diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c index 28f50f11c..eb25730c5 100644 --- a/src/drivers/driver_nl80211.c +++ b/src/drivers/driver_nl80211.c @@ -9543,6 +9543,11 @@ static int nl80211_set_param(void *priv, const char *param) } } + if (os_strstr(param, "secure_ltf=1")) { + drv->capa.flags2 |= WPA_DRIVER_FLAGS2_SEC_LTF_STA | + WPA_DRIVER_FLAGS2_SEC_LTF_AP; + } + return 0; } diff --git a/tests/hwsim/test_pasn.py b/tests/hwsim/test_pasn.py index bff09841c..a34e47ad1 100644 --- a/tests/hwsim/test_pasn.py +++ b/tests/hwsim/test_pasn.py @@ -47,7 +47,8 @@ def start_pasn_ap(apdev, params): raise HwsimSkip("PASN not supported") raise -def check_pasn_ptk(dev, hapd, cipher, fail_ptk=False, clear_keys=True): +def check_pasn_ptk(dev, hapd, cipher, fail_ptk=False, clear_keys=True, + require_kdk=False): sta_ptksa = dev.get_ptksa(hapd.own_addr(), cipher) ap_ptksa = hapd.get_ptksa(dev.own_addr(), cipher) @@ -61,9 +62,11 @@ def check_pasn_ptk(dev, hapd, cipher, fail_ptk=False, clear_keys=True): if sta_ptksa['tk'] != ap_ptksa['tk'] or sta_ptksa['kdk'] != ap_ptksa['kdk']: raise Exception("TK/KDK mismatch") - elif fail_ptk: + if fail_ptk: raise Exception("TK/KDK match although key derivation should have failed") - elif clear_keys: + if require_kdk and sta_ptksa['kdk'] == '': + raise Exception("KDK was not derived") + if clear_keys: cmd = "PASN_DEAUTH bssid=%s" % hapd.own_addr() dev.request(cmd) @@ -909,3 +912,90 @@ def test_pasn_kdk_derivation(dev, apdev): check_pasn_akmp_cipher(dev[0], hapd1, "PASN", "CCMP") finally: dev[0].set("force_kdk_derivation", "0") + +def test_pasn_sae_kdk_secure_ltf(dev, apdev): + """Station authentication with SAE AP with KDK derivation during connection based on Secure LTF support""" + params = hostapd.wpa2_params(ssid="test-sae", + passphrase="12345678") + params['wpa_key_mgmt'] = 'SAE' + params['sae_pwe'] = "2" + params['driver_params'] = "secure_ltf=1" + hapd = start_pasn_ap(apdev[0], params) + + wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5') + wpas.interface_add("wlan5", drv_params="secure_ltf=1") + check_pasn_capab(wpas) + check_sae_capab(wpas) + + try: + wpas.set("sae_groups", "") + wpas.set("sae_pwe", "2") + wpas.connect("test-sae", psk="12345678", key_mgmt="SAE", + scan_freq="2412") + + check_pasn_ptk(wpas, hapd, "CCMP", clear_keys=False, require_kdk=True) + finally: + wpas.set("sae_pwe", "0") + +def test_pasn_owe_kdk_secure_ltf(dev, apdev): + """Station authentication with OWE AP with KDK derivation during connection based on Secure LTF support""" + params = {"ssid": "owe", + "wpa": "2", + "ieee80211w": "2", + "wpa_key_mgmt": "OWE", + "rsn_pairwise": "CCMP"} + params['driver_params'] = "secure_ltf=1" + hapd = start_pasn_ap(apdev[0], params) + + wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5') + wpas.interface_add("wlan5", drv_params="secure_ltf=1") + check_pasn_capab(wpas) + if "OWE" not in wpas.get_capability("key_mgmt"): + raise HwsimSkip("OWE not supported") + + wpas.connect("owe", key_mgmt="OWE", ieee80211w="2", scan_freq="2412") + + check_pasn_ptk(wpas, hapd, "CCMP", clear_keys=False, require_kdk=True) + +def test_pasn_owe_tm_kdk_secure_ltf(dev, apdev): + """Station authentication with OWE transition mode AP with KDK derivation during connection based on Secure LTF support""" + params = {"ssid": "owe-random", + "wpa": "2", + "ieee80211w": "2", + "wpa_key_mgmt": "OWE", + "rsn_pairwise": "CCMP", + "owe_transition_bssid": apdev[1]['bssid'], + "owe_transition_ssid": '"owe-test"', + "ignore_broadcast_ssid": "1", + 'driver_params': "secure_ltf=1"} + hapd = start_pasn_ap(apdev[0], params) + bssid = hapd.own_addr() + + params = {"ssid": "owe-test", + "owe_transition_bssid": apdev[0]['bssid'], + "owe_transition_ssid": '"owe-random"', + 'driver_params': "secure_ltf=1"} + hapd2 = hostapd.add_ap(apdev[1], params) + bssid2 = hapd2.own_addr() + + wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5') + wpas.interface_add("wlan5", drv_params="secure_ltf=1") + check_pasn_capab(wpas) + if "OWE" not in wpas.get_capability("key_mgmt"): + raise HwsimSkip("OWE not supported") + wpas.flush_scan_cache() + + wpas.scan_for_bss(bssid, freq="2412") + wpas.scan_for_bss(bssid2, freq="2412") + + wpas.connect("owe-test", key_mgmt="OWE", ieee80211w="2", scan_freq="2412") + + check_pasn_ptk(wpas, hapd, "CCMP", clear_keys=False, require_kdk=True) + + wpas.scan(type="ONLY", freq=2412) + + wpas.request("DISCONNECT") + wpas.wait_disconnected() + wpas.request("RECONNECT") + wpas.wait_connected() + check_pasn_ptk(wpas, hapd, "CCMP", clear_keys=False, require_kdk=True)