Hwsim is not affected by the PTK rekey issues. Don't enforce the new "disconnect on rekey" default action for the existing tests and add some tests to verify wpa_deny_ptk0_rekey is working.
Signed-off-by: Alexander Wetzel <alexander@xxxxxxxxxxxxxx>
---
 tests/hwsim/hostapd.py | 7 +++-
 tests/hwsim/multi-bss-iface-per_sta_vif.conf | 2 +
 tests/hwsim/multi-bss-iface.conf | 2 +
 tests/hwsim/test_ap_ciphers.py | 11 +++++
 tests/hwsim/test_ap_eap.py | 44 +++++++++++++++++++-
 tests/hwsim/test_ap_ft.py | 1 +
 tests/hwsim/test_ap_pmf.py | 1 +
 tests/hwsim/test_ap_psk.py | 41 +++++++++++++++++-
 tests/hwsim/wpasupplicant.py | 4 +-
 9 files changed, 108 insertions(+), 5 deletions(-)
diff --git a/tests/hwsim/hostapd.py b/tests/hwsim/hostapd.py
index e555f75ed..c618a28e0 100644
--- a/tests/hwsim/hostapd.py
+++ b/tests/hwsim/hostapd.py
@@ -548,7 +548,7 @@ def add_ap(apdev, params, wait_enabled=True, no_enable=False, timeout=30,
 raise Exception("Could not ping hostapd")
 hapd.set_defaults()
 fields = ["ssid", "wpa_passphrase", "nas_identifier", "wpa_key_mgmt",
- "wpa",
+ "wpa", "wpa_deny_ptk0_rekey",
 "wpa_pairwise", "rsn_pairwise", "auth_server_addr", "acct_server_addr", "osu_server_uri"]
 for field in fields:
@@ -633,6 +633,7 @@ def terminate(apdev):
 def wpa2_params(ssid=None, passphrase=None):
 params = {"wpa": "2",
+ "wpa_deny_ptk0_rekey": "0",
 "wpa_key_mgmt": "WPA-PSK", "rsn_pairwise": "CCMP"}
 if ssid:
@@ -643,6 +644,7 @@ def wpa2_params(ssid=None, passphrase=None):
 def wpa_params(ssid=None, passphrase=None):
 params = {"wpa": "1",
+ "wpa_deny_ptk0_rekey": "0",
 "wpa_key_mgmt": "WPA-PSK", "wpa_pairwise": "TKIP"}
 if ssid:
@@ -653,6 +655,7 @@ def wpa_params(ssid=None, passphrase=None):
 def wpa_mixed_params(ssid=None, passphrase=None):
 params = {"wpa": "3",
+ "wpa_deny_ptk0_rekey": "0",
 "wpa_key_mgmt": "WPA-PSK", "wpa_pairwise": "TKIP", "rsn_pairwise": "CCMP"}
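Review bot: The parameter helpers (`wpa2_params`, `wpa_params`, `wpa_mixed_params` here, `wpa_eap_params` and `wpa2_eap_params` in the two hunks that follow) each hard-code `"wpa_deny_ptk0_rekey": "0"` without saying why, and the test_ap_ciphers.py, test_ap_ft.py and test_ap_pmf.py hunks repeat the same literal in hand-built settings. A test that builds its own params and omits the line silently runs with the daemon's default instead, so behaviour differs between tests for no visible reason. Since `hapd.set_defaults()` is already called in `add_ap` just above the `fields` list, applying the suite-wide value once there would cover every AP (its body is outside this hunk, so that placement is an assumption); failing that, a comment such as `# hwsim rekeys PTK0 correctly; keep rekeying enabled so the existing rekey tests still run` belongs next to the literal. With "0" forced everywhere and the new tests using only "2", nothing in the suite appears to exercise the shipped default.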
@@ -672,6 +675,7 @@ def radius_params():
 def wpa_eap_params(ssid=None):
 params = radius_params()
 params["wpa"] = "1"
+ params["wpa_deny_ptk0_rekey"] = "0"
 params["wpa_key_mgmt"] = "WPA-EAP"
 params["wpa_pairwise"] = "TKIP"
 params["ieee8021x"] = "1"
@@ -682,6 +686,7 @@ def wpa_eap_params(ssid=None):
 def wpa2_eap_params(ssid=None):
 params = radius_params()
 params["wpa"] = "2"
+ params["wpa_deny_ptk0_rekey"] = "0"
 params["wpa_key_mgmt"] = "WPA-EAP"
 params["rsn_pairwise"] = "CCMP"
 params["ieee8021x"] = "1"
diff --git a/tests/hwsim/multi-bss-iface-per_sta_vif.conf b/tests/hwsim/multi-bss-iface-per_sta_vif.conf
index f07c13b21..9bf40f527 100644
--- a/tests/hwsim/multi-bss-iface-per_sta_vif.conf
+++ b/tests/hwsim/multi-bss-iface-per_sta_vif.conf
@@ -12,6 +12,7 @@ dynamic_vlan=1
 vlan_tagged_interface=dummy0
 vlan_bridge=brvlan
 wpa=2
+wpa_deny_ptk0_rekey=0
 wpa_key_mgmt=WPA-EAP
 rsn_pairwise=CCMP
 ieee8021x=1
@@ -31,6 +32,7 @@ dynamic_vlan=1
 vlan_tagged_interface=dummy0
 vlan_bridge=brvlan
 wpa=2
+wpa_deny_ptk0_rekey=0
 wpa_key_mgmt=WPA-EAP
 rsn_pairwise=CCMP
 ieee8021x=1
diff --git a/tests/hwsim/multi-bss-iface.conf b/tests/hwsim/multi-bss-iface.conf
index 6b6167f51..9a5ac6383 100644
--- a/tests/hwsim/multi-bss-iface.conf
+++ b/tests/hwsim/multi-bss-iface.conf
@@ -12,6 +12,7 @@ dynamic_vlan=1
 vlan_tagged_interface=dummy0
 vlan_bridge=brvlan
 wpa=2
+wpa_deny_ptk0_rekey=0
 wpa_key_mgmt=WPA-EAP
 rsn_pairwise=CCMP
 ieee8021x=1
@@ -30,6 +31,7 @@ dynamic_vlan=1
 vlan_tagged_interface=dummy0
 vlan_bridge=brvlan
 wpa=2
+wpa_deny_ptk0_rekey=0
 wpa_key_mgmt=WPA-EAP
 rsn_pairwise=CCMP
 ieee8021x=1
diff --git a/tests/hwsim/test_ap_ciphers.py b/tests/hwsim/test_ap_ciphers.py
index 4e7939169..48903ede9 100644
--- a/tests/hwsim/test_ap_ciphers.py
+++ b/tests/hwsim/test_ap_ciphers.py
@@ -25,6 +25,7 @@ def check_cipher(dev, ap, cipher, group_cipher=None):
 params = {"ssid": "test-wpa2-psk", "wpa_passphrase": "12345678", "wpa": "2",
+ "wpa_deny_ptk0_rekey": "0",
 "wpa_key_mgmt": "WPA-PSK", "rsn_pairwise": cipher}
 if group_cipher:
@@ -43,6 +44,7 @@ def check_group_mgmt_cipher(dev, ap, cipher, sta_req_cipher=None):
 params = {"ssid": "test-wpa2-psk-pmf", "wpa_passphrase": "12345678", "wpa": "2",
+ "wpa_deny_ptk0_rekey": "0",
 "ieee80211w": "2", "wpa_key_mgmt": "WPA-PSK-SHA256", "rsn_pairwise": "CCMP",
@@ -91,6 +93,7 @@ def test_ap_cipher_tkip_countermeasures_ap(dev, apdev):
 params = {"ssid": "tkip-countermeasures", "wpa_passphrase": "12345678", "wpa": "1",
+ "wpa_deny_ptk0_rekey": "0",
 "wpa_key_mgmt": "WPA-PSK", "wpa_pairwise": "TKIP"}
 hapd = hostapd.add_ap(apdev[0], params)
@@ -125,6 +128,7 @@ def test_ap_cipher_tkip_countermeasures_ap_mixed_mode(dev, apdev):
 params = {"ssid": "tkip-countermeasures", "wpa_passphrase": "12345678", "wpa": "3",
+ "wpa_deny_ptk0_rekey": "0",
 "wpa_key_mgmt": "WPA-PSK", "wpa_pairwise": "TKIP", "rsn_pairwise": "CCMP"}
@@ -169,6 +173,7 @@ def test_ap_cipher_tkip_countermeasures_sta(dev, apdev):
 params = {"ssid": "tkip-countermeasures", "wpa_passphrase": "12345678", "wpa": "1",
+ "wpa_deny_ptk0_rekey": "0",
 "wpa_key_mgmt": "WPA-PSK", "wpa_pairwise": "TKIP"}
 hapd = hostapd.add_ap(apdev[0], params)
@@ -205,6 +210,7 @@ def test_ap_cipher_tkip_countermeasures_sta2(dev, apdev, params):
 params = {"ssid": "tkip-countermeasures", "wpa_passphrase": "12345678", "wpa": "1",
+ "wpa_deny_ptk0_rekey": "0",
 "wpa_key_mgmt": "WPA-PSK", "wpa_pairwise": "TKIP"}
 hapd = hostapd.add_ap(apdev[0], params)
@@ -316,6 +322,7 @@ def test_ap_cipher_gcmp_ccmp(dev, apdev, params):
 params = {"ssid": "test-wpa2-psk", "wpa_passphrase": "12345678", "wpa": "2",
+ "wpa_deny_ptk0_rekey": "0",
 "wpa_key_mgmt": "WPA-PSK", "rsn_pairwise": "CCMP GCMP CCMP-256 GCMP-256"}
 hapd = hostapd.add_ap(apdev[0], params)
@@ -370,6 +377,7 @@ def test_ap_cipher_mixed_wpa_wpa2(dev, apdev):
 params = {"ssid": ssid, "wpa_passphrase": passphrase, "wpa": "3",
+ "wpa_deny_ptk0_rekey": "0",
 "wpa_key_mgmt": "WPA-PSK", "rsn_pairwise": "CCMP", "wpa_pairwise": "TKIP"}
@@ -455,6 +463,7 @@ def test_ap_cipher_bip_req_mismatch(dev, apdev):
 params = {"ssid": "test-wpa2-psk-pmf", "wpa_passphrase": "12345678", "wpa": "2",
+ "wpa_deny_ptk0_rekey": "0",
 "ieee80211w": "2", "wpa_key_mgmt": "WPA-PSK-SHA256", "rsn_pairwise": "CCMP",
@@ -528,6 +537,7 @@ def run_ap_cipher_replay_protection_ap(dev, apdev, cipher):
 params = {"ssid": "test-wpa2-psk", "wpa_passphrase": "12345678", "wpa": "2",
+ "wpa_deny_ptk0_rekey": "0",
 "wpa_key_mgmt": "WPA-PSK", "rsn_pairwise": cipher}
 hapd = hostapd.add_ap(apdev[0], params)
@@ -598,6 +608,7 @@ def run_ap_cipher_replay_protection_sta(dev, apdev, cipher, gtk=False):
 params = {"ssid": "test-wpa2-psk", "wpa_passphrase": "12345678", "wpa": "2",
+ "wpa_deny_ptk0_rekey": "0",
 "wpa_key_mgmt": "WPA-PSK", "rsn_pairwise": cipher}
 hapd = hostapd.add_ap(apdev[0], params)
diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py
index 1eef5b7d6..28a1b11e4 100644
--- a/tests/hwsim/test_ap_eap.py
+++ b/tests/hwsim/test_ap_eap.py
@@ -3156,7 +3156,7 @@ def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
 params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP", "rsn_pairwise": "CCMP", "ieee8021x": "1", "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
- "fragment_size": "50"}
+ "fragment_size": "50", "wpa_deny_ptk0_rekey": "0"}
 hapd = hostapd.add_ap(apdev[0], params)
 eap_connect(dev[0], hapd, "IKEV2", "ikev2 user", password="ike password")
@@ -4115,7 +4115,7 @@ def int_eap_server_params():
 "ca_cert": "auth_serv/ca.pem", "server_cert": "auth_serv/server.pem", "private_key": "auth_serv/server.key",
- "dh_file": "auth_serv/dh.conf"}
+ "dh_file": "auth_serv/dh.conf", "wpa_deny_ptk0_rekey" : "0"}
 return params
 def run_openssl(arg):
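Review bot: In `int_eap_server_params` the new entry is written `"wpa_deny_ptk0_rekey" : "0"` with a space before the colon and is appended to the `dh_file` line; the `fragment_size` line in `test_ap_wpa2_eap_ikev2_as_frag` is extended the same way. The other dicts touched by this commit give the option a line of its own, which keeps a later change to it down to one added or removed line. I would keep `"dh_file": "auth_serv/dh.conf",` as it was apart from the trailing comma and put `"wpa_deny_ptk0_rekey": "0"}` on the following line. Both functions begin outside their hunks.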
@@ -5126,6 +5126,46 @@ def test_ap_wpa2_eap_reauth(dev, apdev):
 if state != "COMPLETED":
 raise Exception("Reauthentication did not complete")
+def test_ap_wpa2_eap_reauth_ptk_rekey_blocked_ap(dev, apdev):
+ """WPA2-Enterprise and Authenticator forcing reauthentication with PTK rekey blocked on AP"""
+ params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+ params['eap_reauth_period'] = '2'
+ params['wpa_deny_ptk0_rekey'] = '2'
+ hapd = hostapd.add_ap(apdev[0], params)
+ eap_connect(dev[0], hapd, "PAX", "pax.user@xxxxxxxxxxx",
+ password_hex="0123456789abcdef0123456789abcdef")
+ logger.info("Wait for disconnect due to reauth")
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
+ "CTRL-EVENT-DISCONNECTED"], timeout=10)
+ if ev is None:
+ raise Exception("Timeout on reauthentication")
+ elif "CTRL-EVENT-EAP-STARTED" in ev:
+ raise Exception("Reauthentication without disconnect")
+
+ ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=1)
+ if ev is None:
+ raise Exception("Timeout on reconnect")
+
+def test_ap_wpa2_eap_reauth_ptk_rekey_blocked_sta(dev, apdev):
+ """WPA2-Enterprise and Authenticator forcing reauthentication with PTK rekey blocked on station"""
+ params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+ params['eap_reauth_period'] = '2'
+ hapd = hostapd.add_ap(apdev[0], params)
+ eap_connect(dev[0], hapd, "PAX", "pax.user@xxxxxxxxxxx",
+ password_hex="0123456789abcdef0123456789abcdef",
+ wpa_deny_ptk0_rekey="2")
+ logger.info("Wait for disconnect due to reauth")
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
+ "CTRL-EVENT-DISCONNECTED"], timeout=10)
+ if ev is None:
+ raise Exception("Timeout on reauthentication")
+ elif "CTRL-EVENT-EAP-STARTED" in ev:
+ raise Exception("Reauthentication without disconnect")
+
+ ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=1)
+ if ev is None:
+ raise Exception("Timeout on reconnect")
+
 def test_ap_wpa2_eap_request_identity_message(dev, apdev):
 """Optional displayable message in EAP Request-Identity"""
 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
diff --git a/tests/hwsim/test_ap_ft.py b/tests/hwsim/test_ap_ft.py
index e3cd4bee0..f827ada07 100644
--- a/tests/hwsim/test_ap_ft.py
+++ b/tests/hwsim/test_ap_ft.py
@@ -51,6 +51,7 @@ def ft_params(rsn=True, ssid=None, passphrase=None):
 params["r0_key_lifetime"] = "10000"
 params["pmk_r1_push"] = "1"
 params["reassociation_deadline"] = "1000"
+ params['wpa_deny_ptk0_rekey'] = "0"
 return params
 def ft_params1a(rsn=True, ssid=None, passphrase=None):
diff --git a/tests/hwsim/test_ap_pmf.py b/tests/hwsim/test_ap_pmf.py
index be9b5d213..d755062e3 100644
--- a/tests/hwsim/test_ap_pmf.py
+++ b/tests/hwsim/test_ap_pmf.py
@@ -335,6 +335,7 @@ def start_wpas_ap(ssid):
 wpas.set_network(id, "mode", "2")
 wpas.set_network_quoted(id, "ssid", ssid)
 wpas.set_network(id, "proto", "WPA2")
+ wpas.set_network(id, "wpa_deny_ptk0_rekey", "0")
 wpas.set_network(id, "key_mgmt", "WPA-PSK-SHA256")
 wpas.set_network(id, "ieee80211w", "2")
 wpas.set_network_quoted(id, "psk", "12345678")
diff --git a/tests/hwsim/test_ap_psk.py b/tests/hwsim/test_ap_psk.py
index 472264c69..9511cbbfa 100644
--- a/tests/hwsim/test_ap_psk.py
+++ b/tests/hwsim/test_ap_psk.py
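Review bot: Both new tests in the test_ap_eap.py hunk accept any `CTRL-EVENT-DISCONNECTED` as proof that the PTK0 rekey was refused, so a disconnect with another cause (a failed EAP exchange, for example) also passes and gives false assurance about the control. Checking the event text before accepting it would tighten this; on the station-side test the disconnect is presumably locally generated, e.g. `if "locally_generated=1" not in ev: raise Exception("Disconnect not initiated by station")`, to be confirmed against the supplicant's event format. The follow-up wait allows `timeout=1` for a full reconnect including EAP, which looks likely to be flaky on a loaded test VM. The two functions differ only in which side gets `wpa_deny_ptk0_rekey` set to "2" and could share one helper; the same points apply to `test_ap_wpa2_ptk_rekey_blocked_ap` and `test_ap_wpa2_ptk_rekey_blocked_sta` in test_ap_psk.py.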
@@ -211,11 +211,50 @@ def test_ap_wpa2_ptk_rekey(dev, apdev):
 params = hostapd.wpa2_params(ssid=ssid, passphrase=passphrase)
 hapd = hostapd.add_ap(apdev[0], params)
 dev[0].connect(ssid, psk=passphrase, wpa_ptk_rekey="1", scan_freq="2412")
- ev = dev[0].wait_event(["WPA: Key negotiation completed"])
+ ev = dev[0].wait_event(["WPA: Key negotiation completed",
+ "CTRL-EVENT-DISCONNECTED"])
 if ev is None:
 raise Exception("PTK rekey timed out")
+ elif "CTRL-EVENT-DISCONNECTED" in ev:
+ raise Exception("Disconnect instead of rekey")
 hwsim_utils.test_connectivity(dev[0], hapd)
+def test_ap_wpa2_ptk_rekey_blocked_ap(dev, apdev):
+ """WPA2-PSK AP and PTK rekey enforced by station and AP blocking it"""
+ ssid = "test-wpa2-psk"
+ passphrase = 'qwertyuiop'
+ params = hostapd.wpa2_params(ssid=ssid, passphrase=passphrase)
+ params['wpa_deny_ptk0_rekey'] = "2"
+ hapd = hostapd.add_ap(apdev[0], params)
+ dev[0].connect(ssid, psk=passphrase, wpa_ptk_rekey="1", scan_freq="2412")
+ ev = dev[0].wait_event(["WPA: Key negotiation completed",
+ "CTRL-EVENT-DISCONNECTED"])
+ if ev is None:
+ raise Exception("PTK rekey timed out")
+ elif "WPA: Key negotiation completed" in ev:
+ raise Exception("No disconnect, PTK rekey succeeded")
+ ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=1)
+ if ev is None:
+ raise Exception("Reconnect too slow")
+
+def test_ap_wpa2_ptk_rekey_blocked_sta(dev, apdev):
+ """WPA2-PSK AP and PTK rekey enforced by station while also blocking it"""
+ ssid = "test-wpa2-psk"
+ passphrase = 'qwertyuiop'
+ params = hostapd.wpa2_params(ssid=ssid, passphrase=passphrase)
+ hapd = hostapd.add_ap(apdev[0], params)
+ dev[0].connect(ssid, psk=passphrase, wpa_ptk_rekey="1", scan_freq="2412",
+ wpa_deny_ptk0_rekey="2")
+ ev = dev[0].wait_event(["WPA: Key negotiation completed",
+ "CTRL-EVENT-DISCONNECTED"])
+ if ev is None:
+ raise Exception("PTK rekey timed out")
+ elif "WPA: Key negotiation completed" in ev:
+ raise Exception("No disconnect, PTK rekey succeeded")
+ ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=1)
+ if ev is None:
+ raise Exception("Reconnect too slow")
+
 def test_ap_wpa2_ptk_rekey_anonce(dev, apdev):
 """WPA2-PSK AP and PTK rekey enforced by station and ANonce change"""
 ssid = "test-wpa2-psk"
diff --git a/tests/hwsim/wpasupplicant.py b/tests/hwsim/wpasupplicant.py
index c9ebb250d..08fa55cd1 100644
--- a/tests/hwsim/wpasupplicant.py
+++ b/tests/hwsim/wpasupplicant.py
@@ -1053,7 +1053,7 @@ class WpaSupplicant:
 if tspecs:
 raise Exception("DELTS failed (still in tspec list)")
- def connect(self, ssid=None, ssid2=None, **kwargs):
+ def connect(self, ssid=None, ssid2=None, wpa_deny_ptk0_rekey="0", **kwargs):
 logger.info("Connect STA " + self.ifname + " to AP")
 id = self.add_network()
 if ssid:
@@ -1061,6 +1061,8 @@ class WpaSupplicant:
 elif ssid2:
 self.set_network(id, "ssid", ssid2)
+
+ self.set_network(id, "wpa_deny_ptk0_rekey", wpa_deny_ptk0_rekey)
+ quoted = ["psk", "identity", "anonymous_identity", "password", "machine_identity", "machine_password", "ca_cert", "client_cert", "private_key",
--
2.24.1
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
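Review bot: Neither `test_ap_wpa2_ptk_rekey_blocked_ap` nor `test_ap_wpa2_ptk_rekey_blocked_sta` checks the data path after the reconnect, although `test_ap_wpa2_ptk_rekey` in the same hunk ends with `hwsim_utils.test_connectivity(dev[0], hapd)`. Seeing `WPA: Key negotiation completed` shows that the handshake finished, not that frames actually flow under the newly installed key. I would end both new tests with the same `hwsim_utils.test_connectivity(dev[0], hapd)` call. The first `wait_event` in each test also relies on the default timeout while the second passes `timeout=1`; an explicit value on both would make the intended timing visible.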
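Review bot: `connect()` now writes `wpa_deny_ptk0_rekey` into every network, "0" unless the caller overrides it, and nothing at the call site says that this deliberately switches the new protective default off for the whole station-side suite. A comment above the added `set_network` line, e.g. `# hwsim rekeys PTK0 correctly; keep rekeying enabled so existing tests do not reconnect`, would stop a later reader from copying the "0" into a real configuration. It also means that no station test runs with the supplicant's shipped default, so a test covering that value would close the gap. The body of `connect()` continues past the end of the hunk.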