From 5742d12d4a02bda14f33c2ff9771d26b89832227 Mon Sep 17 00:00:00 2001
From: Alexander Wetzel <alexander@wetzel-home.de>
Date: Fri, 10 Jan 2020 23:19:10 +0100
Subject: [PATCH] tests: Allow PTK0 rekey for tests

Verify PTK0 rekey blocking is working as intended.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
---
 tests/hwsim/hostapd.py       |  2 +-
 tests/hwsim/test_ap_eap.py   | 40 +++++++++++++++++++++++++++++++++++
 tests/hwsim/test_ap_psk.py   | 41 +++++++++++++++++++++++++++++++++++-
 tests/hwsim/wpasupplicant.py |  3 ++-
 4 files changed, 83 insertions(+), 3 deletions(-)

diff --git a/tests/hwsim/hostapd.py b/tests/hwsim/hostapd.py
index fac287e99..7a52ebea3 100644
--- a/tests/hwsim/hostapd.py
+++ b/tests/hwsim/hostapd.py
@@ -551,7 +551,7 @@ def add_ap(apdev, params, wait_enabled=True, no_enable=False, timeout=30,
             raise Exception("Could not ping hostapd")
         hapd.set_defaults()
         fields = ["ssid", "wpa_passphrase", "nas_identifier", "wpa_key_mgmt",
-                  "wpa",
+                  "wpa", "wpa_deny_ptk0_rekey",
                   "wpa_pairwise", "rsn_pairwise", "auth_server_addr",
                   "acct_server_addr", "osu_server_uri"]
         for field in fields:
diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py
index 913132275..bdfe96111 100644
--- a/tests/hwsim/test_ap_eap.py
+++ b/tests/hwsim/test_ap_eap.py
@@ -5131,6 +5131,46 @@ def test_ap_wpa2_eap_reauth(dev, apdev):
     if state != "COMPLETED":
         raise Exception("Reauthentication did not complete")
 
+def test_ap_wpa2_eap_reauth_ptk_rekey_blocked_ap(dev, apdev):
+    """WPA2-Enterprise and Authenticator forcing reauthentication with PTK rekey blocked on AP"""
+    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+    params['eap_reauth_period'] = '2'
+    params['wpa_deny_ptk0_rekey'] = '2'
+    hapd = hostapd.add_ap(apdev[0], params)
+    eap_connect(dev[0], hapd, "PAX", "pax.user@example.com",
+                password_hex="0123456789abcdef0123456789abcdef")
+    logger.info("Wait for disconnect due to reauth")
+    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
+                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
+    if ev is None:
+        raise Exception("Timeout on reauthentication")
+    if "CTRL-EVENT-EAP-STARTED" in ev:
+        raise Exception("Reauthentication without disconnect")
+
+    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=1)
+    if ev is None:
+        raise Exception("Timeout on reconnect")
+
+def test_ap_wpa2_eap_reauth_ptk_rekey_blocked_sta(dev, apdev):
+    """WPA2-Enterprise and Authenticator forcing reauthentication with PTK rekey blocked on station"""
+    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+    params['eap_reauth_period'] = '2'
+    hapd = hostapd.add_ap(apdev[0], params)
+    eap_connect(dev[0], hapd, "PAX", "pax.user@example.com",
+                password_hex="0123456789abcdef0123456789abcdef",
+                wpa_deny_ptk0_rekey="2")
+    logger.info("Wait for disconnect due to reauth")
+    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
+                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
+    if ev is None:
+        raise Exception("Timeout on reauthentication")
+    if "CTRL-EVENT-EAP-STARTED" in ev:
+        raise Exception("Reauthentication without disconnect")
+
+    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=1)
+    if ev is None:
+        raise Exception("Timeout on reconnect")
+
 def test_ap_wpa2_eap_request_identity_message(dev, apdev):
     """Optional displayable message in EAP Request-Identity"""
     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
diff --git a/tests/hwsim/test_ap_psk.py b/tests/hwsim/test_ap_psk.py
index ac0fabc5d..2f2a354a5 100644
--- a/tests/hwsim/test_ap_psk.py
+++ b/tests/hwsim/test_ap_psk.py
@@ -211,11 +211,50 @@ def test_ap_wpa2_ptk_rekey(dev, apdev):
     params = hostapd.wpa2_params(ssid=ssid, passphrase=passphrase)
     hapd = hostapd.add_ap(apdev[0], params)
     dev[0].connect(ssid, psk=passphrase, wpa_ptk_rekey="1", scan_freq="2412")
-    ev = dev[0].wait_event(["WPA: Key negotiation completed"])
+    ev = dev[0].wait_event(["WPA: Key negotiation completed",
+                            "CTRL-EVENT-DISCONNECTED"])
     if ev is None:
         raise Exception("PTK rekey timed out")
+    if "CTRL-EVENT-DISCONNECTED" in ev:
+       raise Exception("Disconnect instead of rekey")
     hwsim_utils.test_connectivity(dev[0], hapd)
 
+def test_ap_wpa2_ptk_rekey_blocked_ap(dev, apdev):
+    """WPA2-PSK AP and PTK rekey enforced by station and AP blocking it"""
+    ssid = "test-wpa2-psk"
+    passphrase = 'qwertyuiop'
+    params = hostapd.wpa2_params(ssid=ssid, passphrase=passphrase)
+    params['wpa_deny_ptk0_rekey'] = "2"
+    hapd = hostapd.add_ap(apdev[0], params)
+    dev[0].connect(ssid, psk=passphrase, wpa_ptk_rekey="1", scan_freq="2412")
+    ev = dev[0].wait_event(["WPA: Key negotiation completed",
+                            "CTRL-EVENT-DISCONNECTED"])
+    if ev is None:
+        raise Exception("PTK rekey timed out")
+    if "WPA: Key negotiation completed" in ev:
+        raise Exception("No disconnect, PTK rekey succeeded")
+    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=1)
+    if ev is None:
+        raise Exception("Reconnect too slow")
+
+def test_ap_wpa2_ptk_rekey_blocked_sta(dev, apdev):
+    """WPA2-PSK AP and PTK rekey enforced by station while also blocking it"""
+    ssid = "test-wpa2-psk"
+    passphrase = 'qwertyuiop'
+    params = hostapd.wpa2_params(ssid=ssid, passphrase=passphrase)
+    hapd = hostapd.add_ap(apdev[0], params)
+    dev[0].connect(ssid, psk=passphrase, wpa_ptk_rekey="1", scan_freq="2412",
+                   wpa_deny_ptk0_rekey="2")
+    ev = dev[0].wait_event(["WPA: Key negotiation completed",
+                            "CTRL-EVENT-DISCONNECTED"])
+    if ev is None:
+        raise Exception("PTK rekey timed out")
+    if "WPA: Key negotiation completed" in ev:
+        raise Exception("No disconnect, PTK rekey succeeded")
+    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=1)
+    if ev is None:
+        raise Exception("Reconnect too slow")
+
 def test_ap_wpa2_ptk_rekey_anonce(dev, apdev):
     """WPA2-PSK AP and PTK rekey enforced by station and ANonce change"""
     ssid = "test-wpa2-psk"
diff --git a/tests/hwsim/wpasupplicant.py b/tests/hwsim/wpasupplicant.py
index 0f3bb1866..d1c249328 100644
--- a/tests/hwsim/wpasupplicant.py
+++ b/tests/hwsim/wpasupplicant.py
@@ -1104,7 +1104,8 @@ class WpaSupplicant:
                       "owe_ptk_workaround",
                       "roaming_consortium_selection", "ocv",
                       "multi_ap_backhaul_sta", "rx_stbc", "tx_stbc",
-                      "ft_eap_pmksa_caching", "beacon_prot"]
+                      "ft_eap_pmksa_caching", "beacon_prot",
+                      "wpa_deny_ptk0_rekey"]
         for field in not_quoted:
             if field in kwargs and kwargs[field]:
                 self.set_network(id, field, kwargs[field])