tests: KDK derivation based on Secure LTF capability

This adds more production-like testing coverage for KDK derivation. Both
SAE and OWE transition mode are covered. The latter has some corner
cases that did not work correctly previously.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>

src/drivers/driver_nl80211.c

@@ -9543,6 +9543,11 @@ static int nl80211_set_param(void *priv, const char *param)
 		}
 	}
 
+	if (os_strstr(param, "secure_ltf=1")) {
+		drv->capa.flags2 |= WPA_DRIVER_FLAGS2_SEC_LTF_STA |
+			WPA_DRIVER_FLAGS2_SEC_LTF_AP;
+	}
+
 	return 0;
 }
 

tests/hwsim/test_pasn.py

@@ -47,7 +47,8 @@ def start_pasn_ap(apdev, params):
             raise HwsimSkip("PASN not supported")
         raise
 
-def check_pasn_ptk(dev, hapd, cipher, fail_ptk=False, clear_keys=True):
+def check_pasn_ptk(dev, hapd, cipher, fail_ptk=False, clear_keys=True,
+                   require_kdk=False):
     sta_ptksa = dev.get_ptksa(hapd.own_addr(), cipher)
     ap_ptksa = hapd.get_ptksa(dev.own_addr(), cipher)
 
@@ -61,9 +62,11 @@ def check_pasn_ptk(dev, hapd, cipher, fail_ptk=False, clear_keys=True):
 
     if sta_ptksa['tk'] != ap_ptksa['tk'] or sta_ptksa['kdk'] != ap_ptksa['kdk']:
         raise Exception("TK/KDK mismatch")
-    elif fail_ptk:
+    if fail_ptk:
         raise Exception("TK/KDK match although key derivation should have failed")
-    elif clear_keys:
+    if require_kdk and sta_ptksa['kdk'] == '':
+        raise Exception("KDK was not derived")
+    if clear_keys:
         cmd = "PASN_DEAUTH bssid=%s" % hapd.own_addr()
         dev.request(cmd)
 
@@ -909,3 +912,90 @@ def test_pasn_kdk_derivation(dev, apdev):
         check_pasn_akmp_cipher(dev[0], hapd1, "PASN", "CCMP")
     finally:
         dev[0].set("force_kdk_derivation", "0")
+
+def test_pasn_sae_kdk_secure_ltf(dev, apdev):
+    """Station authentication with SAE AP with KDK derivation during connection based on Secure LTF support"""
+    params = hostapd.wpa2_params(ssid="test-sae",
+                                 passphrase="12345678")
+    params['wpa_key_mgmt'] = 'SAE'
+    params['sae_pwe'] = "2"
+    params['driver_params'] = "secure_ltf=1"
+    hapd = start_pasn_ap(apdev[0], params)
+
+    wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
+    wpas.interface_add("wlan5", drv_params="secure_ltf=1")
+    check_pasn_capab(wpas)
+    check_sae_capab(wpas)
+
+    try:
+        wpas.set("sae_groups", "")
+        wpas.set("sae_pwe", "2")
+        wpas.connect("test-sae", psk="12345678", key_mgmt="SAE",
+                     scan_freq="2412")
+
+        check_pasn_ptk(wpas, hapd, "CCMP", clear_keys=False, require_kdk=True)
+    finally:
+        wpas.set("sae_pwe", "0")
+
+def test_pasn_owe_kdk_secure_ltf(dev, apdev):
+    """Station authentication with OWE AP with KDK derivation during connection based on Secure LTF support"""
+    params = {"ssid": "owe",
+              "wpa": "2",
+              "ieee80211w": "2",
+              "wpa_key_mgmt": "OWE",
+              "rsn_pairwise": "CCMP"}
+    params['driver_params'] = "secure_ltf=1"
+    hapd = start_pasn_ap(apdev[0], params)
+
+    wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
+    wpas.interface_add("wlan5", drv_params="secure_ltf=1")
+    check_pasn_capab(wpas)
+    if "OWE" not in wpas.get_capability("key_mgmt"):
+        raise HwsimSkip("OWE not supported")
+
+    wpas.connect("owe", key_mgmt="OWE", ieee80211w="2", scan_freq="2412")
+
+    check_pasn_ptk(wpas, hapd, "CCMP", clear_keys=False, require_kdk=True)
+
+def test_pasn_owe_tm_kdk_secure_ltf(dev, apdev):
+    """Station authentication with OWE transition mode AP with KDK derivation during connection based on Secure LTF support"""
+    params = {"ssid": "owe-random",
+              "wpa": "2",
+              "ieee80211w": "2",
+              "wpa_key_mgmt": "OWE",
+              "rsn_pairwise": "CCMP",
+              "owe_transition_bssid": apdev[1]['bssid'],
+              "owe_transition_ssid": '"owe-test"',
+              "ignore_broadcast_ssid": "1",
+              'driver_params': "secure_ltf=1"}
+    hapd = start_pasn_ap(apdev[0], params)
+    bssid = hapd.own_addr()
+
+    params = {"ssid": "owe-test",
+              "owe_transition_bssid": apdev[0]['bssid'],
+              "owe_transition_ssid": '"owe-random"',
+              'driver_params': "secure_ltf=1"}
+    hapd2 = hostapd.add_ap(apdev[1], params)
+    bssid2 = hapd2.own_addr()
+
+    wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
+    wpas.interface_add("wlan5", drv_params="secure_ltf=1")
+    check_pasn_capab(wpas)
+    if "OWE" not in wpas.get_capability("key_mgmt"):
+        raise HwsimSkip("OWE not supported")
+    wpas.flush_scan_cache()
+
+    wpas.scan_for_bss(bssid, freq="2412")
+    wpas.scan_for_bss(bssid2, freq="2412")
+
+    wpas.connect("owe-test", key_mgmt="OWE", ieee80211w="2", scan_freq="2412")
+
+    check_pasn_ptk(wpas, hapd, "CCMP", clear_keys=False, require_kdk=True)
+
+    wpas.scan(type="ONLY", freq=2412)
+
+    wpas.request("DISCONNECT")
+    wpas.wait_disconnected()
+    wpas.request("RECONNECT")
+    wpas.wait_connected()
+    check_pasn_ptk(wpas, hapd, "CCMP", clear_keys=False, require_kdk=True)