This extends testing coverage to detect an issue that was fixed in
commit bf9cbb462f ("Fix writing of BIGTK in FT protocol").
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
wpa_supplicant has support for only a single FT key hierarchy and as
such, cannot use more than a single mobility domain at a time. Do not
allow FT protocol to be started if there is a request to reassociate to
a different BSS within the same ESS if that BSS is in a different
mobility domain. This results in the initial mobility domain association
being used whenever moving to another mobility domain.
While it would be possible to add support for multiple FT key hierachies
and multiple mobility domains in theory, there does not yet seem to be
sufficient justification to add the complexity needed for that due to
limited, if any, deployment of such networks. As such, it is simplest to
just prevent these attempts for now and start with a clean initial
mobility domain association.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This test cases can fail if previously executed tests leave older scan
results in cfg80211 scan table. Clear that scan table explicitly to
avoid such issues.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The test case name ap_ft_pmf_over_ds was used for two different test
cases which resulted in only one of those being used. Fix this by using
unique test case names.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Clear scan cache to avoid issues with old scan results from earlier test
cases. This caused issues like the following test case sequence failing:
rrm_beacon_req_active_ap_channels ap_ft_eap_dis_over_ds
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Dump pending monitor interface messages between each roaming step to
make the test log easier to understand and hostapd wait for the new
connection more robust by ensuring that the processed event if for the
very last reassociation. It looks like at least ap_ft_vlan_over_ds_many
could fail due to the connectivity check being started before the final
roam had been completed on the AP side even though there was an explicit
hapd2ap.wait_sta() wait before the test.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The test configures ft_r0_key_lifetime parameter, however ft_params
already contain the r0_key_lifetime. Since both options are accepted by
hostapd and set the same field, one of them gets overwritten.
As the dictionary enumeration order is not guaranteed in python, the
test may sporadically fail.
Fix that by explicitely removing the unneeded parameter.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Python enumerates dictionaries in an arbitrary order, thus the resulting
configuration file will have the parameters shuffled randomly. This may
cause the test to fail when, for example, auth_server_addr is placed
after auth_server_port. Fix this by enforcing some of the fields to be
placed before the others.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
This makes it more convenient to run tests with builds that disable
TKIP/WPA(v1) support completely.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This is in preparation for a hostapd implementation change on how to
address the unexpected RSNXE Used field value in FTE during FT
reassociation.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Verify hostapd behavior during FT protocol processing when a STA entry
is still present in the AP and that association has PMF negotiated.
Signed-off-by: Jouni Malinen <j@w1.fi>
Replace the hardcoded /tmp filenames for generated ACL and BSS
configuration files with proper temporary files from tempfile.mkstemp()
to avoid conflicts with existing files or with parallel uses. Remove ACL
files from the local directory at the end of each test case. BSS files
are currently left behind, but can be cleaned up separately if needed
for non-VM testing (VM testing has those on ramdrive so they get dropped
automatically at the end) and for remote devices.
Signed-off-by: Jouni Malinen <j@w1.fi>
Generate ACL files instead of using files with hardcoded values for the
STA MAC addresses. Send the generated files also to the remote client if
required.
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
The RECONNECT command on the station was issued immediately after
wpa_supplicant had processed EAPOL-Key msg 3/4. This could happen before
hostapd has processed EAPOL-Key msg 4/4 and especially with UML
time-travel, this could result in the following FT protocol exchange
going through in a manner that makes the hostapd process EAPOL-Key msg
4/4 from the first association as a postponed EAPOL RX at the beginning
of the second association. Avoid this by waiting hostapd to report
completion of the connection before issuing RECONNECT.
Signed-off-by: Jouni Malinen <j@w1.fi>
This PMKID replacement case is not going to prevent connection after a
change in wpa_insert_pmkid() so remove it.
Signed-off-by: Jouni Malinen <j@w1.fi>
It looks like the wpa_auth_get_seqnum() function might not always be
visible in the backtrace since the compiler may optimize that wrapper
away. Use the i802_get_seqnum() function instead as a trigger for the
get_seqnum operation failure trigger to avoid this.
Signed-off-by: Jouni Malinen <j@w1.fi>
This test case was failing if wlantest was able to decrypt the CCMP
protected frames. Fix the tshark filter string to include only the
actually encrypted frames for PN comparison.
Signed-off-by: Jouni Malinen <j@w1.fi>
The AP side may not have had enough time to configure the new TK into
the driver if the connectivity test is started immediately after the
station side event.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
When going through 4-way handshake, the station side reports
CTRL-EVENT-CONNECTED after having sent out EAPOL-Key msg 4/4. The AP
side reports AP-STA-CONNECT after having completed processing of this
frame. Especially when using UML with time travel, it is possible for
the connectivity test to be started before the AP side has configured
the pairwise TK if the test is triggered based on CTRL-EVENT-CONNECTED
instead of AP-STA-CONNECT.
Add explicit wait for AP-STA-CONNECT in some of these cases to reduce
likelihood of reporting failures for test cases that are actually
behaving as expected. This shows up with "dev1->dev2 unicast data
delivery failed" in the test log.
Do the same before requesting reauthentication from the station side
since that has a similar issue with the EAPOL-Start frame getting
encrypted before the AP is ready for it.
Signed-off-by: Jouni Malinen <j@w1.fi>