1 # Test cases for FILS
2 # Copyright (c) 2015-2017, Qualcomm Atheros, Inc.
3 #
4 # This software may be distributed under the terms of the BSD license.
5 # See README for more details.
6
7 import binascii
8 import hashlib
9 import logging
10 logger = logging.getLogger()
11 import os
12 import socket
13 import struct
14 import time
15
16 import hostapd
17 from tshark import run_tshark
18 from wpasupplicant import WpaSupplicant
19 import hwsim_utils
20 from utils import HwsimSkip, alloc_fail
21 from test_erp import check_erp_capa, start_erp_as
22 from test_ap_hs20 import ip_checksum
23
def check_fils_capa(dev):
    """Skip the calling test unless *dev* reports FILS support.

    Raises:
        HwsimSkip: if the "fils" capability query returns None or a value
            that does not contain "FILS".
    """
    fils_capa = dev.get_capability("fils")
    if fils_capa is not None and "FILS" in fils_capa:
        return
    raise HwsimSkip("FILS not supported")
28
def check_fils_sk_pfs_capa(dev):
    """Skip the calling test unless *dev* reports FILS-SK-PFS support.

    Raises:
        HwsimSkip: if the "fils" capability query returns None or a value
            that does not contain "FILS-SK-PFS".
    """
    fils_capa = dev.get_capability("fils")
    if fils_capa is not None and "FILS-SK-PFS" in fils_capa:
        return
    raise HwsimSkip("FILS-SK-PFS not supported")
33
def test_fils_sk_full_auth(dev, apdev, params):
    """FILS SK full authentication"""
    # check_fils_capa() raises HwsimSkip when the station lacks FILS support;
    # check_erp_capa() comes from test_erp (presumably the matching ERP gate).
    check_fils_capa(dev[0])
    check_erp_capa(dev[0])

    # NOTE(review): msk_dump points at a file in the test log directory;
    # presumably the authentication server dumps MSKs there, which is only
    # acceptable for the fixed test credentials used below - confirm in
    # start_erp_as().
    start_erp_as(apdev[1], msk_dump=os.path.join(params['logdir'], "msk.lst"))

    bssid = apdev[0]['bssid']
    # "params" is rebound here: from this point on it is the hostapd
    # configuration, no longer the test context that carried 'logdir'.
    params = hostapd.wpa2_eap_params(ssid="fils")
    params['wpa_key_mgmt'] = "FILS-SHA256"
    params['auth_server_port'] = "18128"
    params['erp_send_reauth_start'] = '1'
    params['erp_domain'] = 'example.com'
    params['fils_realm'] = 'example.com'
    # Group rekey value of 1 so that the rekey wait below can use a 2 s timeout.
    params['wpa_group_rekey'] = '1'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    # The per-BSS entry has to advertise both FILS and the FILS-SHA256 AKM.
    dev[0].scan_for_bss(bssid, freq=2412)
    bss = dev[0].get_bss(bssid)
    logger.debug("BSS: " + str(bss))
    if "[FILS]" not in bss['flags']:
        raise Exception("[FILS] flag not indicated")
    if "[WPA2-FILS-SHA256-CCMP]" not in bss['flags']:
        raise Exception("[WPA2-FILS-SHA256-CCMP] flag not indicated")

    # The same two flags have to show up in the SCAN_RESULTS output as well.
    res = dev[0].request("SCAN_RESULTS")
    logger.debug("SCAN_RESULTS: " + res)
    if "[FILS]" not in res:
        raise Exception("[FILS] flag not indicated")
    if "[WPA2-FILS-SHA256-CCMP]" not in res:
        raise Exception("[WPA2-FILS-SHA256-CCMP] flag not indicated")

    # ERP state is flushed before connecting; the credential is the fixed
    # EAP-PSK test value from the public test suite, not a secret.
    dev[0].request("ERP_FLUSH")
    dev[0].connect("fils", key_mgmt="FILS-SHA256",
                   eap="PSK", identity="psk.user@example.com",
                   password_hex="0123456789abcdef0123456789abcdef",
                   erp="1", scan_freq="2412")
    hwsim_utils.test_connectivity(dev[0], hapd)

    # Data connectivity is re-checked once the group rekey has completed.
    ev = dev[0].wait_event(["WPA: Group rekeying completed"], timeout=2)
    if ev is None:
        raise Exception("GTK rekey timed out")
    hwsim_utils.test_connectivity(dev[0], hapd)

    # The AP has to report the configured AKM back in its running config.
    conf = hapd.get_config()
    if conf['key_mgmt'] != 'FILS-SHA256':
        raise Exception("Unexpected config key_mgmt: " + conf['key_mgmt'])
81
def test_fils_sk_sha384_full_auth(dev, apdev, params):
    """FILS SK full authentication (SHA384)"""
    # Capability gates; check_fils_capa() raises HwsimSkip without FILS.
    check_fils_capa(dev[0])
    check_erp_capa(dev[0])

    # NOTE(review): msk_dump names a file in the test log directory;
    # presumably MSKs are written there, so this relies on the credentials
    # being test fixtures - confirm in start_erp_as().
    start_erp_as(apdev[1], msk_dump=os.path.join(params['logdir'], "msk.lst"))

    bssid = apdev[0]['bssid']
    # "params" now becomes the hostapd configuration (the test context that
    # carried 'logdir' is no longer reachable under this name).
    params = hostapd.wpa2_eap_params(ssid="fils")
    params['wpa_key_mgmt'] = "FILS-SHA384"
    params['auth_server_port'] = "18128"
    params['erp_send_reauth_start'] = '1'
    params['erp_domain'] = 'example.com'
    params['fils_realm'] = 'example.com'
    # Group rekey value of 1 so that the rekey wait below can use a 2 s timeout.
    params['wpa_group_rekey'] = '1'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    # The per-BSS entry has to advertise both FILS and the FILS-SHA384 AKM.
    dev[0].scan_for_bss(bssid, freq=2412)
    bss = dev[0].get_bss(bssid)
    logger.debug("BSS: " + str(bss))
    if "[FILS]" not in bss['flags']:
        raise Exception("[FILS] flag not indicated")
    if "[WPA2-FILS-SHA384-CCMP]" not in bss['flags']:
        raise Exception("[WPA2-FILS-SHA384-CCMP] flag not indicated")

    # The same two flags have to show up in the SCAN_RESULTS output as well.
    res = dev[0].request("SCAN_RESULTS")
    logger.debug("SCAN_RESULTS: " + res)
    if "[FILS]" not in res:
        raise Exception("[FILS] flag not indicated")
    if "[WPA2-FILS-SHA384-CCMP]" not in res:
        raise Exception("[WPA2-FILS-SHA384-CCMP] flag not indicated")

    # Fixed EAP-PSK test credential from the public test suite, not a secret.
    dev[0].request("ERP_FLUSH")
    dev[0].connect("fils", key_mgmt="FILS-SHA384",
                   eap="PSK", identity="psk.user@example.com",
                   password_hex="0123456789abcdef0123456789abcdef",
                   erp="1", scan_freq="2412")
    hwsim_utils.test_connectivity(dev[0], hapd)

    # Data connectivity is re-checked once the group rekey has completed.
    ev = dev[0].wait_event(["WPA: Group rekeying completed"], timeout=2)
    if ev is None:
        raise Exception("GTK rekey timed out")
    hwsim_utils.test_connectivity(dev[0], hapd)

    # The AP has to report the configured AKM back in its running config.
    conf = hapd.get_config()
    if conf['key_mgmt'] != 'FILS-SHA384':
        raise Exception("Unexpected config key_mgmt: " + conf['key_mgmt'])
129
def test_fils_sk_pmksa_caching(dev, apdev, params):
    """FILS SK and PMKSA caching"""
    # Capability gates; check_fils_capa() raises HwsimSkip without FILS.
    check_fils_capa(dev[0])
    check_erp_capa(dev[0])

    # NOTE(review): msk_dump names a file in the test log directory;
    # presumably MSKs are written there - test fixtures only.
    start_erp_as(apdev[1], msk_dump=os.path.join(params['logdir'], "msk.lst"))

    bssid = apdev[0]['bssid']
    # "params" is rebound to the hostapd configuration from here on.
    params = hostapd.wpa2_eap_params(ssid="fils")
    params['wpa_key_mgmt'] = "FILS-SHA256"
    params['auth_server_port'] = "18128"
    params['erp_domain'] = 'example.com'
    params['fils_realm'] = 'example.com'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    # First connection: has to leave a PMKSA cache entry for this BSSID.
    dev[0].scan_for_bss(bssid, freq=2412)
    dev[0].request("ERP_FLUSH")
    id = dev[0].connect("fils", key_mgmt="FILS-SHA256",
                        eap="PSK", identity="psk.user@example.com",
                        password_hex="0123456789abcdef0123456789abcdef",
                        erp="1", scan_freq="2412")
    pmksa = dev[0].get_pmksa(bssid)
    if pmksa is None:
        raise Exception("No PMKSA cache entry created")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # Second connection: whichever of the two events arrives first decides the
    # outcome, so seeing CTRL-EVENT-EAP-STARTED means a new EAP exchange was
    # started instead of the cached entry being used.
    dev[0].dump_monitor()
    dev[0].select_network(id, freq=2412)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
                            "CTRL-EVENT-CONNECTED"], timeout=10)
    if ev is None:
        raise Exception("Connection using PMKSA caching timed out")
    if "CTRL-EVENT-EAP-STARTED" in ev:
        raise Exception("Unexpected EAP exchange")
    hwsim_utils.test_connectivity(dev[0], hapd)
    # The cache entry must still exist and carry the same PMKID as before.
    pmksa2 = dev[0].get_pmksa(bssid)
    if pmksa2 is None:
        raise Exception("No PMKSA cache entry found")
    if pmksa['pmkid'] != pmksa2['pmkid']:
        raise Exception("Unexpected PMKID change")

    # Verify EAPOL reauthentication after FILS authentication
    hapd.request("EAPOL_REAUTH " + dev[0].own_addr())
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)
    if ev is None:
        raise Exception("EAP authentication did not start")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=5)
    if ev is None:
        raise Exception("EAP authentication did not succeed")
    # Short pause before the final connectivity check (presumably to let the
    # keys from the reauthentication settle - confirm).
    time.sleep(0.1)
    hwsim_utils.test_connectivity(dev[0], hapd)
183
def test_fils_sk_pmksa_caching_ocv(dev, apdev, params):
    """FILS SK and PMKSA caching with OCV"""
    # Capability gates; check_fils_capa() raises HwsimSkip without FILS.
    check_fils_capa(dev[0])
    check_erp_capa(dev[0])

    # NOTE(review): msk_dump names a file in the test log directory;
    # presumably MSKs are written there - test fixtures only.
    start_erp_as(apdev[1], msk_dump=os.path.join(params['logdir'], "msk.lst"))

    bssid = apdev[0]['bssid']
    # "params" is rebound to the hostapd configuration from here on.
    params = hostapd.wpa2_eap_params(ssid="fils")
    params['wpa_key_mgmt'] = "FILS-SHA256"
    params['auth_server_port'] = "18128"
    params['erp_domain'] = 'example.com'
    params['fils_realm'] = 'example.com'
    # Management frame protection and OCV are both enabled on the AP; the
    # station side passes the same two settings to connect() below.
    params['ieee80211w'] = '1'
    params['ocv'] = '1'
    try:
        hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    except Exception as e:
        # A build without OCV is detected from the error text and turned into
        # a skip; every other failure is re-raised unchanged.
        # NOTE(review): this depends on the exact wording of the exception
        # message raised by hostapd.add_ap().
        if "Failed to set hostapd parameter ocv" in str(e):
            raise HwsimSkip("OCV not supported")
        raise

    # First connection: has to leave a PMKSA cache entry for this BSSID.
    dev[0].scan_for_bss(bssid, freq=2412)
    dev[0].request("ERP_FLUSH")
    id = dev[0].connect("fils", key_mgmt="FILS-SHA256",
                        eap="PSK", identity="psk.user@example.com",
                        password_hex="0123456789abcdef0123456789abcdef",
                        erp="1", scan_freq="2412", ieee80211w="1", ocv="1")
    pmksa = dev[0].get_pmksa(bssid)
    if pmksa is None:
        raise Exception("No PMKSA cache entry created")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # Second connection: CTRL-EVENT-EAP-STARTED arriving first means a new EAP
    # exchange was started instead of the cached entry being used.
    dev[0].dump_monitor()
    dev[0].select_network(id, freq=2412)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
                            "CTRL-EVENT-CONNECTED"], timeout=10)
    if ev is None:
        raise Exception("Connection using PMKSA caching timed out")
    if "CTRL-EVENT-EAP-STARTED" in ev:
        raise Exception("Unexpected EAP exchange")
    hwsim_utils.test_connectivity(dev[0], hapd)
    # The cache entry must still exist and carry the same PMKID as before.
    pmksa2 = dev[0].get_pmksa(bssid)
    if pmksa2 is None:
        raise Exception("No PMKSA cache entry found")
    if pmksa['pmkid'] != pmksa2['pmkid']:
        raise Exception("Unexpected PMKID change")

    # Verify EAPOL reauthentication after FILS authentication
    hapd.request("EAPOL_REAUTH " + dev[0].own_addr())
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)
    if ev is None:
        raise Exception("EAP authentication did not start")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=5)
    if ev is None:
        raise Exception("EAP authentication did not succeed")
    # Short pause before the final connectivity check (presumably to let the
    # keys from the reauthentication settle - confirm).
    time.sleep(0.1)
    hwsim_utils.test_connectivity(dev[0], hapd)
244
def test_fils_sk_pmksa_caching_and_cache_id(dev, apdev):
    """FILS SK and PMKSA caching with Cache Identifier"""
    # Capability gates; check_fils_capa() raises HwsimSkip without FILS.
    check_fils_capa(dev[0])
    check_erp_capa(dev[0])

    # First AP: besides being the FILS AP it is configured with
    # eap_server/radius_server_* settings on port 18128, the same port it
    # (and the second AP below) uses as auth_server_port. No separate
    # start_erp_as() call is made in this test.
    bssid = apdev[0]['bssid']
    params = hostapd.wpa2_eap_params(ssid="fils")
    params['wpa_key_mgmt'] = "FILS-SHA256"
    params['auth_server_port'] = "18128"
    params['erp_domain'] = 'example.com'
    params['fils_realm'] = 'example.com'
    params['fils_cache_id'] = "abcd"
    params["radius_server_clients"] = "auth_serv/radius_clients.conf"
    params["radius_server_auth_port"] = '18128'
    params["eap_server"] = "1"
    params["eap_user_file"] = "auth_serv/eap_user.conf"
    # Certificate, key and key-like values below are fixtures shipped with the
    # test suite; none of them is a secret.
    params["ca_cert"] = "auth_serv/ca.pem"
    params["server_cert"] = "auth_serv/server.pem"
    params["private_key"] = "auth_serv/server.key"
    params["eap_sim_db"] = "unix:/tmp/hlr_auc_gw.sock"
    params["dh_file"] = "auth_serv/dh.conf"
    params["pac_opaque_encr_key"] = "000102030405060708090a0b0c0d0e0f"
    params["eap_fast_a_id"] = "101112131415161718191a1b1c1d1e1f"
    params["eap_fast_a_id_info"] = "test server"
    params["eap_server_erp"] = "1"
    params["erp_domain"] = "example.com"
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    # First connection: the resulting PMKSA entry has to list the configured
    # FILS Cache Identifier.
    dev[0].scan_for_bss(bssid, freq=2412)
    dev[0].request("ERP_FLUSH")
    id = dev[0].connect("fils", key_mgmt="FILS-SHA256",
                        eap="PSK", identity="psk.user@example.com",
                        password_hex="0123456789abcdef0123456789abcdef",
                        erp="1", scan_freq="2412")
    res = dev[0].request("PMKSA")
    if "FILS Cache Identifier" not in res:
        raise Exception("PMKSA list does not include FILS Cache Identifier")
    pmksa = dev[0].get_pmksa(bssid)
    if pmksa is None:
        raise Exception("No PMKSA cache entry created")
    if "cache_id" not in pmksa:
        raise Exception("No FILS Cache Identifier listed")
    if pmksa["cache_id"] != "abcd":
        raise Exception("The configured FILS Cache Identifier not seen in PMKSA")

    # Second AP: same SSID and the same Cache Identifier "abcd".
    bssid2 = apdev[1]['bssid']
    params = hostapd.wpa2_eap_params(ssid="fils")
    params['wpa_key_mgmt'] = "FILS-SHA256"
    params['auth_server_port'] = "18128"
    params['erp_domain'] = 'example.com'
    params['fils_realm'] = 'example.com'
    params['fils_cache_id'] = "abcd"
    hapd2 = hostapd.add_ap(apdev[1]['ifname'], params)

    dev[0].scan_for_bss(bssid2, freq=2412)

    dev[0].dump_monitor()
    if "OK" not in dev[0].request("ROAM " + bssid2):
        raise Exception("ROAM failed")

    # The roam has to complete on the second AP without an EAP exchange.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
                            "CTRL-EVENT-CONNECTED"], timeout=10)
    if ev is None:
        raise Exception("Connection using PMKSA caching timed out")
    if "CTRL-EVENT-EAP-STARTED" in ev:
        raise Exception("Unexpected EAP exchange")
    if bssid2 not in ev:
        raise Exception("Failed to connect to the second AP")

    hwsim_utils.test_connectivity(dev[0], hapd2)
    # No cache entry may have been added for the second BSSID, and the entry
    # for the first BSSID has to be retained with an unchanged PMKID.
    pmksa2 = dev[0].get_pmksa(bssid2)
    if pmksa2:
        raise Exception("Unexpected extra PMKSA cache added")
    pmksa2 = dev[0].get_pmksa(bssid)
    if not pmksa2:
        raise Exception("Original PMKSA cache entry removed")
    if pmksa['pmkid'] != pmksa2['pmkid']:
        raise Exception("Unexpected PMKID change")
323
def test_fils_sk_pmksa_caching_ctrl_ext(dev, apdev, params):
    """FILS SK and PMKSA caching with Cache Identifier and external management"""
    # Capability gates; check_fils_capa() raises HwsimSkip without FILS.
    check_fils_capa(dev[0])
    check_erp_capa(dev[0])

    # The authentication server handle is kept so it can be disabled later.
    # NOTE(review): msk_dump names a file in the test log directory;
    # presumably MSKs are written there - test fixtures only.
    hapd_as = start_erp_as(apdev[1],
                           msk_dump=os.path.join(params['logdir'], "msk.lst"))

    bssid = apdev[0]['bssid']
    # "params" is rebound to the hostapd configuration from here on.
    params = hostapd.wpa2_eap_params(ssid="fils")
    params['wpa_key_mgmt'] = "FILS-SHA384"
    params['auth_server_port'] = "18128"
    params['erp_send_reauth_start'] = '1'
    params['erp_domain'] = 'example.com'
    params['fils_realm'] = 'example.com'
    params['fils_cache_id'] = "ffee"
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    dev[0].scan_for_bss(bssid, freq=2412)
    dev[0].request("ERP_FLUSH")
    id = dev[0].connect("fils", key_mgmt="FILS-SHA384",
                        eap="PSK", identity="psk.user@example.com",
                        password_hex="0123456789abcdef0123456789abcdef",
                        erp="1", scan_freq="2412")

    # Export the PMKSA cache entries of this network over the control
    # interface.
    # NOTE(review): the export is written to the test log at INFO level; it
    # presumably contains the PMK itself, which is tolerable only because the
    # credentials are test fixtures - confirm the PMKSA_GET output format.
    res1 = dev[0].request("PMKSA_GET %d" % id)
    logger.info("PMKSA_GET: " + res1)
    if "UNKNOWN COMMAND" in res1:
        raise HwsimSkip("PMKSA_GET not supported in the build")
    if bssid not in res1:
        raise Exception("PMKSA cache entry missing")
    if "ffee" not in res1:
        raise Exception("FILS Cache Identifier not seen in PMKSA cache entry")

    # Disable the authentication server before reconnecting.
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    hapd_as.disable()

    # Drop all locally cached PMKSA and ERP state, then re-add the exported
    # entries line by line through PMKSA_ADD.
    dev[0].scan_for_bss(bssid, freq=2412)
    dev[0].request("PMKSA_FLUSH")
    dev[0].request("ERP_FLUSH")
    for entry in res1.splitlines():
        if "OK" not in dev[0].request("PMKSA_ADD %d %s" % (id, entry)):
            raise Exception("Failed to add PMKSA entry")

    # Second AP on apdev[1] with the same Cache Identifier "ffee".
    bssid2 = apdev[1]['bssid']
    params = hostapd.wpa2_eap_params(ssid="fils")
    params['wpa_key_mgmt'] = "FILS-SHA384"
    params['auth_server_port'] = "18128"
    params['erp_send_reauth_start'] = '1'
    params['erp_domain'] = 'example.com'
    params['fils_realm'] = 'example.com'
    params['fils_cache_id'] = "ffee"
    hapd2 = hostapd.add_ap(apdev[1]['ifname'], params)

    # Pin the network to the second BSSID; the connection event has to name it.
    dev[0].scan_for_bss(bssid2, freq=2412)
    dev[0].set_network(id, "bssid", bssid2)
    dev[0].select_network(id, freq=2412)
    ev = dev[0].wait_connected()
    if bssid2 not in ev:
        raise Exception("Unexpected BSS selected")
385
def test_fils_sk_erp(dev, apdev, params):
    """FILS SK using ERP"""
    # Shared scenario, run with the SHA-256 based FILS AKM.
    run_fils_sk_erp(dev, apdev, key_mgmt="FILS-SHA256", params=params)
389
def test_fils_sk_erp_sha384(dev, apdev, params):
    """FILS SK using ERP and SHA384"""
    # Shared scenario, run with the SHA-384 based FILS AKM.
    run_fils_sk_erp(dev, apdev, key_mgmt="FILS-SHA384", params=params)
393
def run_fils_sk_erp(dev, apdev, key_mgmt, params):
    """Run the FILS shared key ERP scenario for one key management value.

    The station connects to a FILS AP that has PMKSA caching disabled,
    disconnects, and reselects the network. The second connection has to
    reach CTRL-EVENT-CONNECTED without an EAP exchange being started and
    without an association rejection.

    Args:
        dev: station list; only dev[0] is used.
        apdev: AP descriptors; apdev[0] hosts the FILS AP and apdev[1] is
            handed to start_erp_as().
        key_mgmt: key management value used on both the AP and the station.
        params: test context; only params['logdir'] is read.

    Raises:
        Exception: on timeout, unexpected EAP exchange or association failure.
    """
    sta = dev[0]
    check_fils_capa(sta)
    check_erp_capa(sta)

    msk_file = os.path.join(params['logdir'], "msk.lst")
    start_erp_as(apdev[1], msk_dump=msk_file)

    bssid = apdev[0]['bssid']
    ap_conf = hostapd.wpa2_eap_params(ssid="fils")
    for name, value in (('wpa_key_mgmt', key_mgmt),
                        ('auth_server_port', "18128"),
                        ('erp_domain', 'example.com'),
                        ('fils_realm', 'example.com'),
                        ('disable_pmksa_caching', '1')):
        ap_conf[name] = value
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_conf)

    # Initial connection with the fixed EAP-PSK test credential.
    sta.scan_for_bss(bssid, freq=2412)
    sta.request("ERP_FLUSH")
    net_id = sta.connect("fils", key_mgmt=key_mgmt,
                         eap="PSK", identity="psk.user@example.com",
                         password_hex="0123456789abcdef0123456789abcdef",
                         erp="1", scan_freq="2412")

    sta.request("DISCONNECT")
    sta.wait_disconnected()

    # Reconnect; the first of the three events to arrive decides the outcome.
    sta.dump_monitor()
    sta.select_network(net_id, freq=2412)
    event = sta.wait_event(["CTRL-EVENT-EAP-STARTED",
                            "EVENT-ASSOC-REJECT",
                            "CTRL-EVENT-CONNECTED"], timeout=10)
    if event is None:
        raise Exception("Connection using FILS/ERP timed out")
    failures = (("CTRL-EVENT-EAP-STARTED", "Unexpected EAP exchange"),
                ("EVENT-ASSOC-REJECT", "Association failed"))
    for marker, problem in failures:
        if marker in event:
            raise Exception(problem)
    hwsim_utils.test_connectivity(sta, hapd)
432
def test_fils_sk_erp_followed_by_pmksa_caching(dev, apdev, params):
    """FILS SK ERP following by PMKSA caching"""
    sta = dev[0]
    check_fils_capa(sta)
    check_erp_capa(sta)

    msk_file = os.path.join(params['logdir'], "msk.lst")
    start_erp_as(apdev[1], msk_dump=msk_file)

    bssid = apdev[0]['bssid']
    ap_conf = hostapd.wpa2_eap_params(ssid="fils")
    for name, value in (('wpa_key_mgmt', "FILS-SHA256"),
                        ('auth_server_port', "18128"),
                        ('erp_domain', 'example.com'),
                        ('fils_realm', 'example.com')):
        ap_conf[name] = value
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_conf)

    def reconnect_without_eap(timeout_error):
        # Reselect the network and require that it connects without a new
        # EAP exchange and without an association rejection.
        sta.dump_monitor()
        sta.select_network(net_id, freq=2412)
        event = sta.wait_event(["CTRL-EVENT-EAP-STARTED",
                                "EVENT-ASSOC-REJECT",
                                "CTRL-EVENT-CONNECTED"], timeout=10)
        if event is None:
            raise Exception(timeout_error)
        if "CTRL-EVENT-EAP-STARTED" in event:
            raise Exception("Unexpected EAP exchange")
        if "EVENT-ASSOC-REJECT" in event:
            raise Exception("Association failed")
        hwsim_utils.test_connectivity(sta, hapd)

    # First connection: full authentication with the fixed test credential.
    sta.scan_for_bss(bssid, freq=2412)
    sta.request("ERP_FLUSH")
    net_id = sta.connect("fils", key_mgmt="FILS-SHA256",
                         eap="PSK", identity="psk.user@example.com",
                         password_hex="0123456789abcdef0123456789abcdef",
                         erp="1", scan_freq="2412")

    sta.request("DISCONNECT")
    sta.wait_disconnected()

    # Second connection: the PMKSA entry is deleted first so that ERP has to
    # be used.
    sta.request("PMKSA_FLUSH")
    reconnect_without_eap("Connection using FILS/ERP timed out")

    first_entry = sta.get_pmksa(bssid)
    if first_entry is None:
        raise Exception("No PMKSA cache entry created")

    sta.request("DISCONNECT")
    sta.wait_disconnected()

    # Third connection: expected to use PMKSA caching for FILS
    # authentication, leaving the PMKID unchanged.
    reconnect_without_eap("Connection using PMKSA caching timed out")

    second_entry = sta.get_pmksa(bssid)
    if second_entry is None:
        raise Exception("No PMKSA cache entry found")
    if first_entry['pmkid'] != second_entry['pmkid']:
        raise Exception("Unexpected PMKID change")
501
def test_fils_sk_erp_another_ssid(dev, apdev, params):
    """FILS SK using ERP and roam to another SSID"""
    sta = dev[0]
    check_fils_capa(sta)
    check_erp_capa(sta)

    msk_file = os.path.join(params['logdir'], "msk.lst")
    start_erp_as(apdev[1], msk_dump=msk_file)

    def fils_ap_conf(ssid):
        # Both APs in this test share everything except the SSID.
        conf = hostapd.wpa2_eap_params(ssid=ssid)
        conf['wpa_key_mgmt'] = "FILS-SHA256"
        conf['auth_server_port'] = "18128"
        conf['erp_domain'] = 'example.com'
        conf['fils_realm'] = 'example.com'
        conf['disable_pmksa_caching'] = '1'
        return conf

    bssid = apdev[0]['bssid']
    hapd = hostapd.add_ap(apdev[0]['ifname'], fils_ap_conf("fils"))

    # Full authentication against the first SSID with the fixed test
    # credential.
    sta.scan_for_bss(bssid, freq=2412)
    sta.request("ERP_FLUSH")
    sta.connect("fils", key_mgmt="FILS-SHA256",
                eap="PSK", identity="psk.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef",
                erp="1", scan_freq="2412")

    # Tear the first AP down and clear scan and PMKSA state on the station.
    sta.request("DISCONNECT")
    sta.wait_disconnected()
    hapd.disable()
    sta.flush_scan_cache()
    flush_result = sta.request("PMKSA_FLUSH")
    if "FAIL" in flush_result:
        raise Exception("PMKSA_FLUSH failed")

    # Same radio and BSSID, different SSID.
    hapd = hostapd.add_ap(apdev[0]['ifname'], fils_ap_conf("fils2"))

    sta.scan_for_bss(bssid, freq=2412)
    sta.dump_monitor()
    sta.connect("fils2", key_mgmt="FILS-SHA256",
                eap="PSK", identity="psk.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef",
                erp="1", scan_freq="2412", wait_connect=False)

    # The connection to the new SSID has to complete without an EAP exchange
    # and without an association rejection.
    event = sta.wait_event(["CTRL-EVENT-EAP-STARTED",
                            "EVENT-ASSOC-REJECT",
                            "CTRL-EVENT-CONNECTED"], timeout=10)
    if event is None:
        raise Exception("Connection using FILS/ERP timed out")
    for marker, problem in (("CTRL-EVENT-EAP-STARTED", "Unexpected EAP exchange"),
                            ("EVENT-ASSOC-REJECT", "Association failed")):
        if marker in event:
            raise Exception(problem)
    hwsim_utils.test_connectivity(sta, hapd)
557
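def test_fils_sk_multiple_realms(dev, apdev, params):
    """FILS SK and multiple realms"""
    # Capability gates; check_fils_capa() raises HwsimSkip without FILS.
    check_fils_capa(dev[0])
    check_erp_capa(dev[0])

    # NOTE(review): msk_dump names a file in the test log directory;
    # presumably MSKs are written there - test fixtures only.
    start_erp_as(apdev[1], msk_dump=os.path.join(params['logdir'], "msk.lst"))

    bssid = apdev[0]['bssid']
    # "params" is rebound to the hostapd configuration from here on.
    params = hostapd.wpa2_eap_params(ssid="fils")
    params['wpa_key_mgmt'] = "FILS-SHA256"
    params['auth_server_port'] = "18128"
    params['erp_domain'] = 'example.com'
    # 17 realms; one is written in mixed case and the realm the station
    # actually uses ('example.com') sits in the middle of the list.
    fils_realms = ['r1.example.org', 'r2.EXAMPLE.org', 'r3.example.org',
                   'r4.example.org', 'r5.example.org', 'r6.example.org',
                   'r7.example.org', 'r8.example.org',
                   'example.com',
                   'r9.example.org', 'r10.example.org', 'r11.example.org',
                   'r12.example.org', 'r13.example.org', 'r14.example.org',
                   'r15.example.org', 'r16.example.org']
    params['fils_realm'] = fils_realms
    params['fils_cache_id'] = "1234"
    params['hessid'] = bssid
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    dev[0].scan_for_bss(bssid, freq=2412)

    # ANQP query for Info ID 275; its result is checked below through the
    # 'anqp_fils_realm_info' BSS field.
    if "OK" not in dev[0].request("ANQP_GET " + bssid + " 275"):
        raise Exception("ANQP_GET command failed")
    ev = dev[0].wait_event(["GAS-QUERY-DONE"], timeout=10)
    if ev is None:
        raise Exception("GAS query timed out")
    bss = dev[0].get_bss(bssid)

    if 'fils_info' not in bss:
        raise Exception("FILS Indication element information missing")
    if bss['fils_info'] != '02b8':
        raise Exception("Unexpected FILS Information: " + bss['fils_info'])

    if 'fils_cache_id' not in bss:
        raise Exception("FILS Cache Identifier missing")
    if bss['fils_cache_id'] != '1234':
        raise Exception("Unexpected FILS Cache Identifier: " + bss['fils_cache_id'])

    # Expected realm identifier: first two octets of SHA-256 over the
    # lower-cased realm, as hex text. The realm is encoded before hashing and
    # the hexlify() result decoded afterwards so that this also works on
    # Python 3, where hashlib rejects str input and hexlify() returns bytes.
    realm_hashes = []
    for realm in fils_realms:
        digest = hashlib.sha256(realm.lower().encode()).digest()
        realm_hashes.append(binascii.hexlify(digest[0:2]).decode())

    if 'fils_realms' not in bss:
        raise Exception("FILS Realm Identifiers missing")
    # Only the first seven realm hashes are expected in the BSS entry.
    expected = ''.join(realm_hashes[:7])
    if bss['fils_realms'] != expected:
        raise Exception("Unexpected FILS Realm Identifiers: " + bss['fils_realms'])

    if 'anqp_fils_realm_info' not in bss:
        raise Exception("FILS Realm Information ANQP-element not seen")
    info = bss['anqp_fils_realm_info']
    # The ANQP-element is expected to carry the hashes of all realms.
    expected = ''.join(realm_hashes)
    if info != expected:
        raise Exception("Unexpected FILS Realm Info ANQP-element: " + info)

    # Full authentication first, using the fixed EAP-PSK test credential.
    dev[0].request("ERP_FLUSH")
    net_id = dev[0].connect("fils", key_mgmt="FILS-SHA256",
                            eap="PSK", identity="psk.user@example.com",
                            password_hex="0123456789abcdef0123456789abcdef",
                            erp="1", scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # The reconnection has to succeed without an EAP exchange and without an
    # association rejection.
    dev[0].dump_monitor()
    dev[0].select_network(net_id, freq=2412)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
                            "EVENT-ASSOC-REJECT",
                            "CTRL-EVENT-CONNECTED"], timeout=10)
    if ev is None:
        raise Exception("Connection using FILS/ERP timed out")
    if "CTRL-EVENT-EAP-STARTED" in ev:
        raise Exception("Unexpected EAP exchange")
    if "EVENT-ASSOC-REJECT" in ev:
        raise Exception("Association failed")
    hwsim_utils.test_connectivity(dev[0], hapd)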
645
# DHCP message op codes
BOOTREQUEST = 1
BOOTREPLY = 2

# DHCP option codes used when building and checking messages
OPT_PAD = 0
OPT_DHCP_MESSAGE_TYPE = 53
OPT_RAPID_COMMIT = 80
OPT_END = 255

# Values carried in the DHCP Message Type option
DHCPDISCOVER = 1
DHCPOFFER = 2
DHCPREQUEST = 3
DHCPDECLINE = 4
DHCPACK = 5
DHCPNAK = 6
DHCPRELEASE = 7
DHCPINFORM = 8
663
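def build_dhcp(req, dhcp_msg, chaddr, giaddr="0.0.0.0",
               ip_src="0.0.0.0", ip_dst="255.255.255.255",
               rapid_commit=True, override_op=None, magic_override=None,
               opt_end=True, extra_op=None):
    """Build an EtherType + IPv4 + UDP + DHCP frame for the FILS HLP tests.

    All constant parts are byte-string literals so that they can be
    concatenated with the output of struct.pack(), socket.inet_pton() and
    binascii.unhexlify() on Python 3 as well as on Python 2.

    Args:
        req: True builds a BOOTREQUEST (UDP 68 -> 67), False a BOOTREPLY
            (UDP 67 -> 68).
        dhcp_msg: value for the DHCP Message Type option, or None to leave
            the option out.
        chaddr: client hardware address as colon-separated hex text.
        giaddr: relay agent address, dotted quad.
        ip_src: IPv4 source address, dotted quad.
        ip_dst: IPv4 destination address, dotted quad.
        rapid_commit: add the Rapid Commit option when true.
        override_op: if not None, replaces the op value chosen from req.
        magic_override: if not None, byte string used in place of the DHCP
            magic cookie.
        opt_end: append the End option when true.
        extra_op: raw option bytes appended before the End option.

    Returns:
        Byte string: 2-octet EtherType, 20-octet IPv4 header, 8-octet UDP
        header (checksum field left at zero) and the DHCP message.
    """
    proto = b'\x08\x00'  # IPv4
    _ip_src = socket.inet_pton(socket.AF_INET, ip_src)
    _ip_dst = socket.inet_pton(socket.AF_INET, ip_dst)

    _ciaddr = b'\x00\x00\x00\x00'
    _yiaddr = b'\x00\x00\x00\x00'
    _siaddr = b'\x00\x00\x00\x00'
    _giaddr = socket.inet_pton(socket.AF_INET, giaddr)
    # 6-octet hardware address padded with zeros to the 16-octet chaddr field
    _chaddr = binascii.unhexlify(chaddr.replace(':', '')) + 10 * b'\x00'
    htype = 1  # Hardware address type; 1 = Ethernet
    hlen = 6  # Hardware address length
    hops = 0
    xid = 123456
    secs = 0
    flags = 0
    if req:
        op = BOOTREQUEST
        src_port = 68
        dst_port = 67
    else:
        op = BOOTREPLY
        src_port = 67
        dst_port = 68
    if override_op is not None:
        op = override_op
    payload = struct.pack('>BBBBLHH', op, htype, hlen, hops, xid, secs, flags)
    sname = 64 * b'\x00'
    boot_file = 128 * b'\x00'
    payload += _ciaddr + _yiaddr + _siaddr + _giaddr + _chaddr + sname + boot_file
    # magic - DHCP
    if magic_override is not None:
        payload += magic_override
    else:
        payload += b'\x63\x82\x53\x63'
    # Option: DHCP Message Type
    if dhcp_msg is not None:
        payload += struct.pack('BBB', OPT_DHCP_MESSAGE_TYPE, 1, dhcp_msg)
    if rapid_commit:
        # Option: Rapid Commit
        payload += struct.pack('BB', OPT_RAPID_COMMIT, 0)
    if extra_op:
        payload += extra_op
    # End Option
    if opt_end:
        payload += struct.pack('B', OPT_END)

    udp = struct.pack('>HHHH', src_port, dst_port,
                      8 + len(payload), 0) + payload

    tot_len = 20 + len(udp)
    start = struct.pack('>BBHHBBBB', 0x45, 0, tot_len, 0, 0, 0, 128, 17)
    # The checksum is computed over the header with a zeroed checksum field
    # and then spliced in.
    # NOTE(review): assumes ip_checksum() returns the two checksum octets as
    # a byte string - confirm in test_ap_hs20.
    ipv4 = start + b'\x00\x00' + _ip_src + _ip_dst
    csum = ip_checksum(ipv4)
    ipv4 = start + csum + _ip_src + _ip_dst

    return proto + ipv4 + udp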
724
def fils_hlp_config(fils_hlp_wait_time=10000):
    """Return the hostapd configuration shared by the FILS HLP tests.

    Starts from hostapd.wpa2_eap_params(ssid="fils") and sets FILS-SHA256,
    the authentication server port, ERP domain and FILS realm, disables PMKSA
    caching, and points the AP at a DHCP server on 127.0.0.2 with 127.0.0.3
    as its own address.

    Args:
        fils_hlp_wait_time: stored as a string under 'fils_hlp_wait_time'.
    """
    conf = hostapd.wpa2_eap_params(ssid="fils")
    settings = (
        ('wpa_key_mgmt', "FILS-SHA256"),
        ('auth_server_port', "18128"),
        ('erp_domain', 'example.com'),
        ('fils_realm', 'example.com'),
        ('disable_pmksa_caching', '1'),
        ('own_ip_addr', '127.0.0.3'),
        ('dhcp_server', '127.0.0.2'),
        ('fils_hlp_wait_time', str(fils_hlp_wait_time)),
    )
    for name, value in settings:
        conf[name] = value
    return conf
736
def test_fils_sk_hlp(dev, apdev, params):
    """FILS SK HLP (rapid commit server)"""
    # The scripted DHCP server answers the first message directly with an ACK.
    run_fils_sk_hlp(dev, apdev, rapid_commit_server=True, params=params)
740
def test_fils_sk_hlp_no_rapid_commit(dev, apdev, params):
    """FILS SK HLP (no rapid commit server)"""
    # The scripted DHCP server goes through OFFER and then ACK.
    run_fils_sk_hlp(dev, apdev, rapid_commit_server=False, params=params)
744
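def run_fils_sk_hlp(dev, apdev, rapid_commit_server, params):
    """Run the FILS HLP scenario against a scripted DHCP server.

    A UDP socket bound to 127.0.0.2:67 plays the DHCP server that the AP is
    configured to use. After an initial full authentication the station
    reconnects with pending HLP requests, the scripted server answers, and
    the HLP response reported by the station is checked down to the DHCPACK
    message type.

    Compared with the earlier form of this helper, the socket is now closed
    on every exit path and byte/text handling is explicit so the checks also
    hold on Python 3.

    Args:
        dev: station list; only dev[0] is used.
        apdev: AP descriptors; apdev[0] hosts the FILS AP and apdev[1] is
            handed to start_erp_as().
        rapid_commit_server: True answers the first DHCP message with an ACK;
            False enables dhcp_rapid_commit_proxy on the AP and answers with
            OFFER followed by ACK.
        params: test context; only params['logdir'] is read.

    Raises:
        Exception: when a control interface command or a check on the HLP
            response fails.
    """
    check_fils_capa(dev[0])
    check_erp_capa(dev[0])

    start_erp_as(apdev[1], msk_dump=os.path.join(params['logdir'], "msk.lst"))

    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    try:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.settimeout(5)
        sock.bind(("127.0.0.2", 67))

        bssid = apdev[0]['bssid']
        # "params" is rebound to the hostapd configuration from here on.
        params = fils_hlp_config()
        params['fils_hlp_wait_time'] = '10000'
        if not rapid_commit_server:
            params['dhcp_rapid_commit_proxy'] = '1'
        hapd = hostapd.add_ap(apdev[0]['ifname'], params)

        dev[0].scan_for_bss(bssid, freq=2412)
        dev[0].request("ERP_FLUSH")
        if "OK" not in dev[0].request("FILS_HLP_REQ_FLUSH"):
            raise Exception("Failed to flush pending FILS HLP requests")
        # Malformed FILS_HLP_REQ_ADD arguments have to be rejected.
        tests = ["",
                 "q",
                 "ff:ff:ff:ff:ff:ff",
                 "ff:ff:ff:ff:ff:ff q"]
        for t in tests:
            if "FAIL" not in dev[0].request("FILS_HLP_REQ_ADD " + t):
                raise Exception("Invalid FILS_HLP_REQ_ADD accepted: " + t)
        dhcpdisc = build_dhcp(req=True, dhcp_msg=DHCPDISCOVER,
                              chaddr=dev[0].own_addr())
        # Well-formed requests have to be accepted. hexlify() returns bytes
        # on Python 3, so its result is decoded before being joined into the
        # command text.
        tests = ["ff:ff:ff:ff:ff:ff aabb",
                 "ff:ff:ff:ff:ff:ff " + 255*'cc',
                 hapd.own_addr() + " ddee010203040506070809",
                 "ff:ff:ff:ff:ff:ff " + binascii.hexlify(dhcpdisc).decode()]
        for t in tests:
            if "OK" not in dev[0].request("FILS_HLP_REQ_ADD " + t):
                raise Exception("FILS_HLP_REQ_ADD failed: " + t)
        net_id = dev[0].connect("fils", key_mgmt="FILS-SHA256",
                                eap="PSK", identity="psk.user@example.com",
                                password_hex="0123456789abcdef0123456789abcdef",
                                erp="1", scan_freq="2412")

        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()

        dev[0].dump_monitor()
        dev[0].select_network(net_id, freq=2412)

        # Scripted DHCP server. build_dhcp() returns EtherType + IPv4 + UDP +
        # DHCP; only the DHCP part ([2+20+8:]) is sent on the UDP socket.
        (msg, addr) = sock.recvfrom(1000)
        logger.debug("Received DHCP message from %s" % str(addr))
        if rapid_commit_server:
            # TODO: Proper rapid commit response
            reply = build_dhcp(req=False, dhcp_msg=DHCPACK,
                               chaddr=dev[0].own_addr(), giaddr="127.0.0.3")
            sock.sendto(reply[2+20+8:], addr)
        else:
            reply = build_dhcp(req=False, dhcp_msg=DHCPOFFER,
                               rapid_commit=False,
                               chaddr=dev[0].own_addr(), giaddr="127.0.0.3")
            sock.sendto(reply[2+20+8:], addr)
            (msg, addr) = sock.recvfrom(1000)
            logger.debug("Received DHCP message from %s" % str(addr))
            reply = build_dhcp(req=False, dhcp_msg=DHCPACK, rapid_commit=False,
                               chaddr=dev[0].own_addr(), giaddr="127.0.0.3")
            sock.sendto(reply[2+20+8:], addr)
        ev = dev[0].wait_event(["FILS-HLP-RX"], timeout=10)
        if ev is None:
            raise Exception("FILS HLP response not reported")
        # The fourth space-separated field of the event is read as name=hex
        # and holds the received frame.
        vals = ev.split(' ')
        frame = binascii.unhexlify(vals[3].split('=')[1])
        proto, = struct.unpack('>H', frame[0:2])
        if proto != 0x0800:
            raise Exception("Unexpected ethertype in HLP response: %d" % proto)
        frame = frame[2:]
        ip = frame[0:20]
        # NOTE(review): assumes ip_checksum() returns the two checksum octets
        # as a byte string - confirm in test_ap_hs20.
        if ip_checksum(ip) != b'\x00\x00':
            raise Exception("IP header checksum mismatch in HLP response")
        frame = frame[20:]
        udp = frame[0:8]
        frame = frame[8:]
        sport, dport, _ulen, _ucheck = struct.unpack('>HHHH', udp)
        if sport != 67 or dport != 68:
            raise Exception("Unexpected UDP port in HLP response")
        # The fixed DHCP header fields are not inspected; unpacking them still
        # raises struct.error if the response is truncated.
        struct.unpack('>4BL2H4L', frame[0:28])
        # Skip the fixed header, chaddr (16), sname (64) and file (128).
        options = frame[28 + 16 + 64 + 128:]
        if options[0:4] != b'\x63\x82\x53\x63':
            raise Exception("No DHCP magic seen in HLP response")
        options = options[4:]
        # TODO: fully parse and validate DHCPACK options
        if struct.pack('BBB', OPT_DHCP_MESSAGE_TYPE, 1, DHCPACK) not in options:
            raise Exception("DHCPACK not in HLP response")

        dev[0].wait_connected()

        dev[0].request("FILS_HLP_REQ_FLUSH")
    finally:
        # Without this a failing check leaves the socket bound to
        # 127.0.0.2:67 for as long as the traceback keeps this frame alive,
        # where it could receive datagrams meant for a later test.
        sock.close()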
848
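def test_fils_sk_hlp_timeout(dev, apdev, params):
    """FILS SK HLP (rapid commit server timeout)"""
    # Capability gates; check_fils_capa() raises HwsimSkip without FILS.
    check_fils_capa(dev[0])
    check_erp_capa(dev[0])

    start_erp_as(apdev[1], msk_dump=os.path.join(params['logdir'], "msk.lst"))

    # Scripted DHCP server endpoint; it receives the request but never
    # answers, so the AP has to run into its HLP wait timeout.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    try:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.settimeout(5)
        sock.bind(("127.0.0.2", 67))

        bssid = apdev[0]['bssid']
        # "params" is rebound to the hostapd configuration from here on.
        params = fils_hlp_config(fils_hlp_wait_time=30)
        hapd = hostapd.add_ap(apdev[0]['ifname'], params)

        dev[0].scan_for_bss(bssid, freq=2412)
        dev[0].request("ERP_FLUSH")
        if "OK" not in dev[0].request("FILS_HLP_REQ_FLUSH"):
            raise Exception("Failed to flush pending FILS HLP requests")
        dhcpdisc = build_dhcp(req=True, dhcp_msg=DHCPDISCOVER,
                              chaddr=dev[0].own_addr())
        # hexlify() returns bytes on Python 3, so its result is decoded before
        # being joined into the command text.
        hlp_req = "ff:ff:ff:ff:ff:ff " + binascii.hexlify(dhcpdisc).decode()
        if "OK" not in dev[0].request("FILS_HLP_REQ_ADD " + hlp_req):
            raise Exception("FILS_HLP_REQ_ADD failed")
        net_id = dev[0].connect("fils", key_mgmt="FILS-SHA256",
                                eap="PSK", identity="psk.user@example.com",
                                password_hex="0123456789abcdef0123456789abcdef",
                                erp="1", scan_freq="2412")

        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()

        dev[0].dump_monitor()
        dev[0].select_network(net_id, freq=2412)

        (msg, addr) = sock.recvfrom(1000)
        logger.debug("Received DHCP message from %s" % str(addr))
        # Wait for HLP wait timeout to hit
        # FILS: HLP response timeout - continue with association response
        dev[0].wait_connected()

        dev[0].request("FILS_HLP_REQ_FLUSH")
    finally:
        # Release 127.0.0.2:67 on every exit path so that a failure here
        # cannot leave a stale listener behind for a later test.
        sock.close()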
891
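def test_fils_sk_hlp_oom(dev, apdev, params):
    """FILS SK HLP and hostapd OOM"""
    # Runs the FILS HLP exchange repeatedly while alloc_fail() arms an
    # allocation failure in one hostapd function per round. Every round
    # still has to end with the station connected, i.e. a failed allocation
    # in the HLP/DHCP path must not break the association.
    check_fils_capa(dev[0])
    check_erp_capa(dev[0])

    start_erp_as(apdev[1], msk_dump=os.path.join(params['logdir'], "msk.lst"))

    # Stand-in DHCP server; binding UDP port 67 needs a privileged process.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    try:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.settimeout(5)
        sock.bind(("127.0.0.2", 67))

        bssid = apdev[0]['bssid']
        params = fils_hlp_config(fils_hlp_wait_time=500)
        params['dhcp_rapid_commit_proxy'] = '1'
        hapd = hostapd.add_ap(apdev[0]['ifname'], params)

        dev[0].scan_for_bss(bssid, freq=2412)
        dev[0].request("ERP_FLUSH")
        if "OK" not in dev[0].request("FILS_HLP_REQ_FLUSH"):
            raise Exception("Failed to flush pending FILS HLP requests")
        dhcpdisc = build_dhcp(req=True, dhcp_msg=DHCPDISCOVER,
                              chaddr=dev[0].own_addr())
        if "OK" not in dev[0].request("FILS_HLP_REQ_ADD " + "ff:ff:ff:ff:ff:ff " + binascii.hexlify(dhcpdisc)):
            raise Exception("FILS_HLP_REQ_ADD failed")
        netid = dev[0].connect("fils", key_mgmt="FILS-SHA256",
                               eap="PSK", identity="psk.user@example.com",
                               password_hex="0123456789abcdef0123456789abcdef",
                               erp="1", scan_freq="2412")

        def disconnect():
            dev[0].request("DISCONNECT")
            dev[0].wait_disconnected()

        def recv_relayed():
            # Wait for the DHCP message hostapd sends to the test server and
            # return the address to answer to.
            (msg, addr) = sock.recvfrom(1000)
            logger.debug("Received DHCP message from %s" % str(addr))
            return addr

        disconnect()

        # Failures while hostapd processes the HLP request itself; no DHCP
        # response is sent in these rounds.
        for func in ["fils_process_hlp",
                     "fils_process_hlp_dhcp",
                     "wpabuf_alloc;fils_process_hlp_dhcp"]:
            dev[0].dump_monitor()
            with alloc_fail(hapd, 1, func):
                dev[0].select_network(netid, freq=2412)
                dev[0].wait_connected()
            disconnect()

        # Failures while hostapd handles a DHCPACK from the server.
        for func in ["wpabuf_alloc;fils_dhcp_handler",
                     "wpabuf_resize;fils_dhcp_handler"]:
            dev[0].dump_monitor()
            with alloc_fail(hapd, 1, func):
                dev[0].select_network(netid, freq=2412)
                addr = recv_relayed()
                dhcpdisc = build_dhcp(req=False, dhcp_msg=DHCPACK,
                                      chaddr=dev[0].own_addr(),
                                      giaddr="127.0.0.3")
                # Skip the 2 + 20 + 8 leading bytes (apparently EtherType,
                # IPv4 header and UDP header) so only the DHCP payload goes
                # out on the UDP socket.
                sock.sendto(dhcpdisc[2+20+8:], addr)
                dev[0].wait_connected()
            disconnect()

        # Failure while hostapd reacts to a DHCPOFFER sent without rapid
        # commit (dhcp_rapid_commit_proxy is enabled above).
        dev[0].dump_monitor()
        dev[0].select_network(netid, freq=2412)
        addr = recv_relayed()
        dhcpoffer = build_dhcp(req=False, dhcp_msg=DHCPOFFER,
                               rapid_commit=False,
                               chaddr=dev[0].own_addr(), giaddr="127.0.0.3")
        with alloc_fail(hapd, 1, "wpabuf_resize;fils_dhcp_request"):
            sock.sendto(dhcpoffer[2+20+8:], addr)
            dev[0].wait_connected()
        disconnect()

        dev[0].request("FILS_HLP_REQ_FLUSH")
    finally:
        # Release 127.0.0.2:67 even when a round fails, so the bound socket
        # does not outlive this test case.
        sock.close()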
983
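def test_fils_sk_hlp_req_parsing(dev, apdev, params):
    """FILS SK HLP request parsing"""
    # Negative test for the handling of HLP requests carried in the FILS
    # association: the station queues truncated and inconsistent
    # IPv4/UDP/DHCP frames, and each reconnection still has to succeed.
    # The last part changes hostapd's DHCP relay settings to values that
    # make its socket setup or transmit fail.
    check_fils_capa(dev[0])
    check_erp_capa(dev[0])

    start_erp_as(apdev[1], msk_dump=os.path.join(params['logdir'], "msk.lst"))

    bssid = apdev[0]['bssid']
    params = fils_hlp_config(fils_hlp_wait_time=30)
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    dev[0].scan_for_bss(bssid, freq=2412)
    dev[0].request("ERP_FLUSH")
    if "OK" not in dev[0].request("FILS_HLP_REQ_FLUSH"):
        raise Exception("Failed to flush pending FILS HLP requests")

    _ip_src = '\x00\x00\x00\x00'
    _ip_dst = '\x00\x00\x00\x00'

    def ipv4_hdr(tot_len, proto):
        # 20-byte IPv4 header (version/IHL 0x45, TTL 128) with a valid header
        # checksum, so a frame is rejected for the field under test and not
        # for a bad checksum.
        start = struct.pack('>BBHHBBBB', 0x45, 0, tot_len, 0, 0, 0, 128, proto)
        csum = ip_checksum(start + '\x00\x00' + _ip_src + _ip_dst)
        return start + csum + _ip_src + _ip_dst

    def udp_hdr(src_port, dst_port, ulen):
        # 8-byte UDP header with the checksum field left as zero.
        return struct.pack('>HHHH', src_port, dst_port, ulen, 0)

    # IPv4 total length claims one byte more than the frame carries.
    ipv4_overflow = ipv4_hdr(20 + 1, 17)
    # Protocol 123 instead of UDP (17).
    ipv4_unknown_proto = ipv4_hdr(20, 123)
    # Protocol is UDP, but nothing follows the IPv4 header.
    ipv4_missing_udp_hdr = ipv4_hdr(20, 17)

    # UDP length claims one payload byte that is not present.
    udp = udp_hdr(68, 67, 8 + 1)
    udp_overflow = ipv4_hdr(20 + len(udp), 17) + udp
    # UDP length is smaller than the UDP header itself.
    udp = udp_hdr(68, 67, 7)
    udp_underflow = ipv4_hdr(20 + len(udp), 17) + udp
    # Well-formed UDP header on ports other than 68 -> 67.
    udp = udp_hdr(123, 456, 8)
    udp_unknown_port = ipv4_hdr(20 + len(udp), 17) + udp
    # Ports 68 -> 67 with no DHCP payload at all.
    udp = udp_hdr(68, 67, 8)
    dhcp_missing_data = ipv4_hdr(20 + len(udp), 17) + udp

    dhcp_not_req = build_dhcp(req=True, dhcp_msg=DHCPDISCOVER,
                              chaddr=dev[0].own_addr(), override_op=BOOTREPLY)
    dhcp_no_magic = build_dhcp(req=True, dhcp_msg=None,
                               chaddr=dev[0].own_addr(), magic_override='',
                               rapid_commit=False, opt_end=False)
    dhcp_unknown_magic = build_dhcp(req=True, dhcp_msg=DHCPDISCOVER,
                                    chaddr=dev[0].own_addr(),
                                    magic_override='\x00\x00\x00\x00')
    dhcp_opts = build_dhcp(req=True, dhcp_msg=DHCPNAK,
                           chaddr=dev[0].own_addr(),
                           extra_op='\x00\x11', opt_end=False)
    dhcp_opts2 = build_dhcp(req=True, dhcp_msg=DHCPNAK,
                            chaddr=dev[0].own_addr(),
                            extra_op='\x11\x01', opt_end=False)
    dhcp_valid = build_dhcp(req=True, dhcp_msg=DHCPDISCOVER,
                            chaddr=dev[0].own_addr())

    def add_hlp_requests(frames):
        for t in frames:
            if "OK" not in dev[0].request("FILS_HLP_REQ_ADD ff:ff:ff:ff:ff:ff " + t):
                raise Exception("FILS_HLP_REQ_ADD failed: " + t)

    def connect_cycle():
        # One FILS reconnection followed by a clean disconnect.
        dev[0].select_network(netid, freq=2412)
        dev[0].wait_connected()
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()

    # "0800" is the IPv4 EtherType in front of the hand-built headers; the
    # first three entries are cut off before or inside the IPv4 header.
    add_hlp_requests(["ff",
                      "0800",
                      "0800" + 20*"00",
                      "0800" + binascii.hexlify(ipv4_overflow),
                      "0800" + binascii.hexlify(ipv4_unknown_proto),
                      "0800" + binascii.hexlify(ipv4_missing_udp_hdr),
                      "0800" + binascii.hexlify(udp_overflow),
                      "0800" + binascii.hexlify(udp_underflow),
                      "0800" + binascii.hexlify(udp_unknown_port),
                      "0800" + binascii.hexlify(dhcp_missing_data),
                      binascii.hexlify(dhcp_not_req),
                      binascii.hexlify(dhcp_no_magic),
                      binascii.hexlify(dhcp_unknown_magic)])
    netid = dev[0].connect("fils", key_mgmt="FILS-SHA256",
                           eap="PSK", identity="psk.user@example.com",
                           password_hex="0123456789abcdef0123456789abcdef",
                           erp="1", scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    dev[0].dump_monitor()
    connect_cycle()

    # DHCP messages whose option list ends in the middle of an option.
    dev[0].request("FILS_HLP_REQ_FLUSH")
    add_hlp_requests([binascii.hexlify(dhcp_opts),
                      binascii.hexlify(dhcp_opts2)])

    dev[0].dump_monitor()
    connect_cycle()

    # From here on the request is valid and the relay configuration is not.
    dev[0].request("FILS_HLP_REQ_FLUSH")
    if "OK" not in dev[0].request("FILS_HLP_REQ_ADD ff:ff:ff:ff:ff:ff " + binascii.hexlify(dhcp_valid)):
        raise Exception("FILS_HLP_REQ_ADD failed")
    hapd.set("own_ip_addr", "0.0.0.0")
    connect_cycle()

    hapd.set("dhcp_server", "0.0.0.0")
    connect_cycle()

    # FILS: Failed to bind DHCP socket: Address already in use
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    try:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.settimeout(5)
        sock.bind(("127.0.0.2", 67))
        hapd.set("own_ip_addr", "127.0.0.2")
        hapd.set("dhcp_server", "127.0.0.2")
        connect_cycle()

        # FILS: DHCP sendto failed: Invalid argument
        hapd.set("own_ip_addr", "127.0.0.3")
        hapd.set("dhcp_server", "127.0.0.2")
        hapd.set("dhcp_relay_port", "0")
        hapd.set("dhcp_server_port", "0")
        connect_cycle()

        dev[0].request("FILS_HLP_REQ_FLUSH")
    finally:
        # Release 127.0.0.2:67 even when a step above raises, so the bound
        # socket does not outlive this test case.
        sock.close()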
1152
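def test_fils_sk_hlp_dhcp_parsing(dev, apdev, params):
    """FILS SK HLP and DHCP response parsing"""
    # Negative test for hostapd's handling of what the DHCP server sends
    # back: the test plays the server on 127.0.0.2:67 and answers with
    # truncated, oversized and inconsistent messages. Every round still has
    # to end with the station connected.
    check_fils_capa(dev[0])
    check_erp_capa(dev[0])

    start_erp_as(apdev[1], msk_dump=os.path.join(params['logdir'], "msk.lst"))

    # Binding UDP port 67 needs a privileged process.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    try:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.settimeout(5)
        sock.bind(("127.0.0.2", 67))

        bssid = apdev[0]['bssid']
        params = fils_hlp_config(fils_hlp_wait_time=30)
        params['dhcp_rapid_commit_proxy'] = '1'
        hapd = hostapd.add_ap(apdev[0]['ifname'], params)

        def recv_relayed():
            # Wait for the DHCP message hostapd sends to the test server and
            # return the address to answer to.
            (msg, addr) = sock.recvfrom(1000)
            logger.debug("Received DHCP message from %s" % str(addr))
            return addr

        def send_offer(addr, **extra):
            # DHCPOFFER without rapid commit. The 2 + 20 + 8 leading bytes
            # (apparently EtherType, IPv4 header and UDP header) are dropped
            # so only the DHCP payload goes out on the UDP socket.
            dhcpoffer = build_dhcp(req=False, dhcp_msg=DHCPOFFER,
                                   rapid_commit=False,
                                   chaddr=dev[0].own_addr(),
                                   giaddr="127.0.0.3", **extra)
            sock.sendto(dhcpoffer[2+20+8:], addr)

        def queue_discover(**extra):
            dhcpdisc = build_dhcp(req=True, dhcp_msg=DHCPDISCOVER,
                                  chaddr=dev[0].own_addr(), **extra)
            if "OK" not in dev[0].request("FILS_HLP_REQ_ADD " + "ff:ff:ff:ff:ff:ff " + binascii.hexlify(dhcpdisc)):
                raise Exception("FILS_HLP_REQ_ADD failed")

        def disconnect():
            dev[0].request("DISCONNECT")
            dev[0].wait_disconnected()

        dev[0].scan_for_bss(bssid, freq=2412)
        dev[0].request("ERP_FLUSH")
        if "OK" not in dev[0].request("FILS_HLP_REQ_FLUSH"):
            raise Exception("Failed to flush pending FILS HLP requests")
        queue_discover()
        netid = dev[0].connect("fils", key_mgmt="FILS-SHA256",
                               eap="PSK", identity="psk.user@example.com",
                               password_hex="0123456789abcdef0123456789abcdef",
                               erp="1", scan_freq="2412")

        disconnect()

        dev[0].dump_monitor()
        with alloc_fail(hapd, 1, "fils_process_hlp"):
            dev[0].select_network(netid, freq=2412)
            dev[0].wait_connected()
        disconnect()

        dev[0].dump_monitor()
        dev[0].select_network(netid, freq=2412)
        addr = recv_relayed()
        # NOTE(review): this DHCPACK is built but never sent; the malformed
        # payloads below are sent instead. Kept so the call sequence stays
        # the same.
        dhcpdisc = build_dhcp(req=False, dhcp_msg=DHCPACK,
                              chaddr=dev[0].own_addr(), giaddr="127.0.0.3")
        chaddr = binascii.unhexlify(dev[0].own_addr().replace(':','')) + 10*'\x00'
        # First 28 bytes of a BOOTP reply: op=2, zeroed fields, and
        # 127.0.0.3 in the last four bytes (giaddr).
        bootp = "\x02\x00\x00\x00" + 20*"\x00" + "\x7f\x00\x00\x03"
        no_chaddr = 16*"\x00"
        # Empty sname (64 bytes) and file (128 bytes) fields.
        names = 64*"\x00" + 128*"\x00"
        magic = "\x63\x82\x53\x63"
        tests = [
            # Single byte.
            "\x00",
            # Reply opcode followed by zeros only.
            "\x02" + 500 * "\x00",
            # Valid fixed header, no magic cookie.
            bootp + 500 * "\x00",
            # Magic cookie, then no options at all.
            bootp + no_chaddr + names + magic,
            # Option list ends right after an option code.
            bootp + no_chaddr + names + magic + "\x00\x11",
            # Option length 1 with no data behind it.
            bootp + no_chaddr + names + magic + "\x11\x01",
            # Message type option (0x35) with length 0.
            bootp + chaddr + names + magic + "\x35\x00\xff",
            # Message type option with value 0.
            bootp + chaddr + names + magic + "\x35\x01\x00\xff",
            # Datagram of 1501 bytes.
            1501 * "\x00",
        ]
        for t in tests:
            sock.sendto(t, addr)
        dev[0].wait_connected()
        disconnect()

        # FILS: DHCP sendto failed: Invalid argument for second DHCP TX in proxy
        dev[0].dump_monitor()
        dev[0].select_network(netid, freq=2412)
        addr = recv_relayed()
        hapd.set("dhcp_server_port", "0")
        send_offer(addr)
        dev[0].wait_connected()
        disconnect()
        hapd.set("dhcp_server_port", "67")

        # Options in DHCPOFFER
        dev[0].dump_monitor()
        dev[0].select_network(netid, freq=2412)
        addr = recv_relayed()
        send_offer(addr, extra_op="\x00\x11", opt_end=False)
        addr = recv_relayed()
        dev[0].wait_connected()
        disconnect()

        # Options in DHCPOFFER (2)
        dev[0].dump_monitor()
        dev[0].select_network(netid, freq=2412)
        addr = recv_relayed()
        send_offer(addr, extra_op="\x11\x01", opt_end=False)
        addr = recv_relayed()
        dev[0].wait_connected()
        disconnect()

        # Server ID in DHCPOFFER
        dev[0].dump_monitor()
        dev[0].select_network(netid, freq=2412)
        addr = recv_relayed()
        send_offer(addr, extra_op="\x36\x01\x30")
        addr = recv_relayed()
        dev[0].wait_connected()
        disconnect()

        # FILS: Could not update DHCPDISCOVER
        dev[0].request("FILS_HLP_REQ_FLUSH")
        queue_discover(extra_op="\x00\x11", opt_end=False)
        dev[0].dump_monitor()
        dev[0].select_network(netid, freq=2412)
        addr = recv_relayed()
        send_offer(addr, extra_op="\x36\x01\x30")
        dev[0].wait_connected()
        disconnect()

        # FILS: Could not update DHCPDISCOVER (2)
        dev[0].request("FILS_HLP_REQ_FLUSH")
        queue_discover(extra_op="\x11\x01", opt_end=False)
        dev[0].dump_monitor()
        dev[0].select_network(netid, freq=2412)
        addr = recv_relayed()
        send_offer(addr, extra_op="\x36\x01\x30")
        dev[0].wait_connected()
        disconnect()

        dev[0].request("FILS_HLP_REQ_FLUSH")
    finally:
        # Release 127.0.0.2:67 even when a round fails, so the bound socket
        # does not outlive this test case.
        sock.close()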
1314
def test_fils_sk_erp_and_reauth(dev, apdev, params):
    """FILS SK using ERP and AP going away"""
    # The AP is disabled and re-enabled while the station is connected. The
    # station has to come back through FILS/ERP; a full EAP exchange or an
    # association rejection fails the test.
    check_fils_capa(dev[0])
    check_erp_capa(dev[0])

    msk_file = os.path.join(params['logdir'], "msk.lst")
    start_erp_as(apdev[1], msk_dump=msk_file)

    ap_bssid = apdev[0]['bssid']
    ap_params = hostapd.wpa2_eap_params(ssid="fils")
    ap_params.update({
        'wpa_key_mgmt': "FILS-SHA256",
        'auth_server_port': "18128",
        'erp_domain': 'example.com',
        'fils_realm': 'example.com',
        # No PMKSA caching on the AP, so the reconnection cannot be served
        # from a cached PMK.
        'disable_pmksa_caching': '1',
        'broadcast_deauth': '0',
    })
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)

    dev[0].scan_for_bss(ap_bssid, freq=2412)
    dev[0].request("ERP_FLUSH")
    dev[0].connect("fils", key_mgmt="FILS-SHA256",
                   eap="PSK", identity="psk.user@example.com",
                   password_hex="0123456789abcdef0123456789abcdef",
                   erp="1", scan_freq="2412")

    # Take the AP away and bring it back.
    hapd.disable()
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    hapd.enable()

    watched = ["CTRL-EVENT-EAP-STARTED",
               "EVENT-ASSOC-REJECT",
               "CTRL-EVENT-CONNECTED"]
    ev = dev[0].wait_event(watched, timeout=10)
    if ev is None:
        raise Exception("Reconnection using FILS/ERP timed out")
    failures = (("CTRL-EVENT-EAP-STARTED", "Unexpected EAP exchange"),
                ("EVENT-ASSOC-REJECT", "Association failed"))
    for marker, error in failures:
        if marker in ev:
            raise Exception(error)
1353
def test_fils_sk_erp_sim(dev, apdev, params):
    """FILS SK using ERP with SIM"""
    # Same AP-restart scenario as the ERP reauthentication test, with EAP-SIM
    # credentials and a 3GPP-style realm used as both ERP domain and FILS
    # realm.
    check_fils_capa(dev[0])
    check_erp_capa(dev[0])

    realm = 'wlan.mnc001.mcc232.3gppnetwork.org'
    msk_file = os.path.join(params['logdir'], "msk.lst")
    start_erp_as(apdev[1], erp_domain=realm, msk_dump=msk_file)

    ap_bssid = apdev[0]['bssid']
    ap_params = hostapd.wpa2_eap_params(ssid="fils")
    ap_params.update({
        'wpa_key_mgmt': "FILS-SHA256",
        'auth_server_port': "18128",
        'fils_realm': realm,
        'disable_pmksa_caching': '1',
    })
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)

    dev[0].scan_for_bss(ap_bssid, freq=2412)
    dev[0].request("ERP_FLUSH")
    dev[0].connect("fils", key_mgmt="FILS-SHA256",
                   eap="SIM", identity="1232010000000000@" + realm,
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   erp="1", scan_freq="2412")

    # Take the AP away and bring it back.
    hapd.disable()
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    hapd.enable()

    watched = ["CTRL-EVENT-EAP-STARTED",
               "EVENT-ASSOC-REJECT",
               "CTRL-EVENT-CONNECTED"]
    ev = dev[0].wait_event(watched, timeout=10)
    if ev is None:
        raise Exception("Reconnection using FILS/ERP timed out")
    failures = (("CTRL-EVENT-EAP-STARTED", "Unexpected EAP exchange"),
                ("EVENT-ASSOC-REJECT", "Association failed"))
    for marker, error in failures:
        if marker in ev:
            raise Exception(error)
1392
def test_fils_sk_pfs_19(dev, apdev, params):
    """FILS SK with PFS (DH group 19)"""
    # Group 19 is the 256-bit random ECP group (NIST P-256) in the IANA IKE
    # group numbering.
    run_fils_sk_pfs(dev, apdev, group="19", params=params)
1396
def test_fils_sk_pfs_20(dev, apdev, params):
    """FILS SK with PFS (DH group 20)"""
    # Group 20 is the 384-bit random ECP group (NIST P-384) in the IANA IKE
    # group numbering.
    run_fils_sk_pfs(dev, apdev, group="20", params=params)
1400
def test_fils_sk_pfs_21(dev, apdev, params):
    """FILS SK with PFS (DH group 21)"""
    # Group 21 is the 521-bit random ECP group (NIST P-521) in the IANA IKE
    # group numbering.
    run_fils_sk_pfs(dev, apdev, group="21", params=params)
1404
def test_fils_sk_pfs_25(dev, apdev, params):
    """FILS SK with PFS (DH group 25)"""
    # Group 25 is the 192-bit random ECP group in the IANA IKE group
    # numbering. A 192-bit curve is below the strength usually required of
    # new deployments; the case covers negotiation, not a recommendation.
    run_fils_sk_pfs(dev, apdev, group="25", params=params)
1408
def test_fils_sk_pfs_26(dev, apdev, params):
    """FILS SK with PFS (DH group 26)"""
    # Group 26 is the 224-bit random ECP group in the IANA IKE group
    # numbering.
    run_fils_sk_pfs(dev, apdev, group="26", params=params)
1412
def test_fils_sk_pfs_27(dev, apdev, params):
    """FILS SK with PFS (DH group 27)"""
    # Group 27 is brainpoolP224r1 in the IANA IKE group numbering; the shared
    # helper skips it when the TLS library check for Brainpool fails.
    run_fils_sk_pfs(dev, apdev, group="27", params=params)
1416
def test_fils_sk_pfs_28(dev, apdev, params):
    """FILS SK with PFS (DH group 28)"""
    # Group 28 is brainpoolP256r1 in the IANA IKE group numbering; the shared
    # helper skips it when the TLS library check for Brainpool fails.
    run_fils_sk_pfs(dev, apdev, group="28", params=params)
1420
def test_fils_sk_pfs_29(dev, apdev, params):
    """FILS SK with PFS (DH group 29)"""
    # Group 29 is brainpoolP384r1 in the IANA IKE group numbering; the shared
    # helper skips it when the TLS library check for Brainpool fails.
    run_fils_sk_pfs(dev, apdev, group="29", params=params)
1424
def test_fils_sk_pfs_30(dev, apdev, params):
    """FILS SK with PFS (DH group 30)"""
    # Group 30 is brainpoolP512r1 in the IANA IKE group numbering; the shared
    # helper skips it when the TLS library check for Brainpool fails.
    run_fils_sk_pfs(dev, apdev, group="30", params=params)
1428
def run_fils_sk_pfs(dev, apdev, group, params):
    """Run one FILS SK with PFS connection using the given DH group.

    group is the DH group number as a string; it is written to the AP's
    fils_dh_group and to the station's network block. The case is skipped
    when FILS-SK-PFS or ERP is not supported, or when the TLS library check
    for the requested curve fails.
    """
    check_fils_sk_pfs_capa(dev[0])
    check_erp_capa(dev[0])

    tls = dev[0].request("GET tls_library")
    grp = int(group)
    skip_reason = None
    if grp == 25:
        skip_reason = "EC group not supported"
    elif grp in (27, 28, 29, 30):
        skip_reason = "Brainpool EC group not supported"
    if skip_reason is not None:
        # NOTE(review): only version strings containing "OpenSSL 1.0.2" or
        # "OpenSSL 1.1" pass. Any other library string results in a skip, so
        # these groups lose coverage silently when the library changes.
        built_ok = "build=OpenSSL 1.0.2" in tls or "build=OpenSSL 1.1" in tls
        run_ok = "run=OpenSSL 1.0.2" in tls or "run=OpenSSL 1.1" in tls
        if not (tls.startswith("OpenSSL") and built_ok and run_ok):
            raise HwsimSkip(skip_reason)

    msk_file = os.path.join(params['logdir'], "msk.lst")
    start_erp_as(apdev[1], msk_dump=msk_file)

    ap_bssid = apdev[0]['bssid']
    ap_params = hostapd.wpa2_eap_params(ssid="fils")
    ap_params.update({
        'wpa_key_mgmt': "FILS-SHA256",
        'auth_server_port': "18128",
        'erp_domain': 'example.com',
        'fils_realm': 'example.com',
        'disable_pmksa_caching': '1',
        'fils_dh_group': group,
    })
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)

    dev[0].scan_for_bss(ap_bssid, freq=2412)
    dev[0].request("ERP_FLUSH")
    netid = dev[0].connect("fils", key_mgmt="FILS-SHA256",
                           eap="PSK", identity="psk.user@example.com",
                           password_hex="0123456789abcdef0123456789abcdef",
                           erp="1", fils_dh_group=group, scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # The reconnection is the one under test: a full EAP exchange or an
    # association rejection fails the case.
    dev[0].dump_monitor()
    dev[0].select_network(netid, freq=2412)
    watched = ["CTRL-EVENT-EAP-STARTED",
               "EVENT-ASSOC-REJECT",
               "CTRL-EVENT-CONNECTED"]
    ev = dev[0].wait_event(watched, timeout=10)
    if ev is None:
        raise Exception("Connection using FILS/ERP timed out")
    failures = (("CTRL-EVENT-EAP-STARTED", "Unexpected EAP exchange"),
                ("EVENT-ASSOC-REJECT", "Association failed"))
    for marker, error in failures:
        if marker in ev:
            raise Exception(error)
    hwsim_utils.test_connectivity(dev[0], hapd)
1475
def test_fils_sk_pfs_group_mismatch(dev, apdev, params):
    """FILS SK PFS DH group mismatch"""
    # The AP is configured with DH group 20 and the station with group 19.
    # The FILS authentication has to be rejected with the exact values
    # checked at the end.
    check_fils_sk_pfs_capa(dev[0])
    check_erp_capa(dev[0])

    msk_file = os.path.join(params['logdir'], "msk.lst")
    start_erp_as(apdev[1], msk_dump=msk_file)

    ap_bssid = apdev[0]['bssid']
    ap_params = hostapd.wpa2_eap_params(ssid="fils")
    ap_params.update({
        'wpa_key_mgmt': "FILS-SHA256",
        'auth_server_port': "18128",
        'erp_domain': 'example.com',
        'fils_realm': 'example.com',
        'disable_pmksa_caching': '1',
        'fils_dh_group': "20",
    })
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)

    dev[0].scan_for_bss(ap_bssid, freq=2412)
    dev[0].request("ERP_FLUSH")
    netid = dev[0].connect("fils", key_mgmt="FILS-SHA256",
                           eap="PSK", identity="psk.user@example.com",
                           password_hex="0123456789abcdef0123456789abcdef",
                           erp="1", fils_dh_group="19", scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    dev[0].dump_monitor()
    dev[0].select_network(netid, freq=2412)
    reject = dev[0].wait_event(["CTRL-EVENT-AUTH-REJECT"], timeout=10)
    # Stop the station before evaluating the result, so it is not left
    # retrying when one of the checks below raises.
    dev[0].request("DISCONNECT")
    if reject is None:
        raise Exception("Authentication rejection not seen")
    # auth_type 5 is FILS shared key with PFS; status code 77 is the IEEE
    # 802.11 "finite cyclic group not supported" status.
    expected = "auth_type=5 auth_transaction=2 status_code=77"
    if expected not in reject:
        raise Exception("Unexpected auth reject value: " + reject)
1511
def test_fils_sk_pfs_pmksa_caching(dev, apdev, params):
    """FILS SK with PFS and PMKSA caching"""
    # Checks how the PMKID behaves across reconnections with DH group 19 on
    # both sides: it has to stay the same while the cached PMKSA is used and
    # has to change once the cache is flushed and ERP is run again.
    check_fils_sk_pfs_capa(dev[0])
    check_erp_capa(dev[0])

    msk_file = os.path.join(params['logdir'], "msk.lst")
    start_erp_as(apdev[1], msk_dump=msk_file)

    bssid = apdev[0]['bssid']
    ap_params = hostapd.wpa2_eap_params(ssid="fils")
    ap_params.update({
        'wpa_key_mgmt': "FILS-SHA256",
        'auth_server_port': "18128",
        'erp_domain': 'example.com',
        'fils_realm': 'example.com',
        'fils_dh_group': "19",
    })
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)

    def disconnect():
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()

    def reconnect_from_cache():
        # Reconnect, require that no EAP exchange is started, and return the
        # PMKSA cache entry found afterwards.
        dev[0].dump_monitor()
        dev[0].select_network(netid, freq=2412)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
                                "CTRL-EVENT-CONNECTED"], timeout=10)
        if ev is None:
            raise Exception("Connection using PMKSA caching timed out")
        if "CTRL-EVENT-EAP-STARTED" in ev:
            raise Exception("Unexpected EAP exchange")
        hwsim_utils.test_connectivity(dev[0], hapd)
        entry = dev[0].get_pmksa(bssid)
        if entry is None:
            raise Exception("No PMKSA cache entry found")
        return entry

    dev[0].scan_for_bss(bssid, freq=2412)
    dev[0].request("ERP_FLUSH")
    netid = dev[0].connect("fils", key_mgmt="FILS-SHA256",
                           eap="PSK", identity="psk.user@example.com",
                           password_hex="0123456789abcdef0123456789abcdef",
                           erp="1", fils_dh_group="19", scan_freq="2412")
    pmksa = dev[0].get_pmksa(bssid)
    if pmksa is None:
        raise Exception("No PMKSA cache entry created")

    disconnect()

    # FILS authentication with PMKSA caching and PFS
    pmksa2 = reconnect_from_cache()
    if pmksa['pmkid'] != pmksa2['pmkid']:
        raise Exception("Unexpected PMKID change")

    # Verify EAPOL reauthentication after FILS authentication
    hapd.request("EAPOL_REAUTH " + dev[0].own_addr())
    if dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5) is None:
        raise Exception("EAP authentication did not start")
    if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=5) is None:
        raise Exception("EAP authentication did not succeed")
    time.sleep(0.1)
    hwsim_utils.test_connectivity(dev[0], hapd)

    disconnect()

    # FILS authentication with ERP and PFS
    dev[0].request("PMKSA_FLUSH")
    dev[0].dump_monitor()
    dev[0].select_network(netid, freq=2412)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-CONNECTED"], timeout=10)
    if ev is None:
        raise Exception("Connection using ERP and PFS timed out")
    if "CTRL-EVENT-EAP-STARTED" in ev:
        raise Exception("Unexpected EAP exchange")
    if "CTRL-EVENT-EAP-SUCCESS" not in ev:
        raise Exception("ERP success not reported")
    # After the ERP success, the next event has to be the connection itself
    # and not another authentication attempt.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
                            "SME: Trying to authenticate",
                            "CTRL-EVENT-CONNECTED"], timeout=10)
    if ev is None:
        raise Exception("Connection using ERP and PFS timed out")
    if "CTRL-EVENT-EAP-STARTED" in ev:
        raise Exception("Unexpected EAP exchange")
    if "SME: Trying to authenticate" in ev:
        raise Exception("Unexpected extra authentication round with ERP and PFS")
    hwsim_utils.test_connectivity(dev[0], hapd)
    pmksa3 = dev[0].get_pmksa(bssid)
    if pmksa3 is None:
        raise Exception("No PMKSA cache entry found")
    # A reused PMKID here would mean the flushed entry was still in use.
    if pmksa2['pmkid'] == pmksa3['pmkid']:
        raise Exception("PMKID did not change")

    disconnect()

    # FILS authentication with PMKSA caching and PFS
    pmksa4 = reconnect_from_cache()
    if pmksa3['pmkid'] != pmksa4['pmkid']:
        raise Exception("Unexpected PMKID change (2)")
1618
def test_fils_sk_auth_mismatch(dev, apdev, params):
    """FILS SK authentication type mismatch (PFS not supported)"""
    # The station asks for PFS (fils_dh_group 19) while the AP configuration
    # sets no fils_dh_group. The reconnection is expected to go through an
    # EAP exchange and still end up connected.
    check_fils_sk_pfs_capa(dev[0])
    check_erp_capa(dev[0])

    msk_file = os.path.join(params['logdir'], "msk.lst")
    start_erp_as(apdev[1], msk_dump=msk_file)

    ap_bssid = apdev[0]['bssid']
    ap_params = hostapd.wpa2_eap_params(ssid="fils")
    ap_params.update({
        'wpa_key_mgmt': "FILS-SHA256",
        'auth_server_port': "18128",
        'erp_domain': 'example.com',
        'fils_realm': 'example.com',
        'disable_pmksa_caching': '1',
    })
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)

    dev[0].scan_for_bss(ap_bssid, freq=2412)
    dev[0].request("ERP_FLUSH")
    netid = dev[0].connect("fils", key_mgmt="FILS-SHA256",
                           eap="PSK", identity="psk.user@example.com",
                           password_hex="0123456789abcdef0123456789abcdef",
                           erp="1", fils_dh_group="19", scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    dev[0].dump_monitor()
    dev[0].select_network(netid, freq=2412)
    watched = ["CTRL-EVENT-EAP-STARTED",
               "EVENT-ASSOC-REJECT",
               "CTRL-EVENT-CONNECTED"]
    ev = dev[0].wait_event(watched, timeout=10)
    if ev is None:
        raise Exception("Connection using FILS/ERP timed out")
    # Unlike the other FILS cases, the EAP start event is required here.
    if "CTRL-EVENT-EAP-STARTED" not in ev:
        raise Exception("No EAP exchange seen")
    dev[0].wait_connected()
    hwsim_utils.test_connectivity(dev[0], hapd)
1656
def test_fils_auth_gtk_rekey(dev, apdev, params):
    """GTK rekeying after FILS authentication"""
    # The AP runs with wpa_group_rekey set to 1. After a FILS reconnection
    # the group rekey has to complete and the station has to stay connected
    # with working data connectivity.
    check_fils_capa(dev[0])
    check_erp_capa(dev[0])

    msk_file = os.path.join(params['logdir'], "msk.lst")
    start_erp_as(apdev[1], msk_dump=msk_file)

    ap_bssid = apdev[0]['bssid']
    ap_params = hostapd.wpa2_eap_params(ssid="fils")
    ap_params.update({
        'wpa_key_mgmt': "FILS-SHA256",
        'auth_server_port': "18128",
        'erp_domain': 'example.com',
        'fils_realm': 'example.com',
        'wpa_group_rekey': '1',
    })
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)

    dev[0].scan_for_bss(ap_bssid, freq=2412)
    dev[0].request("ERP_FLUSH")
    netid = dev[0].connect("fils", key_mgmt="FILS-SHA256",
                           eap="PSK", identity="psk.user@example.com",
                           password_hex="0123456789abcdef0123456789abcdef",
                           erp="1", scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    dev[0].dump_monitor()
    dev[0].select_network(netid, freq=2412)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
                            "CTRL-EVENT-CONNECTED"], timeout=10)
    if ev is None:
        raise Exception("Connection using PMKSA caching timed out")
    if "CTRL-EVENT-EAP-STARTED" in ev:
        raise Exception("Unexpected EAP exchange")
    dev[0].dump_monitor()

    hwsim_utils.test_connectivity(dev[0], hapd)
    rekeyed = dev[0].wait_event(["WPA: Group rekeying completed"], timeout=2)
    if rekeyed is None:
        raise Exception("GTK rekey timed out")
    hwsim_utils.test_connectivity(dev[0], hapd)

    # No disconnection may show up during the following five seconds.
    dropped = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=5)
    if dropped is not None:
        raise Exception("Rekeying failed - disconnected")
    hwsim_utils.test_connectivity(dev[0], hapd)
1703
def test_fils_and_ft(dev, apdev, params):
    """FILS SK using ERP and FT initial mobility domain association"""
    # Three stages: (1) plain FILS association on SSID "fils" with a full
    # EAP exchange, (2) association to SSID "fils-ft" where no EAP exchange
    # may be seen, (3) a roam to a second AP that only offers FT-EAP.
    sta = dev[0]
    check_fils_capa(sta)
    check_erp_capa(sta)

    er = start_erp_as(apdev[1],
                      msk_dump=os.path.join(params['logdir'], "msk.lst"))

    ap1 = apdev[0]
    bssid = ap1['bssid']
    params = hostapd.wpa2_eap_params(ssid="fils")
    for key, value in (('wpa_key_mgmt', "FILS-SHA256"),
                       ('auth_server_port', "18128"),
                       ('erp_domain', 'example.com'),
                       ('fils_realm', 'example.com'),
                       ('disable_pmksa_caching', '1')):
        params[key] = value
    hapd = hostapd.add_ap(ap1['ifname'], params)

    sta.scan_for_bss(bssid, freq=2412)
    sta.request("ERP_FLUSH")
    # The EAP-PSK identity and key are fixed test fixture values.
    sta.connect("fils", key_mgmt="FILS-SHA256",
                eap="PSK", identity="psk.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef",
                erp="1", scan_freq="2412")

    # Tear the first BSS down and clear the station's scan and PMKSA state
    # before the FT-capable BSS is started on the same interface.
    sta.request("DISCONNECT")
    sta.wait_disconnected()
    hapd.disable()
    sta.flush_scan_cache()
    flush_result = sta.request("PMKSA_FLUSH")
    if "FAIL" in flush_result:
        raise Exception("PMKSA_FLUSH failed")

    params = hostapd.wpa2_eap_params(ssid="fils-ft")
    # The r0kh/r1kh entries carry fixed test-only key material.
    for key, value in (
            ('wpa_key_mgmt', "FILS-SHA256 FT-FILS-SHA256 FT-EAP"),
            ('auth_server_port', "18128"),
            ('erp_domain', 'example.com'),
            ('fils_realm', 'example.com'),
            ('disable_pmksa_caching', '1'),
            ("mobility_domain", "a1b2"),
            ("r0_key_lifetime", "10000"),
            ("pmk_r1_push", "1"),
            ("reassociation_deadline", "1000"),
            ('nas_identifier', "nas1.w1.fi"),
            ('r1_key_holder', "000102030405"),
            ('r0kh', [ "02:00:00:00:04:00 nas2.w1.fi 300102030405060708090a0b0c0d0e0f" ]),
            ('r1kh', "02:00:00:00:04:00 00:01:02:03:04:06 200102030405060708090a0b0c0d0e0f"),
            ('ieee80211w', "1")):
        params[key] = value
    hapd = hostapd.add_ap(ap1['ifname'], params)

    sta.scan_for_bss(bssid, freq=2412)
    sta.dump_monitor()
    sta.connect("fils-ft", key_mgmt="FILS-SHA256 FT-FILS-SHA256 FT-EAP",
                ieee80211w="1",
                eap="PSK", identity="psk.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef",
                erp="1", scan_freq="2412", wait_connect=False)

    ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED",
                         "CTRL-EVENT-AUTH-REJECT",
                         "EVENT-ASSOC-REJECT",
                         "CTRL-EVENT-CONNECTED"], timeout=10)
    if ev is None:
        raise Exception("Connection using FILS/ERP timed out")
    # Any of these events in place of CTRL-EVENT-CONNECTED fails the test;
    # in particular a new EAP exchange must not be started here.
    for marker, failure in (("CTRL-EVENT-EAP-STARTED", "Unexpected EAP exchange"),
                            ("CTRL-EVENT-AUTH-REJECT", "Authentication failed"),
                            ("EVENT-ASSOC-REJECT", "Association failed")):
        if marker in ev:
            raise Exception(failure)
    hwsim_utils.test_connectivity(sta, hapd)

    er.disable()

    # FIX: FT-FILS-SHA256 does not currently work for FT protocol due to not
    # fully defined FT Reassociation Request/Response frame MIC use in FTE.
    # FT-EAP can be used to work around that in this test case to confirm the
    # FT key hierarchy was properly formed in the previous step.
    #params['wpa_key_mgmt'] = "FILS-SHA256 FT-FILS-SHA256"
    for key, value in (
            ('wpa_key_mgmt', "FT-EAP"),
            ('nas_identifier', "nas2.w1.fi"),
            ('r1_key_holder', "000102030406"),
            ('r0kh', [ "02:00:00:00:03:00 nas1.w1.fi 200102030405060708090a0b0c0d0e0f" ]),
            ('r1kh', "02:00:00:00:03:00 00:01:02:03:04:05 300102030405060708090a0b0c0d0e0f")):
        params[key] = value
    hapd2 = hostapd.add_ap(apdev[1]['ifname'], params)

    target_bssid = apdev[1]['bssid']
    sta.scan_for_bss(target_bssid, freq="2412", force_scan=True)
    # FIX: Cannot use FT-over-DS without the FTE MIC issue addressed
    #dev[0].roam_over_ds(apdev[1]['bssid'])
    sta.roam(apdev[1]['bssid'])
1792
def test_fils_and_ft_over_air(dev, apdev, params):
    """FILS SK using ERP and FT-over-air (SHA256)"""
    # Only the key management suite is chosen here; the scenario itself
    # lives in the shared runner.
    key_mgmt = "FT-FILS-SHA256"
    run_fils_and_ft_over_air(dev, apdev, params, key_mgmt)
1796
def test_fils_and_ft_over_air_sha384(dev, apdev, params):
    """FILS SK using ERP and FT-over-air (SHA384)"""
    # Only the key management suite is chosen here; the scenario itself
    # lives in the shared runner.
    key_mgmt = "FT-FILS-SHA384"
    run_fils_and_ft_over_air(dev, apdev, params, key_mgmt)
1800
def run_fils_and_ft_over_air(dev, apdev, params, key_mgmt):
    """Roam between the two APs with roam() after the FILS/FT setup.

    run_fils_and_ft_setup() provides both APs. The station then roams
    AP2, AP1, AP2, AP1, and data connectivity is checked against the
    target AP after every roam. Each step is preceded by a NOTE command
    sent to the first AP.
    """
    hapd, hapd2 = run_fils_and_ft_setup(dev, apdev, params, key_mgmt)
    sta = dev[0]

    def roam_and_verify(note, ap_index, target_hapd):
        # Send the NOTE, roam to the selected AP, then verify traffic.
        hapd.request(note)
        sta.roam(apdev[ap_index]['bssid'])
        hwsim_utils.test_connectivity(sta, target_hapd)

    logger.info("FT protocol using FT key hierarchy established during FILS authentication")
    sta.scan_for_bss(apdev[1]['bssid'], freq="2412", force_scan=True)
    roam_and_verify("NOTE FT protocol to AP2 using FT keys established during FILS FILS authentication",
                    1, hapd2)

    logger.info("FT protocol using the previously established FT key hierarchy from FILS authentication")
    later_roams = (
        ("NOTE FT protocol back to AP1 using FT keys established during FILS FILS authentication",
         0, hapd),
        ("NOTE FT protocol back to AP2 using FT keys established during FILS FILS authentication",
         1, hapd2),
        ("NOTE FT protocol back to AP1 using FT keys established during FILS FILS authentication (2)",
         0, hapd),
    )
    for note, ap_index, target_hapd in later_roams:
        roam_and_verify(note, ap_index, target_hapd)
1822
def test_fils_and_ft_over_ds(dev, apdev, params):
    """FILS SK using ERP and FT-over-DS (SHA256)"""
    # Only the key management suite is chosen here; the scenario itself
    # lives in the shared runner.
    key_mgmt = "FT-FILS-SHA256"
    run_fils_and_ft_over_ds(dev, apdev, params, key_mgmt)
1826
def test_fils_and_ft_over_ds_sha384(dev, apdev, params):
    """FILS SK using ERP and FT-over-DS (SHA384)"""
    # Only the key management suite is chosen here; the scenario itself
    # lives in the shared runner.
    key_mgmt = "FT-FILS-SHA384"
    run_fils_and_ft_over_ds(dev, apdev, params, key_mgmt)
1830
def run_fils_and_ft_over_ds(dev, apdev, params, key_mgmt):
    """Roam between the two APs with roam_over_ds() after the FILS/FT setup.

    run_fils_and_ft_setup() provides both APs. The station then roams
    AP2, AP1, AP2, AP1 using roam_over_ds(). Each step is preceded by a
    NOTE command sent to the first AP. No data connectivity check is made
    after the roams in this runner.
    """
    hapd, _hapd2 = run_fils_and_ft_setup(dev, apdev, params, key_mgmt)
    sta = dev[0]

    def roam_ds(note, ap_index):
        # Send the NOTE, then roam over the DS to the selected AP.
        hapd.request(note)
        sta.roam_over_ds(apdev[ap_index]['bssid'])

    logger.info("FT protocol using FT key hierarchy established during FILS authentication")
    sta.scan_for_bss(apdev[1]['bssid'], freq="2412", force_scan=True)
    roam_ds("NOTE FT protocol to AP2 using FT keys established during FILS FILS authentication", 1)

    logger.info("FT protocol using the previously established FT key hierarchy from FILS authentication")
    later_roams = (
        ("NOTE FT protocol back to AP1 using FT keys established during FILS FILS authentication", 0),
        ("NOTE FT protocol back to AP2 using FT keys established during FILS FILS authentication", 1),
        ("NOTE FT protocol back to AP1 using FT keys established during FILS FILS authentication (2)", 0),
    )
    for note, ap_index in later_roams:
        roam_ds(note, ap_index)
1848
def run_fils_and_ft_setup(dev, apdev, params, key_mgmt):
    """Prepare two FT-capable APs and a station associated to the first.

    Steps, in order:
      1. Start the ERP authentication server and a BSS with SSID "fils";
         associate once to establish ERP keys, then disconnect, disable
         that BSS and flush the station's scan cache and PMKSA entries.
      2. Start a BSS with SSID "fils-ft" on the same interface and
         reconnect the same network profile to it. An EAP exchange, an
         authentication reject or an association reject fails the setup.
      3. Disable the object returned by start_erp_as() and start the
         second AP on apdev[1] with the mirrored R0KH/R1KH configuration.

    key_mgmt is used for both APs and for the station profile.
    Returns the tuple (hapd, hapd2).
    """
    sta = dev[0]
    check_fils_capa(sta)
    check_erp_capa(sta)

    er = start_erp_as(apdev[1],
                      msk_dump=os.path.join(params['logdir'], "msk.lst"))

    logger.info("Set up ERP key hierarchy without FILS/FT authentication")
    ap1 = apdev[0]
    bssid = ap1['bssid']
    params = hostapd.wpa2_eap_params(ssid="fils")
    for key, value in (('wpa_key_mgmt', key_mgmt),
                       ('auth_server_port', "18128"),
                       ('erp_domain', 'example.com'),
                       ('fils_realm', 'example.com'),
                       ('disable_pmksa_caching', '1'),
                       ('ieee80211w', "2")):
        params[key] = value
    hapd = hostapd.add_ap(ap1['ifname'], params)

    sta.scan_for_bss(bssid, freq=2412)
    sta.request("ERP_FLUSH")
    hapd.request("NOTE Initial association to establish ERP keys")
    # The EAP-PSK identity and key are fixed test fixture values.
    net_id = sta.connect("fils", key_mgmt=key_mgmt, ieee80211w="2",
                         eap="PSK", identity="psk.user@example.com",
                         password_hex="0123456789abcdef0123456789abcdef",
                         erp="1", scan_freq="2412")
    hwsim_utils.test_connectivity(sta, hapd)

    sta.request("DISCONNECT")
    sta.wait_disconnected()
    hapd.disable()
    sta.flush_scan_cache()
    flush_result = sta.request("PMKSA_FLUSH")
    if "FAIL" in flush_result:
        raise Exception("PMKSA_FLUSH failed")

    logger.info("Initial mobility domain association using FILS authentication")
    params = hostapd.wpa2_eap_params(ssid="fils-ft")
    # The r0kh/r1kh entries carry fixed test-only key material.
    for key, value in (
            ('wpa_key_mgmt', key_mgmt),
            ('auth_server_port', "18128"),
            ('erp_domain', 'example.com'),
            ('fils_realm', 'example.com'),
            ('disable_pmksa_caching', '1'),
            ("mobility_domain", "a1b2"),
            ("r0_key_lifetime", "10000"),
            ("pmk_r1_push", "1"),
            ("reassociation_deadline", "1000"),
            ('nas_identifier', "nas1.w1.fi"),
            ('r1_key_holder', "000102030405"),
            ('r0kh', [ "02:00:00:00:03:00 nas1.w1.fi 100102030405060708090a0b0c0d0e0f100102030405060708090a0b0c0d0e0f",
                       "02:00:00:00:04:00 nas2.w1.fi 300102030405060708090a0b0c0d0e0f" ]),
            ('r1kh', "02:00:00:00:04:00 00:01:02:03:04:06 200102030405060708090a0b0c0d0e0f"),
            ('ieee80211w', "2")):
        params[key] = value
    hapd = hostapd.add_ap(ap1['ifname'], params)

    sta.scan_for_bss(bssid, freq=2412)
    sta.dump_monitor()
    hapd.request("NOTE Initial FT mobility domain association using FILS authentication")
    # Reuse the existing network profile; only its SSID is changed.
    sta.set_network_quoted(net_id, "ssid", "fils-ft")
    sta.select_network(net_id, freq=2412)

    ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED",
                         "CTRL-EVENT-AUTH-REJECT",
                         "EVENT-ASSOC-REJECT",
                         "CTRL-EVENT-CONNECTED"], timeout=10)
    if ev is None:
        raise Exception("Connection using FILS/ERP timed out")
    # Any of these events in place of CTRL-EVENT-CONNECTED fails the setup;
    # in particular a new EAP exchange must not be started here.
    for marker, failure in (("CTRL-EVENT-EAP-STARTED", "Unexpected EAP exchange"),
                            ("CTRL-EVENT-AUTH-REJECT", "Authentication failed"),
                            ("EVENT-ASSOC-REJECT", "Association failed")):
        if marker in ev:
            raise Exception(failure)
    hwsim_utils.test_connectivity(sta, hapd)

    er.disable()

    # The second AP reuses the same dict with its own identity and the
    # key holder entries mirrored relative to the first AP.
    for key, value in (
            ('wpa_key_mgmt', key_mgmt),
            ('nas_identifier', "nas2.w1.fi"),
            ('r1_key_holder', "000102030406"),
            ('r0kh', [ "02:00:00:00:03:00 nas1.w1.fi 200102030405060708090a0b0c0d0e0f",
                       "02:00:00:00:04:00 nas2.w1.fi 000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f" ]),
            ('r1kh', "02:00:00:00:03:00 00:01:02:03:04:05 300102030405060708090a0b0c0d0e0f")):
        params[key] = value
    hapd2 = hostapd.add_ap(apdev[1]['ifname'], params)

    return hapd, hapd2
1933
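def test_fils_assoc_replay(dev, apdev, params):
    """FILS AP and replayed Association Request frame"""
    # Purpose: feed the AP a second copy of an Association Request it has
    # already processed and verify, from the capture file, that no CCMP
    # packet number is repeated in protected data frames sent by the AP to
    # the station. A repeated PN under the same key would defeat CCMP replay
    # protection, so a duplicate is reported as a failure.
    #
    # Raises Exception on any timeout, on a failed control command, when
    # fewer than two protected frames are found, on a duplicate PN, or when
    # connectivity is lost after the replay.
    capfile = os.path.join(params['logdir'], "hwsim0.pcapng")
    check_fils_capa(dev[0])
    check_erp_capa(dev[0])

    start_erp_as(apdev[1])

    bssid = apdev[0]['bssid']
    params = hostapd.wpa2_eap_params(ssid="fils")
    params['wpa_key_mgmt'] = "FILS-SHA256"
    params['auth_server_port'] = "18128"
    params['erp_domain'] = 'example.com'
    params['fils_realm'] = 'example.com'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    dev[0].scan_for_bss(bssid, freq=2412)
    dev[0].request("ERP_FLUSH")
    # The EAP-PSK identity and key are fixed test fixture values.
    net_id = dev[0].connect("fils", key_mgmt="FILS-SHA256",
                            eap="PSK", identity="psk.user@example.com",
                            password_hex="0123456789abcdef0123456789abcdef",
                            erp="1", scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # With external management frame handling enabled, received frames are
    # fetched with mgmt_rx() and handed back through MGMT_RX_PROCESS, which
    # is what lets the test keep a copy of the Association Request.
    hapd.set("ext_mgmt_frame_handling", "1")
    dev[0].dump_monitor()
    dev[0].select_network(net_id, freq=2412)

    rx_process = "MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame="
    assocreq = None
    for _ in range(100):
        req = hapd.mgmt_rx()
        if req is None:
            # Guard in case mgmt_rx() yields nothing; indexing None below
            # would otherwise hide the real cause behind a TypeError.
            raise Exception("MGMT RX wait timed out")
        hapd.dump_monitor()
        # hexlify() returns bytes on Python 3, so decode before building
        # the text command.
        hapd.request(rx_process + binascii.hexlify(req['frame']).decode())
        if req['subtype'] == 0:
            # Subtype 0 is treated as the Association Request; complete its
            # TX status handling and stop forwarding frames.
            assocreq = req
            ev = hapd.wait_event(["MGMT-TX-STATUS"], timeout=5)
            if ev is None:
                raise Exception("No TX status seen")
            cmd = "MGMT_TX_STATUS_PROCESS %s" % (" ".join(ev.split(' ')[1:4]))
            if "OK" not in hapd.request(cmd):
                raise Exception("MGMT_TX_STATUS_PROCESS failed")
            break
    hapd.set("ext_mgmt_frame_handling", "0")
    if assocreq is None:
        raise Exception("No Association Request frame seen")
    dev[0].wait_connected()
    dev[0].dump_monitor()
    hapd.dump_monitor()

    hwsim_utils.test_connectivity(dev[0], hapd)

    logger.info("Replay the last Association Request frame")
    hapd.dump_monitor()
    hapd.set("ext_mgmt_frame_handling", "1")
    # Replay the saved Association Request explicitly rather than relying on
    # the loop variable still pointing at it.
    hapd.request(rx_process + binascii.hexlify(assocreq['frame']).decode())
    ev = hapd.wait_event(["MGMT-TX-STATUS"], timeout=5)
    if ev is None:
        raise Exception("No TX status seen")
    cmd = "MGMT_TX_STATUS_PROCESS %s" % (" ".join(ev.split(' ')[1:4]))
    if "OK" not in hapd.request(cmd):
        raise Exception("MGMT_TX_STATUS_PROCESS failed")
    hapd.set("ext_mgmt_frame_handling", "0")

    # Record a connectivity failure instead of raising right away, so that
    # the PN analysis below still runs and can report the more specific
    # problem. Only Exception is caught, so an interrupt still aborts.
    try:
        hwsim_utils.test_connectivity(dev[0], hapd)
        ok = True
    except Exception:
        ok = False

    ap = hapd.own_addr()
    sta = dev[0].own_addr()
    # Protected data frames (type 2) from the AP to the station that carry
    # a CCMP extended IV.
    filt = "wlan.fc.type == 2 && wlan.da == %s && wlan.sa == %s && wlan.ccmp.extiv" % (sta, ap)
    fields = [ "wlan.ccmp.extiv" ]
    res = run_tshark(capfile, filt, fields)
    vals = res.splitlines()
    logger.info("CCMP PN: " + str(vals))
    if len(vals) < 2:
        raise Exception("Could not find all CCMP protected frames from capture")
    if len(set(vals)) < len(vals):
        raise Exception("Duplicate CCMP PN used")

    if not ok:
        raise Exception("The second hwsim connectivity test failed")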
2023
2024 def test_fils_sk_erp_server_flush(dev, apdev, params):
2025 """FILS SK ERP and ERP flush on server, but not on peer"""
2026 check_fils_capa(dev[0])
2027 check_erp_capa(dev[0])
2028
2029 hapd_as = start_erp_as(apdev[1], msk_dump=os.path.join(params['logdir'],
2030 "msk.lst"))
2031
2032 bssid = apdev[0]['bssid']
2033 params = hostapd.wpa2_eap_params(ssid="fils")
2034 params['wpa_key_mgmt'] = "FILS-SHA256"
2035 params['auth_server_port'] = "18128"
2036 params['erp_domain'] = 'example.com'
2037 params['fils_realm'] = 'example.com'
2038 params['disable_pmksa_caching'] = '1'
2039 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2040
2041 dev[0].scan_for_bss(bssid, freq=2412)
2042 dev[0].request("ERP_FLUSH")
2043 id = dev[0].connect("fils", key_mgmt="FILS-SHA256",
2044 eap="PSK", identity="psk.user@example.com",
2045 password_hex="0123456789abcdef0123456789abcdef",
2046 erp="1", scan_freq="2412")
2047
2048 dev[0].request("DISCONNECT")
2049 dev[0].wait_disconnected()
2050
2051 dev[0].dump_monitor()
2052 dev[0].select_network(id, freq=2412)
2053 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
2054 "EVENT-ASSOC-REJECT",
2055 "CTRL-EVENT-CONNECTED"], timeout=10)
2056 if ev is None:
2057 raise Exception("Connection using FILS/ERP timed out")
2058 if "CTRL-EVENT-EAP-STARTED" in ev:
2059 raise Exception("Unexpected EAP exchange")
2060 if "EVENT-ASSOC-REJECT" in ev:
2061 raise Exception("Association failed")
2062
2063 dev[0].request("DISCONNECT")
2064 dev[0].wait_disconnected()
2065
2066 hapd_as.request("ERP_FLUSH")
2067 dev[0].dump_monitor()
2068 dev[0].select_network(id, freq=2412)
2069 ev = dev[0].wait_event(["CTRL-EVENT-AUTH-REJECT"], timeout=10)
2070 if ev is None:
2071 raise Exception("No authentication rejection seen after ERP flush on server")
2072
2073 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
2074 "CTRL-EVENT-AUTH-REJECT",
2075 "EVENT-ASSOC-REJECT",
2076 "CTRL-EVENT-CONNECTED"], timeout=10)
2077 if ev is None:
2078 raise Exception("Connection attempt using FILS/ERP timed out")
2079 if "CTRL-EVENT-AUTH-REJECT" in ev:
2080 raise Exception("Failed to recover from ERP flush on server")
2081 if "EVENT-ASSOC-REJECT" in ev:
2082 raise Exception("Association failed")
2083 if "CTRL-EVENT-EAP-STARTED" not in ev:
2084 raise Exception("New EAP exchange not seen")
2085 dev[0].wait_connected(error="Connection timeout after ERP flush")
2086
2087 dev[0].request("DISCONNECT")
2088 dev[0].wait_disconnected()
2089 dev[0].dump_monitor()
2090 dev[0].select_network(id, freq=2412)
2091 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
2092 "CTRL-EVENT-AUTH-REJECT",
2093 "EVENT-ASSOC-REJECT",
2094 "CTRL-EVENT-CONNECTED"], timeout=10)
2095 if ev is None:
2096 raise Exception("Connection attempt using FILS with new ERP keys timed out")
2097 if "CTRL-EVENT-AUTH-REJECT" in ev:
2098 raise Exception("Authentication failed with new ERP keys")
2099 if "EVENT-ASSOC-REJECT" in ev:
2100 raise Exception("Association failed with new ERP keys")
2101 if "CTRL-EVENT-EAP-STARTED" in ev:
2102 raise Exception("Unexpected EAP exchange")