1 # WPA2-Enterprise PMKSA caching tests
2 # Copyright (c) 2013-2014, Jouni Malinen <j@w1.fi>
4 # This software may be distributed under the terms of the BSD license.
5 # See README for more details.
8 logger = logging.getLogger()
13 from wpasupplicant import WpaSupplicant
14 from utils import alloc_fail
15 from test_ap_eap import eap_connect
17 def test_pmksa_cache_on_roam_back(dev, apdev):
18 """PMKSA cache to skip EAP on reassociation back to same AP"""
19 params = hostapd.wpa2_eap_params(ssid="test-pmksa-cache")
20 hostapd.add_ap(apdev[0]['ifname'], params)
21 bssid = apdev[0]['bssid']
22 dev[0].connect("test-pmksa-cache", proto="RSN", key_mgmt="WPA-EAP",
23 eap="GPSK", identity="gpsk user",
24 password="abcdefghijklmnop0123456789abcdef",
26 pmksa = dev[0].get_pmksa(bssid)
28 raise Exception("No PMKSA cache entry created")
29 if pmksa['opportunistic'] != '0':
30 raise Exception("Unexpected opportunistic PMKSA cache entry")
32 hostapd.add_ap(apdev[1]['ifname'], params)
33 bssid2 = apdev[1]['bssid']
36 logger.info("Roam to AP2")
37 # It can take some time for the second AP to become ready to reply to Probe
38 # Request frames especially under heavy CPU load, so allow couple of rounds
39 # of scanning to avoid reporting errors incorrectly just because of scans
40 # not having seen the target AP.
41 for i in range(0, 10):
42 dev[0].scan(freq="2412")
43 if dev[0].get_bss(bssid2) is not None:
45 logger.info("Scan again to find target AP")
46 dev[0].request("ROAM " + bssid2)
47 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
49 raise Exception("EAP success timed out")
50 dev[0].wait_connected(timeout=10, error="Roaming timed out")
51 pmksa2 = dev[0].get_pmksa(bssid2)
53 raise Exception("No PMKSA cache entry found")
54 if pmksa2['opportunistic'] != '0':
55 raise Exception("Unexpected opportunistic PMKSA cache entry")
58 logger.info("Roam back to AP1")
59 dev[0].scan(freq="2412")
60 dev[0].request("ROAM " + bssid)
61 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
62 "CTRL-EVENT-CONNECTED"], timeout=10)
64 raise Exception("Roaming with the AP timed out")
65 if "CTRL-EVENT-EAP-STARTED" in ev:
66 raise Exception("Unexpected EAP exchange")
67 pmksa1b = dev[0].get_pmksa(bssid)
69 raise Exception("No PMKSA cache entry found")
70 if pmksa['pmkid'] != pmksa1b['pmkid']:
71 raise Exception("Unexpected PMKID change for AP1")
74 if "FAIL" in dev[0].request("PMKSA_FLUSH"):
75 raise Exception("PMKSA_FLUSH failed")
76 if dev[0].get_pmksa(bssid) is not None or dev[0].get_pmksa(bssid2) is not None:
77 raise Exception("PMKSA_FLUSH did not remove PMKSA entries")
78 dev[0].wait_disconnected(timeout=5)
79 dev[0].wait_connected(timeout=15, error="Reconnection timed out")
81 def test_pmksa_cache_and_reauth(dev, apdev):
82 """PMKSA caching and EAPOL reauthentication"""
83 params = hostapd.wpa2_eap_params(ssid="test-pmksa-cache")
84 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
85 bssid = apdev[0]['bssid']
86 dev[0].connect("test-pmksa-cache", proto="RSN", key_mgmt="WPA-EAP",
87 eap="GPSK", identity="gpsk user",
88 password="abcdefghijklmnop0123456789abcdef",
91 hostapd.add_ap(apdev[1]['ifname'], params)
92 bssid2 = apdev[1]['bssid']
95 logger.info("Roam to AP2")
96 # It can take some time for the second AP to become ready to reply to Probe
97 # Request frames especially under heavy CPU load, so allow couple of rounds
98 # of scanning to avoid reporting errors incorrectly just because of scans
99 # not having seen the target AP.
100 for i in range(0, 10):
101 dev[0].scan(freq="2412")
102 if dev[0].get_bss(bssid2) is not None:
104 logger.info("Scan again to find target AP")
105 dev[0].request("ROAM " + bssid2)
106 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
108 raise Exception("EAP success timed out")
109 dev[0].wait_connected(timeout=10, error="Roaming timed out")
111 dev[0].dump_monitor()
112 logger.info("Roam back to AP1")
113 dev[0].scan(freq="2412")
114 dev[0].request("ROAM " + bssid)
115 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
116 "CTRL-EVENT-CONNECTED"], timeout=10)
118 raise Exception("Roaming with the AP timed out")
119 if "CTRL-EVENT-EAP-STARTED" in ev:
120 raise Exception("Unexpected EAP exchange")
122 # Verify EAPOL reauthentication after PMKSA caching
123 hapd.request("EAPOL_REAUTH " + dev[0].own_addr())
124 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)
126 raise Exception("EAP authentication did not start")
127 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=5)
129 raise Exception("EAP authentication did not succeed")
131 def test_pmksa_cache_opportunistic_only_on_sta(dev, apdev):
132 """Opportunistic PMKSA caching enabled only on station"""
133 params = hostapd.wpa2_eap_params(ssid="test-pmksa-cache")
134 hostapd.add_ap(apdev[0]['ifname'], params)
135 bssid = apdev[0]['bssid']
136 dev[0].connect("test-pmksa-cache", proto="RSN", key_mgmt="WPA-EAP",
137 eap="GPSK", identity="gpsk user",
138 password="abcdefghijklmnop0123456789abcdef", okc=True,
140 pmksa = dev[0].get_pmksa(bssid)
142 raise Exception("No PMKSA cache entry created")
143 if pmksa['opportunistic'] != '0':
144 raise Exception("Unexpected opportunistic PMKSA cache entry")
146 hostapd.add_ap(apdev[1]['ifname'], params)
147 bssid2 = apdev[1]['bssid']
149 dev[0].dump_monitor()
150 logger.info("Roam to AP2")
151 dev[0].scan(freq="2412")
152 dev[0].request("ROAM " + bssid2)
153 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
155 raise Exception("EAP success timed out")
156 dev[0].wait_connected(timeout=10, error="Roaming timed out")
157 pmksa2 = dev[0].get_pmksa(bssid2)
159 raise Exception("No PMKSA cache entry found")
160 if pmksa2['opportunistic'] != '0':
161 raise Exception("Unexpected opportunistic PMKSA cache entry")
163 dev[0].dump_monitor()
164 logger.info("Roam back to AP1")
165 dev[0].scan(freq="2412")
166 dev[0].request("ROAM " + bssid)
167 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
168 "CTRL-EVENT-CONNECTED"], timeout=10)
170 raise Exception("Roaming with the AP timed out")
171 if "CTRL-EVENT-EAP-STARTED" in ev:
172 raise Exception("Unexpected EAP exchange")
173 pmksa1b = dev[0].get_pmksa(bssid)
175 raise Exception("No PMKSA cache entry found")
176 if pmksa['pmkid'] != pmksa1b['pmkid']:
177 raise Exception("Unexpected PMKID change for AP1")
179 def test_pmksa_cache_opportunistic(dev, apdev):
180 """Opportunistic PMKSA caching"""
181 params = hostapd.wpa2_eap_params(ssid="test-pmksa-cache")
183 hostapd.add_ap(apdev[0]['ifname'], params)
184 bssid = apdev[0]['bssid']
185 dev[0].connect("test-pmksa-cache", proto="RSN", key_mgmt="WPA-EAP",
186 eap="GPSK", identity="gpsk user",
187 password="abcdefghijklmnop0123456789abcdef", okc=True,
189 pmksa = dev[0].get_pmksa(bssid)
191 raise Exception("No PMKSA cache entry created")
192 if pmksa['opportunistic'] != '0':
193 raise Exception("Unexpected opportunistic PMKSA cache entry")
195 hostapd.add_ap(apdev[1]['ifname'], params)
196 bssid2 = apdev[1]['bssid']
198 dev[0].dump_monitor()
199 logger.info("Roam to AP2")
200 dev[0].scan(freq="2412")
201 dev[0].request("ROAM " + bssid2)
202 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
203 "CTRL-EVENT-CONNECTED"], timeout=10)
205 raise Exception("Roaming with the AP timed out")
206 if "CTRL-EVENT-EAP-STARTED" in ev:
207 raise Exception("Unexpected EAP exchange")
208 pmksa2 = dev[0].get_pmksa(bssid2)
210 raise Exception("No PMKSA cache entry created")
212 dev[0].dump_monitor()
213 logger.info("Roam back to AP1")
214 dev[0].scan(freq="2412")
215 dev[0].request("ROAM " + bssid)
216 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
217 "CTRL-EVENT-CONNECTED"], timeout=10)
219 raise Exception("Roaming with the AP timed out")
220 if "CTRL-EVENT-EAP-STARTED" in ev:
221 raise Exception("Unexpected EAP exchange")
223 pmksa1b = dev[0].get_pmksa(bssid)
225 raise Exception("No PMKSA cache entry found")
226 if pmksa['pmkid'] != pmksa1b['pmkid']:
227 raise Exception("Unexpected PMKID change for AP1")
229 def test_pmksa_cache_opportunistic_connect(dev, apdev):
230 """Opportunistic PMKSA caching with connect API"""
231 params = hostapd.wpa2_eap_params(ssid="test-pmksa-cache")
233 hostapd.add_ap(apdev[0]['ifname'], params)
234 bssid = apdev[0]['bssid']
235 wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
236 wpas.interface_add("wlan5", drv_params="force_connect_cmd=1")
237 wpas.connect("test-pmksa-cache", proto="RSN", key_mgmt="WPA-EAP",
238 eap="GPSK", identity="gpsk user",
239 password="abcdefghijklmnop0123456789abcdef", okc=True,
241 pmksa = wpas.get_pmksa(bssid)
243 raise Exception("No PMKSA cache entry created")
244 if pmksa['opportunistic'] != '0':
245 raise Exception("Unexpected opportunistic PMKSA cache entry")
247 hostapd.add_ap(apdev[1]['ifname'], params)
248 bssid2 = apdev[1]['bssid']
251 logger.info("Roam to AP2")
252 wpas.scan_for_bss(bssid2, freq="2412")
253 wpas.request("ROAM " + bssid2)
254 ev = wpas.wait_event(["CTRL-EVENT-EAP-STARTED",
255 "CTRL-EVENT-CONNECTED"], timeout=10)
257 raise Exception("Roaming with the AP timed out")
258 if "CTRL-EVENT-EAP-STARTED" in ev:
259 raise Exception("Unexpected EAP exchange")
260 pmksa2 = wpas.get_pmksa(bssid2)
262 raise Exception("No PMKSA cache entry created")
265 logger.info("Roam back to AP1")
266 wpas.scan(freq="2412")
267 wpas.request("ROAM " + bssid)
268 ev = wpas.wait_event(["CTRL-EVENT-EAP-STARTED",
269 "CTRL-EVENT-CONNECTED"], timeout=10)
271 raise Exception("Roaming with the AP timed out")
272 if "CTRL-EVENT-EAP-STARTED" in ev:
273 raise Exception("Unexpected EAP exchange")
275 pmksa1b = wpas.get_pmksa(bssid)
277 raise Exception("No PMKSA cache entry found")
278 if pmksa['pmkid'] != pmksa1b['pmkid']:
279 raise Exception("Unexpected PMKID change for AP1")
281 def test_pmksa_cache_expiration(dev, apdev):
282 """PMKSA cache entry expiration"""
283 params = hostapd.wpa2_eap_params(ssid="test-pmksa-cache")
284 hostapd.add_ap(apdev[0]['ifname'], params)
285 bssid = apdev[0]['bssid']
286 dev[0].request("SET dot11RSNAConfigPMKLifetime 10")
287 dev[0].connect("test-pmksa-cache", proto="RSN", key_mgmt="WPA-EAP",
288 eap="GPSK", identity="gpsk user",
289 password="abcdefghijklmnop0123456789abcdef",
291 pmksa = dev[0].get_pmksa(bssid)
293 raise Exception("No PMKSA cache entry created")
294 logger.info("Wait for PMKSA cache entry to expire")
295 ev = dev[0].wait_event(["WPA: Key negotiation completed",
296 "CTRL-EVENT-DISCONNECTED"], timeout=15)
298 raise Exception("No EAP reauthentication seen")
299 if "CTRL-EVENT-DISCONNECTED" in ev:
300 raise Exception("Unexpected disconnection")
301 pmksa2 = dev[0].get_pmksa(bssid)
302 if pmksa['pmkid'] == pmksa2['pmkid']:
303 raise Exception("PMKID did not change")
305 def test_pmksa_cache_expiration_disconnect(dev, apdev):
306 """PMKSA cache entry expiration (disconnect)"""
307 params = hostapd.wpa2_eap_params(ssid="test-pmksa-cache")
308 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
309 bssid = apdev[0]['bssid']
310 dev[0].request("SET dot11RSNAConfigPMKLifetime 2")
311 dev[0].request("SET dot11RSNAConfigPMKReauthThreshold 100")
312 dev[0].connect("test-pmksa-cache", proto="RSN", key_mgmt="WPA-EAP",
313 eap="GPSK", identity="gpsk user",
314 password="abcdefghijklmnop0123456789abcdef",
316 pmksa = dev[0].get_pmksa(bssid)
318 raise Exception("No PMKSA cache entry created")
319 hapd.request("SET auth_server_shared_secret incorrect")
320 logger.info("Wait for PMKSA cache entry to expire")
321 ev = dev[0].wait_event(["WPA: Key negotiation completed",
322 "CTRL-EVENT-DISCONNECTED"], timeout=15)
324 raise Exception("No EAP reauthentication seen")
325 if "CTRL-EVENT-DISCONNECTED" not in ev:
326 raise Exception("Missing disconnection")
327 hapd.request("SET auth_server_shared_secret radius")
328 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=15)
330 raise Exception("No EAP reauthentication seen")
331 pmksa2 = dev[0].get_pmksa(bssid)
332 if pmksa['pmkid'] == pmksa2['pmkid']:
333 raise Exception("PMKID did not change")
335 def test_pmksa_cache_and_cui(dev, apdev):
336 """PMKSA cache and Chargeable-User-Identity"""
337 params = hostapd.wpa2_eap_params(ssid="cui")
338 params['radius_request_cui'] = '1'
339 params['acct_server_addr'] = "127.0.0.1"
340 params['acct_server_port'] = "1813"
341 params['acct_server_shared_secret'] = "radius"
342 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
343 bssid = apdev[0]['bssid']
344 dev[0].connect("cui", proto="RSN", key_mgmt="WPA-EAP",
345 eap="GPSK", identity="gpsk-cui",
346 password="abcdefghijklmnop0123456789abcdef",
348 pmksa = dev[0].get_pmksa(bssid)
350 raise Exception("No PMKSA cache entry created")
351 ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
353 raise Exception("No connection event received from hostapd")
355 dev[0].dump_monitor()
356 logger.info("Disconnect and reconnect to the same AP")
357 dev[0].request("DISCONNECT")
358 dev[0].wait_disconnected()
359 dev[0].request("RECONNECT")
360 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
361 "CTRL-EVENT-CONNECTED"], timeout=10)
363 raise Exception("Reconnect timed out")
364 if "CTRL-EVENT-EAP-STARTED" in ev:
365 raise Exception("Unexpected EAP exchange")
366 pmksa1b = dev[0].get_pmksa(bssid)
368 raise Exception("No PMKSA cache entry found")
369 if pmksa['pmkid'] != pmksa1b['pmkid']:
370 raise Exception("Unexpected PMKID change for AP1")
372 dev[0].request("REAUTHENTICATE")
373 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
375 raise Exception("EAP success timed out")
376 for i in range(0, 20):
377 state = dev[0].get_status_field("wpa_state")
378 if state == "COMPLETED":
381 if state != "COMPLETED":
382 raise Exception("Reauthentication did not complete")
384 def test_pmksa_cache_preauth(dev, apdev):
385 """RSN pre-authentication to generate PMKSA cache entry"""
387 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
388 params['bridge'] = 'ap-br0'
389 hostapd.add_ap(apdev[0]['ifname'], params)
390 subprocess.call(['brctl', 'setfd', 'ap-br0', '0'])
391 subprocess.call(['ip', 'link', 'set', 'dev', 'ap-br0', 'up'])
392 eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
393 password_hex="0123456789abcdef0123456789abcdef")
395 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
396 params['bridge'] = 'ap-br0'
397 params['rsn_preauth'] = '1'
398 params['rsn_preauth_interfaces'] = 'ap-br0'
399 hostapd.add_ap(apdev[1]['ifname'], params)
400 bssid1 = apdev[1]['bssid']
401 dev[0].scan(freq="2412")
404 for i in range(0, 50):
406 status = dev[0].request("STATUS")
407 if "Pre-authentication EAPOL state machines:" in status:
410 pmksa = dev[0].get_pmksa(bssid1)
415 raise Exception("No PMKSA cache entry created from pre-authentication")
417 raise Exception("Pre-authentication EAPOL status was not available")
419 dev[0].scan(freq="2412")
420 if "[WPA2-EAP-CCMP-preauth]" not in dev[0].request("SCAN_RESULTS"):
421 raise Exception("Scan results missing RSN element info")
422 dev[0].request("ROAM " + bssid1)
423 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
424 "CTRL-EVENT-CONNECTED"], timeout=10)
426 raise Exception("Roaming with the AP timed out")
427 if "CTRL-EVENT-EAP-STARTED" in ev:
428 raise Exception("Unexpected EAP exchange")
429 pmksa2 = dev[0].get_pmksa(bssid1)
431 raise Exception("No PMKSA cache entry")
432 if pmksa['pmkid'] != pmksa2['pmkid']:
433 raise Exception("Unexpected PMKID change")
436 subprocess.call(['ip', 'link', 'set', 'dev', 'ap-br0', 'down'])
437 subprocess.call(['brctl', 'delbr', 'ap-br0'])
439 def test_pmksa_cache_preauth_vlan_enabled(dev, apdev):
440 """RSN pre-authentication to generate PMKSA cache entry (dynamic_vlan optional but station without VLAN set)"""
442 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
443 params['bridge'] = 'ap-br0'
444 params['dynamic_vlan'] = '1'
445 hostapd.add_ap(apdev[0]['ifname'], params)
446 subprocess.call(['brctl', 'setfd', 'ap-br0', '0'])
447 subprocess.call(['ip', 'link', 'set', 'dev', 'ap-br0', 'up'])
448 eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
449 password_hex="0123456789abcdef0123456789abcdef")
451 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
452 params['bridge'] = 'ap-br0'
453 params['rsn_preauth'] = '1'
454 params['rsn_preauth_interfaces'] = 'ap-br0'
455 params['dynamic_vlan'] = '1'
456 hostapd.add_ap(apdev[1]['ifname'], params)
457 bssid1 = apdev[1]['bssid']
458 dev[0].scan(freq="2412")
461 for i in range(0, 50):
463 status = dev[0].request("STATUS")
464 if "Pre-authentication EAPOL state machines:" in status:
467 pmksa = dev[0].get_pmksa(bssid1)
472 raise Exception("No PMKSA cache entry created from pre-authentication")
474 raise Exception("Pre-authentication EAPOL status was not available")
476 dev[0].scan(freq="2412")
477 if "[WPA2-EAP-CCMP-preauth]" not in dev[0].request("SCAN_RESULTS"):
478 raise Exception("Scan results missing RSN element info")
479 dev[0].request("ROAM " + bssid1)
480 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
481 "CTRL-EVENT-CONNECTED"], timeout=10)
483 raise Exception("Roaming with the AP timed out")
484 if "CTRL-EVENT-EAP-STARTED" in ev:
485 raise Exception("Unexpected EAP exchange")
486 pmksa2 = dev[0].get_pmksa(bssid1)
488 raise Exception("No PMKSA cache entry")
489 if pmksa['pmkid'] != pmksa2['pmkid']:
490 raise Exception("Unexpected PMKID change")
493 subprocess.call(['ip', 'link', 'set', 'dev', 'ap-br0', 'down'])
494 subprocess.call(['brctl', 'delbr', 'ap-br0'])
496 def test_pmksa_cache_preauth_vlan_used(dev, apdev):
497 """RSN pre-authentication to generate PMKSA cache entry (station with VLAN set)"""
499 subprocess.call(['brctl', 'addbr', 'brvlan1'])
500 subprocess.call(['brctl', 'setfd', 'brvlan1', '0'])
501 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
502 params['bridge'] = 'ap-br0'
503 params['dynamic_vlan'] = '1'
504 params['vlan_file'] = 'hostapd.wlan3.vlan'
505 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
506 subprocess.call(['brctl', 'setfd', 'ap-br0', '0'])
507 subprocess.call(['ip', 'link', 'set', 'dev', 'ap-br0', 'up'])
508 eap_connect(dev[0], apdev[0], "PAX", "vlan1",
509 password_hex="0123456789abcdef0123456789abcdef")
511 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
512 params['bridge'] = 'ap-br0'
513 params['rsn_preauth'] = '1'
514 params['rsn_preauth_interfaces'] = 'brvlan1'
515 params['dynamic_vlan'] = '1'
516 params['vlan_file'] = 'hostapd.wlan4.vlan'
517 hostapd.add_ap(apdev[1]['ifname'], params)
518 bssid1 = apdev[1]['bssid']
519 dev[0].scan(freq="2412")
522 for i in range(0, 50):
524 status = dev[0].request("STATUS")
525 if "Pre-authentication EAPOL state machines:" in status:
528 pmksa = dev[0].get_pmksa(bssid1)
533 raise Exception("No PMKSA cache entry created from pre-authentication")
535 raise Exception("Pre-authentication EAPOL status was not available")
537 dev[0].scan(freq="2412")
538 if "[WPA2-EAP-CCMP-preauth]" not in dev[0].request("SCAN_RESULTS"):
539 raise Exception("Scan results missing RSN element info")
540 dev[0].request("ROAM " + bssid1)
541 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
542 "CTRL-EVENT-CONNECTED"], timeout=10)
544 raise Exception("Roaming with the AP timed out")
545 if "CTRL-EVENT-EAP-STARTED" in ev:
546 raise Exception("Unexpected EAP exchange")
547 pmksa2 = dev[0].get_pmksa(bssid1)
549 raise Exception("No PMKSA cache entry")
550 if pmksa['pmkid'] != pmksa2['pmkid']:
551 raise Exception("Unexpected PMKID change")
553 # Disconnect the STA from both APs to avoid forceful ifdown by the
554 # test script on a VLAN that this has an associated STA. That used to
555 # trigger a mac80211 warning.
556 dev[0].request("DISCONNECT")
557 hapd.request("DISABLE")
560 subprocess.call(['ip', 'link', 'set', 'dev', 'ap-br0', 'down'],
561 stderr=open('/dev/null', 'w'))
562 subprocess.call(['ip', 'link', 'set', 'dev', 'brvlan1', 'down'])
563 subprocess.call(['ip', 'link', 'set', 'dev', 'wlan3.1', 'down'],
564 stderr=open('/dev/null', 'w'))
565 subprocess.call(['ip', 'link', 'set', 'dev', 'wlan4.1', 'down'],
566 stderr=open('/dev/null', 'w'))
567 subprocess.call(['brctl', 'delif', 'brvlan1', 'wlan3.1'],
568 stderr=open('/dev/null', 'w'))
569 subprocess.call(['brctl', 'delif', 'brvlan1', 'wlan4.1'],
570 stderr=open('/dev/null', 'w'))
571 subprocess.call(['brctl', 'delbr', 'ap-br0'],
572 stderr=open('/dev/null', 'w'))
573 subprocess.call(['brctl', 'delbr', 'brvlan1'])
575 def test_pmksa_cache_disabled(dev, apdev):
576 """PMKSA cache disabling on AP"""
577 params = hostapd.wpa2_eap_params(ssid="test-pmksa-cache")
578 params['disable_pmksa_caching'] = '1'
579 hostapd.add_ap(apdev[0]['ifname'], params)
580 bssid = apdev[0]['bssid']
581 dev[0].connect("test-pmksa-cache", proto="RSN", key_mgmt="WPA-EAP",
582 eap="GPSK", identity="gpsk user",
583 password="abcdefghijklmnop0123456789abcdef",
586 hostapd.add_ap(apdev[1]['ifname'], params)
587 bssid2 = apdev[1]['bssid']
589 dev[0].dump_monitor()
590 logger.info("Roam to AP2")
591 dev[0].scan_for_bss(bssid2, freq="2412")
592 dev[0].request("ROAM " + bssid2)
593 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
595 raise Exception("EAP success timed out")
596 dev[0].wait_connected(timeout=10, error="Roaming timed out")
598 dev[0].dump_monitor()
599 logger.info("Roam back to AP1")
600 dev[0].scan(freq="2412")
601 dev[0].request("ROAM " + bssid)
602 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
603 "CTRL-EVENT-CONNECTED"], timeout=20)
605 raise Exception("Roaming with the AP timed out")
606 if "CTRL-EVENT-CONNECTED" in ev:
607 raise Exception("EAP exchange missing")
608 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=20)
610 raise Exception("Roaming with the AP timed out")
612 def test_pmksa_cache_ap_expiration(dev, apdev):
613 """PMKSA cache entry expiring on AP"""
614 params = hostapd.wpa2_eap_params(ssid="test-pmksa-cache")
615 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
616 bssid = apdev[0]['bssid']
617 dev[0].connect("test-pmksa-cache", proto="RSN", key_mgmt="WPA-EAP",
618 eap="GPSK", identity="gpsk-user-session-timeout",
619 password="abcdefghijklmnop0123456789abcdef",
621 ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
623 raise Exception("No connection event received from hostapd")
624 dev[0].request("DISCONNECT")
626 dev[0].dump_monitor()
627 dev[0].request("RECONNECT")
628 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
629 "CTRL-EVENT-CONNECTED"], timeout=20)
631 raise Exception("Roaming with the AP timed out")
632 if "CTRL-EVENT-CONNECTED" in ev:
633 raise Exception("EAP exchange missing")
634 dev[0].wait_connected(timeout=20, error="Reconnect timed out")
635 dev[0].dump_monitor()
636 dev[0].wait_disconnected(timeout=20)
637 dev[0].wait_connected(timeout=20, error="Reassociation timed out")
639 def test_pmksa_cache_multiple_sta(dev, apdev):
640 """PMKSA cache with multiple stations"""
641 params = hostapd.wpa2_eap_params(ssid="test-pmksa-cache")
642 hostapd.add_ap(apdev[0]['ifname'], params)
643 bssid = apdev[0]['bssid']
644 dev[0].connect("test-pmksa-cache", proto="RSN", key_mgmt="WPA-EAP",
645 eap="GPSK", identity="gpsk-user-session-timeout",
646 password="abcdefghijklmnop0123456789abcdef",
648 dev[1].connect("test-pmksa-cache", proto="RSN", key_mgmt="WPA-EAP",
649 eap="GPSK", identity="gpsk user",
650 password="abcdefghijklmnop0123456789abcdef",
652 dev[2].connect("test-pmksa-cache", proto="RSN", key_mgmt="WPA-EAP",
653 eap="GPSK", identity="gpsk-user-session-timeout",
654 password="abcdefghijklmnop0123456789abcdef",
657 wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
658 wpas.interface_add("wlan5")
659 wpas.connect("test-pmksa-cache", proto="RSN", key_mgmt="WPA-EAP",
660 eap="GPSK", identity="gpsk user",
661 password="abcdefghijklmnop0123456789abcdef",
664 hostapd.add_ap(apdev[1]['ifname'], params)
665 bssid2 = apdev[1]['bssid']
667 logger.info("Roam to AP2")
668 for sta in [ dev[1], dev[0], dev[2], wpas ]:
670 sta.scan_for_bss(bssid2, freq="2412")
671 sta.request("ROAM " + bssid2)
672 ev = sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
674 raise Exception("EAP success timed out")
675 sta.wait_connected(timeout=10, error="Roaming timed out")
677 logger.info("Roam back to AP1")
678 for sta in [ dev[1], wpas, dev[0], dev[2] ]:
680 sta.scan(freq="2412")
682 sta.request("ROAM " + bssid)
683 sta.wait_connected(timeout=10, error="Roaming timed out")
688 logger.info("Roam back to AP2")
689 for sta in [ dev[1], wpas, dev[0], dev[2] ]:
691 sta.scan(freq="2412")
693 sta.request("ROAM " + bssid2)
694 sta.wait_connected(timeout=10, error="Roaming timed out")
697 def test_pmksa_cache_opportunistic_multiple_sta(dev, apdev):
698 """Opportunistic PMKSA caching with multiple stations"""
699 params = hostapd.wpa2_eap_params(ssid="test-pmksa-cache")
701 hostapd.add_ap(apdev[0]['ifname'], params)
702 bssid = apdev[0]['bssid']
703 wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
704 wpas.interface_add("wlan5")
705 for sta in [ dev[0], dev[1], dev[2], wpas ]:
706 sta.connect("test-pmksa-cache", proto="RSN", key_mgmt="WPA-EAP",
707 eap="GPSK", identity="gpsk user",
708 password="abcdefghijklmnop0123456789abcdef", okc=True,
711 hostapd.add_ap(apdev[1]['ifname'], params)
712 bssid2 = apdev[1]['bssid']
714 logger.info("Roam to AP2")
715 for sta in [ dev[2], dev[0], wpas, dev[1] ]:
717 sta.scan_for_bss(bssid2, freq="2412")
718 if "OK" not in sta.request("ROAM " + bssid2):
719 raise Exception("ROAM command failed")
720 ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED",
721 "CTRL-EVENT-CONNECTED"], timeout=10)
723 raise Exception("Roaming with the AP timed out")
724 if "CTRL-EVENT-EAP-STARTED" in ev:
725 raise Exception("Unexpected EAP exchange")
726 pmksa2 = sta.get_pmksa(bssid2)
728 raise Exception("No PMKSA cache entry created")
730 logger.info("Roam back to AP1")
731 for sta in [ dev[0], dev[1], dev[2], wpas ]:
733 sta.scan_for_bss(bssid, freq="2412")
734 sta.request("ROAM " + bssid)
735 ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED",
736 "CTRL-EVENT-CONNECTED"], timeout=10)
738 raise Exception("Roaming with the AP timed out")
739 if "CTRL-EVENT-EAP-STARTED" in ev:
740 raise Exception("Unexpected EAP exchange")
742 def test_pmksa_cache_preauth_oom(dev, apdev):
743 """RSN pre-authentication to generate PMKSA cache entry and OOM"""
745 _test_pmksa_cache_preauth_oom(dev, apdev)
747 subprocess.call(['ip', 'link', 'set', 'dev', 'ap-br0', 'down'])
748 subprocess.call(['brctl', 'delbr', 'ap-br0'])
750 def _test_pmksa_cache_preauth_oom(dev, apdev):
751 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
752 params['bridge'] = 'ap-br0'
753 hostapd.add_ap(apdev[0]['ifname'], params)
754 subprocess.call(['brctl', 'setfd', 'ap-br0', '0'])
755 subprocess.call(['ip', 'link', 'set', 'dev', 'ap-br0', 'up'])
756 eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
757 password_hex="0123456789abcdef0123456789abcdef",
758 bssid=apdev[0]['bssid'])
760 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
761 params['bridge'] = 'ap-br0'
762 params['rsn_preauth'] = '1'
763 params['rsn_preauth_interfaces'] = 'ap-br0'
764 hapd = hostapd.add_ap(apdev[1]['ifname'], params)
765 bssid1 = apdev[1]['bssid']
767 tests = [ (1, "rsn_preauth_receive"),
768 (2, "rsn_preauth_receive"),
769 (1, "rsn_preauth_send") ]
771 with alloc_fail(hapd, test[0], test[1]):
772 dev[0].scan_for_bss(bssid1, freq="2412")
773 if "OK" not in dev[0].request("PREAUTH " + bssid1):
774 raise Exception("PREAUTH failed")
780 pmksa = dev[0].get_pmksa(bssid1)
784 state = hapd.request('GET_ALLOC_FAIL')
785 if state.startswith('0:'):
789 logger.info("PMKSA cache success: " + str(success))
791 dev[0].request("PMKSA_FLUSH")
792 dev[0].wait_disconnected()
793 dev[0].wait_connected()
794 dev[0].dump_monitor()
796 def test_pmksa_cache_size_limit(dev, apdev):
797 """PMKSA cache size limit in wpa_supplicant"""
799 _test_pmksa_cache_size_limit(dev, apdev)
802 hapd = hostapd.HostapdGlobal()
804 hapd.remove(apdev[0]['ifname'])
807 params = hostapd.wpa2_eap_params(ssid="test-pmksa-cache")
808 bssid = apdev[0]['bssid']
809 params['bssid'] = bssid
810 hostapd.add_ap(apdev[0]['ifname'], params)
812 def _test_pmksa_cache_size_limit(dev, apdev):
813 params = hostapd.wpa2_eap_params(ssid="test-pmksa-cache")
814 id = dev[0].connect("test-pmksa-cache", proto="RSN", key_mgmt="WPA-EAP",
815 eap="GPSK", identity="gpsk user",
816 password="abcdefghijklmnop0123456789abcdef",
817 scan_freq="2412", only_add_network=True)
819 bssid = apdev[0]['bssid'][0:15] + "%02x" % i
820 logger.info("Iteration with BSSID " + bssid)
821 params['bssid'] = bssid
822 hostapd.add_ap(apdev[0]['ifname'], params)
823 dev[0].request("BSS_FLUSH 0")
824 dev[0].scan_for_bss(bssid, freq=2412, only_new=True)
825 dev[0].select_network(id)
826 dev[0].wait_connected()
827 dev[0].request("DISCONNECT")
828 dev[0].wait_disconnected()
829 dev[0].dump_monitor()
830 entries = len(dev[0].request("PMKSA").splitlines()) - 1
833 raise Exception("Unexpected number of PMKSA entries after expected removal of the oldest entry")
834 elif i + 1 != entries:
835 raise Exception("Unexpected number of PMKSA entries")
837 hapd = hostapd.HostapdGlobal()
839 hapd.remove(apdev[0]['ifname'])
841 def test_pmksa_cache_preauth_timeout(dev, apdev):
842 """RSN pre-authentication timing out"""
844 _test_pmksa_cache_preauth_timeout(dev, apdev)
846 dev[0].request("SET dot11RSNAConfigSATimeout 60")
848 def _test_pmksa_cache_preauth_timeout(dev, apdev):
849 dev[0].request("SET dot11RSNAConfigSATimeout 1")
850 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
851 hostapd.add_ap(apdev[0]['ifname'], params)
852 eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
853 password_hex="0123456789abcdef0123456789abcdef",
854 bssid=apdev[0]['bssid'])
855 if "OK" not in dev[0].request("PREAUTH f2:11:22:33:44:55"):
856 raise Exception("PREAUTH failed")
857 ev = dev[0].wait_event(["RSN: pre-authentication with"], timeout=5)
859 raise Exception("No timeout event seen")
860 if "timed out" not in ev:
861 raise Exception("Unexpected event: " + ev)
863 def test_pmksa_cache_preauth_wpas_oom(dev, apdev):
864 """RSN pre-authentication OOM in wpa_supplicant"""
865 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
866 hostapd.add_ap(apdev[0]['ifname'], params)
867 eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
868 password_hex="0123456789abcdef0123456789abcdef",
869 bssid=apdev[0]['bssid'])
870 for i in range(1, 11):
871 with alloc_fail(dev[0], i, "rsn_preauth_init"):
872 res = dev[0].request("PREAUTH f2:11:22:33:44:55").strip()
873 logger.info("Iteration %d - PREAUTH command results: %s" % (i, res))
875 state = dev[0].request('GET_ALLOC_FAIL')
876 if state.startswith('0:'):