tests: Add test coverage for PASN with MIC errors

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
This commit is contained in:
Ilan Peer 2021-03-15 14:57:04 +02:00 committed by Jouni Malinen
parent b866786338
commit b42b6c4d53

View file

@ -46,10 +46,12 @@ def start_pasn_ap(apdev, params):
raise HwsimSkip("PASN not supported") raise HwsimSkip("PASN not supported")
raise raise
def check_pasn_ptk(dev, hapd, cipher): def check_pasn_ptk(dev, hapd, cipher, fail_ptk=False):
sta_ptksa = dev.get_ptksa(hapd.own_addr(), cipher) sta_ptksa = dev.get_ptksa(hapd.own_addr(), cipher)
ap_ptksa = hapd.get_ptksa(dev.own_addr(), cipher) ap_ptksa = hapd.get_ptksa(dev.own_addr(), cipher)
if not (sta_ptksa and ap_ptksa): if not (sta_ptksa and ap_ptksa):
if fail_ptk:
return
raise Exception("Could not get PTKSA entry") raise Exception("Could not get PTKSA entry")
logger.info("sta: TK: %s KDK: %s" % (sta_ptksa['tk'], sta_ptksa['kdk'])) logger.info("sta: TK: %s KDK: %s" % (sta_ptksa['tk'], sta_ptksa['kdk']))
@ -57,9 +59,12 @@ def check_pasn_ptk(dev, hapd, cipher):
if sta_ptksa['tk'] != ap_ptksa['tk'] or sta_ptksa['kdk'] != ap_ptksa['kdk']: if sta_ptksa['tk'] != ap_ptksa['tk'] or sta_ptksa['kdk'] != ap_ptksa['kdk']:
raise Exception("TK/KDK mismatch") raise Exception("TK/KDK mismatch")
elif fail_ptk:
raise Exception("TK/KDK match although key derivation should have failed")
def check_pasn_akmp_cipher(dev, hapd, akmp="PASN", cipher="CCMP", def check_pasn_akmp_cipher(dev, hapd, akmp="PASN", cipher="CCMP",
group="19", status=0, fail=0, nid=""): group="19", status=0, fail=0, nid="",
fail_ptk=False):
dev.flush_scan_cache() dev.flush_scan_cache()
dev.scan(type="ONLY", freq=2412) dev.scan(type="ONLY", freq=2412)
@ -88,7 +93,7 @@ def check_pasn_akmp_cipher(dev, hapd, akmp="PASN", cipher="CCMP",
if status: if status:
return return
check_pasn_ptk(dev, hapd, cipher) check_pasn_ptk(dev, hapd, cipher, fail_ptk)
@remote_compatible @remote_compatible
def test_pasn_ccmp(dev, apdev): def test_pasn_ccmp(dev, apdev):
@ -636,3 +641,31 @@ def test_pasn_ft_eap_sha384(dev, apdev):
pasn_hapd = hapd0 pasn_hapd = hapd0
check_pasn_akmp_cipher(dev[0], pasn_hapd, "FT-EAP-SHA384", "CCMP") check_pasn_akmp_cipher(dev[0], pasn_hapd, "FT-EAP-SHA384", "CCMP")
def test_pasn_sta_mic_error(dev, apdev):
"""PASN authentication with WPA2/CCMP AP with corrupted MIC on station"""
params = pasn_ap_params("PASN", "CCMP", "19")
hapd = hostapd.add_ap(apdev[0], params)
try:
# When forcing MIC corruption, the exchange would be still successful
# on the station side, but the AP would fail the exchange and would not
# store the keys.
dev[0].set("pasn_corrupt_mic", "1")
check_pasn_akmp_cipher(dev[0], hapd, "PASN", "CCMP", fail_ptk=True)
finally:
dev[0].set("pasn_corrupt_mic", "0")
# Now verify the successful case
check_pasn_akmp_cipher(dev[0], hapd, "PASN", "CCMP")
def test_pasn_ap_mic_error(dev, apdev):
"""PASN authentication with WPA2/CCMP AP with corrupted MIC on AP"""
params = pasn_ap_params("PASN", "CCMP", "19")
hapd0 = hostapd.add_ap(apdev[0], params)
params['pasn_corrupt_mic'] = "1"
hapd1 = hostapd.add_ap(apdev[1], params)
check_pasn_akmp_cipher(dev[0], hapd1, "PASN", "CCMP", status=1)
check_pasn_akmp_cipher(dev[0], hapd0, "PASN", "CCMP")