From 6e3027a57ecbf4c4bbfaf0b43a8f4117ffbef74f Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Fri, 20 Oct 2017 18:18:53 +0300 Subject: [PATCH] Fix the notes on EAPOL-Key testing procedures The extra sanity check for replay protection in these procedures ended up breaking the tests. RESET_PN cannot be used before RESEND_* commands since that would prevent the DUT from accepting the retransmitted EAPOL-Key frames. Signed-off-by: Jouni Malinen --- tests/cipher-and-key-mgmt-testing.txt | 39 +++++---------------------- 1 file changed, 6 insertions(+), 33 deletions(-) diff --git a/tests/cipher-and-key-mgmt-testing.txt b/tests/cipher-and-key-mgmt-testing.txt index 5030ca869..1b93b777e 100644 --- a/tests/cipher-and-key-mgmt-testing.txt +++ b/tests/cipher-and-key-mgmt-testing.txt @@ -236,19 +236,10 @@ the following hostapd_cli commands: Test broadcast connectivity; should work -> raw RESET_PN ff:ff:ff:ff:ff:ff -OK - -Test broadcast connectivity; should not work; if it does, replay -protection is completely broken and the following step cannot be -executed reliably. The following command needs to be run before there -has been large enough number of new frames to increment the PN on the -test tool. It would also be possible to execute "raw RESET_PN -ff:ff:ff:ff:ff:ff" again after the initial sanity testing to get back to -PN 0 for the next step. - > raw RESEND_GROUP_M1 OK +> raw RESET_PN ff:ff:ff:ff:ff:ff +OK Test broadcast connectivity; should not work; if it does, the device does not implement protection for delayed retransmission of Group Key 
@@ -263,19 +254,10 @@ broadcast traffic, but with the following hostapd_cli commands: Test broadcast connectivity; should work -> raw RESET_PN ff:ff:ff:ff:ff:ff -OK - -Test broadcast connectivity; should not work; if it does, replay -protection is completely broken and the following step cannot be -executed reliably. The following command needs to be run before there -has been large enough number of new frames to increment the PN on the -test tool. It would also be possible to execute "raw RESET_PN -ff:ff:ff:ff:ff:ff" again after the initial sanity testing to get back to -PN 0 for the next step. - > raw RESEND_M3 OK +> raw RESET_PN ff:ff:ff:ff:ff:ff +OK Test broadcast connectivity; should not work; if it does, the device does not implement protection for delayed retransmission of 4-way @@ -310,19 +292,10 @@ unicast traffic, but with the following hostapd_cli commands: Test unicast connectivity; should work -> raw RESET_PN -OK - -Test unicast connectivity; should not work; if it does, replay -protection is completely broken and the following step cannot be -executed reliably. The following command needs to be run before there -has been large enough number of new frames to increment the PN on the -test tool. It would also be possible to execute "raw RESET_PN " again after the initial sanity testing to get back to PN 0 for -the next step. - > raw RESEND_M3 OK +> raw RESET_PN +OK Test unicast connectivity; should not work; if it does, the device does not implement protection for delayed retransmission of 4-way
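Review bot: In the hunk at -236 (RESEND_GROUP_M1), the procedure text no longer gives any reason for the command order. The constraint that RESET_PN cannot come before RESEND_*, because the DUT would then not accept the retransmitted EAPOL-Key frame, appears only in the commit message. Suggest adding one sentence to that effect ahead of "> raw RESEND_GROUP_M1" so that a tester following the document does not swap the two commands back.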
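Review bot: In the hunk at -263 (broadcast RESEND_M3), removing the intermediate connectivity check also removes the only statement that a DUT whose "replay protection is completely broken" makes the last step unreliable. With the new order, broadcast traffic passing after "> raw RESET_PN ff:ff:ff:ff:ff:ff" is attributed to missing protection for delayed retransmission, but a DUT with no replay protection at all would give the same result. Suggest keeping a one-line caveat on how to interpret a passing result, or describing the replay sanity check as a separate procedure that is not run before RESEND_*.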
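Review bot: In the hunk at -310 (unicast RESEND_M3), the added line reads "> raw RESET_PN" with no address argument, while the two broadcast hunks pass ff:ff:ff:ff:ff:ff; the removed paragraph likewise shows "raw RESET_PN " with nothing before the closing quote. Please confirm that the line in the file carries the address argument for the unicast case and that the surrounding text says which address is expected, since the command as displayed here cannot be copied as-is.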