2 using FT keys established during FILS FILS authentication")
1843 dev
[0].roam(apdev
[1]['bssid'])
1844 hwsim_utils
.test_connectivity(dev
[0], hapd2
)
1846 logger
.info("FT protocol using the previously established FT key hierarchy from FILS authentication")
1847 hapd
.request("NOTE FT protocol back to AP1 using FT keys established during FILS FILS authentication")
1848 dev
[0].roam(apdev
[0]['bssid'])
1849 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1851 hapd
.request("NOTE FT protocol back to AP2 using FT keys established during FILS FILS authentication")
1852 dev
[0].roam(apdev
[1]['bssid'])
1853 hwsim_utils
.test_connectivity(dev
[0], hapd2
)
1855 hapd
.request("NOTE FT protocol back to AP1 using FT keys established during FILS FILS authentication (2)")
1856 dev
[0].roam(apdev
[0]['bssid'])
1857 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1859 def test_fils_and_ft_over_ds(dev
, apdev
, params
):
1860 """FILS SK using ERP and FT-over-DS (SHA256)"""
1861 run_fils_and_ft_over_ds(dev
, apdev
, params
, "FT-FILS-SHA256")
1863 def test_fils_and_ft_over_ds_sha384(dev
, apdev
, params
):
1864 """FILS SK using ERP and FT-over-DS (SHA384)"""
1865 run_fils_and_ft_over_ds(dev
, apdev
, params
, "FT-FILS-SHA384")
1867 def run_fils_and_ft_over_ds(dev
, apdev
, params
, key_mgmt
):
1868 hapd
, hapd2
= run_fils_and_ft_setup(dev
, apdev
, params
, key_mgmt
)
1870 logger
.info("FT protocol using FT key hierarchy established during FILS authentication")
1871 dev
[0].scan_for_bss(apdev
[1]['bssid'], freq
="2412", force_scan
=True)
1872 hapd
.request("NOTE FT protocol to AP2 using FT keys established during FILS FILS authentication")
1873 dev
[0].roam_over_ds(apdev
[1]['bssid'])
1875 logger
.info("FT protocol using the previously established FT key hierarchy from FILS authentication")
1876 hapd
.request("NOTE FT protocol back to AP1 using FT keys established during FILS FILS authentication")
1877 dev
[0].roam_over_ds(apdev
[0]['bssid'])
1879 hapd
.request("NOTE FT protocol back to AP2 using FT keys established during FILS FILS authentication")
1880 dev
[0].roam_over_ds(apdev
[1]['bssid'])
1882 hapd
.request("NOTE FT protocol back to AP1 using FT keys established during FILS FILS authentication (2)")
1883 dev
[0].roam_over_ds(apdev
[0]['bssid'])
1885 def run_fils_and_ft_setup(dev
, apdev
, params
, key_mgmt
):
1886 check_fils_capa(dev
[0])
1887 check_erp_capa(dev
[0])
1889 er
= start_erp_as(msk_dump
=os
.path
.join(params
['logdir'], "msk.lst"))
1891 logger
.info("Set up ERP key hierarchy without FILS/FT authentication")
1892 bssid
= apdev
[0]['bssid']
1893 params
= hostapd
.wpa2_eap_params(ssid
="fils")
1894 params
['wpa_key_mgmt'] = key_mgmt
1895 params
['auth_server_port'] = "18128"
1896 params
['erp_domain'] = 'example.com'
1897 params
['fils_realm'] = 'example.com'
1898 params
['disable_pmksa_caching'] = '1'
1899 params
['ieee80211w'] = "2"
1900 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1902 dev
[0].scan_for_bss(bssid
, freq
=2412)
1903 dev
[0].request("ERP_FLUSH")
1904 hapd
.request("NOTE Initial association to establish ERP keys")
1905 id = dev
[0].connect("fils", key_mgmt
=key_mgmt
, ieee80211w
="2",
1906 eap
="PSK", identity
="psk.user@example.com",
1907 password_hex
="0123456789abcdef0123456789abcdef",
1908 erp
="1", scan_freq
="2412")
1910 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1912 dev
[0].request("DISCONNECT")
1913 dev
[0].wait_disconnected()
1915 dev
[0].flush_scan_cache()
1916 if "FAIL" in dev
[0].request("PMKSA_FLUSH"):
1917 raise Exception("PMKSA_FLUSH failed")
1919 logger
.info("Initial mobility domain association using FILS authentication")
1920 params
= hostapd
.wpa2_eap_params(ssid
="fils-ft")
1921 params
['wpa_key_mgmt'] = key_mgmt
1922 params
['auth_server_port'] = "18128"
1923 params
['erp_domain'] = 'example.com'
1924 params
['fils_realm'] = 'example.com'
1925 params
['disable_pmksa_caching'] = '1'
1926 params
["mobility_domain"] = "a1b2"
1927 params
["r0_key_lifetime"] = "10000"
1928 params
["pmk_r1_push"] = "1"
1929 params
["reassociation_deadline"] = "1000"
1930 params
['nas_identifier'] = "nas1.w1.fi"
1931 params
['r1_key_holder'] = "000102030405"
1932 params
['r0kh'] = ["02:00:00:00:03:00 nas1.w1.fi 100102030405060708090a0b0c0d0e0f100102030405060708090a0b0c0d0e0f",
1933 "02:00:00:00:04:00 nas2.w1.fi 300102030405060708090a0b0c0d0e0f"]
1934 params
['r1kh'] = "02:00:00:00:04:00 00:01:02:03:04:06 200102030405060708090a0b0c0d0e0f"
1935 params
['ieee80211w'] = "2"
1936 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1938 dev
[0].scan_for_bss(bssid
, freq
=2412)
1939 dev
[0].dump_monitor()
1940 hapd
.request("NOTE Initial FT mobility domain association using FILS authentication")
1941 dev
[0].set_network_quoted(id, "ssid", "fils-ft")
1942 dev
[0].select_network(id, freq
=2412)
1944 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED",
1945 "CTRL-EVENT-AUTH-REJECT",
1946 "EVENT-ASSOC-REJECT",
1947 "CTRL-EVENT-CONNECTED"], timeout
=10)
1949 raise Exception("Connection using FILS/ERP timed out")
1950 if "CTRL-EVENT-EAP-STARTED" in ev
:
1951 raise Exception("Unexpected EAP exchange")
1952 if "CTRL-EVENT-AUTH-REJECT" in ev
:
1953 raise Exception("Authentication failed")
1954 if "EVENT-ASSOC-REJECT" in ev
:
1955 raise Exception("Association failed")
1957 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1961 params
['wpa_key_mgmt'] = key_mgmt
1962 params
['nas_identifier'] = "nas2.w1.fi"
1963 params
['r1_key_holder'] = "000102030406"
1964 params
['r0kh'] = ["02:00:00:00:03:00 nas1.w1.fi 200102030405060708090a0b0c0d0e0f",
1965 "02:00:00:00:04:00 nas2.w1.fi 000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f"]
1966 params
['r1kh'] = "02:00:00:00:03:00 00:01:02:03:04:05 300102030405060708090a0b0c0d0e0f"
1967 hapd2
= hostapd
.add_ap(apdev
[1]['ifname'], params
)
1971 def test_fils_assoc_replay(dev
, apdev
, params
):
1972 """FILS AP and replayed Association Request frame"""
1973 capfile
= os
.path
.join(params
['logdir'], "hwsim0.pcapng")
1974 check_fils_capa(dev
[0])
1975 check_erp_capa(dev
[0])
1979 bssid
= apdev
[0]['bssid']
1980 params
= hostapd
.wpa2_eap_params(ssid
="fils")
1981 params
['wpa_key_mgmt'] = "FILS-SHA256"
1982 params
['auth_server_port'] = "18128"
1983 params
['erp_domain'] = 'example.com'
1984 params
['fils_realm'] = 'example.com'
1985 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1987 dev
[0].scan_for_bss(bssid
, freq
=2412)
1988 dev
[0].request("ERP_FLUSH")
1989 id = dev
[0].connect("fils", key_mgmt
="FILS-SHA256",
1990 eap
="PSK", identity
="psk.user@example.com",
1991 password_hex
="0123456789abcdef0123456789abcdef",
1992 erp
="1", scan_freq
="2412")
1994 dev
[0].request("DISCONNECT")
1995 dev
[0].wait_disconnected()
1997 hapd
.set("ext_mgmt_frame_handling", "1")
1998 dev
[0].dump_monitor()
1999 dev
[0].select_network(id, freq
=2412)
2004 req
= hapd
.mgmt_rx()
2007 hapd
.request("MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + binascii
.hexlify(req
['frame']).decode())
2008 if req
['subtype'] == 0:
2010 ev
= hapd
.wait_event(["MGMT-TX-STATUS"], timeout
=5)
2012 raise Exception("No TX status seen")
2013 cmd
= "MGMT_TX_STATUS_PROCESS %s" % (" ".join(ev
.split(' ')[1:4]))
2014 if "OK" not in hapd
.request(cmd
):
2015 raise Exception("MGMT_TX_STATUS_PROCESS failed")
2017 hapd
.set("ext_mgmt_frame_handling", "0")
2018 if assocreq
is None:
2019 raise Exception("No Association Request frame seen")
2020 dev
[0].wait_connected()
2021 dev
[0].dump_monitor()
2024 hwsim_utils
.test_connectivity(dev
[0], hapd
)
2026 logger
.info("Replay the last Association Request frame")
2028 hapd
.set("ext_mgmt_frame_handling", "1")
2029 hapd
.request("MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + binascii
.hexlify(req
['frame']).decode())
2030 ev
= hapd
.wait_event(["MGMT-TX-STATUS"], timeout
=5)
2032 raise Exception("No TX status seen")
2033 cmd
= "MGMT_TX_STATUS_PROCESS %s" % (" ".join(ev
.split(' ')[1:4]))
2034 if "OK" not in hapd
.request(cmd
):
2035 raise Exception("MGMT_TX_STATUS_PROCESS failed")
2036 hapd
.set("ext_mgmt_frame_handling", "0")
2039 hwsim_utils
.test_connectivity(dev
[0], hapd
)
2044 ap
= hapd
.own_addr()
2045 sta
= dev
[0].own_addr()
2046 filt
= "wlan.fc.type == 2 && " + \
2047 "wlan.da == " + sta
+ " && " + \
2048 "wlan.sa == " + ap
+ " && wlan.ccmp.extiv"
2049 fields
= ["wlan.ccmp.extiv"]
2050 res
= run_tshark(capfile
, filt
, fields
)
2051 vals
= res
.splitlines()
2052 logger
.info("CCMP PN: " + str(vals
))
2054 raise Exception("Could not find all CCMP protected frames from capture")
2055 if len(set(vals
)) < len(vals
):
2056 raise Exception("Duplicate CCMP PN used")
2059 raise Exception("The second hwsim connectivity test failed")
2061 def test_fils_sk_erp_server_flush(dev
, apdev
, params
):
2062 """FILS SK ERP and ERP flush on server, but not on peer"""
2063 check_fils_capa(dev
[0])
2064 check_erp_capa(dev
[0])
2066 hapd_as
= start_erp_as(msk_dump
=os
.path
.join(params
['logdir'], "msk.lst"))
2068 bssid
= apdev
[0]['bssid']
2069 params
= hostapd
.wpa2_eap_params(ssid
="fils")
2070 params
['wpa_key_mgmt'] = "FILS-SHA256"
2071 params
['auth_server_port'] = "18128"
2072 params
['erp_domain'] = 'example.com'
2073 params
['fils_realm'] = 'example.com'
2074 params
['disable_pmksa_caching'] = '1'
2075 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
2077 dev
[0].scan_for_bss(bssid
, freq
=2412)
2078 dev
[0].request("ERP_FLUSH")
2079 id = dev
[0].connect("fils", key_mgmt
="FILS-SHA256",
2080 eap
="PSK", identity
="psk.user@example.com",
2081 password_hex
="0123456789abcdef0123456789abcdef",
2082 erp
="1", scan_freq
="2412")
2084 dev
[0].request("DISCONNECT")
2085 dev
[0].wait_disconnected()
2087 dev
[0].dump_monitor()
2088 dev
[0].select_network(id, freq
=2412)
2089 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED",
2090 "EVENT-ASSOC-REJECT",
2091 "CTRL-EVENT-CONNECTED"], timeout
=10)
2093 raise Exception("Connection using FILS/ERP timed out")
2094 if "CTRL-EVENT-EAP-STARTED" in ev
:
2095 raise Exception("Unexpected EAP exchange")
2096 if "EVENT-ASSOC-REJECT" in ev
:
2097 raise Exception("Association failed")
2099 dev
[0].request("DISCONNECT")
2100 dev
[0].wait_disconnected()
2102 hapd_as
.request("ERP_FLUSH")
2103 dev
[0].dump_monitor()
2104 dev
[0].select_network(id, freq
=2412)
2105 ev
= dev
[0].wait_event(["CTRL-EVENT-AUTH-REJECT"], timeout
=10)
2107 raise Exception("No authentication rejection seen after ERP flush on server")
2109 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED",
2110 "CTRL-EVENT-AUTH-REJECT",
2111 "EVENT-ASSOC-REJECT",
2112 "CTRL-EVENT-CONNECTED"], timeout
=10)
2114 raise Exception("Connection attempt using FILS/ERP timed out")
2115 if "CTRL-EVENT-AUTH-REJECT" in ev
:
2116 raise Exception("Failed to recover from ERP flush on server")
2117 if "EVENT-ASSOC-REJECT" in ev
:
2118 raise Exception("Association failed")
2119 if "CTRL-EVENT-EAP-STARTED" not in ev
:
2120 raise Exception("New EAP exchange not seen")
2121 dev
[0].wait_connected(error
="Connection timeout after ERP flush")
2123 dev
[0].request("DISCONNECT")
2124 dev
[0].wait_disconnected()
2125 dev
[0].dump_monitor()
2126 dev
[0].select_network(id, freq
=2412)
2127 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED",
2128 "CTRL-EVENT-AUTH-REJECT",
2129 "EVENT-ASSOC-REJECT",
2130 "CTRL-EVENT-CONNECTED"], timeout
=10)
2132 raise Exception("Connection attempt using FILS with new ERP keys timed out")
2133 if "CTRL-EVENT-AUTH-REJECT" in ev
:
2134 raise Exception("Authentication failed with new ERP keys")
2135 if "EVENT-ASSOC-REJECT" in ev
:
2136 raise Exception("Association failed with new ERP keys")
2137 if "CTRL-EVENT-EAP-STARTED" in ev
:
2138 raise Exception("Unexpected EAP exchange")
2140 def test_fils_sk_erp_radius_ext(dev
, apdev
, params
):
2141 """FILS SK using ERP and external RADIUS server"""
2142 as_hapd
= hostapd
.Hostapd("as")
2145 as_hapd
.set("eap_server_erp", "1")
2146 as_hapd
.set("erp_domain", "erp.example.com")
2148 run_fils_sk_erp_radius_ext(dev
, apdev
, params
)
2151 as_hapd
.set("eap_server_erp", "0")
2152 as_hapd
.set("erp_domain", "")
2155 def run_fils_sk_erp_radius_ext(dev
, apdev
, params
):
2156 check_fils_capa(dev
[0])
2157 check_erp_capa(dev
[0])
2159 bssid
= apdev
[0]['bssid']
2160 params
= hostapd
.wpa2_eap_params(ssid
="fils")
2161 params
['wpa_key_mgmt'] = "FILS-SHA256"
2162 params
['erp_domain'] = 'erp.example.com'
2163 params
['fils_realm'] = 'erp.example.com'
2164 params
['disable_pmksa_caching'] = '1'
2165 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
2167 dev
[0].scan_for_bss(bssid
, freq
=2412)
2168 dev
[0].request("ERP_FLUSH")
2169 id = dev
[0].connect("fils", key_mgmt
="FILS-SHA256",
2170 eap
="PWD", identity
="pwd@erp.example.com",
2171 password
="secret password",
2172 erp
="1", scan_freq
="2412")
2174 dev
[0].request("DISCONNECT")
2175 dev
[0].wait_disconnected()
2177 dev
[0].dump_monitor()
2178 dev
[0].select_network(id, freq
=2412)
2179 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED",
2180 "EVENT-ASSOC-REJECT",
2181 "CTRL-EVENT-CONNECTED"], timeout
=10)
2183 raise Exception("Connection using FILS/ERP timed out")
2184 if "CTRL-EVENT-EAP-STARTED" in ev
:
2185 raise Exception("Unexpected EAP exchange")
2186 if "EVENT-ASSOC-REJECT" in ev
:
2187 raise Exception("Association failed")
2188 hwsim_utils
.test_connectivity(dev
[0], hapd
)
2190 def test_fils_sk_erp_radius_roam(dev
, apdev
):
2191 """FILS SK/ERP and roaming with different AKM"""
2192 as_hapd
= hostapd
.Hostapd("as")
2195 as_hapd
.set("eap_server_erp", "1")
2196 as_hapd
.set("erp_domain", "example.com")
2198 run_fils_sk_erp_radius_roam(dev
, apdev
)
2201 as_hapd
.set("eap_server_erp", "0")
2202 as_hapd
.set("erp_domain", "")
2205 def run_fils_sk_erp_radius_roam(dev
, apdev
):
2206 check_fils_capa(dev
[0])
2207 check_erp_capa(dev
[0])
2209 bssid
= apdev
[0]['bssid']
2210 params
= hostapd
.wpa2_eap_params(ssid
="fils")
2211 params
['wpa_key_mgmt'] = "FILS-SHA256"
2212 params
['erp_domain'] = 'example.com'
2213 params
['fils_realm'] = 'example.com'
2214 params
['disable_pmksa_caching'] = '1'
2215 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
2217 dev
[0].scan_for_bss(bssid
, freq
=2412)
2218 dev
[0].request("ERP_FLUSH")
2219 id = dev
[0].connect("fils", key_mgmt
="FILS-SHA256 FILS-SHA384",
2220 eap
="PWD", identity
="erp-pwd@example.com",
2221 password
="secret password",
2222 erp
="1", scan_freq
="2412")
2224 bssid2
= apdev
[1]['bssid']
2225 params
= hostapd
.wpa2_eap_params(ssid
="fils")
2226 params
['wpa_key_mgmt'] = "FILS-SHA384"
2227 params
['erp_domain'] = 'example.com'
2228 params
['fils_realm'] = 'example.com'
2229 params
['disable_pmksa_caching'] = '1'
2230 hapd2
= hostapd
.add_ap(apdev
[1]['ifname'], params
)
2232 dev
[0].scan_for_bss(bssid2
, freq
=2412)
2234 dev
[0].dump_monitor()
2235 if "OK" not in dev
[0].request("ROAM " + bssid2
):
2236 raise Exception("ROAM failed")
2238 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED",
2239 "CTRL-EVENT-CONNECTED"], timeout
=10)
2241 raise Exception("Connection using PMKSA caching timed out")
2242 if "CTRL-EVENT-EAP-STARTED" in ev
:
2243 raise Exception("Unexpected EAP exchange")
2244 if bssid2
not in ev
:
2245 raise Exception("Failed to connect to the second AP")
2248 hwsim_utils
.test_connectivity(dev
[0], hapd2
)
2250 def test_fils_sk_erp_roam_diff_akm(dev
, apdev
, params
):
2251 """FILS SK using ERP and SHA256/SHA384 change in roam"""
2252 check_fils_capa(dev
[0])
2253 check_erp_capa(dev
[0])
2257 bssid
= apdev
[0]['bssid']
2258 params
= hostapd
.wpa2_eap_params(ssid
="fils")
2259 params
['wpa_key_mgmt'] = "FILS-SHA256"
2260 params
['auth_server_port'] = "18128"
2261 params
['erp_domain'] = 'example.com'
2262 params
['fils_realm'] = 'example.com'
2263 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
2265 dev
[0].scan_for_bss(bssid
, freq
=2412)
2266 dev
[0].request("ERP_FLUSH")
2267 id = dev
[0].connect("fils", key_mgmt
="FILS-SHA256 FILS-SHA384",
2268 eap
="PSK", identity
="psk.user@example.com",
2269 password_hex
="0123456789abcdef0123456789abcdef",
2270 erp
="1", scan_freq
="2412")
2271 dev
[0].request("DISCONNECT")
2272 dev
[0].wait_disconnected()
2273 dev
[0].request("RECONNECT")
2274 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED",
2275 "CTRL-EVENT-CONNECTED"], timeout
=10)
2277 raise Exception("Connection using FILS timed out")
2278 if "CTRL-EVENT-EAP-STARTED" in ev
:
2279 raise Exception("Unexpected EAP exchange")
2281 bssid2
= apdev
[1]['bssid']
2282 params
= hostapd
.wpa2_eap_params(ssid
="fils")
2283 params
['wpa_key_mgmt'] = "FILS-SHA256 FILS-SHA384"
2284 params
['auth_server_port'] = "18128"
2285 params
['erp_domain'] = 'example.com'
2286 params
['fils_realm'] = 'example.com'
2287 hapd2
= hostapd
.add_ap(apdev
[1]['ifname'], params
)
2289 dev
[0].scan_for_bss(bssid2
, freq
=2412)
2291 dev
[0].dump_monitor()
2292 if "OK" not in dev
[0].request("ROAM " + bssid2
):
2293 raise Exception("ROAM failed")
2295 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED",
2296 "CTRL-EVENT-CONNECTED"], timeout
=10)
2298 raise Exception("Roaming using FILS timed out")
2299 if "CTRL-EVENT-EAP-STARTED" in ev
:
2300 raise Exception("Unexpected EAP exchange")
2301 if bssid2
not in ev
:
2302 raise Exception("Failed to connect to the second AP")
2304 hwsim_utils
.test_connectivity(dev
[0], hapd2
)