fragattacks/tests/hwsim/test_ap_ciphers.py
Jouni Malinen e9f2d54f44 tests: Use shell in local cmd_execute() only if needed
The generic cmd_execute() function was introduced in a manner that
converted the argument array to a string and used shell to run the
command unconditionally. This is not really desirable, so move back to
using the command array by default and use the single command string
with a shell only when really needed.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-06-27 21:10:35 +03:00

212 lines
8.3 KiB
Python

# Cipher suite tests
# Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
#
# This software may be distributed under the terms of the BSD license.
# See README for more details.
import time
import logging
logger = logging.getLogger()
import os.path
import hwsim_utils
import hostapd
from utils import HwsimSkip, skip_with_fips
from wlantest import Wlantest
def check_cipher(dev, ap, cipher):
if cipher not in dev.get_capability("pairwise"):
raise HwsimSkip("Cipher %s not supported" % cipher)
params = { "ssid": "test-wpa2-psk",
"wpa_passphrase": "12345678",
"wpa": "2",
"wpa_key_mgmt": "WPA-PSK",
"rsn_pairwise": cipher }
hapd = hostapd.add_ap(ap, params)
dev.connect("test-wpa2-psk", psk="12345678",
pairwise=cipher, group=cipher, scan_freq="2412")
hwsim_utils.test_connectivity(dev, hapd)
def check_group_mgmt_cipher(dev, ap, cipher):
if cipher not in dev.get_capability("group_mgmt"):
raise HwsimSkip("Cipher %s not supported" % cipher)
params = { "ssid": "test-wpa2-psk-pmf",
"wpa_passphrase": "12345678",
"wpa": "2",
"ieee80211w": "2",
"wpa_key_mgmt": "WPA-PSK-SHA256",
"rsn_pairwise": "CCMP",
"group_mgmt_cipher": cipher }
hapd = hostapd.add_ap(ap, params)
Wlantest.setup(hapd)
wt = Wlantest()
wt.flush()
wt.add_passphrase("12345678")
dev.connect("test-wpa2-psk-pmf", psk="12345678", ieee80211w="2",
key_mgmt="WPA-PSK-SHA256",
pairwise="CCMP", group="CCMP", scan_freq="2412")
hwsim_utils.test_connectivity(dev, hapd)
hapd.request("DEAUTHENTICATE ff:ff:ff:ff:ff:ff")
dev.wait_disconnected()
if wt.get_bss_counter('valid_bip_mmie', ap['bssid']) < 1:
raise Exception("No valid BIP MMIE seen")
if wt.get_bss_counter('bip_deauth', ap['bssid']) < 1:
raise Exception("No valid BIP deauth seen")
if cipher == "AES-128-CMAC":
group_mgmt = "BIP"
else:
group_mgmt = cipher
res = wt.info_bss('group_mgmt', ap['bssid']).strip()
if res != group_mgmt:
raise Exception("Unexpected group mgmt cipher: " + res)
def test_ap_cipher_tkip(dev, apdev):
"""WPA2-PSK/TKIP connection"""
skip_with_fips(dev[0])
check_cipher(dev[0], apdev[0], "TKIP")
def test_ap_cipher_tkip_countermeasures_ap(dev, apdev):
"""WPA-PSK/TKIP countermeasures (detected by AP)"""
skip_with_fips(dev[0])
testfile = "/sys/kernel/debug/ieee80211/%s/netdev:%s/tkip_mic_test" % (dev[0].get_driver_status_field("phyname"), dev[0].ifname)
if dev[0].cmd_execute([ "ls", testfile ])[0] != 0:
raise HwsimSkip("tkip_mic_test not supported in mac80211")
params = { "ssid": "tkip-countermeasures",
"wpa_passphrase": "12345678",
"wpa": "1",
"wpa_key_mgmt": "WPA-PSK",
"wpa_pairwise": "TKIP" }
hapd = hostapd.add_ap(apdev[0], params)
dev[0].connect("tkip-countermeasures", psk="12345678",
pairwise="TKIP", group="TKIP", scan_freq="2412")
dev[0].dump_monitor()
dev[0].cmd_execute([ "echo", "-n", apdev[0]['bssid'], ">", testfile ],
shell=True)
ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=1)
if ev is not None:
raise Exception("Unexpected disconnection on first Michael MIC failure")
dev[0].cmd_execute([ "echo", "-n", "ff:ff:ff:ff:ff:ff", ">", testfile ],
shell=True)
ev = dev[0].wait_disconnected(timeout=10,
error="No disconnection after two Michael MIC failures")
if "reason=14" not in ev:
raise Exception("Unexpected disconnection reason: " + ev)
ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
if ev is not None:
raise Exception("Unexpected connection during TKIP countermeasures")
def test_ap_cipher_tkip_countermeasures_sta(dev, apdev):
"""WPA-PSK/TKIP countermeasures (detected by STA)"""
skip_with_fips(dev[0])
params = { "ssid": "tkip-countermeasures",
"wpa_passphrase": "12345678",
"wpa": "1",
"wpa_key_mgmt": "WPA-PSK",
"wpa_pairwise": "TKIP" }
hapd = hostapd.add_ap(apdev[0], params)
testfile = "/sys/kernel/debug/ieee80211/%s/netdev:%s/tkip_mic_test" % (hapd.get_driver_status_field("phyname"), apdev[0]['ifname'])
if hapd.cmd_execute([ "ls", testfile ])[0] != 0:
raise HwsimSkip("tkip_mic_test not supported in mac80211")
dev[0].connect("tkip-countermeasures", psk="12345678",
pairwise="TKIP", group="TKIP", scan_freq="2412")
dev[0].dump_monitor()
hapd.cmd_execute([ "echo", "-n", dev[0].own_addr(), ">", testfile ],
shell=True)
ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=1)
if ev is not None:
raise Exception("Unexpected disconnection on first Michael MIC failure")
hapd.cmd_execute([ "echo", "-n", "ff:ff:ff:ff:ff:ff", ">", testfile ],
shell=True)
ev = dev[0].wait_disconnected(timeout=10,
error="No disconnection after two Michael MIC failures")
if "reason=14 locally_generated=1" not in ev:
raise Exception("Unexpected disconnection reason: " + ev)
ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
if ev is not None:
raise Exception("Unexpected connection during TKIP countermeasures")
def test_ap_cipher_ccmp(dev, apdev):
"""WPA2-PSK/CCMP connection"""
check_cipher(dev[0], apdev[0], "CCMP")
def test_ap_cipher_gcmp(dev, apdev):
"""WPA2-PSK/GCMP connection"""
check_cipher(dev[0], apdev[0], "GCMP")
def test_ap_cipher_ccmp_256(dev, apdev):
"""WPA2-PSK/CCMP-256 connection"""
check_cipher(dev[0], apdev[0], "CCMP-256")
def test_ap_cipher_gcmp_256(dev, apdev):
"""WPA2-PSK/GCMP-256 connection"""
check_cipher(dev[0], apdev[0], "GCMP-256")
def test_ap_cipher_mixed_wpa_wpa2(dev, apdev):
"""WPA2-PSK/CCMP/ and WPA-PSK/TKIP mixed configuration"""
skip_with_fips(dev[0])
ssid = "test-wpa-wpa2-psk"
passphrase = "12345678"
params = { "ssid": ssid,
"wpa_passphrase": passphrase,
"wpa": "3",
"wpa_key_mgmt": "WPA-PSK",
"rsn_pairwise": "CCMP",
"wpa_pairwise": "TKIP" }
hapd = hostapd.add_ap(apdev[0], params)
dev[0].connect(ssid, psk=passphrase, proto="WPA2",
pairwise="CCMP", group="TKIP", scan_freq="2412")
status = dev[0].get_status()
if status['key_mgmt'] != 'WPA2-PSK':
raise Exception("Incorrect key_mgmt reported")
if status['pairwise_cipher'] != 'CCMP':
raise Exception("Incorrect pairwise_cipher reported")
if status['group_cipher'] != 'TKIP':
raise Exception("Incorrect group_cipher reported")
bss = dev[0].get_bss(apdev[0]['bssid'])
if bss['ssid'] != ssid:
raise Exception("Unexpected SSID in the BSS entry")
if "[WPA-PSK-TKIP]" not in bss['flags']:
raise Exception("Missing BSS flag WPA-PSK-TKIP")
if "[WPA2-PSK-CCMP]" not in bss['flags']:
raise Exception("Missing BSS flag WPA2-PSK-CCMP")
hwsim_utils.test_connectivity(dev[0], hapd)
dev[1].connect(ssid, psk=passphrase, proto="WPA",
pairwise="TKIP", group="TKIP", scan_freq="2412")
status = dev[1].get_status()
if status['key_mgmt'] != 'WPA-PSK':
raise Exception("Incorrect key_mgmt reported")
if status['pairwise_cipher'] != 'TKIP':
raise Exception("Incorrect pairwise_cipher reported")
if status['group_cipher'] != 'TKIP':
raise Exception("Incorrect group_cipher reported")
hwsim_utils.test_connectivity(dev[1], hapd)
hwsim_utils.test_connectivity(dev[0], dev[1])
def test_ap_cipher_bip(dev, apdev):
"""WPA2-PSK with BIP"""
check_group_mgmt_cipher(dev[0], apdev[0], "AES-128-CMAC")
def test_ap_cipher_bip_gmac_128(dev, apdev):
"""WPA2-PSK with BIP-GMAC-128"""
check_group_mgmt_cipher(dev[0], apdev[0], "BIP-GMAC-128")
def test_ap_cipher_bip_gmac_256(dev, apdev):
"""WPA2-PSK with BIP-GMAC-256"""
check_group_mgmt_cipher(dev[0], apdev[0], "BIP-GMAC-256")
def test_ap_cipher_bip_cmac_256(dev, apdev):
"""WPA2-PSK with BIP-CMAC-256"""
check_group_mgmt_cipher(dev[0], apdev[0], "BIP-CMAC-256")