[PATCH 5/5] test_ap_ciphers: add delayed group rekey retransmit test for IGTK

[Johannes Berg <johannes@xxxxxxxxxxxxxxxx>]

From: Johannes Berg <johannes.berg@xxxxxxxxx>

Add a test for delayed group rekey retransmission that checks that
the IGTK is protected against it by not resetting the IPN replay
counter when reinstalling such a key.

Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
---
 tests/hwsim/test_ap_ciphers.py | 61 ++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)

diff --git a/tests/hwsim/test_ap_ciphers.py b/tests/hwsim/test_ap_ciphers.py
index 741e3a5cba73..d43831bc776a 100644
--- a/tests/hwsim/test_ap_ciphers.py
+++ b/tests/hwsim/test_ap_ciphers.py
@@ -867,6 +867,67 @@ def run_ap_wpa2_delayed_group_m1_retransmission(dev, apdev):
         if a < b:
             raise Exception("RX counter decreased: idx=%d before=%d after=%d" % (i, b, a))
 
+def test_ap_wpa2_delayed_group_m1_retransmission_igtk(dev, apdev):
+    """Delayed group M1 retransmission (check IGTK protection)"""
+    require_under_vm()
+    try:
+        subprocess.call(['sysctl', '-w', 'net.ipv6.conf.all.disable_ipv6=1'],
+                        stdout=open('/dev/null', 'w'))
+        subprocess.call(['sysctl', '-w',
+                         'net.ipv6.conf.default.disable_ipv6=1'],
+                        stdout=open('/dev/null', 'w'))
+        run_ap_wpa2_delayed_group_m1_retransmission_igtk(dev, apdev)
+    finally:
+        subprocess.call(['sysctl', '-w', 'net.ipv6.conf.all.disable_ipv6=0'],
+                        stdout=open('/dev/null', 'w'))
+        subprocess.call(['sysctl', '-w',
+                         'net.ipv6.conf.default.disable_ipv6=0'],
+                        stdout=open('/dev/null', 'w'))
+
+def run_ap_wpa2_delayed_group_m1_retransmission_igtk(dev, apdev):
+    params = hostapd.wpa2_params(ssid="test-wpa2-psk", passphrase="12345678",
+                                 ieee80211w="2")
+    hapd = hostapd.add_ap(apdev[0], params)
+
+    # XXX: what's this for?
+    Wlantest.setup(hapd)
+    wt = Wlantest()
+    wt.flush()
+    wt.add_passphrase("12345678")
+
+    phy = dev[0].get_driver_status_field("phyname")
+    dev[0].connect("test-wpa2-psk", psk="12345678", scan_freq="2412",
+                   ieee80211w="1")
+    hapd.wait_sta()
+
+    hwsim_utils.test_connectivity(dev[0], hapd, timeout=1)
+
+    # deauth once to see that works OK
+    addr = dev[0].own_addr()
+    hapd.request("DEAUTHENTICATE ff:ff:ff:ff:ff:ff")
+    dev[0].wait_disconnected(timeout=10)
+
+    # now to check the protection
+    dev[0].connect("test-wpa2-psk", psk="12345678", scan_freq="2412",
+                   ieee80211w="1")
+    hapd.wait_sta()
+
+    hwsim_utils.test_connectivity(dev[0], hapd, timeout=1)
+
+    if "OK" not in hapd.request("RESEND_GROUP_M1 " + addr):
+        raise Exception("RESEND_GROUP_M1 failed")
+    if "OK" not in hapd.request("RESET_PN ff:ff:ff:ff:ff:ff IGTK"):
+        raise Exception("RESET_PN failed")
+
+    time.sleep(0.1)
+    hapd.request("DEAUTHENTICATE ff:ff:ff:ff:ff:ff test=25")
+
+    time.sleep(0.1)
+    hwsim_utils.test_connectivity(dev[0], hapd, timeout=1)
+
+    dev[0].request("DISCONNECT")
+    dev[0].wait_disconnected()
+
 def test_ap_wpa2_delayed_m1_m3_zero_tk(dev, apdev):
     """Delayed M1+M3 retransmission and zero TK"""
     params = hostapd.wpa2_params(ssid="test-wpa2-psk", passphrase="12345678")
-- 
2.25.1


_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap