tests: FT and PTK rekeying
Signed-off-by: Jouni Malinen <j@w1.fi>
parent
b583ed38df
commit
425e5f977e
1 changed files with 108 additions and 53 deletions
|
@ -134,7 +134,7 @@ def run_roams(dev, apdev, hapd0, hapd1, ssid, passphrase, over_ds=False,
|
||||||
force_initial_conn_to_first_ap=False, sha384=False,
|
force_initial_conn_to_first_ap=False, sha384=False,
|
||||||
group_mgmt=None, ocv=None, sae_password=None,
|
group_mgmt=None, ocv=None, sae_password=None,
|
||||||
sae_password_id=None, sae_and_psk=False, pmksa_caching=False,
|
sae_password_id=None, sae_and_psk=False, pmksa_caching=False,
|
||||||
roam_with_reassoc=False, also_non_ft=False):
|
roam_with_reassoc=False, also_non_ft=False, only_one_way=False):
|
||||||
logger.info("Connect to first AP")
|
logger.info("Connect to first AP")
|
||||||
|
|
||||||
copts = {}
|
copts = {}
|
||||||
|
@ -222,6 +222,8 @@ def run_roams(dev, apdev, hapd0, hapd1, ssid, passphrase, over_ds=False,
|
||||||
else:
|
else:
|
||||||
hwsim_utils.test_connectivity(dev, hapd2ap)
|
hwsim_utils.test_connectivity(dev, hapd2ap)
|
||||||
|
|
||||||
|
if only_one_way:
|
||||||
|
return
|
||||||
# Roaming artificially fast can make data test fail because the key is
|
# Roaming artificially fast can make data test fail because the key is
|
||||||
# set later.
|
# set later.
|
||||||
time.sleep(0.01)
|
time.sleep(0.01)
|
||||||
|
@ -893,44 +895,82 @@ def test_ap_ft_over_ds_pull_vlan(dev, apdev):
|
||||||
run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, over_ds=True,
|
run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, over_ds=True,
|
||||||
conndev="brvlan1")
|
conndev="brvlan1")
|
||||||
|
|
||||||
def test_ap_ft_sae(dev, apdev):
|
def start_ft_sae(dev, apdev, wpa_ptk_rekey=None):
|
||||||
"""WPA2-PSK-FT-SAE AP"""
|
if "SAE" not in dev.get_capability("auth_alg"):
|
||||||
if "SAE" not in dev[0].get_capability("auth_alg"):
|
|
||||||
raise HwsimSkip("SAE not supported")
|
raise HwsimSkip("SAE not supported")
|
||||||
ssid = "test-ft"
|
ssid = "test-ft"
|
||||||
passphrase = "12345678"
|
passphrase = "12345678"
|
||||||
|
|
||||||
params = ft_params1(ssid=ssid, passphrase=passphrase)
|
params = ft_params1(ssid=ssid, passphrase=passphrase)
|
||||||
params['wpa_key_mgmt'] = "FT-SAE"
|
params['wpa_key_mgmt'] = "FT-SAE"
|
||||||
|
if wpa_ptk_rekey:
|
||||||
|
params['wpa_ptk_rekey'] = str(wpa_ptk_rekey)
|
||||||
hapd0 = hostapd.add_ap(apdev[0], params)
|
hapd0 = hostapd.add_ap(apdev[0], params)
|
||||||
params = ft_params2(ssid=ssid, passphrase=passphrase)
|
params = ft_params2(ssid=ssid, passphrase=passphrase)
|
||||||
params['wpa_key_mgmt'] = "FT-SAE"
|
params['wpa_key_mgmt'] = "FT-SAE"
|
||||||
hapd = hostapd.add_ap(apdev[1], params)
|
if wpa_ptk_rekey:
|
||||||
key_mgmt = hapd.get_config()['key_mgmt']
|
params['wpa_ptk_rekey'] = str(wpa_ptk_rekey)
|
||||||
|
hapd1 = hostapd.add_ap(apdev[1], params)
|
||||||
|
key_mgmt = hapd1.get_config()['key_mgmt']
|
||||||
if key_mgmt.split(' ')[0] != "FT-SAE":
|
if key_mgmt.split(' ')[0] != "FT-SAE":
|
||||||
raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
|
raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
|
||||||
|
|
||||||
dev[0].request("SET sae_groups ")
|
dev.request("SET sae_groups ")
|
||||||
run_roams(dev[0], apdev, hapd0, hapd, ssid, passphrase, sae=True)
|
return hapd0, hapd1
|
||||||
|
|
||||||
|
def test_ap_ft_sae(dev, apdev):
|
||||||
|
"""WPA2-PSK-FT-SAE AP"""
|
||||||
|
hapd0, hapd1 = start_ft_sae(dev[0], apdev)
|
||||||
|
run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678", sae=True)
|
||||||
|
|
||||||
|
def test_ap_ft_sae_ptk_rekey0(dev, apdev):
|
||||||
|
"""WPA2-PSK-FT-SAE AP and PTK rekey triggered by station"""
|
||||||
|
hapd0, hapd1 = start_ft_sae(dev[0], apdev)
|
||||||
|
run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678", sae=True,
|
||||||
|
ptk_rekey="1", roams=0)
|
||||||
|
check_ptk_rekey(dev[0], hapd0, hapd1)
|
||||||
|
|
||||||
|
def test_ap_ft_sae_ptk_rekey1(dev, apdev):
|
||||||
|
"""WPA2-PSK-FT-SAE AP and PTK rekey triggered by station"""
|
||||||
|
hapd0, hapd1 = start_ft_sae(dev[0], apdev)
|
||||||
|
run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678", sae=True,
|
||||||
|
ptk_rekey="1", only_one_way=True)
|
||||||
|
check_ptk_rekey(dev[0], hapd0, hapd1)
|
||||||
|
|
||||||
|
def test_ap_ft_sae_ptk_rekey_ap(dev, apdev):
|
||||||
|
"""WPA2-PSK-FT-SAE AP and PTK rekey triggered by AP"""
|
||||||
|
hapd0, hapd1 = start_ft_sae(dev[0], apdev, wpa_ptk_rekey=2)
|
||||||
|
run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678", sae=True,
|
||||||
|
only_one_way=True)
|
||||||
|
check_ptk_rekey(dev[0], hapd0, hapd1)
|
||||||
|
|
||||||
def test_ap_ft_sae_over_ds(dev, apdev):
|
def test_ap_ft_sae_over_ds(dev, apdev):
|
||||||
"""WPA2-PSK-FT-SAE AP over DS"""
|
"""WPA2-PSK-FT-SAE AP over DS"""
|
||||||
if "SAE" not in dev[0].get_capability("auth_alg"):
|
hapd0, hapd1 = start_ft_sae(dev[0], apdev)
|
||||||
raise HwsimSkip("SAE not supported")
|
run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678", sae=True,
|
||||||
ssid = "test-ft"
|
|
||||||
passphrase = "12345678"
|
|
||||||
|
|
||||||
params = ft_params1(ssid=ssid, passphrase=passphrase)
|
|
||||||
params['wpa_key_mgmt'] = "FT-SAE"
|
|
||||||
hapd0 = hostapd.add_ap(apdev[0], params)
|
|
||||||
params = ft_params2(ssid=ssid, passphrase=passphrase)
|
|
||||||
params['wpa_key_mgmt'] = "FT-SAE"
|
|
||||||
hapd1 = hostapd.add_ap(apdev[1], params)
|
|
||||||
|
|
||||||
dev[0].request("SET sae_groups ")
|
|
||||||
run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, sae=True,
|
|
||||||
over_ds=True)
|
over_ds=True)
|
||||||
|
|
||||||
|
def test_ap_ft_sae_over_ds_ptk_rekey0(dev, apdev):
|
||||||
|
"""WPA2-PSK-FT-SAE AP over DS and PTK rekey triggered by station"""
|
||||||
|
hapd0, hapd1 = start_ft_sae(dev[0], apdev)
|
||||||
|
run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678", sae=True,
|
||||||
|
over_ds=True, ptk_rekey="1", roams=0)
|
||||||
|
check_ptk_rekey(dev[0], hapd0, hapd1)
|
||||||
|
|
||||||
|
def test_ap_ft_sae_over_ds_ptk_rekey1(dev, apdev):
|
||||||
|
"""WPA2-PSK-FT-SAE AP over DS and PTK rekey triggered by station"""
|
||||||
|
hapd0, hapd1 = start_ft_sae(dev[0], apdev)
|
||||||
|
run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678", sae=True,
|
||||||
|
over_ds=True, ptk_rekey="1", only_one_way=True)
|
||||||
|
check_ptk_rekey(dev[0], hapd0, hapd1)
|
||||||
|
|
||||||
|
def test_ap_ft_sae_over_ds_ptk_rekey_ap(dev, apdev):
|
||||||
|
"""WPA2-PSK-FT-SAE AP over DS and PTK rekey triggered by AP"""
|
||||||
|
hapd0, hapd1 = start_ft_sae(dev[0], apdev, wpa_ptk_rekey=2)
|
||||||
|
run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678", sae=True,
|
||||||
|
over_ds=True, only_one_way=True)
|
||||||
|
check_ptk_rekey(dev[0], hapd0, hapd1)
|
||||||
|
|
||||||
def test_ap_ft_sae_pw_id(dev, apdev):
|
def test_ap_ft_sae_pw_id(dev, apdev):
|
||||||
"""FT-SAE with Password Identifier"""
|
"""FT-SAE with Password Identifier"""
|
||||||
if "SAE" not in dev[0].get_capability("auth_alg"):
|
if "SAE" not in dev[0].get_capability("auth_alg"):
|
||||||
|
@ -995,7 +1035,8 @@ def test_ap_ft_sae_pmksa_caching(dev, apdev):
|
||||||
pmksa_caching=True)
|
pmksa_caching=True)
|
||||||
|
|
||||||
def generic_ap_ft_eap(dev, apdev, vlan=False, cui=False, over_ds=False,
|
def generic_ap_ft_eap(dev, apdev, vlan=False, cui=False, over_ds=False,
|
||||||
discovery=False, roams=1):
|
discovery=False, roams=1, wpa_ptk_rekey=0,
|
||||||
|
only_one_way=False):
|
||||||
ssid = "test-ft"
|
ssid = "test-ft"
|
||||||
passphrase = "12345678"
|
passphrase = "12345678"
|
||||||
if vlan:
|
if vlan:
|
||||||
|
@ -1024,16 +1065,20 @@ def generic_ap_ft_eap(dev, apdev, vlan=False, cui=False, over_ds=False,
|
||||||
params["ieee8021x"] = "1"
|
params["ieee8021x"] = "1"
|
||||||
if vlan:
|
if vlan:
|
||||||
params["dynamic_vlan"] = "1"
|
params["dynamic_vlan"] = "1"
|
||||||
|
if wpa_ptk_rekey:
|
||||||
|
params["wpa_ptk_rekey"] = str(wpa_ptk_rekey)
|
||||||
params = dict(list(radius.items()) + list(params.items()))
|
params = dict(list(radius.items()) + list(params.items()))
|
||||||
hapd1 = hostapd.add_ap(apdev[1], params)
|
hapd1 = hostapd.add_ap(apdev[1], params)
|
||||||
|
|
||||||
run_roams(dev[0], apdev, hapd, hapd1, ssid, passphrase, eap=True,
|
run_roams(dev[0], apdev, hapd, hapd1, ssid, passphrase, eap=True,
|
||||||
over_ds=over_ds, roams=roams, eap_identity=identity,
|
over_ds=over_ds, roams=roams, eap_identity=identity,
|
||||||
conndev=conndev)
|
conndev=conndev, only_one_way=only_one_way)
|
||||||
if "[WPA2-FT/EAP-CCMP]" not in dev[0].request("SCAN_RESULTS"):
|
if "[WPA2-FT/EAP-CCMP]" not in dev[0].request("SCAN_RESULTS"):
|
||||||
raise Exception("Scan results missing RSN element info")
|
raise Exception("Scan results missing RSN element info")
|
||||||
check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-3"),
|
check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-3"),
|
||||||
("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-3")])
|
("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-3")])
|
||||||
|
if only_one_way:
|
||||||
|
return
|
||||||
|
|
||||||
# Verify EAPOL reauthentication after FT protocol
|
# Verify EAPOL reauthentication after FT protocol
|
||||||
if dev[0].get_status_field('bssid') == apdev[0]['bssid']:
|
if dev[0].get_status_field('bssid') == apdev[0]['bssid']:
|
||||||
|
@ -2298,57 +2343,67 @@ def test_rsn_ie_proto_ft_psk_sta(dev, apdev):
|
||||||
raise Exception("Unexpected connection")
|
raise Exception("Unexpected connection")
|
||||||
dev[0].request("DISCONNECT")
|
dev[0].request("DISCONNECT")
|
||||||
|
|
||||||
def test_ap_ft_ptk_rekey(dev, apdev):
|
def start_ft(apdev, wpa_ptk_rekey=None):
|
||||||
"""WPA2-PSK-FT PTK rekeying triggered by station after roam"""
|
|
||||||
ssid = "test-ft"
|
ssid = "test-ft"
|
||||||
passphrase = "12345678"
|
passphrase = "12345678"
|
||||||
|
|
||||||
params = ft_params1(ssid=ssid, passphrase=passphrase)
|
params = ft_params1(ssid=ssid, passphrase=passphrase)
|
||||||
|
if wpa_ptk_rekey:
|
||||||
|
params['wpa_ptk_rekey'] = str(wpa_ptk_rekey)
|
||||||
hapd0 = hostapd.add_ap(apdev[0], params)
|
hapd0 = hostapd.add_ap(apdev[0], params)
|
||||||
params = ft_params2(ssid=ssid, passphrase=passphrase)
|
params = ft_params2(ssid=ssid, passphrase=passphrase)
|
||||||
|
if wpa_ptk_rekey:
|
||||||
|
params['wpa_ptk_rekey'] = str(wpa_ptk_rekey)
|
||||||
hapd1 = hostapd.add_ap(apdev[1], params)
|
hapd1 = hostapd.add_ap(apdev[1], params)
|
||||||
|
|
||||||
run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, ptk_rekey="1")
|
return hapd0, hapd1
|
||||||
|
|
||||||
ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED",
|
def check_ptk_rekey(dev, hapd0=None, hapd1=None):
|
||||||
|
ev = dev.wait_event(["CTRL-EVENT-DISCONNECTED",
|
||||||
"WPA: Key negotiation completed"], timeout=5)
|
"WPA: Key negotiation completed"], timeout=5)
|
||||||
if ev is None:
|
if ev is None:
|
||||||
raise Exception("No event received after roam")
|
raise Exception("No event received after roam")
|
||||||
if "CTRL-EVENT-DISCONNECTED" in ev:
|
if "CTRL-EVENT-DISCONNECTED" in ev:
|
||||||
raise Exception("Unexpected disconnection after roam")
|
raise Exception("Unexpected disconnection after roam")
|
||||||
|
|
||||||
if dev[0].get_status_field('bssid') == apdev[0]['bssid']:
|
if not hapd0 or not hapd1:
|
||||||
|
return
|
||||||
|
if dev.get_status_field('bssid') == hapd0.own_addr():
|
||||||
hapd = hapd0
|
hapd = hapd0
|
||||||
else:
|
else:
|
||||||
hapd = hapd1
|
hapd = hapd1
|
||||||
hwsim_utils.test_connectivity(dev[0], hapd)
|
hwsim_utils.test_connectivity(dev, hapd)
|
||||||
|
|
||||||
|
def test_ap_ft_ptk_rekey(dev, apdev):
|
||||||
|
"""WPA2-PSK-FT PTK rekeying triggered by station after roam"""
|
||||||
|
hapd0, hapd1 = start_ft(apdev)
|
||||||
|
run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678", ptk_rekey="1")
|
||||||
|
check_ptk_rekey(dev[0], hapd0, hapd1)
|
||||||
|
|
||||||
|
def test_ap_ft_ptk_rekey2(dev, apdev):
|
||||||
|
"""WPA2-PSK-FT PTK rekeying triggered by station after one roam"""
|
||||||
|
hapd0, hapd1 = start_ft(apdev)
|
||||||
|
run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678", ptk_rekey="1",
|
||||||
|
only_one_way=True)
|
||||||
|
check_ptk_rekey(dev[0], hapd0, hapd1)
|
||||||
|
|
||||||
def test_ap_ft_ptk_rekey_ap(dev, apdev):
|
def test_ap_ft_ptk_rekey_ap(dev, apdev):
|
||||||
"""WPA2-PSK-FT PTK rekeying triggered by AP after roam"""
|
"""WPA2-PSK-FT PTK rekeying triggered by AP after roam"""
|
||||||
ssid = "test-ft"
|
hapd0, hapd1 = start_ft(apdev, wpa_ptk_rekey=2)
|
||||||
passphrase = "12345678"
|
run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678")
|
||||||
|
check_ptk_rekey(dev[0], hapd0, hapd1)
|
||||||
|
|
||||||
params = ft_params1(ssid=ssid, passphrase=passphrase)
|
def test_ap_ft_ptk_rekey_ap2(dev, apdev):
|
||||||
params['wpa_ptk_rekey'] = '2'
|
"""WPA2-PSK-FT PTK rekeying triggered by AP after one roam"""
|
||||||
hapd0 = hostapd.add_ap(apdev[0], params)
|
hapd0, hapd1 = start_ft(apdev, wpa_ptk_rekey=2)
|
||||||
params = ft_params2(ssid=ssid, passphrase=passphrase)
|
run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678",
|
||||||
params['wpa_ptk_rekey'] = '2'
|
only_one_way=True)
|
||||||
hapd1 = hostapd.add_ap(apdev[1], params)
|
check_ptk_rekey(dev[0], hapd0, hapd1)
|
||||||
|
|
||||||
run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase)
|
def test_ap_ft_eap_ptk_rekey_ap(dev, apdev):
|
||||||
|
"""WPA2-EAP-FT PTK rekeying triggered by AP"""
|
||||||
ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED",
|
generic_ap_ft_eap(dev, apdev, only_one_way=True, wpa_ptk_rekey=2)
|
||||||
"WPA: Key negotiation completed"], timeout=5)
|
check_ptk_rekey(dev[0])
|
||||||
if ev is None:
|
|
||||||
raise Exception("No event received after roam")
|
|
||||||
if "CTRL-EVENT-DISCONNECTED" in ev:
|
|
||||||
raise Exception("Unexpected disconnection after roam")
|
|
||||||
|
|
||||||
if dev[0].get_status_field('bssid') == apdev[0]['bssid']:
|
|
||||||
hapd = hapd0
|
|
||||||
else:
|
|
||||||
hapd = hapd1
|
|
||||||
hwsim_utils.test_connectivity(dev[0], hapd)
|
|
||||||
|
|
||||||
def test_ap_ft_internal_rrb_check(dev, apdev):
|
def test_ap_ft_internal_rrb_check(dev, apdev):
|
||||||
"""RRB internal delivery only to WPA enabled BSS"""
|
"""RRB internal delivery only to WPA enabled BSS"""
|
||||||
|
|
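Review bot: `test_ap_ft_eap_ptk_rekey_ap` calls `check_ptk_rekey(dev[0])` without the AP handles, so the `if not hapd0 or not hapd1: return` guard exits before `hwsim_utils.test_connectivity()` is reached. The FT-EAP case therefore only checks that a "WPA: Key negotiation completed" event arrived, not that data still flows under the rekeyed PTK, which the PSK and SAE variants do verify. Ending the `only_one_way` branch of `generic_ap_ft_eap()` with `return hapd, hapd1` and calling `check_ptk_rekey(dev[0], hapd, hapd1)` would close that gap without affecting existing callers that ignore the return value. In the visible part of the `generic_ap_ft_eap` hunk, `wpa_ptk_rekey` is applied only to the parameters for `apdev[1]`, whereas `start_ft()` and `start_ft_sae()` set it on both APs; the first AP's setup lies outside the hunk, so this may already be handled there. `check_ptk_rekey()` would also benefit from a docstring such as `"""Wait for PTK rekey completion; if both APs are given, verify data connectivity with the current AP."""`.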