[PATCH 06/15] tests: Add test coverage for PASN with MIC errors

Ilan Peer ilan.peer at intel.com
Mon Mar 15 12:57:04 GMT 2021 

Signed-off-by: Ilan Peer <ilan.peer at intel.com>
---
 tests/hwsim/test_pasn.py | 37 ++++++++++++++++++++++++++++++++++---
 1 file changed, 34 insertions(+), 3 deletions(-)

diff --git a/tests/hwsim/test_pasn.py b/tests/hwsim/test_pasn.py
index 579625b00d..69e0509c72 100644
--- a/tests/hwsim/test_pasn.py
+++ b/tests/hwsim/test_pasn.py
@@ -46,10 +46,12 @@ def start_pasn_ap(apdev, params):
             raise HwsimSkip("PASN not supported")
         raise
 
-def check_pasn_ptk(dev, hapd, cipher):
+def check_pasn_ptk(dev, hapd, cipher, fail_ptk=0):
     sta_ptksa = dev.get_ptksa(hapd.own_addr(), cipher)
     ap_ptksa = hapd.get_ptksa(dev.own_addr(), cipher)
     if not (sta_ptksa and ap_ptksa):
+        if fail_ptk == 1:
+            return
         raise Exception("Could not get PTKSA entry")
 
     logger.info("sta: TK: %s KDK: %s" % (sta_ptksa['tk'], sta_ptksa['kdk']))
@@ -57,9 +59,11 @@ def check_pasn_ptk(dev, hapd, cipher):
 
     if sta_ptksa['tk'] != ap_ptksa['tk'] or sta_ptksa['kdk'] != ap_ptksa['kdk']:
         raise Exception("TK/KDK mismatch")
+    elif fail_ptk == 1:
+        raise Exception("TK/KDK match although key derivation should have failed")
 
 def check_pasn_akmp_cipher(dev, hapd, akmp="PASN", cipher="CCMP",
-                           group="19", status=0, fail=0, nid=""):
+                           group="19", status=0, fail=0, nid="", fail_ptk=0):
     dev.flush_scan_cache()
     dev.scan(type="ONLY", freq=2412)
 
@@ -88,7 +92,7 @@ def check_pasn_akmp_cipher(dev, hapd, akmp="PASN", cipher="CCMP",
     if status:
         return
 
-    check_pasn_ptk(dev, hapd, cipher)
+    check_pasn_ptk(dev, hapd, cipher, fail_ptk)
 
 @remote_compatible
 def test_pasn_ccmp(dev, apdev):
@@ -636,3 +640,30 @@ def test_pasn_ft_eap_sha384(dev, apdev):
         pasn_hapd = hapd0
 
     check_pasn_akmp_cipher(dev[0], pasn_hapd, "FT-EAP-SHA384", "CCMP")
+
+def test_pasn_sta_mic_error(dev, apdev):
+    """PASN authentication with WPA2/CCMP AP with corrupted MIC on station"""
+    params = pasn_ap_params("PASN", "CCMP", "19")
+    hapd = hostapd.add_ap(apdev[0], params)
+
+    try:
+        # When forcing MIC corruption, the exchange would be still successful on the station side,
+        # but the AP would fail the exchange and would not store the keys.
+        dev[0].request("SET pasn_corrupt_mic 1")
+        check_pasn_akmp_cipher(dev[0], hapd, "PASN", "CCMP", fail_ptk=1)
+    finally:
+        dev[0].request("SET pasn_corrupt_mic 0")
+
+    # Now verify the successful case
+    check_pasn_akmp_cipher(dev[0], hapd, "PASN", "CCMP")
+
+def test_pasn_ap_mic_error(dev, apdev):
+    """PASN authentication with WPA2/CCMP AP with corrupted MIC on AP"""
+    params = pasn_ap_params("PASN", "CCMP", "19")
+    hapd0 = hostapd.add_ap(apdev[0], params)
+
+    params['pasn_corrupt_mic'] = "1"
+    hapd1 = hostapd.add_ap(apdev[1], params)
+
+    check_pasn_akmp_cipher(dev[0], hapd1, "PASN", "CCMP", status=1)
+    check_pasn_akmp_cipher(dev[0], hapd0, "PASN", "CCMP")
-- 
2.17.1

More information about the Hostap mailing list