tests: FT and PTK rekeying

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen 2019-04-19 11:45:27 +03:00
parent b583ed38df
commit 425e5f977e


@ -134,7 +134,7 @@ def run_roams(dev, apdev, hapd0, hapd1, ssid, passphrase, over_ds=False,
force_initial_conn_to_first_ap=False, sha384=False, force_initial_conn_to_first_ap=False, sha384=False,
group_mgmt=None, ocv=None, sae_password=None, group_mgmt=None, ocv=None, sae_password=None,
sae_password_id=None, sae_and_psk=False, pmksa_caching=False, sae_password_id=None, sae_and_psk=False, pmksa_caching=False,
roam_with_reassoc=False, also_non_ft=False): roam_with_reassoc=False, also_non_ft=False, only_one_way=False):
logger.info("Connect to first AP") logger.info("Connect to first AP")
copts = {} copts = {}
@ -222,6 +222,8 @@ def run_roams(dev, apdev, hapd0, hapd1, ssid, passphrase, over_ds=False,
else: else:
hwsim_utils.test_connectivity(dev, hapd2ap) hwsim_utils.test_connectivity(dev, hapd2ap)
if only_one_way:
return
# Roaming artificially fast can make data test fail because the key is # Roaming artificially fast can make data test fail because the key is
# set later. # set later.
time.sleep(0.01) time.sleep(0.01)
@ -893,44 +895,82 @@ def test_ap_ft_over_ds_pull_vlan(dev, apdev):
run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, over_ds=True, run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, over_ds=True,
conndev="brvlan1") conndev="brvlan1")
def test_ap_ft_sae(dev, apdev): def start_ft_sae(dev, apdev, wpa_ptk_rekey=None):
"""WPA2-PSK-FT-SAE AP""" if "SAE" not in dev.get_capability("auth_alg"):
if "SAE" not in dev[0].get_capability("auth_alg"):
raise HwsimSkip("SAE not supported") raise HwsimSkip("SAE not supported")
ssid = "test-ft" ssid = "test-ft"
passphrase = "12345678" passphrase = "12345678"
params = ft_params1(ssid=ssid, passphrase=passphrase) params = ft_params1(ssid=ssid, passphrase=passphrase)
params['wpa_key_mgmt'] = "FT-SAE" params['wpa_key_mgmt'] = "FT-SAE"
if wpa_ptk_rekey:
params['wpa_ptk_rekey'] = str(wpa_ptk_rekey)
hapd0 = hostapd.add_ap(apdev[0], params) hapd0 = hostapd.add_ap(apdev[0], params)
params = ft_params2(ssid=ssid, passphrase=passphrase) params = ft_params2(ssid=ssid, passphrase=passphrase)
params['wpa_key_mgmt'] = "FT-SAE" params['wpa_key_mgmt'] = "FT-SAE"
hapd = hostapd.add_ap(apdev[1], params) if wpa_ptk_rekey:
key_mgmt = hapd.get_config()['key_mgmt'] params['wpa_ptk_rekey'] = str(wpa_ptk_rekey)
hapd1 = hostapd.add_ap(apdev[1], params)
key_mgmt = hapd1.get_config()['key_mgmt']
if key_mgmt.split(' ')[0] != "FT-SAE": if key_mgmt.split(' ')[0] != "FT-SAE":
raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt) raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
dev[0].request("SET sae_groups ") dev.request("SET sae_groups ")
run_roams(dev[0], apdev, hapd0, hapd, ssid, passphrase, sae=True) return hapd0, hapd1
def test_ap_ft_sae(dev, apdev):
"""WPA2-PSK-FT-SAE AP"""
hapd0, hapd1 = start_ft_sae(dev[0], apdev)
run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678", sae=True)
def test_ap_ft_sae_ptk_rekey0(dev, apdev):
"""WPA2-PSK-FT-SAE AP and PTK rekey triggered by station"""
hapd0, hapd1 = start_ft_sae(dev[0], apdev)
run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678", sae=True,
ptk_rekey="1", roams=0)
check_ptk_rekey(dev[0], hapd0, hapd1)
def test_ap_ft_sae_ptk_rekey1(dev, apdev):
"""WPA2-PSK-FT-SAE AP and PTK rekey triggered by station"""
hapd0, hapd1 = start_ft_sae(dev[0], apdev)
run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678", sae=True,
ptk_rekey="1", only_one_way=True)
check_ptk_rekey(dev[0], hapd0, hapd1)
def test_ap_ft_sae_ptk_rekey_ap(dev, apdev):
"""WPA2-PSK-FT-SAE AP and PTK rekey triggered by AP"""
hapd0, hapd1 = start_ft_sae(dev[0], apdev, wpa_ptk_rekey=2)
run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678", sae=True,
only_one_way=True)
check_ptk_rekey(dev[0], hapd0, hapd1)
def test_ap_ft_sae_over_ds(dev, apdev): def test_ap_ft_sae_over_ds(dev, apdev):
"""WPA2-PSK-FT-SAE AP over DS""" """WPA2-PSK-FT-SAE AP over DS"""
if "SAE" not in dev[0].get_capability("auth_alg"): hapd0, hapd1 = start_ft_sae(dev[0], apdev)
raise HwsimSkip("SAE not supported") run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678", sae=True,
ssid = "test-ft"
passphrase = "12345678"
params = ft_params1(ssid=ssid, passphrase=passphrase)
params['wpa_key_mgmt'] = "FT-SAE"
hapd0 = hostapd.add_ap(apdev[0], params)
params = ft_params2(ssid=ssid, passphrase=passphrase)
params['wpa_key_mgmt'] = "FT-SAE"
hapd1 = hostapd.add_ap(apdev[1], params)
dev[0].request("SET sae_groups ")
run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, sae=True,
over_ds=True) over_ds=True)
def test_ap_ft_sae_over_ds_ptk_rekey0(dev, apdev):
"""WPA2-PSK-FT-SAE AP over DS and PTK rekey triggered by station"""
hapd0, hapd1 = start_ft_sae(dev[0], apdev)
run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678", sae=True,
over_ds=True, ptk_rekey="1", roams=0)
check_ptk_rekey(dev[0], hapd0, hapd1)
def test_ap_ft_sae_over_ds_ptk_rekey1(dev, apdev):
"""WPA2-PSK-FT-SAE AP over DS and PTK rekey triggered by station"""
hapd0, hapd1 = start_ft_sae(dev[0], apdev)
run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678", sae=True,
over_ds=True, ptk_rekey="1", only_one_way=True)
check_ptk_rekey(dev[0], hapd0, hapd1)
def test_ap_ft_sae_over_ds_ptk_rekey_ap(dev, apdev):
"""WPA2-PSK-FT-SAE AP over DS and PTK rekey triggered by AP"""
hapd0, hapd1 = start_ft_sae(dev[0], apdev, wpa_ptk_rekey=2)
run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678", sae=True,
over_ds=True, only_one_way=True)
check_ptk_rekey(dev[0], hapd0, hapd1)
def test_ap_ft_sae_pw_id(dev, apdev): def test_ap_ft_sae_pw_id(dev, apdev):
"""FT-SAE with Password Identifier""" """FT-SAE with Password Identifier"""
if "SAE" not in dev[0].get_capability("auth_alg"): if "SAE" not in dev[0].get_capability("auth_alg"):
@ -995,7 +1035,8 @@ def test_ap_ft_sae_pmksa_caching(dev, apdev):
pmksa_caching=True) pmksa_caching=True)
def generic_ap_ft_eap(dev, apdev, vlan=False, cui=False, over_ds=False, def generic_ap_ft_eap(dev, apdev, vlan=False, cui=False, over_ds=False,
discovery=False, roams=1): discovery=False, roams=1, wpa_ptk_rekey=0,
only_one_way=False):
ssid = "test-ft" ssid = "test-ft"
passphrase = "12345678" passphrase = "12345678"
if vlan: if vlan:
@ -1024,16 +1065,20 @@ def generic_ap_ft_eap(dev, apdev, vlan=False, cui=False, over_ds=False,
params["ieee8021x"] = "1" params["ieee8021x"] = "1"
if vlan: if vlan:
params["dynamic_vlan"] = "1" params["dynamic_vlan"] = "1"
if wpa_ptk_rekey:
params["wpa_ptk_rekey"] = str(wpa_ptk_rekey)
params = dict(list(radius.items()) + list(params.items())) params = dict(list(radius.items()) + list(params.items()))
hapd1 = hostapd.add_ap(apdev[1], params) hapd1 = hostapd.add_ap(apdev[1], params)
run_roams(dev[0], apdev, hapd, hapd1, ssid, passphrase, eap=True, run_roams(dev[0], apdev, hapd, hapd1, ssid, passphrase, eap=True,
over_ds=over_ds, roams=roams, eap_identity=identity, over_ds=over_ds, roams=roams, eap_identity=identity,
conndev=conndev) conndev=conndev, only_one_way=only_one_way)
if "[WPA2-FT/EAP-CCMP]" not in dev[0].request("SCAN_RESULTS"): if "[WPA2-FT/EAP-CCMP]" not in dev[0].request("SCAN_RESULTS"):
raise Exception("Scan results missing RSN element info") raise Exception("Scan results missing RSN element info")
check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-3"), check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-3"),
("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-3")]) ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-3")])
if only_one_way:
return
# Verify EAPOL reauthentication after FT protocol # Verify EAPOL reauthentication after FT protocol
if dev[0].get_status_field('bssid') == apdev[0]['bssid']: if dev[0].get_status_field('bssid') == apdev[0]['bssid']:
@ -2298,57 +2343,67 @@ def test_rsn_ie_proto_ft_psk_sta(dev, apdev):
raise Exception("Unexpected connection") raise Exception("Unexpected connection")
dev[0].request("DISCONNECT") dev[0].request("DISCONNECT")
def test_ap_ft_ptk_rekey(dev, apdev): def start_ft(apdev, wpa_ptk_rekey=None):
"""WPA2-PSK-FT PTK rekeying triggered by station after roam"""
ssid = "test-ft" ssid = "test-ft"
passphrase = "12345678" passphrase = "12345678"
params = ft_params1(ssid=ssid, passphrase=passphrase) params = ft_params1(ssid=ssid, passphrase=passphrase)
if wpa_ptk_rekey:
params['wpa_ptk_rekey'] = str(wpa_ptk_rekey)
hapd0 = hostapd.add_ap(apdev[0], params) hapd0 = hostapd.add_ap(apdev[0], params)
params = ft_params2(ssid=ssid, passphrase=passphrase) params = ft_params2(ssid=ssid, passphrase=passphrase)
if wpa_ptk_rekey:
params['wpa_ptk_rekey'] = str(wpa_ptk_rekey)
hapd1 = hostapd.add_ap(apdev[1], params) hapd1 = hostapd.add_ap(apdev[1], params)
run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase, ptk_rekey="1") return hapd0, hapd1
ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED", def check_ptk_rekey(dev, hapd0=None, hapd1=None):
ev = dev.wait_event(["CTRL-EVENT-DISCONNECTED",
"WPA: Key negotiation completed"], timeout=5) "WPA: Key negotiation completed"], timeout=5)
if ev is None: if ev is None:
raise Exception("No event received after roam") raise Exception("No event received after roam")
if "CTRL-EVENT-DISCONNECTED" in ev: if "CTRL-EVENT-DISCONNECTED" in ev:
raise Exception("Unexpected disconnection after roam") raise Exception("Unexpected disconnection after roam")
if dev[0].get_status_field('bssid') == apdev[0]['bssid']: if not hapd0 or not hapd1:
return
if dev.get_status_field('bssid') == hapd0.own_addr():
hapd = hapd0 hapd = hapd0
else: else:
hapd = hapd1 hapd = hapd1
hwsim_utils.test_connectivity(dev[0], hapd) hwsim_utils.test_connectivity(dev, hapd)
def test_ap_ft_ptk_rekey(dev, apdev):
"""WPA2-PSK-FT PTK rekeying triggered by station after roam"""
hapd0, hapd1 = start_ft(apdev)
run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678", ptk_rekey="1")
check_ptk_rekey(dev[0], hapd0, hapd1)
def test_ap_ft_ptk_rekey2(dev, apdev):
"""WPA2-PSK-FT PTK rekeying triggered by station after one roam"""
hapd0, hapd1 = start_ft(apdev)
run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678", ptk_rekey="1",
only_one_way=True)
check_ptk_rekey(dev[0], hapd0, hapd1)
def test_ap_ft_ptk_rekey_ap(dev, apdev): def test_ap_ft_ptk_rekey_ap(dev, apdev):
"""WPA2-PSK-FT PTK rekeying triggered by AP after roam""" """WPA2-PSK-FT PTK rekeying triggered by AP after roam"""
ssid = "test-ft" hapd0, hapd1 = start_ft(apdev, wpa_ptk_rekey=2)
passphrase = "12345678" run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678")
check_ptk_rekey(dev[0], hapd0, hapd1)
params = ft_params1(ssid=ssid, passphrase=passphrase) def test_ap_ft_ptk_rekey_ap2(dev, apdev):
params['wpa_ptk_rekey'] = '2' """WPA2-PSK-FT PTK rekeying triggered by AP after one roam"""
hapd0 = hostapd.add_ap(apdev[0], params) hapd0, hapd1 = start_ft(apdev, wpa_ptk_rekey=2)
params = ft_params2(ssid=ssid, passphrase=passphrase) run_roams(dev[0], apdev, hapd0, hapd1, "test-ft", "12345678",
params['wpa_ptk_rekey'] = '2' only_one_way=True)
hapd1 = hostapd.add_ap(apdev[1], params) check_ptk_rekey(dev[0], hapd0, hapd1)
run_roams(dev[0], apdev, hapd0, hapd1, ssid, passphrase) def test_ap_ft_eap_ptk_rekey_ap(dev, apdev):
"""WPA2-EAP-FT PTK rekeying triggered by AP"""
ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED", generic_ap_ft_eap(dev, apdev, only_one_way=True, wpa_ptk_rekey=2)
"WPA: Key negotiation completed"], timeout=5) check_ptk_rekey(dev[0])
if ev is None:
raise Exception("No event received after roam")
if "CTRL-EVENT-DISCONNECTED" in ev:
raise Exception("Unexpected disconnection after roam")
if dev[0].get_status_field('bssid') == apdev[0]['bssid']:
hapd = hapd0
else:
hapd = hapd1
hwsim_utils.test_connectivity(dev[0], hapd)
def test_ap_ft_internal_rrb_check(dev, apdev): def test_ap_ft_internal_rrb_check(dev, apdev):
"""RRB internal delivery only to WPA enabled BSS""" """RRB internal delivery only to WPA enabled BSS"""
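Review bot: `test_ap_ft_eap_ptk_rekey_ap` calls `check_ptk_rekey(dev[0])` without AP handles, so the helper returns at `if not hapd0 or not hapd1:` and the EAP case never runs `hwsim_utils.test_connectivity` after the rekey. The test therefore passes on the "WPA: Key negotiation completed" event alone, and would not notice a rekey where the handshake completes but data no longer flows under the new PTK; the PSK and SAE tests added here do run that data check. Consider ending the `only_one_way` branch of `generic_ap_ft_eap` with `return hapd, hapd1` and passing the returned pair on as `check_ptk_rekey(dev[0], hapd0, hapd1)`; the body of `generic_ap_ft_eap` is only partly visible in this section, so confirm that no existing caller relies on it returning None. Since the early return in `check_ptk_rekey` is silent, a comment such as `# No AP handles: only the rekey event is checked, not data connectivity` would make the weaker mode explicit.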