git.ipfire.org Git - thirdparty/hostap.git/blob - tests/hwsim/test_sae.py
2 # Copyright (c) 2013-2016, Jouni Malinen <j@w1.fi>
4 # This software may be distributed under the terms of the BSD license.
5 # See README for more details.
7 from remotehost
import remote_compatible
12 logger
= logging
.getLogger()
16 from utils
import HwsimSkip
, alloc_fail
, fail_test
, wait_fail_trigger
17 from test_ap_psk
import find_wpas_process
, read_process_memory
, verify_not_present
, get_key_locations
20 def test_sae(dev
, apdev
):
21 """SAE with default group"""
22 if "SAE" not in dev
[0].get_capability("auth_alg"):
23 raise HwsimSkip("SAE not supported")
24 params
= hostapd
.wpa2_params(ssid
="test-sae",
25 passphrase
="12345678")
26 params
['wpa_key_mgmt'] = 'SAE'
27 hapd
= hostapd
.add_ap(apdev
[0], params
)
28 key_mgmt
= hapd
.get_config()['key_mgmt']
29 if key_mgmt
.split(' ')[0] != "SAE":
30 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt
)
32 dev
[0].request("SET sae_groups ")
33 id = dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
35 if dev
[0].get_status_field('sae_group') != '19':
36 raise Exception("Expected default SAE group not used")
37 bss
= dev
[0].get_bss(apdev
[0]['bssid'])
38 if 'flags' not in bss
:
39 raise Exception("Could not get BSS flags from BSS table")
40 if "[WPA2-SAE-CCMP]" not in bss
['flags']:
41 raise Exception("Unexpected BSS flags: " + bss
['flags'])
43 res
= hapd
.request("STA-FIRST")
44 if "sae_group=19" not in res
.splitlines():
45 raise Exception("hostapd STA output did not specify SAE group")
48 def test_sae_password_ecc(dev
, apdev
):
49 """SAE with number of different passwords (ECC)"""
50 if "SAE" not in dev
[0].get_capability("auth_alg"):
51 raise HwsimSkip("SAE not supported")
52 params
= hostapd
.wpa2_params(ssid
="test-sae",
53 passphrase
="12345678")
54 params
['wpa_key_mgmt'] = 'SAE'
55 hapd
= hostapd
.add_ap(apdev
[0], params
)
57 dev
[0].request("SET sae_groups 19")
60 password
= "12345678-" + str(i
)
61 hapd
.set("wpa_passphrase", password
)
62 dev
[0].connect("test-sae", psk
=password
, key_mgmt
="SAE",
64 dev
[0].request("REMOVE_NETWORK all")
65 dev
[0].wait_disconnected()
68 def test_sae_password_ffc(dev
, apdev
):
69 """SAE with number of different passwords (FFC)"""
70 if "SAE" not in dev
[0].get_capability("auth_alg"):
71 raise HwsimSkip("SAE not supported")
72 params
= hostapd
.wpa2_params(ssid
="test-sae",
73 passphrase
="12345678")
74 params
['wpa_key_mgmt'] = 'SAE'
75 params
['sae_groups'] = '22'
76 hapd
= hostapd
.add_ap(apdev
[0], params
)
78 dev
[0].request("SET sae_groups 22")
81 password
= "12345678-" + str(i
)
82 hapd
.set("wpa_passphrase", password
)
83 dev
[0].connect("test-sae", psk
=password
, key_mgmt
="SAE",
85 dev
[0].request("REMOVE_NETWORK all")
86 dev
[0].wait_disconnected()
89 def test_sae_pmksa_caching(dev
, apdev
):
90 """SAE and PMKSA caching"""
91 if "SAE" not in dev
[0].get_capability("auth_alg"):
92 raise HwsimSkip("SAE not supported")
93 params
= hostapd
.wpa2_params(ssid
="test-sae",
94 passphrase
="12345678")
95 params
['wpa_key_mgmt'] = 'SAE'
96 hapd
= hostapd
.add_ap(apdev
[0], params
)
98 dev
[0].request("SET sae_groups ")
99 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
101 ev
= hapd
.wait_event([ "AP-STA-CONNECTED" ], timeout
=5)
103 raise Exception("No connection event received from hostapd")
104 dev
[0].request("DISCONNECT")
105 dev
[0].wait_disconnected()
106 dev
[0].request("RECONNECT")
107 dev
[0].wait_connected(timeout
=15, error
="Reconnect timed out")
108 if dev
[0].get_status_field('sae_group') is not None:
109 raise Exception("SAE group claimed to have been used")
112 def test_sae_pmksa_caching_disabled(dev
, apdev
):
113 """SAE and PMKSA caching disabled"""
114 if "SAE" not in dev
[0].get_capability("auth_alg"):
115 raise HwsimSkip("SAE not supported")
116 params
= hostapd
.wpa2_params(ssid
="test-sae",
117 passphrase
="12345678")
118 params
['wpa_key_mgmt'] = 'SAE'
119 params
['disable_pmksa_caching'] = '1'
120 hapd
= hostapd
.add_ap(apdev
[0], params
)
122 dev
[0].request("SET sae_groups ")
123 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
125 ev
= hapd
.wait_event([ "AP-STA-CONNECTED" ], timeout
=5)
127 raise Exception("No connection event received from hostapd")
128 dev
[0].request("DISCONNECT")
129 dev
[0].wait_disconnected()
130 dev
[0].request("RECONNECT")
131 dev
[0].wait_connected(timeout
=15, error
="Reconnect timed out")
132 if dev
[0].get_status_field('sae_group') != '19':
133 raise Exception("Expected default SAE group not used")
135 def test_sae_groups(dev
, apdev
):
136 """SAE with all supported groups"""
137 if "SAE" not in dev
[0].get_capability("auth_alg"):
138 raise HwsimSkip("SAE not supported")
139 # This is the full list of supported groups, but groups 14-16 (2048-4096 bit
140 # MODP) and group 21 (521-bit random ECP group) are a bit too slow on some
141 # VMs and can result in hitting the mac80211 authentication timeout, so
142 # allow them to fail and just report such failures in the debug log.
143 sae_groups
= [ 19, 25, 26, 20, 21, 2, 5, 14, 15, 16, 22, 23, 24 ]
144 tls
= dev
[0].request("GET tls_library")
145 if tls
.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls
and "run=OpenSSL 1.0.2" in tls
:
146 logger
.info("Add Brainpool EC groups since OpenSSL is new enough")
147 sae_groups
+= [ 27, 28, 29, 30 ]
148 heavy_groups
= [ 14, 15, 16 ]
149 groups
= [str(g
) for g
in sae_groups
]
150 params
= hostapd
.wpa2_params(ssid
="test-sae-groups",
151 passphrase
="12345678")
152 params
['wpa_key_mgmt'] = 'SAE'
153 params
['sae_groups'] = ' '.join(groups
)
154 hostapd
.add_ap(apdev
[0], params
)
157 logger
.info("Testing SAE group " + g
)
158 dev
[0].request("SET sae_groups " + g
)
159 id = dev
[0].connect("test-sae-groups", psk
="12345678", key_mgmt
="SAE",
160 scan_freq
="2412", wait_connect
=False)
161 if int(g
) in heavy_groups
:
162 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout
=5)
164 logger
.info("No connection with heavy SAE group %s did not connect - likely hitting timeout in mac80211" % g
)
165 dev
[0].remove_network(id)
167 dev
[0].dump_monitor()
169 logger
.info("Connection with heavy SAE group " + g
)
171 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout
=10)
173 if "BoringSSL" in tls
and int(g
) in [ 25 ]:
174 logger
.info("Ignore connection failure with group " + g
+ " with BoringSSL")
175 dev
[0].remove_network(id)
176 dev
[0].dump_monitor()
178 raise Exception("Connection timed out with group " + g
)
179 if dev
[0].get_status_field('sae_group') != g
:
180 raise Exception("Expected SAE group not used")
181 dev
[0].remove_network(id)
182 dev
[0].wait_disconnected()
183 dev
[0].dump_monitor()
186 def test_sae_group_nego(dev
, apdev
):
187 """SAE group negotiation"""
188 if "SAE" not in dev
[0].get_capability("auth_alg"):
189 raise HwsimSkip("SAE not supported")
190 params
= hostapd
.wpa2_params(ssid
="test-sae-group-nego",
191 passphrase
="12345678")
192 params
['wpa_key_mgmt'] = 'SAE'
193 params
['sae_groups'] = '19'
194 hostapd
.add_ap(apdev
[0], params
)
196 dev
[0].request("SET sae_groups 25 26 20 19")
197 dev
[0].connect("test-sae-group-nego", psk
="12345678", key_mgmt
="SAE",
199 if dev
[0].get_status_field('sae_group') != '19':
200 raise Exception("Expected SAE group not used")
def test_sae_anti_clogging(dev, apdev):
    """SAE anti clogging"""
    # Two stations authenticate with SAE against one AP that has
    # sae_anti_clogging_threshold set to '1'; both must end up connected.
    # Per hostapd.conf, that setting is the number of open SAE instances
    # allowed before the anti-clogging (token) mechanism is taken into use.
    # NOTE(review): nothing below checks that a token was actually requested;
    # the test only proves that connections still succeed with the low
    # threshold configured.
    if "SAE" not in dev[0].get_capability("auth_alg"):
        # Only dev[0] is probed for SAE support, although dev[1] is used too.
        raise HwsimSkip("SAE not supported")
    params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
    params['wpa_key_mgmt'] = 'SAE'
    params['sae_anti_clogging_threshold'] = '1'
    hostapd.add_ap(apdev[0], params)

    # An empty value is sent for sae_groups on both stations; presumably this
    # restores the default group list - confirm against wpa_supplicant.
    dev[0].request("SET sae_groups ")
    dev[1].request("SET sae_groups ")
    # NOTE(review): `id` is indexed below, but this listing shows no
    # assignment to it (the page skips source line 214); as shown the name
    # would resolve to the builtin id(). Confirm against the upstream file.
    for i in range(0, 2):
        # Scan and add the network profile without starting a connection yet.
        dev[i].scan(freq="2412")
        id[i] = dev[i].connect("test-sae", psk="12345678", key_mgmt="SAE",
                               scan_freq="2412", only_add_network=True)
    # Selection happens in a separate pass, presumably so that the two SAE
    # exchanges start back to back and overlap at the AP.
    for i in range(0, 2):
        dev[i].select_network(id[i])
    for i in range(0, 2):
        dev[i].wait_connected(timeout=10)
224 def test_sae_forced_anti_clogging(dev
, apdev
):
225 """SAE anti clogging (forced)"""
226 if "SAE" not in dev
[0].get_capability("auth_alg"):
227 raise HwsimSkip("SAE not supported")
228 params
= hostapd
.wpa2_params(ssid
="test-sae", passphrase
="12345678")
229 params
['wpa_key_mgmt'] = 'SAE WPA-PSK'
230 params
['sae_anti_clogging_threshold'] = '0'
231 hostapd
.add_ap(apdev
[0], params
)
232 dev
[2].connect("test-sae", psk
="12345678", scan_freq
="2412")
233 for i
in range(0, 2):
234 dev
[i
].request("SET sae_groups ")
235 dev
[i
].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
238 def test_sae_mixed(dev
, apdev
):
239 """Mixed SAE and non-SAE network"""
240 if "SAE" not in dev
[0].get_capability("auth_alg"):
241 raise HwsimSkip("SAE not supported")
242 params
= hostapd
.wpa2_params(ssid
="test-sae", passphrase
="12345678")
243 params
['wpa_key_mgmt'] = 'SAE WPA-PSK'
244 params
['sae_anti_clogging_threshold'] = '0'
245 hostapd
.add_ap(apdev
[0], params
)
247 dev
[2].connect("test-sae", psk
="12345678", scan_freq
="2412")
248 for i
in range(0, 2):
249 dev
[i
].request("SET sae_groups ")
250 dev
[i
].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
254 def test_sae_missing_password(dev
, apdev
):
255 """SAE and missing password"""
256 if "SAE" not in dev
[0].get_capability("auth_alg"):
257 raise HwsimSkip("SAE not supported")
258 params
= hostapd
.wpa2_params(ssid
="test-sae",
259 passphrase
="12345678")
260 params
['wpa_key_mgmt'] = 'SAE'
261 hapd
= hostapd
.add_ap(apdev
[0], params
)
263 dev
[0].request("SET sae_groups ")
264 id = dev
[0].connect("test-sae",
265 raw_psk
="46b4a73b8a951ad53ebd2e0afdb9c5483257edd4c21d12b7710759da70945858",
266 key_mgmt
="SAE", scan_freq
="2412", wait_connect
=False)
267 ev
= dev
[0].wait_event(['CTRL-EVENT-SSID-TEMP-DISABLED'], timeout
=10)
269 raise Exception("Invalid network not temporarily disabled")
272 def test_sae_key_lifetime_in_memory(dev
, apdev
, params
):
273 """SAE and key lifetime in memory"""
274 if "SAE" not in dev
[0].get_capability("auth_alg"):
275 raise HwsimSkip("SAE not supported")
276 password
= "5ad144a7c1f5a5503baa6fa01dabc15b1843e8c01662d78d16b70b5cd23cf8b"
277 p
= hostapd
.wpa2_params(ssid
="test-sae", passphrase
=password
)
278 p
['wpa_key_mgmt'] = 'SAE'
279 hapd
= hostapd
.add_ap(apdev
[0], p
)
281 pid
= find_wpas_process(dev
[0])
283 dev
[0].request("SET sae_groups ")
284 id = dev
[0].connect("test-sae", psk
=password
, key_mgmt
="SAE",
287 # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
288 # event has been delivered, so verify that wpa_supplicant has returned to
289 # eloop before reading process memory.
292 buf
= read_process_memory(pid
, password
)
294 dev
[0].request("DISCONNECT")
295 dev
[0].wait_disconnected()
304 with
open(os
.path
.join(params
['logdir'], 'log0'), 'r') as f
:
305 for l
in f
.readlines():
306 if "SAE: k - hexdump" in l
:
307 val
= l
.strip().split(':')[3].replace(' ', '')
308 sae_k
= binascii
.unhexlify(val
)
309 if "SAE: keyseed - hexdump" in l
:
310 val
= l
.strip().split(':')[3].replace(' ', '')
311 sae_keyseed
= binascii
.unhexlify(val
)
312 if "SAE: KCK - hexdump" in l
:
313 val
= l
.strip().split(':')[3].replace(' ', '')
314 sae_kck
= binascii
.unhexlify(val
)
315 if "SAE: PMK - hexdump" in l
:
316 val
= l
.strip().split(':')[3].replace(' ', '')
317 pmk
= binascii
.unhexlify(val
)
318 if "WPA: PTK - hexdump" in l
:
319 val
= l
.strip().split(':')[3].replace(' ', '')
320 ptk
= binascii
.unhexlify(val
)
321 if "WPA: Group Key - hexdump" in l
:
322 val
= l
.strip().split(':')[3].replace(' ', '')
323 gtk
= binascii
.unhexlify(val
)
324 if not sae_k
or not sae_keyseed
or not sae_kck
or not pmk
or not ptk
or not gtk
:
325 raise Exception("Could not find keys from debug log")
327 raise Exception("Unexpected GTK length")
333 fname
= os
.path
.join(params
['logdir'],
334 'sae_key_lifetime_in_memory.memctx-')
336 logger
.info("Checking keys in memory while associated")
337 get_key_locations(buf
, password
, "Password")
338 get_key_locations(buf
, pmk
, "PMK")
339 if password
not in buf
:
340 raise HwsimSkip("Password not found while associated")
342 raise HwsimSkip("PMK not found while associated")
344 raise Exception("KCK not found while associated")
346 raise Exception("KEK not found while associated")
348 # raise Exception("TK found from memory")
349 verify_not_present(buf
, sae_k
, fname
, "SAE(k)")
350 verify_not_present(buf
, sae_keyseed
, fname
, "SAE(keyseed)")
351 verify_not_present(buf
, sae_kck
, fname
, "SAE(KCK)")
353 logger
.info("Checking keys in memory after disassociation")
354 buf
= read_process_memory(pid
, password
)
356 # Note: Password is still present in network configuration
357 # Note: PMK is in PMKSA cache
359 get_key_locations(buf
, password
, "Password")
360 get_key_locations(buf
, pmk
, "PMK")
361 verify_not_present(buf
, kck
, fname
, "KCK")
362 verify_not_present(buf
, kek
, fname
, "KEK")
363 verify_not_present(buf
, tk
, fname
, "TK")
365 get_key_locations(buf
, gtk
, "GTK")
366 verify_not_present(buf
, gtk
, fname
, "GTK")
367 verify_not_present(buf
, sae_k
, fname
, "SAE(k)")
368 verify_not_present(buf
, sae_keyseed
, fname
, "SAE(keyseed)")
369 verify_not_present(buf
, sae_kck
, fname
, "SAE(KCK)")
371 dev
[0].request("PMKSA_FLUSH")
372 logger
.info("Checking keys in memory after PMKSA cache flush")
373 buf
= read_process_memory(pid
, password
)
374 get_key_locations(buf
, password
, "Password")
375 get_key_locations(buf
, pmk
, "PMK")
376 verify_not_present(buf
, pmk
, fname
, "PMK")
378 dev
[0].request("REMOVE_NETWORK all")
380 logger
.info("Checking keys in memory after network profile removal")
381 buf
= read_process_memory(pid
, password
)
383 get_key_locations(buf
, password
, "Password")
384 get_key_locations(buf
, pmk
, "PMK")
385 verify_not_present(buf
, password
, fname
, "password")
386 verify_not_present(buf
, pmk
, fname
, "PMK")
387 verify_not_present(buf
, kck
, fname
, "KCK")
388 verify_not_present(buf
, kek
, fname
, "KEK")
389 verify_not_present(buf
, tk
, fname
, "TK")
390 verify_not_present(buf
, gtk
, fname
, "GTK")
391 verify_not_present(buf
, sae_k
, fname
, "SAE(k)")
392 verify_not_present(buf
, sae_keyseed
, fname
, "SAE(keyseed)")
393 verify_not_present(buf
, sae_kck
, fname
, "SAE(KCK)")
396 def test_sae_oom_wpas(dev
, apdev
):
397 """SAE and OOM in wpa_supplicant"""
398 if "SAE" not in dev
[0].get_capability("auth_alg"):
399 raise HwsimSkip("SAE not supported")
400 params
= hostapd
.wpa2_params(ssid
="test-sae",
401 passphrase
="12345678")
402 params
['wpa_key_mgmt'] = 'SAE'
403 hapd
= hostapd
.add_ap(apdev
[0], params
)
405 dev
[0].request("SET sae_groups 25")
406 tls
= dev
[0].request("GET tls_library")
407 if "BoringSSL" in tls
:
408 dev
[0].request("SET sae_groups 26")
409 with
alloc_fail(dev
[0], 1, "sae_set_group"):
410 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
412 dev
[0].request("REMOVE_NETWORK all")
414 dev
[0].request("SET sae_groups ")
415 with
alloc_fail(dev
[0], 2, "sae_set_group"):
416 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
418 dev
[0].request("REMOVE_NETWORK all")
420 with
alloc_fail(dev
[0], 1, "wpabuf_alloc;sme_auth_build_sae_commit"):
421 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
423 dev
[0].request("REMOVE_NETWORK all")
425 with
alloc_fail(dev
[0], 1, "wpabuf_alloc;sme_auth_build_sae_confirm"):
426 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
427 scan_freq
="2412", wait_connect
=False)
428 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
429 dev
[0].request("REMOVE_NETWORK all")
431 with
alloc_fail(dev
[0], 1, "=sme_authenticate"):
432 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
433 scan_freq
="2412", wait_connect
=False)
434 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
435 dev
[0].request("REMOVE_NETWORK all")
437 with
alloc_fail(dev
[0], 1, "radio_add_work;sme_authenticate"):
438 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
439 scan_freq
="2412", wait_connect
=False)
440 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
441 dev
[0].request("REMOVE_NETWORK all")
444 def test_sae_proto_ecc(dev
, apdev
):
445 """SAE protocol testing (ECC)"""
446 if "SAE" not in dev
[0].get_capability("auth_alg"):
447 raise HwsimSkip("SAE not supported")
448 params
= hostapd
.wpa2_params(ssid
="test-sae",
449 passphrase
="12345678")
450 params
['wpa_key_mgmt'] = 'SAE'
451 hapd
= hostapd
.add_ap(apdev
[0], params
)
452 bssid
= apdev
[0]['bssid']
454 dev
[0].request("SET sae_groups 19")
456 tests
= [ ("Confirm mismatch",
457 "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
458 "0000800edebc3f260dc1fe7e0b20888af2b8a3316252ec37388a8504e25b73dc4240"),
459 ("Commit without even full cyclic group field",
463 "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02",
465 ("Invalid commit scalar (0)",
466 "1300" + "0000000000000000000000000000000000000000000000000000000000000000" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
468 ("Invalid commit scalar (1)",
469 "1300" + "0000000000000000000000000000000000000000000000000000000000000001" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
471 ("Invalid commit scalar (> r)",
472 "1300" + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
474 ("Commit element not on curve",
475 "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728d0000000000000000000000000000000000000000000000000000000000000000",
477 ("Invalid commit element (y coordinate > P)",
478 "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
480 ("Invalid commit element (x coordinate > P)",
481 "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
483 ("Different group in commit",
484 "1400" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
486 ("Too short confirm",
487 "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
488 "0000800edebc3f260dc1fe7e0b20888af2b8a3316252ec37388a8504e25b73dc42")]
489 for (note
, commit
, confirm
) in tests
:
491 dev
[0].scan_for_bss(bssid
, freq
=2412)
492 hapd
.set("ext_mgmt_frame_handling", "1")
493 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
494 scan_freq
="2412", wait_connect
=False)
496 logger
.info("Commit")
497 for i
in range(0, 10):
500 raise Exception("MGMT RX wait timed out (commit)")
501 if req
['subtype'] == 11:
505 raise Exception("Authentication frame (commit) not received")
509 resp
['fc'] = req
['fc']
510 resp
['da'] = req
['sa']
511 resp
['sa'] = req
['da']
512 resp
['bssid'] = req
['bssid']
513 resp
['payload'] = binascii
.unhexlify("030001000000" + commit
)
517 logger
.info("Confirm")
518 for i
in range(0, 10):
521 raise Exception("MGMT RX wait timed out (confirm)")
522 if req
['subtype'] == 11:
526 raise Exception("Authentication frame (confirm) not received")
530 resp
['fc'] = req
['fc']
531 resp
['da'] = req
['sa']
532 resp
['sa'] = req
['da']
533 resp
['bssid'] = req
['bssid']
534 resp
['payload'] = binascii
.unhexlify("030002000000" + confirm
)
538 dev
[0].request("REMOVE_NETWORK all")
539 hapd
.set("ext_mgmt_frame_handling", "0")
543 def test_sae_proto_ffc(dev
, apdev
):
544 """SAE protocol testing (FFC)"""
545 if "SAE" not in dev
[0].get_capability("auth_alg"):
546 raise HwsimSkip("SAE not supported")
547 params
= hostapd
.wpa2_params(ssid
="test-sae",
548 passphrase
="12345678")
549 params
['wpa_key_mgmt'] = 'SAE'
550 hapd
= hostapd
.add_ap(apdev
[0], params
)
551 bssid
= apdev
[0]['bssid']
553 dev
[0].request("SET sae_groups 2")
555 tests
= [ ("Confirm mismatch",
556 "0200" + "0c70519d874e3e4930a917cc5e17ea7a26028211159f217bab28b8d6c56691805e49f03249b2c6e22c7c9f86b30e04ccad2deedd5e5108ae07b737c00001c59cd0eb08b1dfc7f1b06a1542e2b6601a963c066e0c65940983a03917ae57a101ce84b5cbbc76ff33ebb990aac2e54aa0f0ab6ec0a58113d927683502b2cb2347d2" + "a8c00117493cdffa5dd671e934bc9cb1a69f39e25e9dd9cd9afd3aea2441a0f5491211c7ba50a753563f9ce943b043557cb71193b28e86ed9544f4289c471bf91b70af5c018cf4663e004165b0fd0bc1d8f3f78adf42eee92bcbc55246fd3ee9f107ab965dc7d4986f23eb71d616ebfe6bfe0a6c1ac5dc1718acee17c9a17486",
557 "0000f3116a9731f1259622e3eb55d4b3b50ba16f8c5f5565b28e609b180c51460251"),
559 "0200" + "0c70519d874e3e4930a917cc5e17ea7a26028211159f217bab28b8d6c56691805e49f03249b2c6e22c7c9f86b30e04ccad2deedd5e5108ae07b737c00001c59cd0eb08b1dfc7f1b06a1542e2b6601a963c066e0c65940983a03917ae57a101ce84b5cbbc76ff33ebb990aac2e54aa0f0ab6ec0a58113d927683502b2cb2347d2" + "a8c00117493cdffa5dd671e934bc9cb1a69f39e25e9dd9cd9afd3aea2441a0f5491211c7ba50a753563f9ce943b043557cb71193b28e86ed9544f4289c471bf91b70af5c018cf4663e004165b0fd0bc1d8f3f78adf42eee92bcbc55246fd3ee9f107ab965dc7d4986f23eb71d616ebfe6bfe0a6c1ac5dc1718acee17c9a174",
561 ("Invalid element (0) in commit",
562 "0200" + "0c70519d874e3e4930a917cc5e17ea7a26028211159f217bab28b8d6c56691805e49f03249b2c6e22c7c9f86b30e04ccad2deedd5e5108ae07b737c00001c59cd0eb08b1dfc7f1b06a1542e2b6601a963c066e0c65940983a03917ae57a101ce84b5cbbc76ff33ebb990aac2e54aa0f0ab6ec0a58113d927683502b2cb2347d2" + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
564 ("Invalid element (1) in commit",
565 "0200" + "0c70519d874e3e4930a917cc5e17ea7a26028211159f217bab28b8d6c56691805e49f03249b2c6e22c7c9f86b30e04ccad2deedd5e5108ae07b737c00001c59cd0eb08b1dfc7f1b06a1542e2b6601a963c066e0c65940983a03917ae57a101ce84b5cbbc76ff33ebb990aac2e54aa0f0ab6ec0a58113d927683502b2cb2347d2" + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001",
567 ("Invalid element (> P) in commit",
568 "0200" + "0c70519d874e3e4930a917cc5e17ea7a26028211159f217bab28b8d6c56691805e49f03249b2c6e22c7c9f86b30e04ccad2deedd5e5108ae07b737c00001c59cd0eb08b1dfc7f1b06a1542e2b6601a963c066e0c65940983a03917ae57a101ce84b5cbbc76ff33ebb990aac2e54aa0f0ab6ec0a58113d927683502b2cb2347d2" + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
570 for (note
, commit
, confirm
) in tests
:
572 dev
[0].scan_for_bss(bssid
, freq
=2412)
573 hapd
.set("ext_mgmt_frame_handling", "1")
574 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
575 scan_freq
="2412", wait_connect
=False)
577 logger
.info("Commit")
578 for i
in range(0, 10):
581 raise Exception("MGMT RX wait timed out (commit)")
582 if req
['subtype'] == 11:
586 raise Exception("Authentication frame (commit) not received")
590 resp
['fc'] = req
['fc']
591 resp
['da'] = req
['sa']
592 resp
['sa'] = req
['da']
593 resp
['bssid'] = req
['bssid']
594 resp
['payload'] = binascii
.unhexlify("030001000000" + commit
)
598 logger
.info("Confirm")
599 for i
in range(0, 10):
602 raise Exception("MGMT RX wait timed out (confirm)")
603 if req
['subtype'] == 11:
607 raise Exception("Authentication frame (confirm) not received")
611 resp
['fc'] = req
['fc']
612 resp
['da'] = req
['sa']
613 resp
['sa'] = req
['da']
614 resp
['bssid'] = req
['bssid']
615 resp
['payload'] = binascii
.unhexlify("030002000000" + confirm
)
619 dev
[0].request("REMOVE_NETWORK all")
620 hapd
.set("ext_mgmt_frame_handling", "0")
def test_sae_proto_hostapd(dev, apdev):
    """SAE protocol testing with hostapd"""
    # Feeds hand-built SAE Authentication (commit) frames straight into hostapd
    # through the MGMT_RX_PROCESS control command to exercise its commit
    # parsing and rejection paths. No station device is involved; `dev` is not
    # referenced in this function.
    # NOTE(review): none of the hapd.request() results are checked. The quoted
    # strings in the comments below look like the hostapd debug messages each
    # frame is meant to trigger; confirm against the hostapd log. As written,
    # the test would not notice a malformed commit being accepted.
    params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
    params['wpa_key_mgmt'] = 'SAE'
    # 65535 is enabled on the AP next to group 19; it is the group value
    # ("ffff") carried by the last two frames.
    params['sae_groups'] = "19 65535"
    hapd = hostapd.add_ap(apdev[0], params)
    # Enabled before any frame is injected, so the only Authentication frames
    # hostapd handles here are the ones passed in explicitly below.
    hapd.set("ext_mgmt_frame_handling", "1")
    bssid = hapd.own_addr().replace(':', '')
    # Two locally administered addresses acting as two distinct peers.
    addr = "020000000000"
    addr2 = "020000000001"
    # Management header as hex: frame control "b000" (Authentication),
    # duration "3a01", DA = BSSID, SA = peer address, BSSID, sequence
    # control "1000".
    hdr = "b0003a01" + bssid + addr + bssid + "1000"
    hdr2 = "b0003a01" + bssid + addr2 + bssid + "1000"
    # NOTE(review): `group` is used below but no assignment to it appears in
    # this listing (the page skips source line 635); confirm against the
    # upstream file.
    scalar = "f7df19f4a7fef1d3b895ea1de150b7c5a7a705c8ebb31a52b623e0057908bd93"
    element_x = "21931572027f2e953e2a49fab3d992944102cc95aa19515fc068b394fb25ae3c"
    element_y = "cb4eeb94d7b0b789abfdb73a67ab9d6d5efa94dd553e0e724a6289821cbce530"
    # "030001000000" is the fixed Authentication body prefix: algorithm 3
    # (SAE), transaction sequence 1 (commit), status 0. This first frame is a
    # full-length commit: group + scalar + element (x, y).
    hapd.request("MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + hdr + "030001000000" + group + scalar + element_x + element_y)
    # "SAE: Not enough data for scalar"
    # Same peer; the scalar is cut short by one byte and no element follows.
    hapd.request("MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + hdr + "030001000000" + group + scalar[:-2])
    # "SAE: Do not allow group to be changed"
    # Same peer again, now announcing group 0xffff instead of `group`.
    hapd.request("MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + hdr + "030001000000" + "ffff" + scalar[:-2])
    # "SAE: Unsupported Finite Cyclic Group 65535"
    # A second peer (addr2) with no earlier exchange asks for group 0xffff.
    hapd.request("MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + hdr2 + "030001000000" + "ffff" + scalar[:-2])
648 def test_sae_no_ffc_by_default(dev
, apdev
):
649 """SAE and default groups rejecting FFC"""
650 if "SAE" not in dev
[0].get_capability("auth_alg"):
651 raise HwsimSkip("SAE not supported")
652 params
= hostapd
.wpa2_params(ssid
="test-sae", passphrase
="12345678")
653 params
['wpa_key_mgmt'] = 'SAE'
654 hapd
= hostapd
.add_ap(apdev
[0], params
)
656 dev
[0].request("SET sae_groups 5")
657 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE", scan_freq
="2412",
659 ev
= dev
[0].wait_event(["SME: Trying to authenticate"], timeout
=3)
661 raise Exception("Did not try to authenticate")
662 ev
= dev
[0].wait_event(["SME: Trying to authenticate"], timeout
=3)
664 raise Exception("Did not try to authenticate (2)")
665 dev
[0].request("REMOVE_NETWORK all")
667 def sae_reflection_attack(apdev
, dev
, group
):
668 if "SAE" not in dev
.get_capability("auth_alg"):
669 raise HwsimSkip("SAE not supported")
670 params
= hostapd
.wpa2_params(ssid
="test-sae",
671 passphrase
="no-knowledge-of-passphrase")
672 params
['wpa_key_mgmt'] = 'SAE'
673 hapd
= hostapd
.add_ap(apdev
, params
)
674 bssid
= apdev
['bssid']
676 dev
.scan_for_bss(bssid
, freq
=2412)
677 hapd
.set("ext_mgmt_frame_handling", "1")
679 dev
.request("SET sae_groups %d" % group
)
680 dev
.connect("test-sae", psk
="reflection-attack", key_mgmt
="SAE",
681 scan_freq
="2412", wait_connect
=False)
684 for i
in range(0, 10):
687 raise Exception("MGMT RX wait timed out")
688 if req
['subtype'] == 11:
692 raise Exception("Authentication frame not received")
695 resp
['fc'] = req
['fc']
696 resp
['da'] = req
['sa']
697 resp
['sa'] = req
['da']
698 resp
['bssid'] = req
['bssid']
699 resp
['payload'] = req
['payload']
703 req
= hapd
.mgmt_rx(timeout
=0.5)
705 if req
['subtype'] == 11:
706 raise Exception("Unexpected Authentication frame seen")
def test_sae_reflection_attack_ecc(dev, apdev):
    """SAE reflection attack (ECC)"""
    # Negative test for the ECC case: run the shared reflection scenario on
    # the first AP/station pair with SAE group 19. As far as this listing
    # shows, sae_reflection_attack() sends the station's own Authentication
    # payload back to it and raises if the station then transmits another
    # Authentication frame.
    access_point = apdev[0]
    station = dev[0]
    sae_reflection_attack(access_point, station, 19)
def test_sae_reflection_attack_ffc(dev, apdev):
    """SAE reflection attack (FFC)"""
    # Negative test for the FFC case: same shared reflection scenario as the
    # ECC variant, but with SAE group 5. As far as this listing shows,
    # sae_reflection_attack() echoes the station's own Authentication payload
    # and raises if the station answers with another Authentication frame.
    access_point = apdev[0]
    station = dev[0]
    sae_reflection_attack(access_point, station, 5)
718 def sae_reflection_attack_internal(apdev
, dev
, group
):
719 if "SAE" not in dev
.get_capability("auth_alg"):
720 raise HwsimSkip("SAE not supported")
721 params
= hostapd
.wpa2_params(ssid
="test-sae",
722 passphrase
="no-knowledge-of-passphrase")
723 params
['wpa_key_mgmt'] = 'SAE'
724 params
['sae_reflection_attack'] = '1'
725 hapd
= hostapd
.add_ap(apdev
, params
)
726 bssid
= apdev
['bssid']
728 dev
.scan_for_bss(bssid
, freq
=2412)
729 dev
.request("SET sae_groups %d" % group
)
730 dev
.connect("test-sae", psk
="reflection-attack", key_mgmt
="SAE",
731 scan_freq
="2412", wait_connect
=False)
732 ev
= dev
.wait_event(["CTRL-EVENT-CONNECTED"], timeout
=1)
734 raise Exception("Unexpected connection")
def test_sae_reflection_attack_ecc_internal(dev, apdev):
    """SAE reflection attack (ECC) - internal"""
    # ECC case (SAE group 19) of the variant where hostapd itself is put into
    # its 'sae_reflection_attack' test mode by the helper, rather than the
    # script building the reply frame. The helper's "Unexpected connection"
    # error indicates that the station must not complete the connection.
    access_point = apdev[0]
    station = dev[0]
    sae_reflection_attack_internal(access_point, station, 19)
def test_sae_reflection_attack_ffc_internal(dev, apdev):
    """SAE reflection attack (FFC) - internal"""
    # FFC case (SAE group 5) of the variant where hostapd itself is put into
    # its 'sae_reflection_attack' test mode by the helper. The helper's
    # "Unexpected connection" error indicates that the station must not
    # complete the connection.
    access_point = apdev[0]
    station = dev[0]
    sae_reflection_attack_internal(access_point, station, 5)
747 def test_sae_commit_override(dev
, apdev
):
748 """SAE commit override (hostapd)"""
749 if "SAE" not in dev
[0].get_capability("auth_alg"):
750 raise HwsimSkip("SAE not supported")
751 params
= hostapd
.wpa2_params(ssid
="test-sae",
752 passphrase
="12345678")
753 params
['wpa_key_mgmt'] = 'SAE'
754 params
['sae_commit_override'] = '13ffbad00d215867a7c5ff37d87bb9bdb7cb116e520f71e8d7a794ca2606d537ddc6c099c40e7a25372b80a8fd443cd7dd222c8ea21b8ef372d4b3e316c26a73fd999cc79ad483eb826e7b3893ea332da68fa13224bcdeb4fb18b0584dd100a2c514'
755 hapd
= hostapd
.add_ap(apdev
[0], params
)
756 dev
[0].request("SET sae_groups ")
757 dev
[0].connect("test-sae", psk
="test-sae", key_mgmt
="SAE",
758 scan_freq
="2412", wait_connect
=False)
759 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout
=1)
761 raise Exception("Unexpected connection")
764 def test_sae_commit_override2(dev
, apdev
):
765 """SAE commit override (wpa_supplicant)"""
766 if "SAE" not in dev
[0].get_capability("auth_alg"):
767 raise HwsimSkip("SAE not supported")
768 params
= hostapd
.wpa2_params(ssid
="test-sae",
769 passphrase
="12345678")
770 params
['wpa_key_mgmt'] = 'SAE'
771 hapd
= hostapd
.add_ap(apdev
[0], params
)
772 dev
[0].request("SET sae_groups ")
773 dev
[0].set('sae_commit_override', '13ffbad00d215867a7c5ff37d87bb9bdb7cb116e520f71e8d7a794ca2606d537ddc6c099c40e7a25372b80a8fd443cd7dd222c8ea21b8ef372d4b3e316c26a73fd999cc79ad483eb826e7b3893ea332da68fa13224bcdeb4fb18b0584dd100a2c514')
774 dev
[0].connect("test-sae", psk
="test-sae", key_mgmt
="SAE",
775 scan_freq
="2412", wait_connect
=False)
776 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout
=1)
778 raise Exception("Unexpected connection")
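def test_sae_anti_clogging_proto(dev, apdev):
    """SAE anti clogging protocol testing"""
    # Station-side robustness check: the test script answers the station's
    # SAE commit itself with a hand-built anti-clogging token request and
    # then verifies that the station does not continue the exchange.
    #
    # NOTE(review): several lines of this function are missing from the page
    # listing (loop bodies, guards, the response dict and its transmission).
    # They are restored below from the surrounding structure - confirm
    # against upstream tests/hwsim/test_sae.py.
    if "SAE" not in dev[0].get_capability("auth_alg"):
        raise HwsimSkip("SAE not supported")
    params = hostapd.wpa2_params(ssid="test-sae",
                                 passphrase="no-knowledge-of-passphrase")
    params['wpa_key_mgmt'] = 'SAE'
    hapd = hostapd.add_ap(apdev[0], params)
    bssid = apdev[0]['bssid']

    dev[0].scan_for_bss(bssid, freq=2412)
    # presumably routes received management frames to this script instead of
    # hostapd's own processing, so no genuine SAE reply is generated
    hapd.set("ext_mgmt_frame_handling", "1")

    dev[0].request("SET sae_groups ")
    dev[0].connect("test-sae", psk="anti-cloggign", key_mgmt="SAE",
                   scan_freq="2412", wait_connect=False)

    # Commit: look at up to ten received frames for an Authentication frame
    # (management subtype 11).
    for i in range(0, 10):
        req = hapd.mgmt_rx()
        if req is None:
            raise Exception("MGMT RX wait timed out")
        if req['subtype'] == 11:
            break
        req = None
    if not req:
        raise Exception("Authentication frame not received")

    # Build the reply by mirroring the addressing of the received frame.
    resp = {}
    resp['fc'] = req['fc']
    resp['da'] = req['sa']
    resp['sa'] = req['da']
    resp['bssid'] = req['bssid']
    # Authentication frame body, little-endian fields: algorithm 3 (SAE),
    # transaction 1, status 0x004c (76, anti-clogging token required),
    # then group 0xffff and a single token octet.
    resp['payload'] = binascii.unhexlify("030001004c00" + "ffff00")
    hapd.mgmt_tx(resp)

    # Confirm (not received due to DH group being rejected)
    req = hapd.mgmt_rx(timeout=0.5)
    if req is not None:
        if req['subtype'] == 11:
            raise Exception("Unexpected Authentication frame seen")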
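def test_sae_no_random(dev, apdev):
    """SAE and no random numbers available"""
    # Fault injection on the station: each entry names os_get_random as used
    # from one SAE routine. The point of interest for a reviewer is that a
    # failing random number source makes the SAE attempt fail rather than
    # continue with predictable values.
    # NOTE(review): fail_test() comes from utils and is not shown here; the
    # "callee;caller" reading of the strings is inferred - confirm.
    if "SAE" not in dev[0].get_capability("auth_alg"):
        raise HwsimSkip("SAE not supported")
    params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
    params['wpa_key_mgmt'] = 'SAE'
    hapd = hostapd.add_ap(apdev[0], params)

    dev[0].request("SET sae_groups ")
    tests = [(1, "os_get_random;sae_get_rand"),
             (1, "os_get_random;get_rand_1_to_p_1"),
             (1, "os_get_random;get_random_qr_qnr"),
             (1, "os_get_random;sae_derive_pwe_ecc")]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            # NOTE(review): the continuation line of this call is missing
            # from the page listing; scan_freq="2412" is restored to match
            # the other connect() calls in this file - confirm.
            dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
                           scan_freq="2412")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()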
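def test_sae_pwe_failure(dev, apdev):
    """SAE and pwe failure"""
    # Fault injection in the password element (PWE) derivation on the
    # station, first for group 19 (the *_ecc routines) and then for group 5
    # (the *_ffc routines). The AP accepts both groups.
    # NOTE(review): fail_test() comes from utils and is not shown here; how
    # the count and function string are interpreted is not visible - confirm.
    if "SAE" not in dev[0].get_capability("auth_alg"):
        raise HwsimSkip("SAE not supported")
    params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
    params['wpa_key_mgmt'] = 'SAE'
    params['sae_groups'] = '19 5'
    hapd = hostapd.add_ap(apdev[0], params)

    # (station sae_groups value, failures to inject while it is selected).
    # Group 5 is set twice, exactly as in the original sequence.
    steps = [("19", [(1, "hmac_sha256_vector;sae_derive_pwe_ecc"),
                     (1, "sae_test_pwd_seed_ecc")]),
             ("5", [(1, "hmac_sha256_vector;sae_derive_pwe_ffc")]),
             ("5", [(1, "sae_test_pwd_seed_ffc"),
                    (2, "sae_test_pwd_seed_ffc")])]
    for group, failures in steps:
        dev[0].request("SET sae_groups " + group)
        for count, func in failures:
            with fail_test(dev[0], count, func):
                # NOTE(review): the continuation line of each connect() call
                # is missing from the page listing; scan_freq="2412" is
                # restored to match the other calls in this file - confirm.
                dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
                               scan_freq="2412")
                dev[0].request("REMOVE_NETWORK all")
                dev[0].wait_disconnected()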
def test_sae_bignum_failure(dev, apdev):
    """SAE and bignum failure"""
    # Walks through failures of the big number and EC point primitives used
    # by the SAE code, one injected failure per connection attempt, for
    # groups 19, 5 and 22 in that order.
    # NOTE(review): fail_test() and wait_fail_trigger() come from utils and
    # are not shown here; the strings look like "callee;caller" patterns -
    # confirm. The page lost indentation, so the nesting of the three calls
    # under "with" is reconstructed.
    if "SAE" not in dev[0].get_capability("auth_alg"):
        raise HwsimSkip("SAE not supported")
    params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
    params['wpa_key_mgmt'] = 'SAE'
    params['sae_groups'] = '19 5 22'
    hapd = hostapd.add_ap(apdev[0], params)

    group19 = [
        (1, "crypto_bignum_init_set;get_rand_1_to_p_1"),
        (1, "crypto_bignum_init;is_quadratic_residue_blind"),
        (1, "crypto_bignum_mulmod;is_quadratic_residue_blind"),
        (2, "crypto_bignum_mulmod;is_quadratic_residue_blind"),
        (3, "crypto_bignum_mulmod;is_quadratic_residue_blind"),
        (1, "crypto_bignum_legendre;is_quadratic_residue_blind"),
        (1, "crypto_bignum_init_set;sae_test_pwd_seed_ecc"),
        (1, "crypto_ec_point_compute_y_sqr;sae_test_pwd_seed_ecc"),
        (1, "crypto_bignum_init_set;get_random_qr_qnr"),
        (1, "crypto_bignum_to_bin;sae_derive_pwe_ecc"),
        (1, "crypto_ec_point_init;sae_derive_pwe_ecc"),
        (1, "crypto_ec_point_solve_y_coord;sae_derive_pwe_ecc"),
        (1, "crypto_ec_point_init;sae_derive_commit_element_ecc"),
        (1, "crypto_ec_point_mul;sae_derive_commit_element_ecc"),
        (1, "crypto_ec_point_invert;sae_derive_commit_element_ecc"),
        (1, "crypto_bignum_init;=sae_derive_commit"),
        (1, "crypto_ec_point_init;sae_derive_k_ecc"),
        (1, "crypto_ec_point_mul;sae_derive_k_ecc"),
        (1, "crypto_ec_point_add;sae_derive_k_ecc"),
        (2, "crypto_ec_point_mul;sae_derive_k_ecc"),
        (1, "crypto_ec_point_to_bin;sae_derive_k_ecc"),
        (1, "crypto_bignum_legendre;get_random_qr_qnr"),
        (1, "sha256_prf;sae_derive_keys"),
        (1, "crypto_bignum_init;sae_derive_keys"),
        (1, "crypto_bignum_init_set;sae_parse_commit_scalar"),
        (1, "crypto_bignum_to_bin;sae_parse_commit_element_ecc"),
        (1, "crypto_ec_point_from_bin;sae_parse_commit_element_ecc"),
    ]
    group5 = [
        (1, "crypto_bignum_init_set;sae_set_group"),
        (2, "crypto_bignum_init_set;sae_set_group"),
        (1, "crypto_bignum_init_set;sae_get_rand"),
        (1, "crypto_bignum_init_set;sae_test_pwd_seed_ffc"),
        (1, "crypto_bignum_exptmod;sae_test_pwd_seed_ffc"),
        (1, "crypto_bignum_init;sae_derive_pwe_ffc"),
        (1, "crypto_bignum_init;sae_derive_commit_element_ffc"),
        (1, "crypto_bignum_exptmod;sae_derive_commit_element_ffc"),
        (1, "crypto_bignum_inverse;sae_derive_commit_element_ffc"),
        (1, "crypto_bignum_init;sae_derive_k_ffc"),
        (1, "crypto_bignum_exptmod;sae_derive_k_ffc"),
        (1, "crypto_bignum_mulmod;sae_derive_k_ffc"),
        (2, "crypto_bignum_exptmod;sae_derive_k_ffc"),
        (1, "crypto_bignum_to_bin;sae_derive_k_ffc"),
        (1, "crypto_bignum_init_set;sae_parse_commit_element_ffc"),
        (1, "crypto_bignum_init;sae_parse_commit_element_ffc"),
        (2, "crypto_bignum_init_set;sae_parse_commit_element_ffc"),
        (1, "crypto_bignum_exptmod;sae_parse_commit_element_ffc"),
    ]
    group22 = [
        (1, "crypto_bignum_init_set;sae_test_pwd_seed_ffc"),
        (1, "crypto_bignum_sub;sae_test_pwd_seed_ffc"),
        (1, "crypto_bignum_div;sae_test_pwd_seed_ffc"),
    ]

    sta = dev[0]
    for group, failures in (("19", group19), ("5", group5),
                            ("22", group22)):
        sta.request("SET sae_groups " + group)
        for nth, where in failures:
            with fail_test(sta, nth, where):
                # Start the attempt without waiting for completion, wait for
                # the injected failure to be reported, then drop the network.
                sta.connect("test-sae", psk="12345678", key_mgmt="SAE",
                            scan_freq="2412", wait_connect=False)
                wait_fail_trigger(sta, "GET_FAIL")
                sta.request("REMOVE_NETWORK all")
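def test_sae_invalid_anti_clogging_token_req(dev, apdev):
    """SAE and invalid anti-clogging token request"""
    # Station-side robustness check: the test script answers two SAE commits
    # with hand-built Authentication frames and checks after each one that
    # the station starts a new authentication attempt.
    #
    # NOTE(review): many lines of this function are missing from the page
    # listing (guards, loop bodies, the response dict, its transmission and
    # one statement before each response). They are restored below from the
    # surrounding structure and the parallel test_sae_anti_clogging_proto -
    # confirm against upstream tests/hwsim/test_sae.py.
    if "SAE" not in dev[0].get_capability("auth_alg"):
        raise HwsimSkip("SAE not supported")
    params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
    params['wpa_key_mgmt'] = 'SAE'
    hapd = hostapd.add_ap(apdev[0], params)
    bssid = apdev[0]['bssid']

    dev[0].request("SET sae_groups 19")
    dev[0].scan_for_bss(bssid, freq=2412)
    # presumably routes received management frames to this script instead of
    # hostapd's own processing
    hapd.set("ext_mgmt_frame_handling", "1")
    dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["SME: Trying to authenticate"])
    if ev is None:
        raise Exception("No authentication attempt seen")
    dev[0].dump_monitor()

    # First commit: look at up to ten received frames for an Authentication
    # frame (management subtype 11).
    for i in range(0, 10):
        req = hapd.mgmt_rx()
        if req is None:
            raise Exception("MGMT RX wait timed out (commit)")
        if req['subtype'] == 11:
            break
        req = None
    if not req:
        raise Exception("Authentication frame (commit) not received")

    hapd.dump_monitor()
    resp = {}
    resp['fc'] = req['fc']
    resp['da'] = req['sa']
    resp['sa'] = req['da']
    resp['bssid'] = req['bssid']
    # Algorithm 3 (SAE), transaction 1, status 0x004c (76, anti-clogging
    # token required), followed by a single octet: too short to hold the
    # two-octet group field, which appears to be what makes it invalid.
    resp['payload'] = binascii.unhexlify("030001004c0013")
    hapd.mgmt_tx(resp)

    ev = dev[0].wait_event(["SME: Trying to authenticate"])
    if ev is None:
        raise Exception("No authentication attempt seen")
    dev[0].dump_monitor()

    # Second commit
    for i in range(0, 10):
        req = hapd.mgmt_rx()
        if req is None:
            raise Exception("MGMT RX wait timed out (commit) (2)")
        if req['subtype'] == 11:
            break
        req = None
    if not req:
        raise Exception("Authentication frame (commit) not received (2)")

    hapd.dump_monitor()
    resp = {}
    resp['fc'] = req['fc']
    resp['da'] = req['sa']
    resp['sa'] = req['da']
    resp['bssid'] = req['bssid']
    # Algorithm 3 (SAE), transaction 1, status 1 and nothing after the
    # fixed fields.
    resp['payload'] = binascii.unhexlify("030001000100")
    hapd.mgmt_tx(resp)

    ev = dev[0].wait_event(["SME: Trying to authenticate"])
    if ev is None:
        raise Exception("No authentication attempt seen")
    dev[0].dump_monitor()

    dev[0].request("DISCONNECT")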
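def test_sae_password(dev, apdev):
    """SAE and sae_password in hostapd configuration"""
    # The AP offers both SAE and WPA-PSK and is given an sae_password
    # ("sae-password") that differs from the PSK passphrase ("12345678").
    # Three stations then connect:
    #   dev[0] - SAE, password passed through the psk parameter
    #   dev[1] - the PSK passphrase, no key_mgmt argument given
    #   dev[2] - SAE, password passed through the sae_password parameter
    if "SAE" not in dev[0].get_capability("auth_alg"):
        raise HwsimSkip("SAE not supported")
    params = hostapd.wpa2_params(ssid="test-sae",
                                 passphrase="12345678")
    params['wpa_key_mgmt'] = 'SAE WPA-PSK'
    params['sae_password'] = "sae-password"
    hapd = hostapd.add_ap(apdev[0], params)

    # NOTE(review): the continuation lines of the two SAE connect() calls
    # are missing from the page listing; scan_freq="2412" is restored to
    # match the dev[1] call and the rest of this file - confirm.
    dev[0].request("SET sae_groups ")
    dev[0].connect("test-sae", psk="sae-password", key_mgmt="SAE",
                   scan_freq="2412")
    dev[1].connect("test-sae", psk="12345678", scan_freq="2412")
    dev[2].request("SET sae_groups ")
    dev[2].connect("test-sae", sae_password="sae-password", key_mgmt="SAE",
                   scan_freq="2412")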
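def test_sae_password_short(dev, apdev):
    """SAE and short password"""
    # The AP is created without a WPA passphrase and only with an
    # sae_password of six characters, i.e. shorter than the eight character
    # minimum of a WPA2 passphrase. This covers acceptance of such a
    # password; it says nothing about its strength.
    if "SAE" not in dev[0].get_capability("auth_alg"):
        raise HwsimSkip("SAE not supported")
    params = hostapd.wpa2_params(ssid="test-sae")
    params['wpa_key_mgmt'] = 'SAE'
    params['sae_password'] = "secret"
    hapd = hostapd.add_ap(apdev[0], params)

    dev[0].request("SET sae_groups ")
    # NOTE(review): the continuation line of this call is missing from the
    # page listing; scan_freq="2412" is restored to match the other
    # connect() calls in this file - confirm.
    dev[0].connect("test-sae", sae_password="secret", key_mgmt="SAE",
                   scan_freq="2412")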
1067 def test_sae_password_long(dev
, apdev
):
1068 """SAE and long password"""
1069 if "SAE" not in dev
[0].get_capability("auth_alg"):
1070 raise HwsimSkip("SAE not supported")
1071 params
= hostapd
.wpa2_params(ssid
="test-sae")
1072 params
['wpa_key_mgmt'] = 'SAE'
1073 params
['sae_password'] = 100*"A"
1074 hapd
= hostapd
.add_ap(apdev
[0], params
)
1076 dev
[0].request("SET sae_groups ")
1077 dev
[0].connect("test-sae", sae_password
=100*"A", key_mgmt
="SAE",