From fc1d0aaefdf742fdc132eba7935a3dc520fa35ab Mon Sep 17 00:00:00 2001
From: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
Date: Thu, 10 Dec 2020 05:12:51 +0400
Subject: [PATCH] fragattack: new testcase in README

---
 research/README.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/research/README.md b/research/README.md
index 0c1ec5508..7e0d22d5e 100644
--- a/research/README.md
+++ b/research/README.md
@@ -538,6 +538,7 @@ All commands work against both clients and APs unless noted otherwise.
 | `ping I,E,F,AE --rekey-plain`          | If the device performs the rekey handshake in plaintext.
 | `ping I,E,F,AE --rekey-plain --rekey-req` | Same as above, and actively request a rekey as client.
 | `ping I,E,F,AE --rekey-early-install`  | Install the new key after sending message 3 of the 4-way handshake.
+| `ping I,E,F,E [--rekey-pl] [--rekey-req]` | Same as above 4 tests, but with longer delay before 2nd fragment.
 | `ping I,F,BE,AE --freebsd`             | Mixed key attack against FreeBSD or similar implementations.
 | <div align="center">*[Cache attacks (§5)](#id-extended-cache)*</div>
 | `ping I,E,R,AE --freebsd [--full-reconnect]` | Cache attack specific to FreeBSD implementations.
@@ -599,6 +600,10 @@ these alternative mixed key attack tests. Some remarks:
   a pairwise session rekey. To reliably test these clients, add the `--rekey-early-install` parameter. This test
   is not meaningfull against APs.
 
+- `ping I,E,F,E [--rekey-pl] [--rekey-req]`: This test variant is the same as the above four, except that the second
+  fragment is send 1 second after the 4-way handshake. This can be important because in a low number of devices there
+  is a small delay the new key is installed. Note that `--rekey-pl` is a shorthand of `--rekey-plain`.
+
 Finally, in case the test `ping-frag-sep` doesn't succeed, you should try the following mixed key attack test:
 
 - `ping I,F,BE,AE --freebsd`: This essentially performs the rekey handshake against a FreeBSD implementation, or