From 5742d12d4a02bda14f33c2ff9771d26b89832227 Mon Sep 17 00:00:00 2001 From: Alexander Wetzel Date: Fri, 10 Jan 2020 23:19:10 +0100 Subject: [PATCH] tests: Allow PTK0 rekey for tests Verify PTK0 rekey blocking is working as intended. Signed-off-by: Alexander Wetzel --- tests/hwsim/hostapd.py | 2 +- tests/hwsim/test_ap_eap.py | 40 +++++++++++++++++++++++++++++++++++ tests/hwsim/test_ap_psk.py | 41 +++++++++++++++++++++++++++++++++++- tests/hwsim/wpasupplicant.py | 3 ++- 4 files changed, 83 insertions(+), 3 deletions(-) diff --git a/tests/hwsim/hostapd.py b/tests/hwsim/hostapd.py index fac287e99..7a52ebea3 100644 --- a/tests/hwsim/hostapd.py +++ b/tests/hwsim/hostapd.py @@ -551,7 +551,7 @@ def add_ap(apdev, params, wait_enabled=True, no_enable=False, timeout=30, raise Exception("Could not ping hostapd") hapd.set_defaults() fields = ["ssid", "wpa_passphrase", "nas_identifier", "wpa_key_mgmt", - "wpa", + "wpa", "wpa_deny_ptk0_rekey", "wpa_pairwise", "rsn_pairwise", "auth_server_addr", "acct_server_addr", "osu_server_uri"] for field in fields: diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py index 913132275..bdfe96111 100644 --- a/tests/hwsim/test_ap_eap.py +++ b/tests/hwsim/test_ap_eap.py 
@@ -5131,6 +5131,46 @@ def test_ap_wpa2_eap_reauth(dev, apdev): if state != "COMPLETED": raise Exception("Reauthentication did not complete") +def test_ap_wpa2_eap_reauth_ptk_rekey_blocked_ap(dev, apdev): + """WPA2-Enterprise and Authenticator forcing reauthentication with PTK rekey blocked on AP""" + params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") + params['eap_reauth_period'] = '2' + params['wpa_deny_ptk0_rekey'] = '2' + hapd = hostapd.add_ap(apdev[0], params) + eap_connect(dev[0], hapd, "PAX", "pax.user@example.com", + password_hex="0123456789abcdef0123456789abcdef") + logger.info("Wait for disconnect due to reauth") + ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED", + "CTRL-EVENT-DISCONNECTED"], timeout=10) + if ev is None: + raise Exception("Timeout on reauthentication") + if "CTRL-EVENT-EAP-STARTED" in ev: + raise Exception("Reauthentication without disconnect") + + ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=1) + if ev is None: + raise Exception("Timeout on reconnect") + +def test_ap_wpa2_eap_reauth_ptk_rekey_blocked_sta(dev, apdev): + """WPA2-Enterprise and Authenticator forcing reauthentication with PTK rekey blocked on station""" + params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") + params['eap_reauth_period'] = '2' + hapd = hostapd.add_ap(apdev[0], params) + eap_connect(dev[0], hapd, "PAX", "pax.user@example.com", + password_hex="0123456789abcdef0123456789abcdef", + wpa_deny_ptk0_rekey="2") + logger.info("Wait for disconnect due to reauth") + ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED", + "CTRL-EVENT-DISCONNECTED"], timeout=10) + if ev is None: + raise Exception("Timeout on reauthentication") + if "CTRL-EVENT-EAP-STARTED" in ev: + raise Exception("Reauthentication without disconnect") + + ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=1) + if ev is None: + raise Exception("Timeout on reconnect") + def test_ap_wpa2_eap_request_identity_message(dev, apdev): """Optional displayable message in EAP 
Request-Identity""" params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") diff --git a/tests/hwsim/test_ap_psk.py b/tests/hwsim/test_ap_psk.py index ac0fabc5d..2f2a354a5 100644 --- a/tests/hwsim/test_ap_psk.py +++ b/tests/hwsim/test_ap_psk.py 
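Review bot: Both new tests accept any CTRL-EVENT-DISCONNECTED as proof that the PTK0 rekey was blocked, so a disconnect with another cause (an EAP failure, for instance) would pass just as well, and neither test checks that the reconnected link carries data. Ending each test with `hwsim_utils.test_connectivity(dev[0], hapd)`, as test_ap_wpa2_ptk_rekey in test_ap_psk.py does, would show that the new association ends up with a working key; this assumes hwsim_utils is imported in test_ap_eap.py, which the hunk does not show. The same applies to test_ap_wpa2_ptk_rekey_blocked_ap and test_ap_wpa2_ptk_rekey_blocked_sta in test_ap_psk.py. The `timeout=1` on the reconnect wait may also be tight for a full reassociation plus EAP exchange and could make these tests flaky on a loaded host.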
@@ -211,11 +211,50 @@ def test_ap_wpa2_ptk_rekey(dev, apdev): params = hostapd.wpa2_params(ssid=ssid, passphrase=passphrase) hapd = hostapd.add_ap(apdev[0], params) dev[0].connect(ssid, psk=passphrase, wpa_ptk_rekey="1", scan_freq="2412") - ev = dev[0].wait_event(["WPA: Key negotiation completed"]) + ev = dev[0].wait_event(["WPA: Key negotiation completed", + "CTRL-EVENT-DISCONNECTED"]) if ev is None: raise Exception("PTK rekey timed out") + if "CTRL-EVENT-DISCONNECTED" in ev: + raise Exception("Disconnect instead of rekey") hwsim_utils.test_connectivity(dev[0], hapd) +def test_ap_wpa2_ptk_rekey_blocked_ap(dev, apdev): + """WPA2-PSK AP and PTK rekey enforced by station and AP blocking it""" + ssid = "test-wpa2-psk" + passphrase = 'qwertyuiop' + params = hostapd.wpa2_params(ssid=ssid, passphrase=passphrase) + params['wpa_deny_ptk0_rekey'] = "2" + hapd = hostapd.add_ap(apdev[0], params) + dev[0].connect(ssid, psk=passphrase, wpa_ptk_rekey="1", scan_freq="2412") + ev = dev[0].wait_event(["WPA: Key negotiation completed", + "CTRL-EVENT-DISCONNECTED"]) + if ev is None: + raise Exception("PTK rekey timed out") + if "WPA: Key negotiation completed" in ev: + raise Exception("No disconnect, PTK rekey succeeded") + ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=1) + if ev is None: + raise Exception("Reconnect too slow") + +def test_ap_wpa2_ptk_rekey_blocked_sta(dev, apdev): + """WPA2-PSK AP and PTK rekey enforced by station while also blocking it""" + ssid = "test-wpa2-psk" + passphrase = 'qwertyuiop' + params = hostapd.wpa2_params(ssid=ssid, passphrase=passphrase) + hapd = hostapd.add_ap(apdev[0], params) + dev[0].connect(ssid, psk=passphrase, wpa_ptk_rekey="1", scan_freq="2412", + wpa_deny_ptk0_rekey="2") + ev = dev[0].wait_event(["WPA: Key negotiation completed", + "CTRL-EVENT-DISCONNECTED"]) + if ev is None: + raise Exception("PTK rekey timed out") + if "WPA: Key negotiation completed" in ev: + raise Exception("No disconnect, PTK rekey succeeded") + 
ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=1) + if ev is None: + raise Exception("Reconnect too slow") + def test_ap_wpa2_ptk_rekey_anonce(dev, apdev): """WPA2-PSK AP and PTK rekey enforced by station and ANonce change""" ssid = "test-wpa2-psk" diff --git a/tests/hwsim/wpasupplicant.py b/tests/hwsim/wpasupplicant.py index 0f3bb1866..d1c249328 100644 --- a/tests/hwsim/wpasupplicant.py +++ b/tests/hwsim/wpasupplicant.py @@ -1104,7 +1104,8 @@ class WpaSupplicant: "owe_ptk_workaround", "roaming_consortium_selection", "ocv", "multi_ap_backhaul_sta", "rx_stbc", "tx_stbc", - "ft_eap_pmksa_caching", "beacon_prot"] + "ft_eap_pmksa_caching", "beacon_prot", + "wpa_deny_ptk0_rekey"] for field in not_quoted: if field in kwargs and kwargs[field]: self.set_network(id, field, kwargs[field])
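Review bot: The two blocked-rekey tests pass the bare value "2" for wpa_deny_ptk0_rekey and their docstrings do not state the expected outcome, so a reader has to infer from the exception strings that the pass condition is a disconnect followed by a reconnect within one second. A comment above the setting such as `# 2 = deny PTK0 rekey; a rekey attempt must end in disconnect + new association` would make that explicit; the meaning of 2 is inferred here from what the tests expect and should be confirmed against the hostapd.conf documentation. The first wait_event() in each test also relies on the default timeout while the reconnect wait sets `timeout=1`, so stating both would make the timing assumptions visible.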