From b42b6c4d530e87fec7a37b3cc61da2aaa28e1b35 Mon Sep 17 00:00:00 2001 From: Ilan Peer Date: Mon, 15 Mar 2021 14:57:04 +0200 Subject: [PATCH] tests: Add test coverage for PASN with MIC errors Signed-off-by: Ilan Peer --- tests/hwsim/test_pasn.py | 39 ++++++++++++++++++++++++++++++++++++--- 1 file changed, 36 insertions(+), 3 deletions(-) diff --git a/tests/hwsim/test_pasn.py b/tests/hwsim/test_pasn.py index 579625b00..543e1e909 100644 --- a/tests/hwsim/test_pasn.py +++ b/tests/hwsim/test_pasn.py @@ -46,10 +46,12 @@ def start_pasn_ap(apdev, params): raise HwsimSkip("PASN not supported") raise -def check_pasn_ptk(dev, hapd, cipher): +def check_pasn_ptk(dev, hapd, cipher, fail_ptk=False): sta_ptksa = dev.get_ptksa(hapd.own_addr(), cipher) ap_ptksa = hapd.get_ptksa(dev.own_addr(), cipher) if not (sta_ptksa and ap_ptksa): + if fail_ptk: + return raise Exception("Could not get PTKSA entry") logger.info("sta: TK: %s KDK: %s" % (sta_ptksa['tk'], sta_ptksa['kdk'])) @@ -57,9 +59,12 @@ def check_pasn_ptk(dev, hapd, cipher): if sta_ptksa['tk'] != ap_ptksa['tk'] or sta_ptksa['kdk'] != ap_ptksa['kdk']: raise Exception("TK/KDK mismatch") + elif fail_ptk: + raise Exception("TK/KDK match although key derivation should have failed") def check_pasn_akmp_cipher(dev, hapd, akmp="PASN", cipher="CCMP", - group="19", status=0, fail=0, nid=""): + group="19", status=0, fail=0, nid="", + fail_ptk=False): dev.flush_scan_cache() dev.scan(type="ONLY", freq=2412) @@ -88,7 +93,7 @@ def check_pasn_akmp_cipher(dev, hapd, akmp="PASN", cipher="CCMP", if status: return - check_pasn_ptk(dev, hapd, cipher) + check_pasn_ptk(dev, hapd, cipher, fail_ptk) @remote_compatible def test_pasn_ccmp(dev, apdev): @@ -636,3 +641,31 @@ def test_pasn_ft_eap_sha384(dev, apdev): pasn_hapd = hapd0 check_pasn_akmp_cipher(dev[0], pasn_hapd, "FT-EAP-SHA384", "CCMP") + +def test_pasn_sta_mic_error(dev, apdev): + """PASN authentication with WPA2/CCMP AP with corrupted MIC on station""" + params = pasn_ap_params("PASN", "CCMP", "19") + hapd = hostapd.add_ap(apdev[0], params) + + try: + # When forcing MIC corruption, the exchange would be still successful + # on the station side, but the AP would fail the exchange and would not + # store the keys. + dev[0].set("pasn_corrupt_mic", "1") + check_pasn_akmp_cipher(dev[0], hapd, "PASN", "CCMP", fail_ptk=True) + finally: + dev[0].set("pasn_corrupt_mic", "0") + + # Now verify the successful case + check_pasn_akmp_cipher(dev[0], hapd, "PASN", "CCMP") + +def test_pasn_ap_mic_error(dev, apdev): + """PASN authentication with WPA2/CCMP AP with corrupted MIC on AP""" + params = pasn_ap_params("PASN", "CCMP", "19") + hapd0 = hostapd.add_ap(apdev[0], params) + + params['pasn_corrupt_mic'] = "1" + hapd1 = hostapd.add_ap(apdev[1], params) + + check_pasn_akmp_cipher(dev[0], hapd1, "PASN", "CCMP", status=1) + check_pasn_akmp_cipher(dev[0], hapd0, "PASN", "CCMP")