]> git.ipfire.org Git - thirdparty/hostap.git/blame - tests/hwsim/test_sae.py
projects / thirdparty / hostap.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
tests: Comment out during-association TK-in-memory checks
[thirdparty/hostap.git] / tests / hwsim / test_sae.py
CommitLineData
1640a2e4 1# Test cases for SAE
4f6985de 2# Copyright (c) 2013-2016, Jouni Malinen <j@w1.fi>
1640a2e4
JM		 3#
4# This software may be distributed under the terms of the BSD license.
5# See README for more details.
6
9fd6804d 7from remotehost import remote_compatible
5b3c40a6
JM		 8import binascii
9import os
1640a2e4 10import time
1640a2e4
JM		 11import logging
12logger = logging.getLogger()
13
14import hwsim_utils
15import hostapd
51761ba2 16from utils import HwsimSkip, alloc_fail, fail_test, wait_fail_trigger
5b3c40a6 17from test_ap_psk import find_wpas_process, read_process_memory, verify_not_present, get_key_locations
1640a2e4 18
9fd6804d 19@remote_compatible
1640a2e4
JM		 20def test_sae(dev, apdev):
21 """SAE with default group"""
b9749b6a
JM		 22 if "SAE" not in dev[0].get_capability("auth_alg"):
23 raise HwsimSkip("SAE not supported")
1640a2e4
JM		 24 params = hostapd.wpa2_params(ssid="test-sae",
25 passphrase="12345678")
26 params['wpa_key_mgmt'] = 'SAE'
8b8a1864 27 hapd = hostapd.add_ap(apdev[0], params)
65038313
JM		 28 key_mgmt = hapd.get_config()['key_mgmt']
29 if key_mgmt.split(' ')[0] != "SAE":
30 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
1640a2e4
JM		 31
32 dev[0].request("SET sae_groups ")
33 id = dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
34 scan_freq="2412")
35 if dev[0].get_status_field('sae_group') != '19':
36 raise Exception("Expected default SAE group not used")
d463c556
JM		 37 bss = dev[0].get_bss(apdev[0]['bssid'])
38 if 'flags' not in bss:
39 raise Exception("Could not get BSS flags from BSS table")
40 if "[WPA2-SAE-CCMP]" not in bss['flags']:
41 raise Exception("Unexpected BSS flags: " + bss['flags'])
1640a2e4 42
7b28c408
JM		 43 res = hapd.request("STA-FIRST")
44 if "sae_group=19" not in res.splitlines():
45 raise Exception("hostapd STA output did not specify SAE group")
46
9fd6804d 47@remote_compatible
33dcced5
JM		 48def test_sae_password_ecc(dev, apdev):
49 """SAE with number of different passwords (ECC)"""
50 if "SAE" not in dev[0].get_capability("auth_alg"):
51 raise HwsimSkip("SAE not supported")
52 params = hostapd.wpa2_params(ssid="test-sae",
53 passphrase="12345678")
54 params['wpa_key_mgmt'] = 'SAE'
8b8a1864 55 hapd = hostapd.add_ap(apdev[0], params)
33dcced5
JM		 56
57 dev[0].request("SET sae_groups 19")
58
59 for i in range(10):
60 password = "12345678-" + str(i)
61 hapd.set("wpa_passphrase", password)
62 dev[0].connect("test-sae", psk=password, key_mgmt="SAE",
63 scan_freq="2412")
64 dev[0].request("REMOVE_NETWORK all")
65 dev[0].wait_disconnected()
66
9fd6804d 67@remote_compatible
33dcced5
JM		 68def test_sae_password_ffc(dev, apdev):
69 """SAE with number of different passwords (FFC)"""
70 if "SAE" not in dev[0].get_capability("auth_alg"):
71 raise HwsimSkip("SAE not supported")
72 params = hostapd.wpa2_params(ssid="test-sae",
73 passphrase="12345678")
74 params['wpa_key_mgmt'] = 'SAE'
75 params['sae_groups'] = '22'
8b8a1864 76 hapd = hostapd.add_ap(apdev[0], params)
33dcced5
JM		 77
78 dev[0].request("SET sae_groups 22")
79
80 for i in range(10):
81 password = "12345678-" + str(i)
82 hapd.set("wpa_passphrase", password)
83 dev[0].connect("test-sae", psk=password, key_mgmt="SAE",
84 scan_freq="2412")
85 dev[0].request("REMOVE_NETWORK all")
86 dev[0].wait_disconnected()
87
9fd6804d 88@remote_compatible
19d3a6e3
JM		 89def test_sae_pmksa_caching(dev, apdev):
90 """SAE and PMKSA caching"""
b9749b6a
JM		 91 if "SAE" not in dev[0].get_capability("auth_alg"):
92 raise HwsimSkip("SAE not supported")
19d3a6e3
JM		 93 params = hostapd.wpa2_params(ssid="test-sae",
94 passphrase="12345678")
95 params['wpa_key_mgmt'] = 'SAE'
8b8a1864 96 hapd = hostapd.add_ap(apdev[0], params)
19d3a6e3
JM		 97
98 dev[0].request("SET sae_groups ")
99 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
100 scan_freq="2412")
7cc9a81f
JM		 101 ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
102 if ev is None:
103 raise Exception("No connection event received from hostapd")
19d3a6e3 104 dev[0].request("DISCONNECT")
7cc9a81f 105 dev[0].wait_disconnected()
19d3a6e3 106 dev[0].request("RECONNECT")
5f35a5e2 107 dev[0].wait_connected(timeout=15, error="Reconnect timed out")
19d3a6e3
JM		 108 if dev[0].get_status_field('sae_group') is not None:
109 raise Exception("SAE group claimed to have been used")
110
9fd6804d 111@remote_compatible
19d3a6e3
JM		 112def test_sae_pmksa_caching_disabled(dev, apdev):
113 """SAE and PMKSA caching disabled"""
b9749b6a
JM		 114 if "SAE" not in dev[0].get_capability("auth_alg"):
115 raise HwsimSkip("SAE not supported")
19d3a6e3
JM		 116 params = hostapd.wpa2_params(ssid="test-sae",
117 passphrase="12345678")
118 params['wpa_key_mgmt'] = 'SAE'
119 params['disable_pmksa_caching'] = '1'
8b8a1864 120 hapd = hostapd.add_ap(apdev[0], params)
19d3a6e3
JM		 121
122 dev[0].request("SET sae_groups ")
123 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
124 scan_freq="2412")
7cc9a81f
JM		 125 ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
126 if ev is None:
127 raise Exception("No connection event received from hostapd")
19d3a6e3 128 dev[0].request("DISCONNECT")
7cc9a81f 129 dev[0].wait_disconnected()
19d3a6e3 130 dev[0].request("RECONNECT")
5f35a5e2 131 dev[0].wait_connected(timeout=15, error="Reconnect timed out")
19d3a6e3
JM		 132 if dev[0].get_status_field('sae_group') != '19':
133 raise Exception("Expected default SAE group not used")
134
1640a2e4
JM		 135def test_sae_groups(dev, apdev):
136 """SAE with all supported groups"""
b9749b6a
JM		 137 if "SAE" not in dev[0].get_capability("auth_alg"):
138 raise HwsimSkip("SAE not supported")
b1f487cb
JM		 139 # This is the full list of supported groups, but groups 14-16 (2048-4096 bit
140 # MODP) and group 21 (521-bit random ECP group) are a bit too slow on some
141 # VMs and can result in hitting the mac80211 authentication timeout, so
142 # allow them to fail and just report such failures in the debug log.
143 sae_groups = [ 19, 25, 26, 20, 21, 2, 5, 14, 15, 16, 22, 23, 24 ]
9e286d5e
JM		 144 tls = dev[0].request("GET tls_library")
145 if tls.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
146 logger.info("Add Brainpool EC groups since OpenSSL is new enough")
147 sae_groups += [ 27, 28, 29, 30 ]
b1f487cb 148 heavy_groups = [ 14, 15, 16 ]
1640a2e4
JM		 149 groups = [str(g) for g in sae_groups]
150 params = hostapd.wpa2_params(ssid="test-sae-groups",
151 passphrase="12345678")
152 params['wpa_key_mgmt'] = 'SAE'
153 params['sae_groups'] = ' '.join(groups)
8b8a1864 154 hostapd.add_ap(apdev[0], params)
1640a2e4
JM		 155
156 for g in groups:
157 logger.info("Testing SAE group " + g)
158 dev[0].request("SET sae_groups " + g)
159 id = dev[0].connect("test-sae-groups", psk="12345678", key_mgmt="SAE",
b1f487cb
JM		 160 scan_freq="2412", wait_connect=False)
161 if int(g) in heavy_groups:
162 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=5)
163 if ev is None:
164 logger.info("No connection with heavy SAE group %s did not connect - likely hitting timeout in mac80211" % g)
165 dev[0].remove_network(id)
166 time.sleep(0.1)
167 dev[0].dump_monitor()
168 continue
169 logger.info("Connection with heavy SAE group " + g)
170 else:
a68d1792
JM		 171 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
172 if ev is None:
173 if "BoringSSL" in tls and int(g) in [ 25 ]:
174 logger.info("Ignore connection failure with group " + g + " with BoringSSL")
175 dev[0].remove_network(id)
176 dev[0].dump_monitor()
177 continue
178 raise Exception("Connection timed out with group " + g)
1640a2e4
JM		 179 if dev[0].get_status_field('sae_group') != g:
180 raise Exception("Expected SAE group not used")
181 dev[0].remove_network(id)
b1f487cb
JM		 182 dev[0].wait_disconnected()
183 dev[0].dump_monitor()
1640a2e4 184
9fd6804d 185@remote_compatible
1640a2e4
JM		 186def test_sae_group_nego(dev, apdev):
187 """SAE group negotiation"""
b9749b6a
JM		 188 if "SAE" not in dev[0].get_capability("auth_alg"):
189 raise HwsimSkip("SAE not supported")
1640a2e4
JM		 190 params = hostapd.wpa2_params(ssid="test-sae-group-nego",
191 passphrase="12345678")
192 params['wpa_key_mgmt'] = 'SAE'
193 params['sae_groups'] = '19'
8b8a1864 194 hostapd.add_ap(apdev[0], params)
1640a2e4
JM		 195
196 dev[0].request("SET sae_groups 25 26 20 19")
197 dev[0].connect("test-sae-group-nego", psk="12345678", key_mgmt="SAE",
198 scan_freq="2412")
199 if dev[0].get_status_field('sae_group') != '19':
200 raise Exception("Expected SAE group not used")
a6cf5cd6 201
9fd6804d 202@remote_compatible
a6cf5cd6
JM		 203def test_sae_anti_clogging(dev, apdev):
204 """SAE anti clogging"""
b9749b6a
JM		 205 if "SAE" not in dev[0].get_capability("auth_alg"):
206 raise HwsimSkip("SAE not supported")
a6cf5cd6
JM		 207 params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
208 params['wpa_key_mgmt'] = 'SAE'
209 params['sae_anti_clogging_threshold'] = '1'
8b8a1864 210 hostapd.add_ap(apdev[0], params)
a6cf5cd6
JM		 211
212 dev[0].request("SET sae_groups ")
213 dev[1].request("SET sae_groups ")
214 id = {}
215 for i in range(0, 2):
216 dev[i].scan(freq="2412")
217 id[i] = dev[i].connect("test-sae", psk="12345678", key_mgmt="SAE",
218 scan_freq="2412", only_add_network=True)
219 for i in range(0, 2):
220 dev[i].select_network(id[i])
221 for i in range(0, 2):
5f35a5e2 222 dev[i].wait_connected(timeout=10)
d05ff960
JM		 223
224def test_sae_forced_anti_clogging(dev, apdev):
225 """SAE anti clogging (forced)"""
b9749b6a
JM		 226 if "SAE" not in dev[0].get_capability("auth_alg"):
227 raise HwsimSkip("SAE not supported")
d05ff960 228 params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
fd4709ff 229 params['wpa_key_mgmt'] = 'SAE WPA-PSK'
d05ff960 230 params['sae_anti_clogging_threshold'] = '0'
8b8a1864 231 hostapd.add_ap(apdev[0], params)
fd4709ff 232 dev[2].connect("test-sae", psk="12345678", scan_freq="2412")
d05ff960
JM		 233 for i in range(0, 2):
234 dev[i].request("SET sae_groups ")
235 dev[i].connect("test-sae", psk="12345678", key_mgmt="SAE",
236 scan_freq="2412")
237
238def test_sae_mixed(dev, apdev):
239 """Mixed SAE and non-SAE network"""
b9749b6a
JM		 240 if "SAE" not in dev[0].get_capability("auth_alg"):
241 raise HwsimSkip("SAE not supported")
d05ff960
JM		 242 params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
243 params['wpa_key_mgmt'] = 'SAE WPA-PSK'
244 params['sae_anti_clogging_threshold'] = '0'
8b8a1864 245 hostapd.add_ap(apdev[0], params)
d05ff960
JM		 246
247 dev[2].connect("test-sae", psk="12345678", scan_freq="2412")
248 for i in range(0, 2):
249 dev[i].request("SET sae_groups ")
250 dev[i].connect("test-sae", psk="12345678", key_mgmt="SAE",
251 scan_freq="2412")
acb63c75 252
9fd6804d 253@remote_compatible
acb63c75
JM		 254def test_sae_missing_password(dev, apdev):
255 """SAE and missing password"""
b9749b6a
JM		 256 if "SAE" not in dev[0].get_capability("auth_alg"):
257 raise HwsimSkip("SAE not supported")
acb63c75
JM		 258 params = hostapd.wpa2_params(ssid="test-sae",
259 passphrase="12345678")
260 params['wpa_key_mgmt'] = 'SAE'
8b8a1864 261 hapd = hostapd.add_ap(apdev[0], params)
acb63c75
JM		 262
263 dev[0].request("SET sae_groups ")
264 id = dev[0].connect("test-sae",
265 raw_psk="46b4a73b8a951ad53ebd2e0afdb9c5483257edd4c21d12b7710759da70945858",
266 key_mgmt="SAE", scan_freq="2412", wait_connect=False)
267 ev = dev[0].wait_event(['CTRL-EVENT-SSID-TEMP-DISABLED'], timeout=10)
268 if ev is None:
269 raise Exception("Invalid network not temporarily disabled")
5b3c40a6
JM		 270
271
272def test_sae_key_lifetime_in_memory(dev, apdev, params):
273 """SAE and key lifetime in memory"""
b9749b6a
JM		 274 if "SAE" not in dev[0].get_capability("auth_alg"):
275 raise HwsimSkip("SAE not supported")
5b3c40a6
JM		 276 password = "5ad144a7c1f5a5503baa6fa01dabc15b1843e8c01662d78d16b70b5cd23cf8b"
277 p = hostapd.wpa2_params(ssid="test-sae", passphrase=password)
278 p['wpa_key_mgmt'] = 'SAE'
8b8a1864 279 hapd = hostapd.add_ap(apdev[0], p)
5b3c40a6
JM		 280
281 pid = find_wpas_process(dev[0])
282
283 dev[0].request("SET sae_groups ")
284 id = dev[0].connect("test-sae", psk=password, key_mgmt="SAE",
285 scan_freq="2412")
286
8e416cec
JM		 287 # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
288 # event has been delivered, so verify that wpa_supplicant has returned to
289 # eloop before reading process memory.
54f2cae2 290 time.sleep(1)
8e416cec 291 dev[0].ping()
5b3c40a6
JM		 292 buf = read_process_memory(pid, password)
293
294 dev[0].request("DISCONNECT")
295 dev[0].wait_disconnected()
296
297 dev[0].relog()
298 sae_k = None
299 sae_keyseed = None
300 sae_kck = None
301 pmk = None
302 ptk = None
303 gtk = None
304 with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
305 for l in f.readlines():
306 if "SAE: k - hexdump" in l:
307 val = l.strip().split(':')[3].replace(' ', '')
308 sae_k = binascii.unhexlify(val)
309 if "SAE: keyseed - hexdump" in l:
310 val = l.strip().split(':')[3].replace(' ', '')
311 sae_keyseed = binascii.unhexlify(val)
312 if "SAE: KCK - hexdump" in l:
313 val = l.strip().split(':')[3].replace(' ', '')
314 sae_kck = binascii.unhexlify(val)
315 if "SAE: PMK - hexdump" in l:
316 val = l.strip().split(':')[3].replace(' ', '')
317 pmk = binascii.unhexlify(val)
318 if "WPA: PTK - hexdump" in l:
319 val = l.strip().split(':')[3].replace(' ', '')
320 ptk = binascii.unhexlify(val)
321 if "WPA: Group Key - hexdump" in l:
322 val = l.strip().split(':')[3].replace(' ', '')
323 gtk = binascii.unhexlify(val)
324 if not sae_k or not sae_keyseed or not sae_kck or not pmk or not ptk or not gtk:
325 raise Exception("Could not find keys from debug log")
326 if len(gtk) != 16:
327 raise Exception("Unexpected GTK length")
328
329 kck = ptk[0:16]
330 kek = ptk[16:32]
331 tk = ptk[32:48]
332
333 fname = os.path.join(params['logdir'],
334 'sae_key_lifetime_in_memory.memctx-')
335
336 logger.info("Checking keys in memory while associated")
337 get_key_locations(buf, password, "Password")
338 get_key_locations(buf, pmk, "PMK")
339 if password not in buf:
81e787b7 340 raise HwsimSkip("Password not found while associated")
5b3c40a6 341 if pmk not in buf:
81e787b7 342 raise HwsimSkip("PMK not found while associated")
5b3c40a6
JM		 343 if kck not in buf:
344 raise Exception("KCK not found while associated")
345 if kek not in buf:
346 raise Exception("KEK not found while associated")
b74f82a4
JM		 347 #if tk in buf:
348 # raise Exception("TK found from memory")
5b3c40a6
JM		 349 verify_not_present(buf, sae_k, fname, "SAE(k)")
350 verify_not_present(buf, sae_keyseed, fname, "SAE(keyseed)")
351 verify_not_present(buf, sae_kck, fname, "SAE(KCK)")
352
353 logger.info("Checking keys in memory after disassociation")
354 buf = read_process_memory(pid, password)
355
356 # Note: Password is still present in network configuration
357 # Note: PMK is in PMKSA cache
358
359 get_key_locations(buf, password, "Password")
360 get_key_locations(buf, pmk, "PMK")
361 verify_not_present(buf, kck, fname, "KCK")
362 verify_not_present(buf, kek, fname, "KEK")
363 verify_not_present(buf, tk, fname, "TK")
6db556b2
JM		 364 if gtk in buf:
365 get_key_locations(buf, gtk, "GTK")
5b3c40a6
JM		 366 verify_not_present(buf, gtk, fname, "GTK")
367 verify_not_present(buf, sae_k, fname, "SAE(k)")
368 verify_not_present(buf, sae_keyseed, fname, "SAE(keyseed)")
369 verify_not_present(buf, sae_kck, fname, "SAE(KCK)")
370
371 dev[0].request("PMKSA_FLUSH")
372 logger.info("Checking keys in memory after PMKSA cache flush")
373 buf = read_process_memory(pid, password)
374 get_key_locations(buf, password, "Password")
375 get_key_locations(buf, pmk, "PMK")
376 verify_not_present(buf, pmk, fname, "PMK")
377
378 dev[0].request("REMOVE_NETWORK all")
379
380 logger.info("Checking keys in memory after network profile removal")
381 buf = read_process_memory(pid, password)
382
383 get_key_locations(buf, password, "Password")
384 get_key_locations(buf, pmk, "PMK")
385 verify_not_present(buf, password, fname, "password")
386 verify_not_present(buf, pmk, fname, "PMK")
387 verify_not_present(buf, kck, fname, "KCK")
388 verify_not_present(buf, kek, fname, "KEK")
389 verify_not_present(buf, tk, fname, "TK")
390 verify_not_present(buf, gtk, fname, "GTK")
391 verify_not_present(buf, sae_k, fname, "SAE(k)")
392 verify_not_present(buf, sae_keyseed, fname, "SAE(keyseed)")
393 verify_not_present(buf, sae_kck, fname, "SAE(KCK)")
eb6d3532 394
9fd6804d 395@remote_compatible
eb6d3532
JM		 396def test_sae_oom_wpas(dev, apdev):
397 """SAE and OOM in wpa_supplicant"""
398 if "SAE" not in dev[0].get_capability("auth_alg"):
399 raise HwsimSkip("SAE not supported")
400 params = hostapd.wpa2_params(ssid="test-sae",
401 passphrase="12345678")
402 params['wpa_key_mgmt'] = 'SAE'
8b8a1864 403 hapd = hostapd.add_ap(apdev[0], params)
eb6d3532
JM		 404
405 dev[0].request("SET sae_groups 25")
db036ed5
JM		 406 tls = dev[0].request("GET tls_library")
407 if "BoringSSL" in tls:
408 dev[0].request("SET sae_groups 26")
eb6d3532
JM		 409 with alloc_fail(dev[0], 1, "sae_set_group"):
410 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
411 scan_freq="2412")
412 dev[0].request("REMOVE_NETWORK all")
413
414 dev[0].request("SET sae_groups ")
415 with alloc_fail(dev[0], 2, "sae_set_group"):
416 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
417 scan_freq="2412")
418 dev[0].request("REMOVE_NETWORK all")
5527a391 419
2fd44db7
JM		 420 with alloc_fail(dev[0], 1, "wpabuf_alloc;sme_auth_build_sae_commit"):
421 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
422 scan_freq="2412")
423 dev[0].request("REMOVE_NETWORK all")
424
425 with alloc_fail(dev[0], 1, "wpabuf_alloc;sme_auth_build_sae_confirm"):
426 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
427 scan_freq="2412", wait_connect=False)
428 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
429 dev[0].request("REMOVE_NETWORK all")
430
431 with alloc_fail(dev[0], 1, "=sme_authenticate"):
432 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
433 scan_freq="2412", wait_connect=False)
434 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
435 dev[0].request("REMOVE_NETWORK all")
436
437 with alloc_fail(dev[0], 1, "radio_add_work;sme_authenticate"):
438 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
439 scan_freq="2412", wait_connect=False)
440 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
441 dev[0].request("REMOVE_NETWORK all")
442
9fd6804d 443@remote_compatible
5527a391
JM		 444def test_sae_proto_ecc(dev, apdev):
445 """SAE protocol testing (ECC)"""
446 if "SAE" not in dev[0].get_capability("auth_alg"):
447 raise HwsimSkip("SAE not supported")
448 params = hostapd.wpa2_params(ssid="test-sae",
449 passphrase="12345678")
450 params['wpa_key_mgmt'] = 'SAE'
8b8a1864 451 hapd = hostapd.add_ap(apdev[0], params)
5527a391
JM		 452 bssid = apdev[0]['bssid']
453
454 dev[0].request("SET sae_groups 19")
455
456 tests = [ ("Confirm mismatch",
457 "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
458 "0000800edebc3f260dc1fe7e0b20888af2b8a3316252ec37388a8504e25b73dc4240"),
459 ("Commit without even full cyclic group field",
460 "13",
461 None),
462 ("Too short commit",
463 "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02",
464 None),
465 ("Invalid commit scalar (0)",
466 "1300" + "0000000000000000000000000000000000000000000000000000000000000000" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
467 None),
17ce7bb9
JM		 468 ("Invalid commit scalar (1)",
469 "1300" + "0000000000000000000000000000000000000000000000000000000000000001" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
470 None),
5527a391
JM		 471 ("Invalid commit scalar (> r)",
472 "1300" + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
473 None),
474 ("Commit element not on curve",
475 "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728d0000000000000000000000000000000000000000000000000000000000000000",
476 None),
477 ("Invalid commit element (y coordinate > P)",
478 "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
479 None),
480 ("Invalid commit element (x coordinate > P)",
481 "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
482 None),
483 ("Different group in commit",
484 "1400" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
485 None),
486 ("Too short confirm",
487 "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
488 "0000800edebc3f260dc1fe7e0b20888af2b8a3316252ec37388a8504e25b73dc42")]
489 for (note, commit, confirm) in tests:
490 logger.info(note)
491 dev[0].scan_for_bss(bssid, freq=2412)
492 hapd.set("ext_mgmt_frame_handling", "1")
493 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
494 scan_freq="2412", wait_connect=False)
495
496 logger.info("Commit")
497 for i in range(0, 10):
498 req = hapd.mgmt_rx()
499 if req is None:
500 raise Exception("MGMT RX wait timed out (commit)")
501 if req['subtype'] == 11:
502 break
503 req = None
504 if not req:
505 raise Exception("Authentication frame (commit) not received")
506
507 hapd.dump_monitor()
508 resp = {}
509 resp['fc'] = req['fc']
510 resp['da'] = req['sa']
511 resp['sa'] = req['da']
512 resp['bssid'] = req['bssid']
513 resp['payload'] = binascii.unhexlify("030001000000" + commit)
514 hapd.mgmt_tx(resp)
515
516 if confirm:
517 logger.info("Confirm")
518 for i in range(0, 10):
519 req = hapd.mgmt_rx()
520 if req is None:
521 raise Exception("MGMT RX wait timed out (confirm)")
522 if req['subtype'] == 11:
523 break
524 req = None
525 if not req:
526 raise Exception("Authentication frame (confirm) not received")
527
528 hapd.dump_monitor()
529 resp = {}
530 resp['fc'] = req['fc']
531 resp['da'] = req['sa']
532 resp['sa'] = req['da']
533 resp['bssid'] = req['bssid']
534 resp['payload'] = binascii.unhexlify("030002000000" + confirm)
535 hapd.mgmt_tx(resp)
536
537 time.sleep(0.1)
538 dev[0].request("REMOVE_NETWORK all")
539 hapd.set("ext_mgmt_frame_handling", "0")
540 hapd.dump_monitor()
541
9fd6804d 542@remote_compatible
5527a391
JM		 543def test_sae_proto_ffc(dev, apdev):
544 """SAE protocol testing (FFC)"""
545 if "SAE" not in dev[0].get_capability("auth_alg"):
546 raise HwsimSkip("SAE not supported")
547 params = hostapd.wpa2_params(ssid="test-sae",
548 passphrase="12345678")
549 params['wpa_key_mgmt'] = 'SAE'
8b8a1864 550 hapd = hostapd.add_ap(apdev[0], params)
5527a391
JM		 551 bssid = apdev[0]['bssid']
552
553 dev[0].request("SET sae_groups 2")
554
555 tests = [ ("Confirm mismatch",
556 "0200" + "0c70519d874e3e4930a917cc5e17ea7a26028211159f217bab28b8d6c56691805e49f03249b2c6e22c7c9f86b30e04ccad2deedd5e5108ae07b737c00001c59cd0eb08b1dfc7f1b06a1542e2b6601a963c066e0c65940983a03917ae57a101ce84b5cbbc76ff33ebb990aac2e54aa0f0ab6ec0a58113d927683502b2cb2347d2" + "a8c00117493cdffa5dd671e934bc9cb1a69f39e25e9dd9cd9afd3aea2441a0f5491211c7ba50a753563f9ce943b043557cb71193b28e86ed9544f4289c471bf91b70af5c018cf4663e004165b0fd0bc1d8f3f78adf42eee92bcbc55246fd3ee9f107ab965dc7d4986f23eb71d616ebfe6bfe0a6c1ac5dc1718acee17c9a17486",
557 "0000f3116a9731f1259622e3eb55d4b3b50ba16f8c5f5565b28e609b180c51460251"),
558 ("Too short commit",
559 "0200" + "0c70519d874e3e4930a917cc5e17ea7a26028211159f217bab28b8d6c56691805e49f03249b2c6e22c7c9f86b30e04ccad2deedd5e5108ae07b737c00001c59cd0eb08b1dfc7f1b06a1542e2b6601a963c066e0c65940983a03917ae57a101ce84b5cbbc76ff33ebb990aac2e54aa0f0ab6ec0a58113d927683502b2cb2347d2" + "a8c00117493cdffa5dd671e934bc9cb1a69f39e25e9dd9cd9afd3aea2441a0f5491211c7ba50a753563f9ce943b043557cb71193b28e86ed9544f4289c471bf91b70af5c018cf4663e004165b0fd0bc1d8f3f78adf42eee92bcbc55246fd3ee9f107ab965dc7d4986f23eb71d616ebfe6bfe0a6c1ac5dc1718acee17c9a174",
560 None),
561 ("Invalid element (0) in commit",
562 "0200" + "0c70519d874e3e4930a917cc5e17ea7a26028211159f217bab28b8d6c56691805e49f03249b2c6e22c7c9f86b30e04ccad2deedd5e5108ae07b737c00001c59cd0eb08b1dfc7f1b06a1542e2b6601a963c066e0c65940983a03917ae57a101ce84b5cbbc76ff33ebb990aac2e54aa0f0ab6ec0a58113d927683502b2cb2347d2" + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
563 None),
564 ("Invalid element (1) in commit",
565 "0200" + "0c70519d874e3e4930a917cc5e17ea7a26028211159f217bab28b8d6c56691805e49f03249b2c6e22c7c9f86b30e04ccad2deedd5e5108ae07b737c00001c59cd0eb08b1dfc7f1b06a1542e2b6601a963c066e0c65940983a03917ae57a101ce84b5cbbc76ff33ebb990aac2e54aa0f0ab6ec0a58113d927683502b2cb2347d2" + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001",
566 None),
567 ("Invalid element (> P) in commit",
568 "0200" + "0c70519d874e3e4930a917cc5e17ea7a26028211159f217bab28b8d6c56691805e49f03249b2c6e22c7c9f86b30e04ccad2deedd5e5108ae07b737c00001c59cd0eb08b1dfc7f1b06a1542e2b6601a963c066e0c65940983a03917ae57a101ce84b5cbbc76ff33ebb990aac2e54aa0f0ab6ec0a58113d927683502b2cb2347d2" + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
569 None) ]
570 for (note, commit, confirm) in tests:
571 logger.info(note)
572 dev[0].scan_for_bss(bssid, freq=2412)
573 hapd.set("ext_mgmt_frame_handling", "1")
574 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
575 scan_freq="2412", wait_connect=False)
576
577 logger.info("Commit")
578 for i in range(0, 10):
579 req = hapd.mgmt_rx()
580 if req is None:
581 raise Exception("MGMT RX wait timed out (commit)")
582 if req['subtype'] == 11:
583 break
584 req = None
585 if not req:
586 raise Exception("Authentication frame (commit) not received")
587
588 hapd.dump_monitor()
589 resp = {}
590 resp['fc'] = req['fc']
591 resp['da'] = req['sa']
592 resp['sa'] = req['da']
593 resp['bssid'] = req['bssid']
594 resp['payload'] = binascii.unhexlify("030001000000" + commit)
595 hapd.mgmt_tx(resp)
596
597 if confirm:
598 logger.info("Confirm")
599 for i in range(0, 10):
600 req = hapd.mgmt_rx()
601 if req is None:
602 raise Exception("MGMT RX wait timed out (confirm)")
603 if req['subtype'] == 11:
604 break
605 req = None
606 if not req:
607 raise Exception("Authentication frame (confirm) not received")
608
609 hapd.dump_monitor()
610 resp = {}
611 resp['fc'] = req['fc']
612 resp['da'] = req['sa']
613 resp['sa'] = req['da']
614 resp['bssid'] = req['bssid']
615 resp['payload'] = binascii.unhexlify("030002000000" + confirm)
616 hapd.mgmt_tx(resp)
617
618 time.sleep(0.1)
619 dev[0].request("REMOVE_NETWORK all")
620 hapd.set("ext_mgmt_frame_handling", "0")
621 hapd.dump_monitor()
622
7a92dbd7
JM		 623def test_sae_proto_hostapd(dev, apdev):
624 """SAE protocol testing with hostapd"""
625 params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
626 params['wpa_key_mgmt'] = 'SAE'
627 params['sae_groups'] = "19 65535"
628 hapd = hostapd.add_ap(apdev[0], params)
629 hapd.set("ext_mgmt_frame_handling", "1")
630 bssid = hapd.own_addr().replace(':', '')
631 addr = "020000000000"
632 addr2 = "020000000001"
633 hdr = "b0003a01" + bssid + addr + bssid + "1000"
634 hdr2 = "b0003a01" + bssid + addr2 + bssid + "1000"
635 group = "1300"
636 scalar = "f7df19f4a7fef1d3b895ea1de150b7c5a7a705c8ebb31a52b623e0057908bd93"
637 element_x = "21931572027f2e953e2a49fab3d992944102cc95aa19515fc068b394fb25ae3c"
638 element_y = "cb4eeb94d7b0b789abfdb73a67ab9d6d5efa94dd553e0e724a6289821cbce530"
639 hapd.request("MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + hdr + "030001000000" + group + scalar + element_x + element_y)
640 # "SAE: Not enough data for scalar"
641 hapd.request("MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + hdr + "030001000000" + group + scalar[:-2])
642 # "SAE: Do not allow group to be changed"
643 hapd.request("MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + hdr + "030001000000" + "ffff" + scalar[:-2])
644 # "SAE: Unsupported Finite Cyclic Group 65535"
645 hapd.request("MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + hdr2 + "030001000000" + "ffff" + scalar[:-2])
646
9fd6804d 647@remote_compatible
5527a391
JM		 648def test_sae_no_ffc_by_default(dev, apdev):
649 """SAE and default groups rejecting FFC"""
650 if "SAE" not in dev[0].get_capability("auth_alg"):
651 raise HwsimSkip("SAE not supported")
652 params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
653 params['wpa_key_mgmt'] = 'SAE'
8b8a1864 654 hapd = hostapd.add_ap(apdev[0], params)
5527a391
JM		 655
656 dev[0].request("SET sae_groups 5")
657 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE", scan_freq="2412",
658 wait_connect=False)
659 ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=3)
660 if ev is None:
661 raise Exception("Did not try to authenticate")
662 ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=3)
663 if ev is None:
664 raise Exception("Did not try to authenticate (2)")
665 dev[0].request("REMOVE_NETWORK all")
939527b5
JM		 666
667def sae_reflection_attack(apdev, dev, group):
668 if "SAE" not in dev.get_capability("auth_alg"):
669 raise HwsimSkip("SAE not supported")
670 params = hostapd.wpa2_params(ssid="test-sae",
671 passphrase="no-knowledge-of-passphrase")
672 params['wpa_key_mgmt'] = 'SAE'
afc26df2 673 hapd = hostapd.add_ap(apdev, params)
939527b5
JM		 674 bssid = apdev['bssid']
675
676 dev.scan_for_bss(bssid, freq=2412)
677 hapd.set("ext_mgmt_frame_handling", "1")
678
679 dev.request("SET sae_groups %d" % group)
680 dev.connect("test-sae", psk="reflection-attack", key_mgmt="SAE",
681 scan_freq="2412", wait_connect=False)
682
683 # Commit
684 for i in range(0, 10):
685 req = hapd.mgmt_rx()
686 if req is None:
687 raise Exception("MGMT RX wait timed out")
688 if req['subtype'] == 11:
689 break
690 req = None
691 if not req:
692 raise Exception("Authentication frame not received")
693
694 resp = {}
695 resp['fc'] = req['fc']
696 resp['da'] = req['sa']
697 resp['sa'] = req['da']
698 resp['bssid'] = req['bssid']
699 resp['payload'] = req['payload']
700 hapd.mgmt_tx(resp)
701
702 # Confirm
703 req = hapd.mgmt_rx(timeout=0.5)
704 if req is not None:
705 if req['subtype'] == 11:
706 raise Exception("Unexpected Authentication frame seen")
707
9fd6804d 708@remote_compatible
939527b5
JM		 709def test_sae_reflection_attack_ecc(dev, apdev):
710 """SAE reflection attack (ECC)"""
711 sae_reflection_attack(apdev[0], dev[0], 19)
712
9fd6804d 713@remote_compatible
939527b5
JM		 714def test_sae_reflection_attack_ffc(dev, apdev):
715 """SAE reflection attack (FFC)"""
716 sae_reflection_attack(apdev[0], dev[0], 5)
1965e196 717
1342c47a
JM		 718def sae_reflection_attack_internal(apdev, dev, group):
719 if "SAE" not in dev.get_capability("auth_alg"):
720 raise HwsimSkip("SAE not supported")
721 params = hostapd.wpa2_params(ssid="test-sae",
722 passphrase="no-knowledge-of-passphrase")
723 params['wpa_key_mgmt'] = 'SAE'
724 params['sae_reflection_attack'] = '1'
725 hapd = hostapd.add_ap(apdev, params)
726 bssid = apdev['bssid']
727
728 dev.scan_for_bss(bssid, freq=2412)
729 dev.request("SET sae_groups %d" % group)
730 dev.connect("test-sae", psk="reflection-attack", key_mgmt="SAE",
731 scan_freq="2412", wait_connect=False)
732 ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
733 if ev is not None:
734 raise Exception("Unexpected connection")
735
736@remote_compatible
737def test_sae_reflection_attack_ecc_internal(dev, apdev):
738 """SAE reflection attack (ECC) - internal"""
739 sae_reflection_attack_internal(apdev[0], dev[0], 19)
740
741@remote_compatible
742def test_sae_reflection_attack_ffc_internal(dev, apdev):
743 """SAE reflection attack (FFC) - internal"""
744 sae_reflection_attack_internal(apdev[0], dev[0], 5)
745
cd06e266
JM		 746@remote_compatible
747def test_sae_commit_override(dev, apdev):
748 """SAE commit override (hostapd)"""
749 if "SAE" not in dev[0].get_capability("auth_alg"):
750 raise HwsimSkip("SAE not supported")
751 params = hostapd.wpa2_params(ssid="test-sae",
752 passphrase="12345678")
753 params['wpa_key_mgmt'] = 'SAE'
754 params['sae_commit_override'] = '13ffbad00d215867a7c5ff37d87bb9bdb7cb116e520f71e8d7a794ca2606d537ddc6c099c40e7a25372b80a8fd443cd7dd222c8ea21b8ef372d4b3e316c26a73fd999cc79ad483eb826e7b3893ea332da68fa13224bcdeb4fb18b0584dd100a2c514'
755 hapd = hostapd.add_ap(apdev[0], params)
756 dev[0].request("SET sae_groups ")
757 dev[0].connect("test-sae", psk="test-sae", key_mgmt="SAE",
758 scan_freq="2412", wait_connect=False)
759 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
760 if ev is not None:
761 raise Exception("Unexpected connection")
762
eea62048
JM		 763@remote_compatible
764def test_sae_commit_override2(dev, apdev):
765 """SAE commit override (wpa_supplicant)"""
766 if "SAE" not in dev[0].get_capability("auth_alg"):
767 raise HwsimSkip("SAE not supported")
768 params = hostapd.wpa2_params(ssid="test-sae",
769 passphrase="12345678")
770 params['wpa_key_mgmt'] = 'SAE'
771 hapd = hostapd.add_ap(apdev[0], params)
772 dev[0].request("SET sae_groups ")
773 dev[0].set('sae_commit_override', '13ffbad00d215867a7c5ff37d87bb9bdb7cb116e520f71e8d7a794ca2606d537ddc6c099c40e7a25372b80a8fd443cd7dd222c8ea21b8ef372d4b3e316c26a73fd999cc79ad483eb826e7b3893ea332da68fa13224bcdeb4fb18b0584dd100a2c514')
774 dev[0].connect("test-sae", psk="test-sae", key_mgmt="SAE",
775 scan_freq="2412", wait_connect=False)
776 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
777 if ev is not None:
778 raise Exception("Unexpected connection")
779
9fd6804d 780@remote_compatible
1965e196
JM		 781def test_sae_anti_clogging_proto(dev, apdev):
782 """SAE anti clogging protocol testing"""
783 if "SAE" not in dev[0].get_capability("auth_alg"):
784 raise HwsimSkip("SAE not supported")
785 params = hostapd.wpa2_params(ssid="test-sae",
786 passphrase="no-knowledge-of-passphrase")
787 params['wpa_key_mgmt'] = 'SAE'
8b8a1864 788 hapd = hostapd.add_ap(apdev[0], params)
1965e196
JM		 789 bssid = apdev[0]['bssid']
790
791 dev[0].scan_for_bss(bssid, freq=2412)
792 hapd.set("ext_mgmt_frame_handling", "1")
793
794 dev[0].request("SET sae_groups ")
795 dev[0].connect("test-sae", psk="anti-cloggign", key_mgmt="SAE",
796 scan_freq="2412", wait_connect=False)
797
798 # Commit
799 for i in range(0, 10):
800 req = hapd.mgmt_rx()
801 if req is None:
802 raise Exception("MGMT RX wait timed out")
803 if req['subtype'] == 11:
804 break
805 req = None
806 if not req:
807 raise Exception("Authentication frame not received")
808
809 resp = {}
810 resp['fc'] = req['fc']
811 resp['da'] = req['sa']
812 resp['sa'] = req['da']
813 resp['bssid'] = req['bssid']
814 resp['payload'] = binascii.unhexlify("030001004c00" + "ffff00")
815 hapd.mgmt_tx(resp)
816
817 # Confirm (not received due to DH group being rejected)
818 req = hapd.mgmt_rx(timeout=0.5)
819 if req is not None:
820 if req['subtype'] == 11:
821 raise Exception("Unexpected Authentication frame seen")
10ba4ae4 822
9fd6804d 823@remote_compatible
10ba4ae4
JM		 824def test_sae_no_random(dev, apdev):
825 """SAE and no random numbers available"""
826 if "SAE" not in dev[0].get_capability("auth_alg"):
827 raise HwsimSkip("SAE not supported")
828 params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
829 params['wpa_key_mgmt'] = 'SAE'
8b8a1864 830 hapd = hostapd.add_ap(apdev[0], params)
10ba4ae4
JM		 831
832 dev[0].request("SET sae_groups ")
833 tests = [ (1, "os_get_random;sae_get_rand"),
834 (1, "os_get_random;get_rand_1_to_p_1"),
835 (1, "os_get_random;get_random_qr_qnr"),
836 (1, "os_get_random;sae_derive_pwe_ecc") ]
837 for count, func in tests:
838 with fail_test(dev[0], count, func):
839 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
840 scan_freq="2412")
841 dev[0].request("REMOVE_NETWORK all")
842 dev[0].wait_disconnected()
4f6985de 843
9fd6804d 844@remote_compatible
4f6985de
JM		 845def test_sae_pwe_failure(dev, apdev):
846 """SAE and pwe failure"""
847 if "SAE" not in dev[0].get_capability("auth_alg"):
848 raise HwsimSkip("SAE not supported")
849 params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
850 params['wpa_key_mgmt'] = 'SAE'
851 params['sae_groups'] = '19 5'
8b8a1864 852 hapd = hostapd.add_ap(apdev[0], params)
4f6985de
JM		 853
854 dev[0].request("SET sae_groups 19")
855 with fail_test(dev[0], 1, "hmac_sha256_vector;sae_derive_pwe_ecc"):
856 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
857 scan_freq="2412")
858 dev[0].request("REMOVE_NETWORK all")
859 dev[0].wait_disconnected()
51761ba2
JM		 860 with fail_test(dev[0], 1, "sae_test_pwd_seed_ecc"):
861 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
862 scan_freq="2412")
863 dev[0].request("REMOVE_NETWORK all")
864 dev[0].wait_disconnected()
4f6985de
JM		 865
866 dev[0].request("SET sae_groups 5")
867 with fail_test(dev[0], 1, "hmac_sha256_vector;sae_derive_pwe_ffc"):
868 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
869 scan_freq="2412")
870 dev[0].request("REMOVE_NETWORK all")
871 dev[0].wait_disconnected()
872
873 dev[0].request("SET sae_groups 5")
874 with fail_test(dev[0], 1, "sae_test_pwd_seed_ffc"):
875 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
876 scan_freq="2412")
877 dev[0].request("REMOVE_NETWORK all")
878 dev[0].wait_disconnected()
879 with fail_test(dev[0], 2, "sae_test_pwd_seed_ffc"):
880 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
881 scan_freq="2412")
882 dev[0].request("REMOVE_NETWORK all")
883 dev[0].wait_disconnected()
51761ba2 884
9fd6804d 885@remote_compatible
51761ba2
JM		 886def test_sae_bignum_failure(dev, apdev):
887 """SAE and bignum failure"""
888 if "SAE" not in dev[0].get_capability("auth_alg"):
889 raise HwsimSkip("SAE not supported")
890 params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
891 params['wpa_key_mgmt'] = 'SAE'
892 params['sae_groups'] = '19 5 22'
8b8a1864 893 hapd = hostapd.add_ap(apdev[0], params)
51761ba2
JM		 894
895 dev[0].request("SET sae_groups 19")
896 tests = [ (1, "crypto_bignum_init_set;get_rand_1_to_p_1"),
897 (1, "crypto_bignum_init;is_quadratic_residue_blind"),
898 (1, "crypto_bignum_mulmod;is_quadratic_residue_blind"),
899 (2, "crypto_bignum_mulmod;is_quadratic_residue_blind"),
900 (3, "crypto_bignum_mulmod;is_quadratic_residue_blind"),
901 (1, "crypto_bignum_legendre;is_quadratic_residue_blind"),
902 (1, "crypto_bignum_init_set;sae_test_pwd_seed_ecc"),
903 (1, "crypto_ec_point_compute_y_sqr;sae_test_pwd_seed_ecc"),
904 (1, "crypto_bignum_init_set;get_random_qr_qnr"),
905 (1, "crypto_bignum_to_bin;sae_derive_pwe_ecc"),
906 (1, "crypto_ec_point_init;sae_derive_pwe_ecc"),
907 (1, "crypto_ec_point_solve_y_coord;sae_derive_pwe_ecc"),
908 (1, "crypto_ec_point_init;sae_derive_commit_element_ecc"),
909 (1, "crypto_ec_point_mul;sae_derive_commit_element_ecc"),
910 (1, "crypto_ec_point_invert;sae_derive_commit_element_ecc"),
911 (1, "crypto_bignum_init;=sae_derive_commit"),
912 (1, "crypto_ec_point_init;sae_derive_k_ecc"),
913 (1, "crypto_ec_point_mul;sae_derive_k_ecc"),
914 (1, "crypto_ec_point_add;sae_derive_k_ecc"),
915 (2, "crypto_ec_point_mul;sae_derive_k_ecc"),
916 (1, "crypto_ec_point_to_bin;sae_derive_k_ecc"),
917 (1, "crypto_bignum_legendre;get_random_qr_qnr"),
918 (1, "sha256_prf;sae_derive_keys"),
919 (1, "crypto_bignum_init;sae_derive_keys"),
920 (1, "crypto_bignum_init_set;sae_parse_commit_scalar"),
921 (1, "crypto_bignum_to_bin;sae_parse_commit_element_ecc"),
922 (1, "crypto_ec_point_from_bin;sae_parse_commit_element_ecc") ]
923 for count, func in tests:
924 with fail_test(dev[0], count, func):
925 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
926 scan_freq="2412", wait_connect=False)
927 wait_fail_trigger(dev[0], "GET_FAIL")
928 dev[0].request("REMOVE_NETWORK all")
929
930 dev[0].request("SET sae_groups 5")
931 tests = [ (1, "crypto_bignum_init_set;sae_set_group"),
932 (2, "crypto_bignum_init_set;sae_set_group"),
933 (1, "crypto_bignum_init_set;sae_get_rand"),
934 (1, "crypto_bignum_init_set;sae_test_pwd_seed_ffc"),
935 (1, "crypto_bignum_exptmod;sae_test_pwd_seed_ffc"),
936 (1, "crypto_bignum_init;sae_derive_pwe_ffc"),
937 (1, "crypto_bignum_init;sae_derive_commit_element_ffc"),
938 (1, "crypto_bignum_exptmod;sae_derive_commit_element_ffc"),
939 (1, "crypto_bignum_inverse;sae_derive_commit_element_ffc"),
940 (1, "crypto_bignum_init;sae_derive_k_ffc"),
941 (1, "crypto_bignum_exptmod;sae_derive_k_ffc"),
942 (1, "crypto_bignum_mulmod;sae_derive_k_ffc"),
943 (2, "crypto_bignum_exptmod;sae_derive_k_ffc"),
944 (1, "crypto_bignum_to_bin;sae_derive_k_ffc"),
945 (1, "crypto_bignum_init_set;sae_parse_commit_element_ffc"),
946 (1, "crypto_bignum_init;sae_parse_commit_element_ffc"),
947 (2, "crypto_bignum_init_set;sae_parse_commit_element_ffc"),
948 (1, "crypto_bignum_exptmod;sae_parse_commit_element_ffc") ]
949 for count, func in tests:
950 with fail_test(dev[0], count, func):
951 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
952 scan_freq="2412", wait_connect=False)
953 wait_fail_trigger(dev[0], "GET_FAIL")
954 dev[0].request("REMOVE_NETWORK all")
955
956 dev[0].request("SET sae_groups 22")
957 tests = [ (1, "crypto_bignum_init_set;sae_test_pwd_seed_ffc"),
958 (1, "crypto_bignum_sub;sae_test_pwd_seed_ffc"),
959 (1, "crypto_bignum_div;sae_test_pwd_seed_ffc") ]
960 for count, func in tests:
961 with fail_test(dev[0], count, func):
962 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
963 scan_freq="2412", wait_connect=False)
964 wait_fail_trigger(dev[0], "GET_FAIL")
965 dev[0].request("REMOVE_NETWORK all")
28be769b
JM		 966
967def test_sae_invalid_anti_clogging_token_req(dev, apdev):
968 """SAE and invalid anti-clogging token request"""
969 if "SAE" not in dev[0].get_capability("auth_alg"):
970 raise HwsimSkip("SAE not supported")
971 params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
972 params['wpa_key_mgmt'] = 'SAE'
973 hapd = hostapd.add_ap(apdev[0], params)
974 bssid = apdev[0]['bssid']
975
976 dev[0].request("SET sae_groups 19")
977 dev[0].scan_for_bss(bssid, freq=2412)
978 hapd.set("ext_mgmt_frame_handling", "1")
979 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
980 scan_freq="2412", wait_connect=False)
981 ev = dev[0].wait_event(["SME: Trying to authenticate"])
982 if ev is None:
983 raise Exception("No authentication attempt seen")
984 dev[0].dump_monitor()
985
986 for i in range(0, 10):
987 req = hapd.mgmt_rx()
988 if req is None:
989 raise Exception("MGMT RX wait timed out (commit)")
990 if req['subtype'] == 11:
991 break
992 req = None
993 if not req:
994 raise Exception("Authentication frame (commit) not received")
995
996 hapd.dump_monitor()
997 resp = {}
998 resp['fc'] = req['fc']
999 resp['da'] = req['sa']
1000 resp['sa'] = req['da']
1001 resp['bssid'] = req['bssid']
1002 resp['payload'] = binascii.unhexlify("030001004c0013")
1003 hapd.mgmt_tx(resp)
1004
1005 ev = dev[0].wait_event(["SME: Trying to authenticate"])
1006 if ev is None:
1007 raise Exception("No authentication attempt seen")
1008 dev[0].dump_monitor()
1009
1010 for i in range(0, 10):
1011 req = hapd.mgmt_rx()
1012 if req is None:
1013 raise Exception("MGMT RX wait timed out (commit) (2)")
1014 if req['subtype'] == 11:
1015 break
1016 req = None
1017 if not req:
1018 raise Exception("Authentication frame (commit) not received (2)")
1019
1020 hapd.dump_monitor()
1021 resp = {}
1022 resp['fc'] = req['fc']
1023 resp['da'] = req['sa']
1024 resp['sa'] = req['da']
1025 resp['bssid'] = req['bssid']
1026 resp['payload'] = binascii.unhexlify("030001000100")
1027 hapd.mgmt_tx(resp)
1028
1029 ev = dev[0].wait_event(["SME: Trying to authenticate"])
1030 if ev is None:
1031 raise Exception("No authentication attempt seen")
1032 dev[0].dump_monitor()
1033
1034 dev[0].request("DISCONNECT")
606ef7d3
JM		 1035
1036def test_sae_password(dev, apdev):
1037 """SAE and sae_password in hostapd configuration"""
1038 if "SAE" not in dev[0].get_capability("auth_alg"):
1039 raise HwsimSkip("SAE not supported")
1040 params = hostapd.wpa2_params(ssid="test-sae",
1041 passphrase="12345678")
1042 params['wpa_key_mgmt'] = 'SAE WPA-PSK'
1043 params['sae_password'] = "sae-password"
1044 hapd = hostapd.add_ap(apdev[0], params)
1045
1046 dev[0].request("SET sae_groups ")
1047 dev[0].connect("test-sae", psk="sae-password", key_mgmt="SAE",
1048 scan_freq="2412")
1049 dev[1].connect("test-sae", psk="12345678", scan_freq="2412")
1050 dev[2].request("SET sae_groups ")
1051 dev[2].connect("test-sae", sae_password="sae-password", key_mgmt="SAE",
1052 scan_freq="2412")
1053
1054def test_sae_password_short(dev, apdev):
1055 """SAE and short password"""
1056 if "SAE" not in dev[0].get_capability("auth_alg"):
1057 raise HwsimSkip("SAE not supported")
1058 params = hostapd.wpa2_params(ssid="test-sae")
1059 params['wpa_key_mgmt'] = 'SAE'
1060 params['sae_password'] = "secret"
1061 hapd = hostapd.add_ap(apdev[0], params)
1062
1063 dev[0].request("SET sae_groups ")
1064 dev[0].connect("test-sae", sae_password="secret", key_mgmt="SAE",
1065 scan_freq="2412")
1066
1067def test_sae_password_long(dev, apdev):
1068 """SAE and long password"""
1069 if "SAE" not in dev[0].get_capability("auth_alg"):
1070 raise HwsimSkip("SAE not supported")
1071 params = hostapd.wpa2_params(ssid="test-sae")
1072 params['wpa_key_mgmt'] = 'SAE'
1073 params['sae_password'] = 100*"A"
1074 hapd = hostapd.add_ap(apdev[0], params)
1075
1076 dev[0].request("SET sae_groups ")
1077 dev[0].connect("test-sae", sae_password=100*"A", key_mgmt="SAE",
1078 scan_freq="2412")
Unnamed repository; edit this file 'description' to name the repository.