Fix the notes on EAPOL-Key testing procedures

The extra sanity check for replay protection in these procedures ended
up breaking the tests. RESET_PN cannot be used before RESEND_* commands
since that would prevent the DUT from accepting the retransmitted
EAPOL-Key frames.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
Jouni Malinen 2017-10-20 18:18:53 +03:00 committed by Jouni Malinen
parent 3d0fb95583
commit 6e3027a57e

View File

@ -236,19 +236,10 @@ the following hostapd_cli commands:
Test broadcast connectivity; should work Test broadcast connectivity; should work
> raw RESET_PN ff:ff:ff:ff:ff:ff
OK
Test broadcast connectivity; should not work; if it does, replay
protection is completely broken and the following step cannot be
executed reliably. The following command needs to be run before there
has been large enough number of new frames to increment the PN on the
test tool. It would also be possible to execute "raw RESET_PN
ff:ff:ff:ff:ff:ff" again after the initial sanity testing to get back to
PN 0 for the next step.
> raw RESEND_GROUP_M1 <DUT MAC address> > raw RESEND_GROUP_M1 <DUT MAC address>
OK OK
> raw RESET_PN ff:ff:ff:ff:ff:ff
OK
Test broadcast connectivity; should not work; if it does, the device Test broadcast connectivity; should not work; if it does, the device
does not implement protection for delayed retransmission of Group Key does not implement protection for delayed retransmission of Group Key
@ -263,19 +254,10 @@ broadcast traffic, but with the following hostapd_cli commands:
Test broadcast connectivity; should work Test broadcast connectivity; should work
> raw RESET_PN ff:ff:ff:ff:ff:ff
OK
Test broadcast connectivity; should not work; if it does, replay
protection is completely broken and the following step cannot be
executed reliably. The following command needs to be run before there
has been large enough number of new frames to increment the PN on the
test tool. It would also be possible to execute "raw RESET_PN
ff:ff:ff:ff:ff:ff" again after the initial sanity testing to get back to
PN 0 for the next step.
> raw RESEND_M3 <DUT MAC address> > raw RESEND_M3 <DUT MAC address>
OK OK
> raw RESET_PN ff:ff:ff:ff:ff:ff
OK
Test broadcast connectivity; should not work; if it does, the device Test broadcast connectivity; should not work; if it does, the device
does not implement protection for delayed retransmission of 4-way does not implement protection for delayed retransmission of 4-way
@ -310,19 +292,10 @@ unicast traffic, but with the following hostapd_cli commands:
Test unicast connectivity; should work Test unicast connectivity; should work
> raw RESET_PN <DUT MAC address>
OK
Test unicast connectivity; should not work; if it does, replay
protection is completely broken and the following step cannot be
executed reliably. The following command needs to be run before there
has been large enough number of new frames to increment the PN on the
test tool. It would also be possible to execute "raw RESET_PN <DUT MAC
address>" again after the initial sanity testing to get back to PN 0 for
the next step.
> raw RESEND_M3 <DUT MAC address> > raw RESEND_M3 <DUT MAC address>
OK OK
> raw RESET_PN <DUT MAC address>
OK
Test unicast connectivity; should not work; if it does, the device Test unicast connectivity; should not work; if it does, the device
does not implement protection for delayed retransmission of 4-way does not implement protection for delayed retransmission of 4-way