Home Explore Help
Register Sign In
wareck
/
krackattacks
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: af0c6e09e6
Branches Tags
krackattacks
/
tests
/
hwsim
/
test_owe.py

test_owe.py 13 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345 
  1. # Test cases for Opportunistic Wireless Encryption (OWE)
    2. 

  2. # Copyright (c) 2017, Jouni Malinen <j@w1.fi>
    3. 

  3. #
    4. 

  4. # This software may be distributed under the terms of the BSD license.
    5. 

  5. # See README for more details.
    6. 

  6. 

  7. import logging
    8. 

  8. logger = logging.getLogger()
    9. 

  9. import time
    10. 

  10. 

  11. import hostapd
    12. 

  12. from wpasupplicant import WpaSupplicant
    13. 

  13. import hwsim_utils
    14. 

  14. from utils import HwsimSkip
    15. 

  15. 

  16. def test_owe(dev, apdev):
    17. 

  17.     """Opportunistic Wireless Encryption"""
    18. 

  18.     if "OWE" not in dev[0].get_capability("key_mgmt"):
    19. 

  19.         raise HwsimSkip("OWE not supported")
    20. 

  20.     params = { "ssid": "owe",
    21. 

  21.                "wpa": "2",
    22. 

  22.                "wpa_key_mgmt": "OWE",
    23. 

  23.                "rsn_pairwise": "CCMP" }
    24. 

  24.     hapd = hostapd.add_ap(apdev[0], params)
    25. 

  25.     bssid = hapd.own_addr()
    26. 

  26. 

  27.     dev[0].scan_for_bss(bssid, freq="2412")
    28. 

  28.     bss = dev[0].get_bss(bssid)
    29. 

  29.     if "[WPA2-OWE-CCMP]" not in bss['flags']:
    30. 

  30.         raise Exception("OWE AKM not recognized: " + bss['flags'])
    31. 

  31. 

  32.     dev[0].connect("owe", key_mgmt="OWE")
    33. 

  33.     hwsim_utils.test_connectivity(dev[0], hapd)
    34. 

  34.     val = dev[0].get_status_field("key_mgmt")
    35. 

  35.     if val != "OWE":
    36. 

  36.         raise Exception("Unexpected key_mgmt: " + val)
    37. 

  37. 

  38. def test_owe_groups(dev, apdev):
    39. 

  39.     """Opportunistic Wireless Encryption - DH groups"""
    40. 

  40.     if "OWE" not in dev[0].get_capability("key_mgmt"):
    41. 

  41.         raise HwsimSkip("OWE not supported")
    42. 

  42.     params = { "ssid": "owe",
    43. 

  43.                "wpa": "2",
    44. 

  44.                "wpa_key_mgmt": "OWE",
    45. 

  45.                "rsn_pairwise": "CCMP" }
    46. 

  46.     hapd = hostapd.add_ap(apdev[0], params)
    47. 

  47.     bssid = hapd.own_addr()
    48. 

  48. 

  49.     dev[0].scan_for_bss(bssid, freq="2412")
    50. 

  50.     for group in [ 19, 20, 21 ]:
    51. 

  51.         dev[0].connect("owe", key_mgmt="OWE", owe_group=str(group))
    52. 

  52.         hwsim_utils.test_connectivity(dev[0], hapd)
    53. 

  53.         dev[0].request("REMOVE_NETWORK all")
    54. 

  54.         dev[0].wait_disconnected()
    55. 

  55.         dev[0].dump_monitor()
    56. 

  56. 

  57. def test_owe_pmksa_caching(dev, apdev):
    58. 

  58.     """Opportunistic Wireless Encryption and PMKSA caching"""
    59. 

  59.     run_owe_pmksa_caching(dev, apdev)
    60. 

  60. 

  61. def test_owe_pmksa_caching_connect_cmd(dev, apdev):
    62. 

  62.     """Opportunistic Wireless Encryption and PMKSA caching using cfg80211 connect command"""
    63. 

  63.     wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
    64. 

  64.     wpas.interface_add("wlan5", drv_params="force_connect_cmd=1")
    65. 

  65.     run_owe_pmksa_caching([ wpas ], apdev)
    66. 

  66. 

  67. def run_owe_pmksa_caching(dev, apdev):
    68. 

  68.     if "OWE" not in dev[0].get_capability("key_mgmt"):
    69. 

  69.         raise HwsimSkip("OWE not supported")
    70. 

  70.     params = { "ssid": "owe",
    71. 

  71.                "wpa": "2",
    72. 

  72.                "wpa_key_mgmt": "OWE",
    73. 

  73.                "rsn_pairwise": "CCMP" }
    74. 

  74.     hapd = hostapd.add_ap(apdev[0], params)
    75. 

  75.     bssid = hapd.own_addr()
    76. 

  76. 

  77.     dev[0].scan_for_bss(bssid, freq="2412")
    78. 

  78.     id = dev[0].connect("owe", key_mgmt="OWE")
    79. 

  79.     hwsim_utils.test_connectivity(dev[0], hapd)
    80. 

  80.     pmksa = dev[0].get_pmksa(bssid)
    81. 

  81.     dev[0].request("DISCONNECT")
    82. 

  82.     dev[0].wait_disconnected()
    83. 

  83.     dev[0].dump_monitor()
    84. 

  84. 

  85.     dev[0].select_network(id, 2412)
    86. 

  86.     dev[0].wait_connected()
    87. 

  87.     hwsim_utils.test_connectivity(dev[0], hapd)
    88. 

  88.     pmksa2 = dev[0].get_pmksa(bssid)
    89. 

  89.     dev[0].request("DISCONNECT")
    90. 

  90.     dev[0].wait_disconnected()
    91. 

  91.     dev[0].dump_monitor()
    92. 

  92. 

  93.     if "OK" not in hapd.request("PMKSA_FLUSH"):
    94. 

  94.         raise Exception("PMKSA_FLUSH failed")
    95. 

  95. 

  96.     dev[0].select_network(id, 2412)
    97. 

  97.     dev[0].wait_connected()
    98. 

  98.     hwsim_utils.test_connectivity(dev[0], hapd)
    99. 

  99.     pmksa3 = dev[0].get_pmksa(bssid)
    100. 

  100.     dev[0].request("DISCONNECT")
    101. 

  101.     dev[0].wait_disconnected()
    102. 

  102.     dev[0].dump_monitor()
    103. 

  103. 

  104.     if pmksa is None or pmksa2 is None or pmksa3 is None:
    105. 

  105.         raise Exception("PMKSA entry missing")
    106. 

  106.     if pmksa['pmkid'] != pmksa2['pmkid']:
    107. 

  107.         raise Exception("Unexpected PMKID change when using PMKSA caching")
    108. 

  108.     if pmksa['pmkid'] == pmksa3['pmkid']:
    109. 

  109.         raise Exception("PMKID did not change after PMKSA cache flush")
    110. 

  110. 

  111. def test_owe_and_psk(dev, apdev):
    112. 

  112.     """Opportunistic Wireless Encryption and WPA2-PSK enabled"""
    113. 

  113.     if "OWE" not in dev[0].get_capability("key_mgmt"):
    114. 

  114.         raise HwsimSkip("OWE not supported")
    115. 

  115.     params = { "ssid": "owe+psk",
    116. 

  116.                "wpa": "2",
    117. 

  117.                "wpa_key_mgmt": "OWE WPA-PSK",
    118. 

  118.                "rsn_pairwise": "CCMP",
    119. 

  119.                "wpa_passphrase": "12345678" }
    120. 

  120.     hapd = hostapd.add_ap(apdev[0], params)
    121. 

  121.     bssid = hapd.own_addr()
    122. 

  122. 

  123.     dev[0].scan_for_bss(bssid, freq="2412")
    124. 

  124.     dev[0].connect("owe+psk", psk="12345678")
    125. 

  125.     hwsim_utils.test_connectivity(dev[0], hapd)
    126. 

  126. 

  127.     dev[1].scan_for_bss(bssid, freq="2412")
    128. 

  128.     dev[1].connect("owe+psk", key_mgmt="OWE")
    129. 

  129.     hwsim_utils.test_connectivity(dev[1], hapd)
    130. 

  130. 

  131. def test_owe_transition_mode(dev, apdev):
    132. 

  132.     """Opportunistic Wireless Encryption transition mode"""
    133. 

  133.     run_owe_transition_mode(dev, apdev)
    134. 

  134. 

  135. def test_owe_transition_mode_connect_cmd(dev, apdev):
    136. 

  136.     """Opportunistic Wireless Encryption transition mode using cfg80211 connect command"""
    137. 

  137.     wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
    138. 

  138.     wpas.interface_add("wlan5", drv_params="force_connect_cmd=1")
    139. 

  139.     run_owe_transition_mode([ wpas ], apdev)
    140. 

  140. 

  141. def run_owe_transition_mode(dev, apdev):
    142. 

  142.     if "OWE" not in dev[0].get_capability("key_mgmt"):
    143. 

  143.         raise HwsimSkip("OWE not supported")
    144. 

  144.     dev[0].flush_scan_cache()
    145. 

  145.     params = { "ssid": "owe-random",
    146. 

  146.                "wpa": "2",
    147. 

  147.                "wpa_key_mgmt": "OWE",
    148. 

  148.                "rsn_pairwise": "CCMP",
    149. 

  149.                "ieee80211w": "2",
    150. 

  150.                "owe_transition_bssid": apdev[1]['bssid'],
    151. 

  151.                "owe_transition_ssid": '"owe-test"',
    152. 

  152.                "ignore_broadcast_ssid": "1" }
    153. 

  153.     hapd = hostapd.add_ap(apdev[0], params)
    154. 

  154.     bssid = hapd.own_addr()
    155. 

  155. 

  156.     params = { "ssid": "owe-test",
    157. 

  157.                "owe_transition_bssid": apdev[0]['bssid'],
    158. 

  158.                "owe_transition_ssid": '"owe-random"' }
    159. 

  159.     hapd2 = hostapd.add_ap(apdev[1], params)
    160. 

  160.     bssid2 = hapd2.own_addr()
    161. 

  161. 

  162.     dev[0].scan_for_bss(bssid, freq="2412")
    163. 

  163.     dev[0].scan_for_bss(bssid2, freq="2412")
    164. 

  164. 

  165.     bss = dev[0].get_bss(bssid)
    166. 

  166.     if "[WPA2-OWE-CCMP]" not in bss['flags']:
    167. 

  167.         raise Exception("OWE AKM not recognized: " + bss['flags'])
    168. 

  168.     if "[OWE-TRANS]" not in bss['flags']:
    169. 

  169.         raise Exception("OWE transition not recognized: " + bss['flags'])
    170. 

  170. 

  171.     bss = dev[0].get_bss(bssid2)
    172. 

  172.     if "[OWE-TRANS-OPEN]" not in bss['flags']:
    173. 

  173.         raise Exception("OWE transition (open) not recognized: " + bss['flags'])
    174. 

  174. 

  175.     id = dev[0].connect("owe-test", key_mgmt="OWE", ieee80211w="2",
    176. 

  176.                         scan_freq="2412")
    177. 

  177.     hwsim_utils.test_connectivity(dev[0], hapd)
    178. 

  178.     val = dev[0].get_status_field("key_mgmt")
    179. 

  179.     if val != "OWE":
    180. 

  180.         raise Exception("Unexpected key_mgmt: " + val)
    181. 

  181. 

  182.     logger.info("Move to OWE only mode (disable transition mode)")
    183. 

  183. 

  184.     dev[0].request("DISCONNECT")
    185. 

  185.     dev[0].wait_disconnected()
    186. 

  186.     dev[0].dump_monitor()
    187. 

  187. 

  188.     hapd2.disable()
    189. 

  189.     hapd.disable()
    190. 

  190.     dev[0].flush_scan_cache()
    191. 

  191.     hapd.set("owe_transition_bssid", "00:00:00:00:00:00")
    192. 

  192.     hapd.set("ignore_broadcast_ssid", '0')
    193. 

  193.     hapd.set("ssid", 'owe-test')
    194. 

  194.     hapd.enable()
    195. 

  195. 

  196.     dev[0].scan_for_bss(bssid, freq="2412")
    197. 

  197.     dev[0].select_network(id, 2412)
    198. 

  198.     dev[0].wait_connected()
    199. 

  199.     hwsim_utils.test_connectivity(dev[0], hapd)
    200. 

  200. 

  201. def test_owe_transition_mode_open_only_ap(dev, apdev):
    202. 

  202.     """Opportunistic Wireless Encryption transition mode connect to open-only AP"""
    203. 

  203.     if "OWE" not in dev[0].get_capability("key_mgmt"):
    204. 

  204.         raise HwsimSkip("OWE not supported")
    205. 

  205.     dev[0].flush_scan_cache()
    206. 

  206.     params = { "ssid": "owe-test-open" }
    207. 

  207.     hapd = hostapd.add_ap(apdev[0], params)
    208. 

  208.     bssid = hapd.own_addr()
    209. 

  209. 

  210.     dev[0].scan_for_bss(bssid, freq="2412")
    211. 

  211. 

  212.     bss = dev[0].get_bss(bssid)
    213. 

  213. 

  214.     id = dev[0].connect("owe-test-open", key_mgmt="OWE", ieee80211w="2",
    215. 

  215.                         scan_freq="2412")
    216. 

  216.     hwsim_utils.test_connectivity(dev[0], hapd)
    217. 

  217.     val = dev[0].get_status_field("key_mgmt")
    218. 

  218.     if val != "NONE":
    219. 

  219.         raise Exception("Unexpected key_mgmt: " + val)
    220. 

  220. 

  221. def test_owe_transition_mode_multi_bss(dev, apdev):
    222. 

  222.     """Opportunistic Wireless Encryption transition mode (multi BSS)"""
    223. 

  223.     try:
    224. 

  224.         run_owe_transition_mode_multi_bss(dev, apdev)
    225. 

  225.     finally:
    226. 

  226.         dev[0].request("SCAN_INTERVAL 5")
    227. 

  227. 

  228. def run_owe_transition_mode_multi_bss(dev, apdev):
    229. 

  229.     if "OWE" not in dev[0].get_capability("key_mgmt"):
    230. 

  230.         raise HwsimSkip("OWE not supported")
    231. 

  231.     ifname1 = apdev[0]['ifname']
    232. 

  232.     ifname2 = apdev[0]['ifname'] + '-2'
    233. 

  233.     hapd1 = hostapd.add_bss(apdev[0], ifname1, 'owe-bss-1.conf')
    234. 

  234.     hapd2 = hostapd.add_bss(apdev[0], ifname2, 'owe-bss-2.conf')
    235. 

  235. 

  236.     bssid = hapd1.own_addr()
    237. 

  237.     bssid2 = hapd2.own_addr()
    238. 

  238. 

  239.     # Beaconing with the OWE Transition Mode element can start only once both
    240. 

  240.     # BSSs are enabled, so the very first Beacon frame may go out without this
    241. 

  241.     # element. Wait a bit to avoid getting incomplete scan results.
    242. 

  242.     time.sleep(0.1)
    243. 

  243. 

  244.     dev[0].request("SCAN_INTERVAL 1")
    245. 

  245.     dev[0].scan_for_bss(bssid2, freq="2412")
    246. 

  246.     dev[0].scan_for_bss(bssid, freq="2412")
    247. 

  247.     dev[0].connect("transition-mode-open", key_mgmt="OWE")
    248. 

  248.     hwsim_utils.test_connectivity(dev[0], hapd2)
    249. 

  249.     val = dev[0].get_status_field("key_mgmt")
    250. 

  250.     if val != "OWE":
    251. 

  251.         raise Exception("Unexpected key_mgmt: " + val)
    252. 

  252. 

  253. def test_owe_unsupported_group(dev, apdev):
    254. 

  254.     """Opportunistic Wireless Encryption and unsupported group"""
    255. 

  255.     try:
    256. 

  256.         run_owe_unsupported_group(dev, apdev)
    257. 

  257.     finally:
    258. 

  258.         dev[0].request("VENDOR_ELEM_REMOVE 13 *")
    259. 

  259. 

  260. def test_owe_unsupported_group_connect_cmd(dev, apdev):
    261. 

  261.     """Opportunistic Wireless Encryption and unsupported group using cfg80211 connect command"""
    262. 

  262.     try:
    263. 

  263.         wpas = None
    264. 

  264.         wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
    265. 

  265.         wpas.interface_add("wlan5", drv_params="force_connect_cmd=1")
    266. 

  266.         run_owe_unsupported_group([ wpas ], apdev)
    267. 

  267.     finally:
    268. 

  268.         if wpas:
    269. 

  269.             wpas.request("VENDOR_ELEM_REMOVE 13 *")
    270. 

  270. 

  271. def run_owe_unsupported_group(dev, apdev):
    272. 

  272.     if "OWE" not in dev[0].get_capability("key_mgmt"):
    273. 

  273.         raise HwsimSkip("OWE not supported")
    274. 

  274.     # Override OWE Dh Parameters element with a payload that uses invalid group
    275. 

  275.     # 0 (and actual group 19 data) to make the AP reject this with the specific
    276. 

  276.     # status code 77.
    277. 

  277.     dev[0].request("VENDOR_ELEM_ADD 13 ff23200000783590fb7440e03d5b3b33911f86affdcc6b4411b707846ac4ff08ddc8831ccd")
    278. 

  278. 

  279.     params = { "ssid": "owe",
    280. 

  280.                "wpa": "2",
    281. 

  281.                "wpa_key_mgmt": "OWE",
    282. 

  282.                "rsn_pairwise": "CCMP" }
    283. 

  283.     hapd = hostapd.add_ap(apdev[0], params)
    284. 

  284.     bssid = hapd.own_addr()
    285. 

  285. 

  286.     dev[0].scan_for_bss(bssid, freq="2412")
    287. 

  287.     dev[0].connect("owe", key_mgmt="OWE", wait_connect=False)
    288. 

  288.     ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"], timeout=10)
    289. 

  289.     dev[0].request("DISCONNECT")
    290. 

  290.     if ev is None:
    291. 

  291.         raise Exception("Association not rejected")
    292. 

  292.     if "status_code=77" not in ev:
    293. 

  293.         raise Exception("Unexpected rejection reason: " + ev)
    294. 

  294. 

  295. def test_owe_limited_group_set(dev, apdev):
    296. 

  296.     """Opportunistic Wireless Encryption and limited group set"""
    297. 

  297.     if "OWE" not in dev[0].get_capability("key_mgmt"):
    298. 

  298.         raise HwsimSkip("OWE not supported")
    299. 

  299.     params = { "ssid": "owe",
    300. 

  300.                "wpa": "2",
    301. 

  301.                "wpa_key_mgmt": "OWE",
    302. 

  302.                "rsn_pairwise": "CCMP",
    303. 

  303.                "owe_groups": "20 21" }
    304. 

  304.     hapd = hostapd.add_ap(apdev[0], params)
    305. 

  305.     bssid = hapd.own_addr()
    306. 

  306. 

  307.     dev[0].scan_for_bss(bssid, freq="2412")
    308. 

  308.     dev[0].connect("owe", key_mgmt="OWE", owe_group="19", wait_connect=False)
    309. 

  309.     ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"], timeout=10)
    310. 

  310.     dev[0].request("DISCONNECT")
    311. 

  311.     if ev is None:
    312. 

  312.         raise Exception("Association not rejected")
    313. 

  313.     if "status_code=77" not in ev:
    314. 

  314.         raise Exception("Unexpected rejection reason: " + ev)
    315. 

  315.     dev[0].dump_monitor()
    316. 

  316. 

  317.     for group in [ 20, 21 ]:
    318. 

  318.         dev[0].connect("owe", key_mgmt="OWE", owe_group=str(group))
    319. 

  319.         dev[0].request("REMOVE_NETWORK all")
    320. 

  320.         dev[0].wait_disconnected()
    321. 

  321.         dev[0].dump_monitor()
    322. 

  322. 

  323. def test_owe_group_negotiation(dev, apdev):
    324. 

  324.     """Opportunistic Wireless Encryption and group negotiation"""
    325. 

  325.     run_owe_group_negotiation(dev[0], apdev)
    326. 

  326. 

  327. def test_owe_group_negotiation_connect_cmd(dev, apdev):
    328. 

  328.     """Opportunistic Wireless Encryption and group negotiation (connect command)"""
    329. 

  329.     wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
    330. 

  330.     wpas.interface_add("wlan5", drv_params="force_connect_cmd=1")
    331. 

  331.     run_owe_group_negotiation(wpas, apdev)
    332. 

  332. 

  333. def run_owe_group_negotiation(dev, apdev):
    334. 

  334.     if "OWE" not in dev.get_capability("key_mgmt"):
    335. 

  335.         raise HwsimSkip("OWE not supported")
    336. 

  336.     params = { "ssid": "owe",
    337. 

  337.                "wpa": "2",
    338. 

  338.                "wpa_key_mgmt": "OWE",
    339. 

  339.                "rsn_pairwise": "CCMP",
    340. 

  340.                "owe_groups": "21" }
    341. 

  341.     hapd = hostapd.add_ap(apdev[0], params)
    342. 

  342.     bssid = hapd.own_addr()
    343. 

  343. 

  344.     dev.scan_for_bss(bssid, freq="2412")
    345. 

  345.     dev.connect("owe", key_mgmt="OWE")
    346.