From patchwork Sat Aug 17 21:14:29 2019
X-Patchwork-Submitter: Alexander Wetzel
X-Patchwork-Id: 1148796
From: Alexander Wetzel
To: j@w1.fi
Subject: [PATCH v3 11/17] tests: Extended Key ID tests
Date: Sat, 17 Aug 2019 23:14:29 +0200
Message-Id: <20190817211435.158335-12-alexander@wetzel-home.de>
In-Reply-To: <20190817211435.158335-1-alexander@wetzel-home.de>
References: <20190817211435.158335-1-alexander@wetzel-home.de>
Cc: Alexander Wetzel, hostap@lists.infradead.org, luca@coelho.fi, johannes@sipsolutions.net

Add the needed infrastructure for the Extended Key ID tests, update the
tests overriding RSN Capabilities to work with and without Extended Key
ID support and add additional interoperability tests for Extended Key ID.

When supported by the platform (hwsim) all tests will use Extended Key
ID when it's allowed while - with the exception of the interoperability
test - continuing to work with the classical key install.

Signed-off-by: Alexander Wetzel
---

There is of course much more we could test here. Especially wlantest is
a neglected area so far. But then all tests using it are also working
when we use Extended Key ID.

Since all existing tests are with this patch set also working when we
use Extended Key ID. (The last patch of the series uses the keyid 1 for
the initial key, making sure that even tests without rekey are
compatible.)

Sample test runs are linked in the cover letter of the series.

 tests/hwsim/hostapd.py | 19 ++++++++-
 tests/hwsim/test_ap_eap.py | 20 +++++++++-
 tests/hwsim/test_ap_psk.py | 76 ++++++++++++++++++++++++++++++++----
 tests/hwsim/test_ocv.py | 13 ++++--
 tests/hwsim/test_rrm.py | 7 +++-
 tests/hwsim/wpasupplicant.py | 7 +++-
 wlantest/bss.c | 4 +-
 wlantest/rx_eapol.c | 4 ++
 8 files changed, 134 insertions(+), 16 deletions(-)

diff --git a/tests/hwsim/hostapd.py b/tests/hwsim/hostapd.py index 4430d8055..c8021ffcc 100644 --- a/tests/hwsim/hostapd.py +++ b/tests/hwsim/hostapd.py @@ -151,6 +151,7 @@ class Hostapd: self.mon.attach() self.bssid = None self.bssidx = bssidx + self.extKeyID = None def cmd_execute(self, cmd_array, shell=False): if self.hostname is None: 
@@ -536,7 +537,7 @@ def add_ap(apdev, params, wait_enabled=True, no_enable=False, timeout=30, raise Exception("Could not ping hostapd") hapd.set_defaults() fields = ["ssid", "wpa_passphrase", "nas_identifier", "wpa_key_mgmt", - "wpa", + "wpa", "wpa_extended_key_id", "wpa_pairwise", "rsn_pairwise", "auth_server_addr", "acct_server_addr", "osu_server_uri"] for field in fields: @@ -554,6 +555,16 @@ def add_ap(apdev, params, wait_enabled=True, no_enable=False, timeout=30, return hapd hapd.enable() if wait_enabled: + if "wpa" in params and params["wpa"] == "2": + ev = hapd.wait_event(["Extended Key ID"], timeout=5) + if ev is None or "requires wpa2" in ev: + hapd.extKeyID = "unused" + elif "not supported" in ev: + hapd.extKeyID = "auto-off" + elif "disabled" in ev: + hapd.extKeyID = "force-off" + else: + hapd.extKeyID = "auto-on" ev = hapd.wait_event(["AP-ENABLED", "AP-DISABLED"], timeout=timeout) if ev is None: raise Exception("AP startup timed out") @@ -619,7 +630,7 @@ def terminate(apdev): hapd_global = HostapdGlobal(apdev) hapd_global.terminate() -def wpa2_params(ssid=None, passphrase=None): +def wpa2_params(ssid=None, passphrase=None, wpa_extended_key_id="auto"): params = {"wpa": "2", "wpa_key_mgmt": "WPA-PSK", "rsn_pairwise": "CCMP"} @@ -627,6 +638,10 @@ def wpa2_params(ssid=None, passphrase=None): params["ssid"] = ssid if passphrase: params["wpa_passphrase"] = passphrase + if wpa_extended_key_id == "on": + params["wpa_extended_key_id"] = "1" + elif wpa_extended_key_id == "off": + params["wpa_extended_key_id"] = "0" return params def wpa_params(ssid=None, passphrase=None): diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py index 2fc6925a1..6fc208d20 100644 --- a/tests/hwsim/test_ap_eap.py +++ b/tests/hwsim/test_ap_eap.py 
@@ -6535,7 +6535,7 @@ def test_eap_tls_sha384(dev, apdev, params): def test_ap_wpa2_eap_assoc_rsn(dev, apdev): """WPA2-Enterprise AP and association request RSN IE differences""" params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") - hostapd.add_ap(apdev[0], params) + hapd = hostapd.add_ap(apdev[0], params) params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap-11w") params["ieee80211w"] = "2" @@ -6555,6 +6555,17 @@ def test_ap_wpa2_eap_assoc_rsn(dev, apdev): ("RSN IE without AKM", "300c0100000fac040100000fac04"), ("RSN IE without pairwise", "30060100000fac04"), ("RSN IE without group", "30020100")] + + if hapd.extKeyID == "auto-on": + tests += [("Normal wpa_supplicant assoc req RSN IE with Extended Key ID", + "30140100000fac040100000fac040100000fac010020"), + ("Extra PMKIDCount field in RSN IE with Extended Key ID", + "30160100000fac040100000fac040100000fac0100200000"), + ("Extra Group Management Cipher Suite in RSN IE with Extended Key ID", + "301a0100000fac040100000fac040100000fac0100200000000fac06"), + ("Extra undefined extension field in RSN IE with Extended Key ID", + "301c0100000fac040100000fac040100000fac0100200000000fac061122")] + for title, ie in tests: logger.info(title) set_test_assoc_ie(dev[0], ie) @@ -6569,6 +6580,13 @@ def test_ap_wpa2_eap_assoc_rsn(dev, apdev): "30140100000fac040100000fac040100000fac01cc00"), ("Group management cipher included in assoc req RSN IE", "301a0100000fac040100000fac040100000fac01cc000000000fac06")] + + if hapd.extKeyID == "auto-on": + tests += [("Normal wpa_supplicant assoc req RSN IE with Extended Key ID", + "30140100000fac040100000fac040100000fac01cc20"), + ("Group management cipher included in assoc req RSN IE with Extended Key ID", + "301a0100000fac040100000fac040100000fac01cc200000000fac06")] + for title, ie in tests: logger.info(title) set_test_assoc_ie(dev[0], ie) diff --git a/tests/hwsim/test_ap_psk.py b/tests/hwsim/test_ap_psk.py index 2655c960c..9bb996f09 100644 --- a/tests/hwsim/test_ap_psk.py 
+++ b/tests/hwsim/test_ap_psk.py 
@@ -203,16 +203,56 @@ def _test_ap_wpa2_psk_mem(dev, apdev): @remote_compatible def test_ap_wpa2_ptk_rekey(dev, apdev): - """WPA2-PSK AP and PTK rekey enforced by station""" + """WPA2-PSK AP and PTK rekey enforced by station without Extended Key ID""" + ssid = "test-wpa2-psk" + passphrase = 'qwertyuiop' + params = hostapd.wpa2_params(ssid=ssid, passphrase=passphrase, + wpa_extended_key_id="off") + hapd = hostapd.add_ap(apdev[0], params) + dev[0].connect(ssid, psk=passphrase, wpa_ptk_rekey="1", scan_freq="2412", + wpa_extended_key_id="off") + ev = dev[0].wait_event(["WPA: Key negotiation completed"]) + if ev is None: + raise Exception("PTK rekey timed out") + hwsim_utils.test_connectivity(dev[0], hapd) + +def test_ap_wpa2_ptk_extended_key_id_rekey(dev, apdev): + """WPA2-PSK AP and PTK rekey enforced by station with Extended Key ID""" ssid = "test-wpa2-psk" passphrase = 'qwertyuiop' params = hostapd.wpa2_params(ssid=ssid, passphrase=passphrase) hapd = hostapd.add_ap(apdev[0], params) + if hapd.extKeyID == "auto-off": + raise Exception("Extended Key ID support missing in hwsim") + + dev[0].connect(ssid, psk=passphrase, wpa_ptk_rekey="1", scan_freq="2412", + wpa_extended_key_id="off") + ev = dev[0].wait_event(["WPA: Key negotiation completed"]) + if ev is None: + raise Exception("PTK rekey timed out (STA without Extended Key ID)") + hwsim_utils.test_connectivity(dev[0], hapd) + dev[0].reset() + dev[0].connect(ssid, psk=passphrase, wpa_ptk_rekey="1", scan_freq="2412") ev = dev[0].wait_event(["WPA: Key negotiation completed"]) if ev is None: - raise Exception("PTK rekey timed out") + raise Exception("PTK rekey timed out (STA with Extended Key ID)") + hwsim_utils.test_connectivity(dev[0], hapd) + ev = dev[0].wait_event(["WPA: Key negotiation completed"]) + if ev is None: + raise Exception("PTK rekey timed out 2 (STA with Extended Key ID)") hwsim_utils.test_connectivity(dev[0], hapd) + dev[0].reset() + + params = hostapd.wpa2_params(ssid=ssid, passphrase=passphrase, + 
wpa_extended_key_id="off") + hapd = hostapd.add_ap(apdev[0], params) + dev[0].connect(ssid, psk=passphrase, wpa_ptk_rekey="1", scan_freq="2412") + ev = dev[0].wait_event(["WPA: Key negotiation completed"]) + if ev is None: + raise Exception("PTK rekey timed out (AP without Extended Key ID") + hwsim_utils.test_connectivity(dev[0], hapd) + dev[0].reset() def test_ap_wpa2_ptk_rekey_anonce(dev, apdev): """WPA2-PSK AP and PTK rekey enforced by station and ANonce change""" @@ -1355,10 +1395,15 @@ def eapol_test(apdev, dev, wpa2=True, ieee80211w=0): ieee80211w=str(ieee80211w)) addr = dev.p2p_interface_addr() if wpa2: - if ieee80211w == 2: - rsne = binascii.unhexlify('30140100000fac040100000fac040100000fac02cc00') + if hapd.extKeyID == "auto-on" and ieee80211w == 2: + cap = "cc20" + elif hapd.extKeyID == "auto-on": + cap = "0020" + elif ieee80211w == 2: + cap = "cc00" else: - rsne = binascii.unhexlify('30140100000fac040100000fac040100000fac020000') + cap = "0000" + rsne = binascii.unhexlify('30140100000fac040100000fac040100000fac02'+cap) else: rsne = binascii.unhexlify('dd160050f20101000050f20201000050f20201000050f202') snonce = binascii.unhexlify('1111111111111111111111111111111111111111111111111111111111111111') @@ -2928,6 +2973,11 @@ def test_ap_wpa2_psk_assoc_rsn(dev, apdev): "30140100000fac040100000fac040100000fac020000"), ("RSN IE without RSN Capabilities", "30120100000fac040100000fac040100000fac02")] + + if hapd.extKeyID == "auto-on": + tests += [("Normal wpa_supplicant assoc req RSN IE with Extended Key ID", + "30140100000fac040100000fac040100000fac020020")] + for title, ie in tests: logger.info(title) set_test_assoc_ie(dev[0], ie) 
@@ -2971,9 +3021,13 @@ def test_ap_wpa2_psk_ft_workaround(dev, apdev): params['r1_key_holder'] = "000102030405" hapd = hostapd.add_ap(apdev[0], params) + if hapd.extKeyID == "auto-on": + ie = "30180100000fac040100000fac040200000fac02000fac040020" + else: + ie = "30180100000fac040100000fac040200000fac02000fac040000" + # Include both WPA-PSK and FT-PSK AKMs in Association Request frame - set_test_assoc_ie(dev[0], - "30180100000fac040100000fac040200000fac02000fac040000") + set_test_assoc_ie(dev[0], ie) dev[0].connect(ssid, psk=passphrase, scan_freq="2412") dev[0].request("REMOVE_NETWORK all") dev[0].wait_disconnected() @@ -2990,6 +3044,14 @@ def test_ap_wpa2_psk_assoc_rsn_pmkid(dev, apdev): dev[0].request("REMOVE_NETWORK all") dev[0].wait_disconnected() + if not hapd.extKeyID == "auto-on": + return + + set_test_assoc_ie(dev[0], "30260100000fac040100000fac040100000fac0200200100" + 16*'00') + dev[0].connect(ssid, psk=passphrase, scan_freq="2412") + dev[0].request("REMOVE_NETWORK all") + dev[0].wait_disconnected() + def test_ap_wpa_psk_rsn_pairwise(dev, apdev): """WPA-PSK AP and only rsn_pairwise set""" params = {"ssid": "wpapsk", "wpa": "1", "wpa_key_mgmt": "WPA-PSK", diff --git a/tests/hwsim/test_ocv.py b/tests/hwsim/test_ocv.py index 176e17faf..7787a4056 100644 --- a/tests/hwsim/test_ocv.py +++ b/tests/hwsim/test_ocv.py 
@@ -380,10 +380,17 @@ class APConnection: self.bssid = apdev['bssid'] pmk = binascii.unhexlify("c2c6c255af836bed1b3f2f1ded98e052f5ad618bb554e2836757b55854a0eab7") - if sta_ocv != "0": - self.rsne = binascii.unhexlify("301a0100000fac040100000fac040100000fac0280400000000fac06") + if self.hapd.extKeyID == "auto-on": + if sta_ocv != "0": + cap = "8060" + else: + cap = "8020" else: - self.rsne = binascii.unhexlify("301a0100000fac040100000fac040100000fac0280000000000fac06") + if sta_ocv != "0": + cap = "8040" + else: + cap = "8000" + self.rsne = binascii.unhexlify("301a0100000fac040100000fac040100000fac02"+cap+"0000000fac06") self.snonce = binascii.unhexlify('1111111111111111111111111111111111111111111111111111111111111111') dev.connect(self.ssid, raw_psk=self.psk, scan_freq=freq, ocv=sta_ocv, diff --git a/tests/hwsim/test_rrm.py b/tests/hwsim/test_rrm.py index c9c8d6103..4f2a323c2 100644 --- a/tests/hwsim/test_rrm.py +++ b/tests/hwsim/test_rrm.py @@ -1182,6 +1182,11 @@ def test_rrm_beacon_req_table_rsne(dev, apdev): params["rrm_beacon_report"] = "1" hapd = hostapd.add_ap(apdev[0], params) + if hapd.extKeyID == "auto-on": + cap = "0c20" + else: + cap = "0c00" + dev[0].connect("rrm-rsn", psk="12345678", scan_freq="2412") addr = dev[0].own_addr() @@ -1196,7 +1201,7 @@ def test_rrm_beacon_req_table_rsne(dev, apdev): raise Exception("Reported Frame Body subelement missing") if len(report.frame_body) != 12 + 22: raise Exception("Unexpected Reported Frame Body subelement length with Reporting Detail 1 and requested element RSNE") - if binascii.unhexlify("30140100000fac040100000fac040100000fac020c00") not in report.frame_body: + if binascii.unhexlify("30140100000fac040100000fac040100000fac02"+cap) not in report.frame_body: raise Exception("Full RSNE not found") def test_rrm_beacon_req_table_vht(dev, apdev): diff --git a/tests/hwsim/wpasupplicant.py b/tests/hwsim/wpasupplicant.py index 8c7e13d02..c02aca409 100644 --- a/tests/hwsim/wpasupplicant.py 
+++ b/tests/hwsim/wpasupplicant.py @@ -1053,13 +1053,18 @@ class WpaSupplicant: if tspecs: raise Exception("DELTS failed (still in tspec list)") - def connect(self, ssid=None, ssid2=None, **kwargs): + def connect(self, ssid=None, ssid2=None, + wpa_extended_key_id="auto", **kwargs): logger.info("Connect STA " + self.ifname + " to AP") id = self.add_network() if ssid: self.set_network_quoted(id, "ssid", ssid) elif ssid2: self.set_network(id, "ssid", ssid2) + if wpa_extended_key_id == "on": + self.set_network(id, "wpa_extended_key_id", "1") + elif wpa_extended_key_id == "off": + self.set_network(id, "wpa_extended_key_id", "0") quoted = ["psk", "identity", "anonymous_identity", "password", "ca_cert", "client_cert", "private_key", diff --git a/wlantest/bss.c b/wlantest/bss.c index 298a902c7..08181dc8c 100644 --- a/wlantest/bss.c +++ b/wlantest/bss.c @@ -334,7 +334,9 @@ void bss_update(struct wlantest *wt, struct wlantest_bss *bss, bss->rsn_capab & WPA_CAPABILITY_MFPC ? "MFPC " : "", bss->rsn_capab & WPA_CAPABILITY_PEERKEY_ENABLED ? "PEERKEY " : "", - bss->rsn_capab & WPA_CAPABILITY_OCVC ? "OCVC " : ""); + bss->rsn_capab & WPA_CAPABILITY_OCVC ? "OCVC " : "", + bss->rsn_capab & WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST ? + "Extended Key ID" : ""); } diff --git a/wlantest/rx_eapol.c b/wlantest/rx_eapol.c index 1af48ec8f..4d692e09a 100644 --- a/wlantest/rx_eapol.c +++ b/wlantest/rx_eapol.c @@ -458,6 +458,10 @@ static void learn_kde_keys(struct wlantest *wt, struct wlantest_bss *bss, ie.rsn_ie, ie.rsn_ie_len); } + if (ie.key_id) { + add_note(wt, MSG_DEBUG, "KeyID %u", ie.key_id[0]); + } + if (ie.gtk) { wpa_hexdump(MSG_MSGDUMP, "EAPOL-Key Key Data - GTK KDE", ie.gtk, ie.gtk_len);
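
Review bot: In tests/hwsim/hostapd.py add_ap(), a timeout of hapd.wait_event(["Extended Key ID"], timeout=5) is folded into the same "unused" state as a "requires wpa2" message (ev is None or "requires wpa2" in ev), so a missed or never-emitted event cannot be told apart from a deliberate one, and every WPA2 AP start then blocks for 5 s before the AP-ENABLED wait. The final else also reports "auto-on" for any other text containing "Extended Key ID". Suggest matching an explicit enabled message, giving the timeout its own state, and documenting the four extKeyID values next to self.extKeyID = None. The guard params["wpa"] == "2" also skips detection for any other wpa value.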
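
Review bot: In test_ap_wpa2_eap_assoc_rsn (tests/hwsim/test_ap_eap.py) the second if hapd.extKeyID == "auto-on" block, the one adding the "cc20" cases, tests hapd, which this patch binds to the add_ap() call for ssid test-wpa2-eap, while the params built right after it are for test-wpa2-eap-11w with ieee80211w = "2". If these MFP-capability cases run against the 11w AP, the check should use that AP's object so the expectation follows the BSS actually under test.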
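
Review bot: test_ap_wpa2_ptk_extended_key_id_rekey (tests/hwsim/test_ap_psk.py) only aborts on hapd.extKeyID == "auto-off"; with "unused", which add_ap() also sets when its event wait times out, the test proceeds, and since every step checks only "WPA: Key negotiation completed" plus connectivity, it passes the same way whether or not Extended Key ID was negotiated. Suggest requiring extKeyID == "auto-on" before the STA-with-Extended-Key-ID steps and asserting on something that differs between the two rekey modes. Smaller points: the last message, "PTK rekey timed out (AP without Extended Key ID", is missing its closing parenthesis, and the new test does not carry the @remote_compatible decorator that test_ap_wpa2_ptk_rekey has; if that is intentional a comment would help.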
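
Review bot: In eapol_test() (tests/hwsim/test_ap_psk.py) the RSN Capabilities suffix is chosen from four hard-coded hex strings ("cc20", "0020", "cc00", "0000"), and the same enumeration is repeated with other base values in tests/hwsim/test_ocv.py ("8060"/"8020"/"8040"/"8000") and tests/hwsim/test_rrm.py ("0c20"/"0c00"). In every pair the only difference is 0x20 in the second octet, so a small shared helper that sets that bit on a base capability value when hapd.extKeyID == "auto-on" would remove the duplicated branches and document which bit is being toggled.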
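
Review bot: In WpaSupplicant.connect() (tests/hwsim/wpasupplicant.py) the new keyword wpa_extended_key_id only acts on "on" and "off"; because it is now a named parameter ahead of **kwargs, a caller passing the raw network value (wpa_extended_key_id="1" or "0") is captured by the named parameter and silently treated as auto. hostapd.wpa2_params() has the same three-way string check. Suggest raising on any value other than "auto", "on" or "off" in both helpers.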
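
Review bot: In wlantest/bss.c bss_update() the new argument bss->rsn_capab & WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST ? "Extended Key ID" : "" is appended to the argument list, but the hunk (and the 4-line diffstat for this file) does not touch the format string, so there is no additional %s to consume it and the flag will never be printed. Add the matching conversion to the format string, and give the new string a trailing space like "OCVC " so a later flag does not run into it.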
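
Review bot: In learn_kde_keys() (wlantest/rx_eapol.c) the new note prints ie.key_id[0] after only a NULL check, whereas the neighbouring GTK dump is bounded by ie.gtk_len; please confirm the KDE parser guarantees at least one octet behind ie.key_id, or carry and check a length here. The note also logs the whole first octet; if only part of it is the Key ID, mask it before printing so reserved bits do not show up as bogus IDs.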