]>
git.ipfire.org Git - thirdparty/hostap.git/blob - tests/hwsim/test_sae.py
d54f0ec95e0f554bbcce7ceff85abc97443dfcd9
2 # Copyright (c) 2013-2020, Jouni Malinen <j@w1.fi>
4 # This software may be distributed under the terms of the BSD license.
5 # See README for more details.
7 from remotehost
import remote_compatible
12 logger
= logging
. getLogger ()
19 from wpasupplicant
import WpaSupplicant
20 from utils
import HwsimSkip
, alloc_fail
, fail_test
, wait_fail_trigger
, start_monitor
, stop_monitor
, radiotap_build
21 from test_ap_psk
import find_wpas_process
, read_process_memory
, verify_not_present
, get_key_locations
23 def check_sae_capab ( dev
):
24 if "SAE" not in dev
. get_capability ( "auth_alg" ):
25 raise HwsimSkip ( "SAE not supported" )
28 def test_sae ( dev
, apdev
):
29 """SAE with default group"""
30 check_sae_capab ( dev
[ 0 ])
31 params
= hostapd
. wpa2_params ( ssid
= "test-sae" ,
32 passphrase
= "12345678" )
33 params
[ 'wpa_key_mgmt' ] = 'SAE'
34 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
35 key_mgmt
= hapd
. get_config ()[ 'key_mgmt' ]
36 if key_mgmt
. split ( ' ' )[ 0 ] != "SAE" :
37 raise Exception ( "Unexpected GET_CONFIG(key_mgmt): " + key_mgmt
)
39 dev
[ 0 ]. request ( "SET sae_groups " )
40 id = dev
[ 0 ]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" ,
43 if dev
[ 0 ]. get_status_field ( 'sae_group' ) != '19' :
44 raise Exception ( "Expected default SAE group not used" )
45 bss
= dev
[ 0 ]. get_bss ( apdev
[ 0 ][ 'bssid' ])
46 if 'flags' not in bss
:
47 raise Exception ( "Could not get BSS flags from BSS table" )
48 if "[WPA2-SAE-CCMP]" not in bss
[ 'flags' ]:
49 raise Exception ( "Unexpected BSS flags: " + bss
[ 'flags' ])
51 res
= hapd
. request ( "STA-FIRST" )
52 if "sae_group=19" not in res
. splitlines ():
53 raise Exception ( "hostapd STA output did not specify SAE group" )
55 pmk_h
= hapd
. request ( "GET_PMK " + dev
[ 0 ]. own_addr ())
56 pmk_w
= dev
[ 0 ]. get_pmk ( id )
58 raise Exception ( "Fetched PMK does not match: hostapd %s , wpa_supplicant %s " % ( pmk_h
, pmk_w
))
61 def test_sae_password_ecc ( dev
, apdev
):
62 """SAE with number of different passwords (ECC)"""
63 check_sae_capab ( dev
[ 0 ])
64 params
= hostapd
. wpa2_params ( ssid
= "test-sae" ,
65 passphrase
= "12345678" )
66 params
[ 'wpa_key_mgmt' ] = 'SAE'
67 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
69 dev
[ 0 ]. request ( "SET sae_groups 19" )
72 password
= "12345678-" + str ( i
)
73 hapd
. set ( "wpa_passphrase" , password
)
74 dev
[ 0 ]. connect ( "test-sae" , psk
= password
, key_mgmt
= "SAE" ,
76 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
77 dev
[ 0 ]. wait_disconnected ()
80 def test_sae_password_ffc ( dev
, apdev
):
81 """SAE with number of different passwords (FFC)"""
82 check_sae_capab ( dev
[ 0 ])
83 params
= hostapd
. wpa2_params ( ssid
= "test-sae" ,
84 passphrase
= "12345678" )
85 params
[ 'wpa_key_mgmt' ] = 'SAE'
86 params
[ 'sae_groups' ] = '15'
87 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
89 dev
[ 0 ]. request ( "SET sae_groups 15" )
92 password
= "12345678-" + str ( i
)
93 hapd
. set ( "wpa_passphrase" , password
)
94 dev
[ 0 ]. connect ( "test-sae" , psk
= password
, key_mgmt
= "SAE" ,
96 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
97 dev
[ 0 ]. wait_disconnected ()
100 def test_sae_pmksa_caching ( dev
, apdev
):
101 """SAE and PMKSA caching"""
102 run_sae_pmksa_caching ( dev
, apdev
)
105 def test_sae_pmksa_caching_pmkid ( dev
, apdev
):
106 """SAE and PMKSA caching (PMKID in AssocReq after SAE)"""
108 dev
[ 0 ]. set ( "sae_pmkid_in_assoc" , "1" )
109 run_sae_pmksa_caching ( dev
, apdev
)
111 dev
[ 0 ]. set ( "sae_pmkid_in_assoc" , "0" )
113 def run_sae_pmksa_caching ( dev
, apdev
):
114 check_sae_capab ( dev
[ 0 ])
115 params
= hostapd
. wpa2_params ( ssid
= "test-sae" ,
116 passphrase
= "12345678" )
117 params
[ 'wpa_key_mgmt' ] = 'SAE'
118 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
120 dev
[ 0 ]. request ( "SET sae_groups " )
121 dev
[ 0 ]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" ,
123 ev
= hapd
. wait_event ([ "AP-STA-CONNECTED" ], timeout
= 5 )
125 raise Exception ( "No connection event received from hostapd" )
126 sta0
= hapd
. get_sta ( dev
[ 0 ]. own_addr ())
127 if sta0
[ 'wpa' ] != '2' or sta0
[ 'AKMSuiteSelector' ] != '00-0f-ac-8' :
128 raise Exception ( "SAE STA(0) AKM suite selector reported incorrectly" )
129 dev
[ 0 ]. request ( "DISCONNECT" )
130 dev
[ 0 ]. wait_disconnected ()
131 dev
[ 0 ]. request ( "RECONNECT" )
132 dev
[ 0 ]. wait_connected ( timeout
= 15 , error
= "Reconnect timed out" )
133 if dev
[ 0 ]. get_status_field ( 'sae_group' ) is not None :
134 raise Exception ( "SAE group claimed to have been used" )
135 sta0
= hapd
. get_sta ( dev
[ 0 ]. own_addr ())
136 if sta0
[ 'wpa' ] != '2' or sta0
[ 'AKMSuiteSelector' ] != '00-0f-ac-8' :
137 raise Exception ( "SAE STA(0) AKM suite selector reported incorrectly after PMKSA caching" )
140 def test_sae_pmksa_caching_disabled ( dev
, apdev
):
141 """SAE and PMKSA caching disabled"""
142 check_sae_capab ( dev
[ 0 ])
143 params
= hostapd
. wpa2_params ( ssid
= "test-sae" ,
144 passphrase
= "12345678" )
145 params
[ 'wpa_key_mgmt' ] = 'SAE'
146 params
[ 'disable_pmksa_caching' ] = '1'
147 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
149 dev
[ 0 ]. request ( "SET sae_groups " )
150 dev
[ 0 ]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" ,
152 ev
= hapd
. wait_event ([ "AP-STA-CONNECTED" ], timeout
= 5 )
154 raise Exception ( "No connection event received from hostapd" )
155 dev
[ 0 ]. request ( "DISCONNECT" )
156 dev
[ 0 ]. wait_disconnected ()
157 dev
[ 0 ]. request ( "RECONNECT" )
158 dev
[ 0 ]. wait_connected ( timeout
= 15 , error
= "Reconnect timed out" )
159 if dev
[ 0 ]. get_status_field ( 'sae_group' ) != '19' :
160 raise Exception ( "Expected default SAE group not used" )
162 def test_sae_groups ( dev
, apdev
):
163 """SAE with all supported groups"""
164 check_sae_capab ( dev
[ 0 ])
165 # This is the full list of supported groups, but groups 14-16 (2048-4096 bit
166 # MODP) and group 21 (521-bit random ECP group) are a bit too slow on some
167 # VMs and can result in hitting the mac80211 authentication timeout, so
168 # allow them to fail and just report such failures in the debug log.
169 sae_groups
= [ 19 , 25 , 26 , 20 , 21 , 1 , 2 , 5 , 14 , 15 , 16 , 22 , 23 , 24 ]
170 tls
= dev
[ 0 ]. request ( "GET tls_library" )
171 if tls
. startswith ( "OpenSSL" ) and "run=OpenSSL 1." in tls
:
172 logger
. info ( "Add Brainpool EC groups since OpenSSL is new enough" )
173 sae_groups
+= [ 27 , 28 , 29 , 30 ]
174 heavy_groups
= [ 14 , 15 , 16 ]
175 suitable_groups
= [ 15 , 16 , 17 , 18 , 19 , 20 , 21 ]
176 groups
= [ str ( g
) for g
in sae_groups
]
177 params
= hostapd
. wpa2_params ( ssid
= "test-sae-groups" ,
178 passphrase
= "12345678" )
179 params
[ 'wpa_key_mgmt' ] = 'SAE'
180 params
[ 'sae_groups' ] = ' ' . join ( groups
)
181 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
184 logger
. info ( "Testing SAE group " + g
)
185 dev
[ 0 ]. request ( "SET sae_groups " + g
)
186 id = dev
[ 0 ]. connect ( "test-sae-groups" , psk
= "12345678" , key_mgmt
= "SAE" ,
187 scan_freq
= "2412" , wait_connect
= False )
188 if int ( g
) in heavy_groups
:
189 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-CONNECTED" ], timeout
= 5 )
191 logger
. info ( "No connection with heavy SAE group %s did not connect - likely hitting timeout in mac80211" % g
)
192 dev
[ 0 ]. remove_network ( id )
194 dev
[ 0 ]. dump_monitor ()
196 logger
. info ( "Connection with heavy SAE group " + g
)
198 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-CONNECTED" ], timeout
= 10 )
200 if "BoringSSL" in tls
and int ( g
) in [ 25 ]:
201 logger
. info ( "Ignore connection failure with group " + g
+ " with BoringSSL" )
202 dev
[ 0 ]. remove_network ( id )
203 dev
[ 0 ]. dump_monitor ()
205 if int ( g
) not in suitable_groups
:
206 logger
. info ( "Ignore connection failure with unsuitable group " + g
)
207 dev
[ 0 ]. remove_network ( id )
208 dev
[ 0 ]. dump_monitor ()
210 raise Exception ( "Connection timed out with group " + g
)
211 if dev
[ 0 ]. get_status_field ( 'sae_group' ) != g
:
212 raise Exception ( "Expected SAE group not used" )
213 pmksa
= dev
[ 0 ]. get_pmksa ( hapd
. own_addr ())
215 raise Exception ( "No PMKSA cache entry added" )
216 if pmksa
[ 'pmkid' ] == '00000000000000000000000000000000' :
217 raise Exception ( "All zeros PMKID derived for group %s " % g
)
218 dev
[ 0 ]. remove_network ( id )
219 dev
[ 0 ]. wait_disconnected ()
220 dev
[ 0 ]. dump_monitor ()
223 def test_sae_group_nego ( dev
, apdev
):
224 """SAE group negotiation"""
225 check_sae_capab ( dev
[ 0 ])
226 params
= hostapd
. wpa2_params ( ssid
= "test-sae-group-nego" ,
227 passphrase
= "12345678" )
228 params
[ 'wpa_key_mgmt' ] = 'SAE'
229 params
[ 'sae_groups' ] = '19'
230 hostapd
. add_ap ( apdev
[ 0 ], params
)
232 dev
[ 0 ]. request ( "SET sae_groups 25 26 20 19" )
233 dev
[ 0 ]. connect ( "test-sae-group-nego" , psk
= "12345678" , key_mgmt
= "SAE" ,
235 if dev
[ 0 ]. get_status_field ( 'sae_group' ) != '19' :
236 raise Exception ( "Expected SAE group not used" )
238 def test_sae_group_nego_no_match ( dev
, apdev
):
239 """SAE group negotiation (no match)"""
240 check_sae_capab ( dev
[ 0 ])
241 params
= hostapd
. wpa2_params ( ssid
= "test-sae-group-nego" ,
242 passphrase
= "12345678" )
243 params
[ 'wpa_key_mgmt' ] = 'SAE'
244 # None-existing SAE group to force all attempts to be rejected
245 params
[ 'sae_groups' ] = '0'
246 hostapd
. add_ap ( apdev
[ 0 ], params
)
248 dev
[ 0 ]. request ( "SET sae_groups " )
249 dev
[ 0 ]. connect ( "test-sae-group-nego" , psk
= "12345678" , key_mgmt
= "SAE" ,
250 scan_freq
= "2412" , wait_connect
= False )
251 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-SSID-TEMP-DISABLED" ], timeout
= 10 )
252 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
254 raise Exception ( "Network profile disabling not reported" )
257 def test_sae_anti_clogging ( dev
, apdev
):
258 """SAE anti clogging"""
259 check_sae_capab ( dev
[ 0 ])
260 check_sae_capab ( dev
[ 1 ])
261 params
= hostapd
. wpa2_params ( ssid
= "test-sae" , passphrase
= "12345678" )
262 params
[ 'wpa_key_mgmt' ] = 'SAE'
263 params
[ 'sae_anti_clogging_threshold' ] = '1'
264 hostapd
. add_ap ( apdev
[ 0 ], params
)
266 dev
[ 0 ]. request ( "SET sae_groups " )
267 dev
[ 1 ]. request ( "SET sae_groups " )
269 for i
in range ( 0 , 2 ):
270 dev
[ i
]. scan ( freq
= "2412" )
271 id [ i
] = dev
[ i
]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" ,
272 scan_freq
= "2412" , only_add_network
= True )
273 for i
in range ( 0 , 2 ):
274 dev
[ i
]. select_network ( id [ i
])
275 for i
in range ( 0 , 2 ):
276 dev
[ i
]. wait_connected ( timeout
= 10 )
278 def test_sae_forced_anti_clogging ( dev
, apdev
):
279 """SAE anti clogging (forced)"""
280 check_sae_capab ( dev
[ 0 ])
281 check_sae_capab ( dev
[ 1 ])
282 params
= hostapd
. wpa2_params ( ssid
= "test-sae" , passphrase
= "12345678" )
283 params
[ 'wpa_key_mgmt' ] = 'SAE WPA-PSK'
284 params
[ 'sae_anti_clogging_threshold' ] = '0'
285 hostapd
. add_ap ( apdev
[ 0 ], params
)
286 dev
[ 2 ]. connect ( "test-sae" , psk
= "12345678" , scan_freq
= "2412" )
287 for i
in range ( 0 , 2 ):
288 dev
[ i
]. request ( "SET sae_groups " )
289 dev
[ i
]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" ,
292 def test_sae_mixed ( dev
, apdev
):
293 """Mixed SAE and non-SAE network"""
294 check_sae_capab ( dev
[ 0 ])
295 check_sae_capab ( dev
[ 1 ])
296 params
= hostapd
. wpa2_params ( ssid
= "test-sae" , passphrase
= "12345678" )
297 params
[ 'wpa_key_mgmt' ] = 'SAE WPA-PSK'
298 params
[ 'sae_anti_clogging_threshold' ] = '0'
299 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
301 dev
[ 2 ]. connect ( "test-sae" , psk
= "12345678" , scan_freq
= "2412" )
302 for i
in range ( 0 , 2 ):
303 dev
[ i
]. request ( "SET sae_groups " )
304 dev
[ i
]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" ,
306 sta0
= hapd
. get_sta ( dev
[ 0 ]. own_addr ())
307 sta2
= hapd
. get_sta ( dev
[ 2 ]. own_addr ())
308 if sta0
[ 'wpa' ] != '2' or sta0
[ 'AKMSuiteSelector' ] != '00-0f-ac-8' :
309 raise Exception ( "SAE STA(0) AKM suite selector reported incorrectly" )
310 if sta2
[ 'wpa' ] != '2' or sta2
[ 'AKMSuiteSelector' ] != '00-0f-ac-2' :
311 raise Exception ( "PSK STA(2) AKM suite selector reported incorrectly" )
313 def test_sae_and_psk ( dev
, apdev
):
314 """SAE and PSK enabled in network profile"""
315 check_sae_capab ( dev
[ 0 ])
316 params
= hostapd
. wpa2_params ( ssid
= "test-sae" , passphrase
= "12345678" )
317 params
[ 'wpa_key_mgmt' ] = 'SAE'
318 hostapd
. add_ap ( apdev
[ 0 ], params
)
320 dev
[ 0 ]. request ( "SET sae_groups " )
321 dev
[ 0 ]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE WPA-PSK" ,
324 def test_sae_and_psk2 ( dev
, apdev
):
325 """SAE and PSK enabled in network profile (use PSK)"""
326 check_sae_capab ( dev
[ 0 ])
327 params
= hostapd
. wpa2_params ( ssid
= "test-psk" , passphrase
= "12345678" )
328 hostapd
. add_ap ( apdev
[ 0 ], params
)
330 dev
[ 0 ]. request ( "SET sae_groups " )
331 dev
[ 0 ]. connect ( "test-psk" , psk
= "12345678" , key_mgmt
= "SAE WPA-PSK" ,
334 def test_sae_mixed_mfp ( dev
, apdev
):
335 """Mixed SAE and non-SAE network and MFP required with SAE"""
336 check_sae_capab ( dev
[ 0 ])
337 check_sae_capab ( dev
[ 1 ])
338 params
= hostapd
. wpa2_params ( ssid
= "test-sae" , passphrase
= "12345678" )
339 params
[ 'wpa_key_mgmt' ] = 'SAE WPA-PSK'
340 params
[ "ieee80211w" ] = "1"
341 params
[ 'sae_require_mfp' ] = '1'
342 hostapd
. add_ap ( apdev
[ 0 ], params
)
344 dev
[ 0 ]. request ( "SET sae_groups " )
345 dev
[ 0 ]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" , ieee80211w
= "2" ,
347 dev
[ 0 ]. dump_monitor ()
349 dev
[ 1 ]. request ( "SET sae_groups " )
350 dev
[ 1 ]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" , ieee80211w
= "0" ,
351 scan_freq
= "2412" , wait_connect
= False )
352 ev
= dev
[ 1 ]. wait_event ([ "CTRL-EVENT-CONNECTED" ,
353 "CTRL-EVENT-ASSOC-REJECT" ], timeout
= 10 )
355 raise Exception ( "No connection result reported" )
356 if "CTRL-EVENT-ASSOC-REJECT" not in ev
:
357 raise Exception ( "SAE connection without MFP was not rejected" )
358 if "status_code=31" not in ev
:
359 raise Exception ( "Unexpected status code in rejection: " + ev
)
360 dev
[ 1 ]. request ( "DISCONNECT" )
361 dev
[ 1 ]. dump_monitor ()
363 dev
[ 2 ]. connect ( "test-sae" , psk
= "12345678" , ieee80211w
= "0" , scan_freq
= "2412" )
364 dev
[ 2 ]. dump_monitor ()
366 def test_sae_mfp ( dev
, apdev
):
367 """SAE and MFP enabled without sae_require_mfp"""
368 check_sae_capab ( dev
[ 0 ])
369 check_sae_capab ( dev
[ 1 ])
370 params
= hostapd
. wpa2_params ( ssid
= "test-sae" , passphrase
= "12345678" )
371 params
[ 'wpa_key_mgmt' ] = 'SAE'
372 params
[ "ieee80211w" ] = "1"
373 hostapd
. add_ap ( apdev
[ 0 ], params
)
375 dev
[ 0 ]. request ( "SET sae_groups " )
376 dev
[ 0 ]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" , ieee80211w
= "2" ,
379 dev
[ 1 ]. request ( "SET sae_groups " )
380 dev
[ 1 ]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" , ieee80211w
= "0" ,
384 def test_sae_missing_password ( dev
, apdev
):
385 """SAE and missing password"""
386 check_sae_capab ( dev
[ 0 ])
387 params
= hostapd
. wpa2_params ( ssid
= "test-sae" ,
388 passphrase
= "12345678" )
389 params
[ 'wpa_key_mgmt' ] = 'SAE'
390 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
392 dev
[ 0 ]. request ( "SET sae_groups " )
393 id = dev
[ 0 ]. connect ( "test-sae" ,
394 raw_psk
= "46b4a73b8a951ad53ebd2e0afdb9c5483257edd4c21d12b7710759da70945858" ,
395 key_mgmt
= "SAE" , scan_freq
= "2412" , wait_connect
= False )
396 ev
= dev
[ 0 ]. wait_event ([ 'CTRL-EVENT-SSID-TEMP-DISABLED' ], timeout
= 10 )
398 raise Exception ( "Invalid network not temporarily disabled" )
401 def test_sae_key_lifetime_in_memory ( dev
, apdev
, params
):
402 """SAE and key lifetime in memory"""
403 check_sae_capab ( dev
[ 0 ])
404 password
= "5ad144a7c1f5a5503baa6fa01dabc15b1843e8c01662d78d16b70b5cd23cf8b"
405 p
= hostapd
. wpa2_params ( ssid
= "test-sae" , passphrase
= password
)
406 p
[ 'wpa_key_mgmt' ] = 'SAE'
407 hapd
= hostapd
. add_ap ( apdev
[ 0 ], p
)
409 pid
= find_wpas_process ( dev
[ 0 ])
411 dev
[ 0 ]. request ( "SET sae_groups " )
412 id = dev
[ 0 ]. connect ( "test-sae" , psk
= password
, key_mgmt
= "SAE" ,
415 # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
416 # event has been delivered, so verify that wpa_supplicant has returned to
417 # eloop before reading process memory.
420 password
= password
. encode ()
421 buf
= read_process_memory ( pid
, password
)
423 dev
[ 0 ]. request ( "DISCONNECT" )
424 dev
[ 0 ]. wait_disconnected ()
433 with
open ( os
. path
. join ( params
[ 'logdir' ], 'log0' ), 'r' ) as f
:
434 for l
in f
. readlines ():
435 if "SAE: k - hexdump" in l
:
436 val
= l
. strip (). split ( ':' )[ 3 ]. replace ( ' ' , '' )
437 sae_k
= binascii
. unhexlify ( val
)
438 if "SAE: keyseed - hexdump" in l
:
439 val
= l
. strip (). split ( ':' )[ 3 ]. replace ( ' ' , '' )
440 sae_keyseed
= binascii
. unhexlify ( val
)
441 if "SAE: KCK - hexdump" in l
:
442 val
= l
. strip (). split ( ':' )[ 3 ]. replace ( ' ' , '' )
443 sae_kck
= binascii
. unhexlify ( val
)
444 if "SAE: PMK - hexdump" in l
:
445 val
= l
. strip (). split ( ':' )[ 3 ]. replace ( ' ' , '' )
446 pmk
= binascii
. unhexlify ( val
)
447 if "WPA: PTK - hexdump" in l
:
448 val
= l
. strip (). split ( ':' )[ 3 ]. replace ( ' ' , '' )
449 ptk
= binascii
. unhexlify ( val
)
450 if "WPA: Group Key - hexdump" in l
:
451 val
= l
. strip (). split ( ':' )[ 3 ]. replace ( ' ' , '' )
452 gtk
= binascii
. unhexlify ( val
)
453 if not sae_k
or not sae_keyseed
or not sae_kck
or not pmk
or not ptk
or not gtk
:
454 raise Exception ( "Could not find keys from debug log" )
456 raise Exception ( "Unexpected GTK length" )
462 fname
= os
. path
. join ( params
[ 'logdir' ],
463 'sae_key_lifetime_in_memory.memctx-' )
465 logger
. info ( "Checking keys in memory while associated" )
466 get_key_locations ( buf
, password
, "Password" )
467 get_key_locations ( buf
, pmk
, "PMK" )
468 if password
not in buf
:
469 raise HwsimSkip ( "Password not found while associated" )
471 raise HwsimSkip ( "PMK not found while associated" )
473 raise Exception ( "KCK not found while associated" )
475 raise Exception ( "KEK not found while associated" )
477 # raise Exception("TK found from memory")
478 verify_not_present ( buf
, sae_k
, fname
, "SAE(k)" )
479 verify_not_present ( buf
, sae_keyseed
, fname
, "SAE(keyseed)" )
480 verify_not_present ( buf
, sae_kck
, fname
, "SAE(KCK)" )
482 logger
. info ( "Checking keys in memory after disassociation" )
483 buf
= read_process_memory ( pid
, password
)
485 # Note: Password is still present in network configuration
486 # Note: PMK is in PMKSA cache
488 get_key_locations ( buf
, password
, "Password" )
489 get_key_locations ( buf
, pmk
, "PMK" )
490 verify_not_present ( buf
, kck
, fname
, "KCK" )
491 verify_not_present ( buf
, kek
, fname
, "KEK" )
492 verify_not_present ( buf
, tk
, fname
, "TK" )
494 get_key_locations ( buf
, gtk
, "GTK" )
495 verify_not_present ( buf
, gtk
, fname
, "GTK" )
496 verify_not_present ( buf
, sae_k
, fname
, "SAE(k)" )
497 verify_not_present ( buf
, sae_keyseed
, fname
, "SAE(keyseed)" )
498 verify_not_present ( buf
, sae_kck
, fname
, "SAE(KCK)" )
500 dev
[ 0 ]. request ( "PMKSA_FLUSH" )
501 logger
. info ( "Checking keys in memory after PMKSA cache flush" )
502 buf
= read_process_memory ( pid
, password
)
503 get_key_locations ( buf
, password
, "Password" )
504 get_key_locations ( buf
, pmk
, "PMK" )
505 verify_not_present ( buf
, pmk
, fname
, "PMK" )
507 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
509 logger
. info ( "Checking keys in memory after network profile removal" )
510 buf
= read_process_memory ( pid
, password
)
512 get_key_locations ( buf
, password
, "Password" )
513 get_key_locations ( buf
, pmk
, "PMK" )
514 verify_not_present ( buf
, password
, fname
, "password" )
515 verify_not_present ( buf
, pmk
, fname
, "PMK" )
516 verify_not_present ( buf
, kck
, fname
, "KCK" )
517 verify_not_present ( buf
, kek
, fname
, "KEK" )
518 verify_not_present ( buf
, tk
, fname
, "TK" )
519 verify_not_present ( buf
, gtk
, fname
, "GTK" )
520 verify_not_present ( buf
, sae_k
, fname
, "SAE(k)" )
521 verify_not_present ( buf
, sae_keyseed
, fname
, "SAE(keyseed)" )
522 verify_not_present ( buf
, sae_kck
, fname
, "SAE(KCK)" )
525 def test_sae_oom_wpas ( dev
, apdev
):
526 """SAE and OOM in wpa_supplicant"""
527 check_sae_capab ( dev
[ 0 ])
528 params
= hostapd
. wpa2_params ( ssid
= "test-sae" ,
529 passphrase
= "12345678" )
530 params
[ 'wpa_key_mgmt' ] = 'SAE'
531 params
[ 'sae_groups' ] = '19 25 26 20'
532 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
534 dev
[ 0 ]. request ( "SET sae_groups 20" )
535 with
alloc_fail ( dev
[ 0 ], 1 , "sae_set_group" ):
536 dev
[ 0 ]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" ,
538 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
540 dev
[ 0 ]. request ( "SET sae_groups " )
541 with
alloc_fail ( dev
[ 0 ], 2 , "sae_set_group" ):
542 dev
[ 0 ]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" ,
544 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
546 with
alloc_fail ( dev
[ 0 ], 1 , "wpabuf_alloc;sme_auth_build_sae_commit" ):
547 dev
[ 0 ]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" ,
549 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
551 with
alloc_fail ( dev
[ 0 ], 1 , "wpabuf_alloc;sme_auth_build_sae_confirm" ):
552 dev
[ 0 ]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" ,
553 scan_freq
= "2412" , wait_connect
= False )
554 wait_fail_trigger ( dev
[ 0 ], "GET_ALLOC_FAIL" )
555 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
557 with
alloc_fail ( dev
[ 0 ], 1 , "=sme_authenticate" ):
558 dev
[ 0 ]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" ,
559 scan_freq
= "2412" , wait_connect
= False )
560 wait_fail_trigger ( dev
[ 0 ], "GET_ALLOC_FAIL" )
561 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
563 with
alloc_fail ( dev
[ 0 ], 1 , "radio_add_work;sme_authenticate" ):
564 dev
[ 0 ]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" ,
565 scan_freq
= "2412" , wait_connect
= False )
566 wait_fail_trigger ( dev
[ 0 ], "GET_ALLOC_FAIL" )
567 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
570 def test_sae_proto_ecc ( dev
, apdev
):
571 """SAE protocol testing (ECC)"""
572 check_sae_capab ( dev
[ 0 ])
573 params
= hostapd
. wpa2_params ( ssid
= "test-sae" ,
574 passphrase
= "12345678" )
575 params
[ 'wpa_key_mgmt' ] = 'SAE'
576 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
577 bssid
= apdev
[ 0 ][ 'bssid' ]
579 dev
[ 0 ]. request ( "SET sae_groups 19" )
581 tests
= [( "Confirm mismatch" ,
582 "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8" ,
583 "0000800edebc3f260dc1fe7e0b20888af2b8a3316252ec37388a8504e25b73dc4240" ),
584 ( "Commit without even full cyclic group field" ,
588 "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02" ,
590 ( "Invalid commit scalar (0)" ,
591 "1300" + "0000000000000000000000000000000000000000000000000000000000000000" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8" ,
593 ( "Invalid commit scalar (1)" ,
594 "1300" + "0000000000000000000000000000000000000000000000000000000000000001" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8" ,
596 ( "Invalid commit scalar (> r)" ,
597 "1300" + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8" ,
599 ( "Commit element not on curve" ,
600 "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728d0000000000000000000000000000000000000000000000000000000000000000" ,
602 ( "Invalid commit element (y coordinate > P)" ,
603 "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" ,
605 ( "Invalid commit element (x coordinate > P)" ,
606 "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8" ,
608 ( "Different group in commit" ,
609 "1400" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8" ,
611 ( "Too short confirm" ,
612 "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8" ,
613 "0000800edebc3f260dc1fe7e0b20888af2b8a3316252ec37388a8504e25b73dc42" )]
614 for ( note
, commit
, confirm
) in tests
:
616 dev
[ 0 ]. scan_for_bss ( bssid
, freq
= 2412 )
617 hapd
. set ( "ext_mgmt_frame_handling" , "1" )
618 dev
[ 0 ]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" ,
619 scan_freq
= "2412" , wait_connect
= False )
621 logger
. info ( "Commit" )
622 for i
in range ( 0 , 10 ):
625 raise Exception ( "MGMT RX wait timed out (commit)" )
626 if req
[ 'subtype' ] == 11 :
630 raise Exception ( "Authentication frame (commit) not received" )
634 resp
[ 'fc' ] = req
[ 'fc' ]
635 resp
[ 'da' ] = req
[ 'sa' ]
636 resp
[ 'sa' ] = req
[ 'da' ]
637 resp
[ 'bssid' ] = req
[ 'bssid' ]
638 resp
[ 'payload' ] = binascii
. unhexlify ( "030001000000" + commit
)
642 logger
. info ( "Confirm" )
643 for i
in range ( 0 , 10 ):
646 raise Exception ( "MGMT RX wait timed out (confirm)" )
647 if req
[ 'subtype' ] == 11 :
651 raise Exception ( "Authentication frame (confirm) not received" )
655 resp
[ 'fc' ] = req
[ 'fc' ]
656 resp
[ 'da' ] = req
[ 'sa' ]
657 resp
[ 'sa' ] = req
[ 'da' ]
658 resp
[ 'bssid' ] = req
[ 'bssid' ]
659 resp
[ 'payload' ] = binascii
. unhexlify ( "030002000000" + confirm
)
663 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
664 hapd
. set ( "ext_mgmt_frame_handling" , "0" )
668 def test_sae_proto_ffc ( dev
, apdev
):
669 """SAE protocol testing (FFC)"""
670 check_sae_capab ( dev
[ 0 ])
671 params
= hostapd
. wpa2_params ( ssid
= "test-sae" ,
672 passphrase
= "12345678" )
673 params
[ 'wpa_key_mgmt' ] = 'SAE'
674 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
675 bssid
= apdev
[ 0 ][ 'bssid' ]
677 dev
[ 0 ]. request ( "SET sae_groups 2" )
679 tests
= [( "Confirm mismatch" ,
680 "0200" + "0c70519d874e3e4930a917cc5e17ea7a26028211159f217bab28b8d6c56691805e49f03249b2c6e22c7c9f86b30e04ccad2deedd5e5108ae07b737c00001c59cd0eb08b1dfc7f1b06a1542e2b6601a963c066e0c65940983a03917ae57a101ce84b5cbbc76ff33ebb990aac2e54aa0f0ab6ec0a58113d927683502b2cb2347d2" + "a8c00117493cdffa5dd671e934bc9cb1a69f39e25e9dd9cd9afd3aea2441a0f5491211c7ba50a753563f9ce943b043557cb71193b28e86ed9544f4289c471bf91b70af5c018cf4663e004165b0fd0bc1d8f3f78adf42eee92bcbc55246fd3ee9f107ab965dc7d4986f23eb71d616ebfe6bfe0a6c1ac5dc1718acee17c9a17486" ,
681 "0000f3116a9731f1259622e3eb55d4b3b50ba16f8c5f5565b28e609b180c51460251" ),
683 "0200" + "0c70519d874e3e4930a917cc5e17ea7a26028211159f217bab28b8d6c56691805e49f03249b2c6e22c7c9f86b30e04ccad2deedd5e5108ae07b737c00001c59cd0eb08b1dfc7f1b06a1542e2b6601a963c066e0c65940983a03917ae57a101ce84b5cbbc76ff33ebb990aac2e54aa0f0ab6ec0a58113d927683502b2cb2347d2" + "a8c00117493cdffa5dd671e934bc9cb1a69f39e25e9dd9cd9afd3aea2441a0f5491211c7ba50a753563f9ce943b043557cb71193b28e86ed9544f4289c471bf91b70af5c018cf4663e004165b0fd0bc1d8f3f78adf42eee92bcbc55246fd3ee9f107ab965dc7d4986f23eb71d616ebfe6bfe0a6c1ac5dc1718acee17c9a174" ,
685 ( "Invalid element (0) in commit" ,
686 "0200" + "0c70519d874e3e4930a917cc5e17ea7a26028211159f217bab28b8d6c56691805e49f03249b2c6e22c7c9f86b30e04ccad2deedd5e5108ae07b737c00001c59cd0eb08b1dfc7f1b06a1542e2b6601a963c066e0c65940983a03917ae57a101ce84b5cbbc76ff33ebb990aac2e54aa0f0ab6ec0a58113d927683502b2cb2347d2" + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" ,
688 ( "Invalid element (1) in commit" ,
689 "0200" + "0c70519d874e3e4930a917cc5e17ea7a26028211159f217bab28b8d6c56691805e49f03249b2c6e22c7c9f86b30e04ccad2deedd5e5108ae07b737c00001c59cd0eb08b1dfc7f1b06a1542e2b6601a963c066e0c65940983a03917ae57a101ce84b5cbbc76ff33ebb990aac2e54aa0f0ab6ec0a58113d927683502b2cb2347d2" + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001" ,
691 ( "Invalid element (> P) in commit" ,
692 "0200" + "0c70519d874e3e4930a917cc5e17ea7a26028211159f217bab28b8d6c56691805e49f03249b2c6e22c7c9f86b30e04ccad2deedd5e5108ae07b737c00001c59cd0eb08b1dfc7f1b06a1542e2b6601a963c066e0c65940983a03917ae57a101ce84b5cbbc76ff33ebb990aac2e54aa0f0ab6ec0a58113d927683502b2cb2347d2" + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" ,
694 for ( note
, commit
, confirm
) in tests
:
696 dev
[ 0 ]. scan_for_bss ( bssid
, freq
= 2412 )
697 hapd
. set ( "ext_mgmt_frame_handling" , "1" )
698 dev
[ 0 ]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" ,
699 scan_freq
= "2412" , wait_connect
= False )
701 logger
. info ( "Commit" )
702 for i
in range ( 0 , 10 ):
705 raise Exception ( "MGMT RX wait timed out (commit)" )
706 if req
[ 'subtype' ] == 11 :
710 raise Exception ( "Authentication frame (commit) not received" )
714 resp
[ 'fc' ] = req
[ 'fc' ]
715 resp
[ 'da' ] = req
[ 'sa' ]
716 resp
[ 'sa' ] = req
[ 'da' ]
717 resp
[ 'bssid' ] = req
[ 'bssid' ]
718 resp
[ 'payload' ] = binascii
. unhexlify ( "030001000000" + commit
)
722 logger
. info ( "Confirm" )
723 for i
in range ( 0 , 10 ):
726 raise Exception ( "MGMT RX wait timed out (confirm)" )
727 if req
[ 'subtype' ] == 11 :
731 raise Exception ( "Authentication frame (confirm) not received" )
735 resp
[ 'fc' ] = req
[ 'fc' ]
736 resp
[ 'da' ] = req
[ 'sa' ]
737 resp
[ 'sa' ] = req
[ 'da' ]
738 resp
[ 'bssid' ] = req
[ 'bssid' ]
739 resp
[ 'payload' ] = binascii
. unhexlify ( "030002000000" + confirm
)
743 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
744 hapd
. set ( "ext_mgmt_frame_handling" , "0" )
748 def test_sae_proto_commit_delayed ( dev
, apdev
):
749 """SAE protocol testing - Commit delayed"""
750 check_sae_capab ( dev
[ 0 ])
751 params
= hostapd
. wpa2_params ( ssid
= "test-sae" ,
752 passphrase
= "12345678" )
753 params
[ 'wpa_key_mgmt' ] = 'SAE'
754 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
755 bssid
= apdev
[ 0 ][ 'bssid' ]
757 dev
[ 0 ]. request ( "SET sae_groups 19" )
759 dev
[ 0 ]. scan_for_bss ( bssid
, freq
= 2412 )
760 hapd
. set ( "ext_mgmt_frame_handling" , "1" )
761 dev
[ 0 ]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" ,
762 scan_freq
= "2412" , wait_connect
= False )
764 logger
. info ( "Commit" )
765 for i
in range ( 0 , 10 ):
768 raise Exception ( "MGMT RX wait timed out (commit)" )
769 if req
[ 'subtype' ] == 11 :
773 raise Exception ( "Authentication frame (commit) not received" )
777 hapd
. request ( "MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + binascii
. hexlify ( req
[ 'frame' ]). decode ())
779 logger
. info ( "Commit/Confirm" )
780 for i
in range ( 0 , 10 ):
783 raise Exception ( "MGMT RX wait timed out (confirm)" )
784 if req
[ 'subtype' ] == 11 :
785 trans
, = struct
. unpack ( '<H' , req
[ 'payload' ][ 2 : 4 ])
787 logger
. info ( "Extra Commit" )
788 hapd
. request ( "MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + binascii
. hexlify ( req
[ 'frame' ]). decode ())
793 raise Exception ( "Authentication frame (confirm) not received" )
796 hapd
. request ( "MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + binascii
. hexlify ( req
[ 'frame' ]). decode ())
798 logger
. info ( "Association Request" )
799 for i
in range ( 0 , 10 ):
802 raise Exception ( "MGMT RX wait timed out (AssocReq)" )
803 if req
[ 'subtype' ] == 0 :
807 raise Exception ( "Association Request frame not received" )
810 hapd
. request ( "MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + binascii
. hexlify ( req
[ 'frame' ]). decode ())
811 ev
= hapd
. wait_event ([ "MGMT-TX-STATUS" ], timeout
= 5 )
813 raise Exception ( "Management frame TX status not reported (1)" )
814 if "stype=1 ok=1" not in ev
:
815 raise Exception ( "Unexpected management frame TX status (1): " + ev
)
816 cmd
= "MGMT_TX_STATUS_PROCESS %s " % ( " " . join ( ev
. split ( ' ' )[ 1 : 4 ]))
817 if "OK" not in hapd
. request ( cmd
):
818 raise Exception ( "MGMT_TX_STATUS_PROCESS failed" )
820 hapd
. set ( "ext_mgmt_frame_handling" , "0" )
822 dev
[ 0 ]. wait_connected ()
824 def test_sae_proto_commit_replay ( dev
, apdev
):
825 """SAE protocol testing - Commit replay"""
826 check_sae_capab ( dev
[ 0 ])
827 params
= hostapd
. wpa2_params ( ssid
= "test-sae" ,
828 passphrase
= "12345678" )
829 params
[ 'wpa_key_mgmt' ] = 'SAE'
830 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
831 bssid
= apdev
[ 0 ][ 'bssid' ]
833 dev
[ 0 ]. request ( "SET sae_groups 19" )
835 dev
[ 0 ]. scan_for_bss ( bssid
, freq
= 2412 )
836 hapd
. set ( "ext_mgmt_frame_handling" , "1" )
837 dev
[ 0 ]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" ,
838 scan_freq
= "2412" , wait_connect
= False )
840 logger
. info ( "Commit" )
841 for i
in range ( 0 , 10 ):
844 raise Exception ( "MGMT RX wait timed out (commit)" )
845 if req
[ 'subtype' ] == 11 :
849 raise Exception ( "Authentication frame (commit) not received" )
852 hapd
. request ( "MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + binascii
. hexlify ( req
[ 'frame' ]). decode ())
853 logger
. info ( "Replay Commit" )
854 hapd
. request ( "MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + binascii
. hexlify ( req
[ 'frame' ]). decode ())
856 logger
. info ( "Confirm" )
857 for i
in range ( 0 , 10 ):
860 raise Exception ( "MGMT RX wait timed out (confirm)" )
861 if req
[ 'subtype' ] == 11 :
862 trans
, = struct
. unpack ( '<H' , req
[ 'payload' ][ 2 : 4 ])
864 logger
. info ( "Extra Commit" )
865 hapd
. request ( "MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + binascii
. hexlify ( req
[ 'frame' ]). decode ())
870 raise Exception ( "Authentication frame (confirm) not received" )
873 hapd
. request ( "MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + binascii
. hexlify ( req
[ 'frame' ]). decode ())
875 logger
. info ( "Association Request" )
876 for i
in range ( 0 , 10 ):
879 raise Exception ( "MGMT RX wait timed out (AssocReq)" )
880 if req
[ 'subtype' ] == 0 :
884 raise Exception ( "Association Request frame not received" )
887 hapd
. request ( "MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + binascii
. hexlify ( req
[ 'frame' ]). decode ())
888 for i
in range ( 0 , 10 ):
889 ev
= hapd
. wait_event ([ "MGMT-TX-STATUS" ], timeout
= 5 )
891 raise Exception ( "Management frame TX status not reported (1)" )
892 if "stype=11 ok=1" in ev
:
894 if "stype=12 ok=1" in ev
:
896 if "stype=1 ok=1" not in ev
:
897 raise Exception ( "Unexpected management frame TX status (1): " + ev
)
898 cmd
= "MGMT_TX_STATUS_PROCESS %s " % ( " " . join ( ev
. split ( ' ' )[ 1 : 4 ]))
899 if "OK" not in hapd
. request ( cmd
):
900 raise Exception ( "MGMT_TX_STATUS_PROCESS failed" )
903 hapd
. set ( "ext_mgmt_frame_handling" , "0" )
905 dev
[ 0 ]. wait_connected ()
907 def test_sae_proto_confirm_replay ( dev
, apdev
):
908 """SAE protocol testing - Confirm replay"""
909 check_sae_capab ( dev
[ 0 ])
910 params
= hostapd
. wpa2_params ( ssid
= "test-sae" ,
911 passphrase
= "12345678" )
912 params
[ 'wpa_key_mgmt' ] = 'SAE'
913 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
914 bssid
= apdev
[ 0 ][ 'bssid' ]
916 dev
[ 0 ]. request ( "SET sae_groups 19" )
918 dev
[ 0 ]. scan_for_bss ( bssid
, freq
= 2412 )
919 hapd
. set ( "ext_mgmt_frame_handling" , "1" )
920 dev
[ 0 ]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" ,
921 scan_freq
= "2412" , wait_connect
= False )
923 logger
. info ( "Commit" )
924 for i
in range ( 0 , 10 ):
927 raise Exception ( "MGMT RX wait timed out (commit)" )
928 if req
[ 'subtype' ] == 11 :
932 raise Exception ( "Authentication frame (commit) not received" )
935 hapd
. request ( "MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + binascii
. hexlify ( req
[ 'frame' ]). decode ())
937 logger
. info ( "Confirm" )
938 for i
in range ( 0 , 10 ):
941 raise Exception ( "MGMT RX wait timed out (confirm)" )
942 if req
[ 'subtype' ] == 11 :
946 raise Exception ( "Authentication frame (confirm) not received" )
949 hapd
. request ( "MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + binascii
. hexlify ( req
[ 'frame' ]). decode ())
951 logger
. info ( "Replay Confirm" )
952 hapd
. request ( "MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + binascii
. hexlify ( req
[ 'frame' ]). decode ())
954 logger
. info ( "Association Request" )
955 for i
in range ( 0 , 10 ):
958 raise Exception ( "MGMT RX wait timed out (AssocReq)" )
959 if req
[ 'subtype' ] == 0 :
963 raise Exception ( "Association Request frame not received" )
966 hapd
. request ( "MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + binascii
. hexlify ( req
[ 'frame' ]). decode ())
967 ev
= hapd
. wait_event ([ "MGMT-TX-STATUS" ], timeout
= 5 )
969 raise Exception ( "Management frame TX status not reported (1)" )
970 if "stype=1 ok=1" not in ev
:
971 raise Exception ( "Unexpected management frame TX status (1): " + ev
)
972 cmd
= "MGMT_TX_STATUS_PROCESS %s " % ( " " . join ( ev
. split ( ' ' )[ 1 : 4 ]))
973 if "OK" not in hapd
. request ( cmd
):
974 raise Exception ( "MGMT_TX_STATUS_PROCESS failed" )
976 hapd
. set ( "ext_mgmt_frame_handling" , "0" )
978 dev
[ 0 ]. wait_connected ()
980 def test_sae_proto_hostapd ( dev
, apdev
):
981 """SAE protocol testing with hostapd"""
982 params
= hostapd
. wpa2_params ( ssid
= "test-sae" , passphrase
= "12345678" )
983 params
[ 'wpa_key_mgmt' ] = 'SAE'
984 params
[ 'sae_groups' ] = "19 65535"
985 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
986 hapd
. set ( "ext_mgmt_frame_handling" , "1" )
987 bssid
= hapd
. own_addr (). replace ( ':' , '' )
988 addr
= "020000000000"
989 addr2
= "020000000001"
990 hdr
= "b0003a01" + bssid
+ addr
+ bssid
+ "1000"
991 hdr2
= "b0003a01" + bssid
+ addr2
+ bssid
+ "1000"
993 scalar
= "f7df19f4a7fef1d3b895ea1de150b7c5a7a705c8ebb31a52b623e0057908bd93"
994 element_x
= "21931572027f2e953e2a49fab3d992944102cc95aa19515fc068b394fb25ae3c"
995 element_y
= "cb4eeb94d7b0b789abfdb73a67ab9d6d5efa94dd553e0e724a6289821cbce530"
996 hapd
. request ( "MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + hdr
+ "030001000000" + group
+ scalar
+ element_x
+ element_y
)
997 # "SAE: Not enough data for scalar"
998 hapd
. request ( "MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + hdr
+ "030001000000" + group
+ scalar
[:- 2 ])
999 # "SAE: Do not allow group to be changed"
1000 hapd
. request ( "MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + hdr
+ "030001000000" + "ffff" + scalar
[:- 2 ])
1001 # "SAE: Unsupported Finite Cyclic Group 65535"
1002 hapd
. request ( "MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + hdr2
+ "030001000000" + "ffff" + scalar
[:- 2 ])
1004 def test_sae_proto_hostapd_ecc ( dev
, apdev
):
1005 """SAE protocol testing with hostapd (ECC)"""
1006 params
= hostapd
. wpa2_params ( ssid
= "test-sae" , passphrase
= "foofoofoo" )
1007 params
[ 'wpa_key_mgmt' ] = 'SAE'
1008 params
[ 'sae_groups' ] = "19"
1009 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
1010 hapd
. set ( "ext_mgmt_frame_handling" , "1" )
1011 bssid
= hapd
. own_addr (). replace ( ':' , '' )
1012 addr
= "020000000000"
1013 addr2
= "020000000001"
1014 hdr
= "b0003a01" + bssid
+ addr
+ bssid
+ "1000"
1015 hdr2
= "b0003a01" + bssid
+ addr2
+ bssid
+ "1000"
1017 scalar
= "9e9a959bf2dda875a4a29ce9b2afef46f2d83060930124cd9e39ddce798cd69a"
1018 element_x
= "dfc55fd8622b91d362f4d1fc9646474d7fba0ff7cce6ca58b8e96a931e070220"
1019 element_y
= "dac8a4e80724f167c1349cc9e1f9dd82a7c77b29d49789b63b72b4c849301a28"
1020 # sae_parse_commit_element_ecc() failure to parse peer element
1021 # (depending on crypto library, either crypto_ec_point_from_bin() failure
1022 # or crypto_ec_point_is_on_curve() returning 0)
1023 hapd
. request ( "MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + hdr
+ "030001000000" + group
+ scalar
+ element_x
+ element_y
)
1024 # Unexpected continuation of the connection attempt with confirm
1025 hapd
. request ( "MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + hdr
+ "030002000000" + "0000" + "fd7b081ff4e8676f03612a4140eedcd3c179ab3a13b93863c6f7ca451340b9ae" )
1027 def test_sae_proto_hostapd_ffc ( dev
, apdev
):
1028 """SAE protocol testing with hostapd (FFC)"""
1029 params
= hostapd
. wpa2_params ( ssid
= "test-sae" , passphrase
= "foofoofoo" )
1030 params
[ 'wpa_key_mgmt' ] = 'SAE'
1031 params
[ 'sae_groups' ] = "22"
1032 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
1033 hapd
. set ( "ext_mgmt_frame_handling" , "1" )
1034 bssid
= hapd
. own_addr (). replace ( ':' , '' )
1035 addr
= "020000000000"
1036 addr2
= "020000000001"
1037 hdr
= "b0003a01" + bssid
+ addr
+ bssid
+ "1000"
1038 hdr2
= "b0003a01" + bssid
+ addr2
+ bssid
+ "1000"
1040 scalar
= "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000044cc46a73c07ef479dc66ec1f5e8ccf25131fa40"
1041 element
= "0f1d67025e12fc874cf718c35b19d1ab2db858215623f1ce661cbd1d7b1d7a09ceda7dba46866cf37044259b5cac4db15e7feb778edc8098854b93a84347c1850c02ee4d7dac46db79c477c731085d5b39f56803cda1eeac4a2fbbccb9a546379e258c00ebe93dfdd0a34cf8ce5c55cf905a89564a590b7e159fb89198e9d5cd"
1042 # sae_parse_commit_element_ffc() failure to parse peer element
1043 hapd
. request ( "MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + hdr
+ "030001000000" + group
+ scalar
+ element
)
1044 # Unexpected continuation of the connection attempt with confirm
1045 hapd
. request ( "MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + hdr
+ "030002000000" + "0000" + "fd7b081ff4e8676f03612a4140eedcd3c179ab3a13b93863c6f7ca451340b9ae" )
1048 def test_sae_no_ffc_by_default ( dev
, apdev
):
1049 """SAE and default groups rejecting FFC"""
1050 check_sae_capab ( dev
[ 0 ])
1051 params
= hostapd
. wpa2_params ( ssid
= "test-sae" , passphrase
= "12345678" )
1052 params
[ 'wpa_key_mgmt' ] = 'SAE'
1053 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
1055 dev
[ 0 ]. request ( "SET sae_groups 15" )
1056 dev
[ 0 ]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" , scan_freq
= "2412" ,
1058 ev
= dev
[ 0 ]. wait_event ([ "SME: Trying to authenticate" ], timeout
= 3 )
1060 raise Exception ( "Did not try to authenticate" )
1061 ev
= dev
[ 0 ]. wait_event ([ "SME: Trying to authenticate" ], timeout
= 3 )
1063 raise Exception ( "Did not try to authenticate (2)" )
1064 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
1066 def sae_reflection_attack ( apdev
, dev
, group
):
1067 check_sae_capab ( dev
)
1068 params
= hostapd
. wpa2_params ( ssid
= "test-sae" ,
1069 passphrase
= "no-knowledge-of-passphrase" )
1070 params
[ 'wpa_key_mgmt' ] = 'SAE'
1071 hapd
= hostapd
. add_ap ( apdev
, params
)
1072 bssid
= apdev
[ 'bssid' ]
1074 dev
. scan_for_bss ( bssid
, freq
= 2412 )
1075 hapd
. set ( "ext_mgmt_frame_handling" , "1" )
1077 dev
. request ( "SET sae_groups %d " % group
)
1078 dev
. connect ( "test-sae" , psk
= "reflection-attack" , key_mgmt
= "SAE" ,
1079 scan_freq
= "2412" , wait_connect
= False )
1082 for i
in range ( 0 , 10 ):
1083 req
= hapd
. mgmt_rx ()
1085 raise Exception ( "MGMT RX wait timed out" )
1086 if req
[ 'subtype' ] == 11 :
1090 raise Exception ( "Authentication frame not received" )
1093 resp
[ 'fc' ] = req
[ 'fc' ]
1094 resp
[ 'da' ] = req
[ 'sa' ]
1095 resp
[ 'sa' ] = req
[ 'da' ]
1096 resp
[ 'bssid' ] = req
[ 'bssid' ]
1097 resp
[ 'payload' ] = req
[ 'payload' ]
1101 req
= hapd
. mgmt_rx ( timeout
= 0.5 )
1103 if req
[ 'subtype' ] == 11 :
1104 raise Exception ( "Unexpected Authentication frame seen" )
1107 def test_sae_reflection_attack_ecc ( dev
, apdev
):
1108 """SAE reflection attack (ECC)"""
1109 sae_reflection_attack ( apdev
[ 0 ], dev
[ 0 ], 19 )
1112 def test_sae_reflection_attack_ffc ( dev
, apdev
):
1113 """SAE reflection attack (FFC)"""
1114 sae_reflection_attack ( apdev
[ 0 ], dev
[ 0 ], 15 )
1116 def sae_reflection_attack_internal ( apdev
, dev
, group
):
1117 check_sae_capab ( dev
)
1118 params
= hostapd
. wpa2_params ( ssid
= "test-sae" ,
1119 passphrase
= "no-knowledge-of-passphrase" )
1120 params
[ 'wpa_key_mgmt' ] = 'SAE'
1121 params
[ 'sae_reflection_attack' ] = '1'
1122 hapd
= hostapd
. add_ap ( apdev
, params
)
1123 bssid
= apdev
[ 'bssid' ]
1125 dev
. scan_for_bss ( bssid
, freq
= 2412 )
1126 dev
. request ( "SET sae_groups %d " % group
)
1127 dev
. connect ( "test-sae" , psk
= "reflection-attack" , key_mgmt
= "SAE" ,
1128 scan_freq
= "2412" , wait_connect
= False )
1129 ev
= dev
. wait_event ([ "SME: Trying to authenticate" ], timeout
= 10 )
1131 raise Exception ( "No authentication attempt seen" )
1132 ev
= dev
. wait_event ([ "CTRL-EVENT-CONNECTED" ], timeout
= 1 )
1134 raise Exception ( "Unexpected connection" )
1137 def test_sae_reflection_attack_ecc_internal ( dev
, apdev
):
1138 """SAE reflection attack (ECC) - internal"""
1139 sae_reflection_attack_internal ( apdev
[ 0 ], dev
[ 0 ], 19 )
1142 def test_sae_reflection_attack_ffc_internal ( dev
, apdev
):
1143 """SAE reflection attack (FFC) - internal"""
1144 sae_reflection_attack_internal ( apdev
[ 0 ], dev
[ 0 ], 15 )
1147 def test_sae_commit_override ( dev
, apdev
):
1148 """SAE commit override (hostapd)"""
1149 check_sae_capab ( dev
[ 0 ])
1150 params
= hostapd
. wpa2_params ( ssid
= "test-sae" ,
1151 passphrase
= "12345678" )
1152 params
[ 'wpa_key_mgmt' ] = 'SAE'
1153 params
[ 'sae_commit_override' ] = '13ffbad00d215867a7c5ff37d87bb9bdb7cb116e520f71e8d7a794ca2606d537ddc6c099c40e7a25372b80a8fd443cd7dd222c8ea21b8ef372d4b3e316c26a73fd999cc79ad483eb826e7b3893ea332da68fa13224bcdeb4fb18b0584dd100a2c514'
1154 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
1155 dev
[ 0 ]. request ( "SET sae_groups " )
1156 dev
[ 0 ]. connect ( "test-sae" , psk
= "test-sae" , key_mgmt
= "SAE" ,
1157 scan_freq
= "2412" , wait_connect
= False )
1158 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-CONNECTED" ], timeout
= 1 )
1160 raise Exception ( "Unexpected connection" )
1163 def test_sae_commit_override2 ( dev
, apdev
):
1164 """SAE commit override (wpa_supplicant)"""
1165 check_sae_capab ( dev
[ 0 ])
1166 params
= hostapd
. wpa2_params ( ssid
= "test-sae" ,
1167 passphrase
= "12345678" )
1168 params
[ 'wpa_key_mgmt' ] = 'SAE'
1169 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
1170 dev
[ 0 ]. request ( "SET sae_groups " )
1171 dev
[ 0 ]. set ( 'sae_commit_override' , '13ffbad00d215867a7c5ff37d87bb9bdb7cb116e520f71e8d7a794ca2606d537ddc6c099c40e7a25372b80a8fd443cd7dd222c8ea21b8ef372d4b3e316c26a73fd999cc79ad483eb826e7b3893ea332da68fa13224bcdeb4fb18b0584dd100a2c514' )
1172 dev
[ 0 ]. connect ( "test-sae" , psk
= "test-sae" , key_mgmt
= "SAE" ,
1173 scan_freq
= "2412" , wait_connect
= False )
1174 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-CONNECTED" ], timeout
= 1 )
1176 raise Exception ( "Unexpected connection" )
1178 def test_sae_commit_invalid_scalar_element_ap ( dev
, apdev
):
1179 """SAE commit invalid scalar/element from AP"""
1180 check_sae_capab ( dev
[ 0 ])
1181 params
= hostapd
. wpa2_params ( ssid
= "test-sae" ,
1182 passphrase
= "12345678" )
1183 params
[ 'wpa_key_mgmt' ] = 'SAE'
1184 params
[ 'sae_commit_override' ] = '1300' + 96 * '00'
1185 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
1186 dev
[ 0 ]. request ( "SET sae_groups " )
1187 dev
[ 0 ]. connect ( "test-sae" , psk
= "test-sae" , key_mgmt
= "SAE" ,
1188 scan_freq
= "2412" , wait_connect
= False )
1189 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-CONNECTED" ], timeout
= 1 )
1191 raise Exception ( "Unexpected connection" )
1193 def test_sae_commit_invalid_element_ap ( dev
, apdev
):
1194 """SAE commit invalid element from AP"""
1195 check_sae_capab ( dev
[ 0 ])
1196 params
= hostapd
. wpa2_params ( ssid
= "test-sae" ,
1197 passphrase
= "12345678" )
1198 params
[ 'wpa_key_mgmt' ] = 'SAE'
1199 params
[ 'sae_commit_override' ] = '1300' + 31 * '00' + '02' + 64 * '00'
1200 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
1201 dev
[ 0 ]. request ( "SET sae_groups " )
1202 dev
[ 0 ]. connect ( "test-sae" , psk
= "test-sae" , key_mgmt
= "SAE" ,
1203 scan_freq
= "2412" , wait_connect
= False )
1204 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-CONNECTED" ], timeout
= 1 )
1206 raise Exception ( "Unexpected connection" )
1208 def test_sae_commit_invalid_scalar_element_sta ( dev
, apdev
):
1209 """SAE commit invalid scalar/element from STA"""
1210 check_sae_capab ( dev
[ 0 ])
1211 params
= hostapd
. wpa2_params ( ssid
= "test-sae" ,
1212 passphrase
= "12345678" )
1213 params
[ 'wpa_key_mgmt' ] = 'SAE'
1214 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
1215 dev
[ 0 ]. request ( "SET sae_groups " )
1216 dev
[ 0 ]. set ( 'sae_commit_override' , '1300' + 96 * '00' )
1217 dev
[ 0 ]. connect ( "test-sae" , psk
= "test-sae" , key_mgmt
= "SAE" ,
1218 scan_freq
= "2412" , wait_connect
= False )
1219 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-CONNECTED" ], timeout
= 1 )
1221 raise Exception ( "Unexpected connection" )
1223 def test_sae_commit_invalid_element_sta ( dev
, apdev
):
1224 """SAE commit invalid element from STA"""
1225 check_sae_capab ( dev
[ 0 ])
1226 params
= hostapd
. wpa2_params ( ssid
= "test-sae" ,
1227 passphrase
= "12345678" )
1228 params
[ 'wpa_key_mgmt' ] = 'SAE'
1229 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
1230 dev
[ 0 ]. request ( "SET sae_groups " )
1231 dev
[ 0 ]. set ( 'sae_commit_override' , '1300' + 31 * '00' + '02' + 64 * '00' )
1232 dev
[ 0 ]. connect ( "test-sae" , psk
= "test-sae" , key_mgmt
= "SAE" ,
1233 scan_freq
= "2412" , wait_connect
= False )
1234 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-CONNECTED" ], timeout
= 1 )
1236 raise Exception ( "Unexpected connection" )
1239 def test_sae_anti_clogging_proto ( dev
, apdev
):
1240 """SAE anti clogging protocol testing"""
1241 check_sae_capab ( dev
[ 0 ])
1242 params
= hostapd
. wpa2_params ( ssid
= "test-sae" ,
1243 passphrase
= "no-knowledge-of-passphrase" )
1244 params
[ 'wpa_key_mgmt' ] = 'SAE'
1245 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
1246 bssid
= apdev
[ 0 ][ 'bssid' ]
1248 dev
[ 0 ]. scan_for_bss ( bssid
, freq
= 2412 )
1249 hapd
. set ( "ext_mgmt_frame_handling" , "1" )
1251 dev
[ 0 ]. request ( "SET sae_groups " )
1252 dev
[ 0 ]. connect ( "test-sae" , psk
= "anti-cloggign" , key_mgmt
= "SAE" ,
1253 scan_freq
= "2412" , wait_connect
= False )
1256 for i
in range ( 0 , 10 ):
1257 req
= hapd
. mgmt_rx ()
1259 raise Exception ( "MGMT RX wait timed out" )
1260 if req
[ 'subtype' ] == 11 :
1264 raise Exception ( "Authentication frame not received" )
1267 resp
[ 'fc' ] = req
[ 'fc' ]
1268 resp
[ 'da' ] = req
[ 'sa' ]
1269 resp
[ 'sa' ] = req
[ 'da' ]
1270 resp
[ 'bssid' ] = req
[ 'bssid' ]
1271 resp
[ 'payload' ] = binascii
. unhexlify ( "030001004c00" + "ffff00" )
1274 # Confirm (not received due to DH group being rejected)
1275 req
= hapd
. mgmt_rx ( timeout
= 0.5 )
1277 if req
[ 'subtype' ] == 11 :
1278 raise Exception ( "Unexpected Authentication frame seen" )
1281 def test_sae_no_random ( dev
, apdev
):
1282 """SAE and no random numbers available"""
1283 check_sae_capab ( dev
[ 0 ])
1284 params
= hostapd
. wpa2_params ( ssid
= "test-sae" , passphrase
= "12345678" )
1285 params
[ 'wpa_key_mgmt' ] = 'SAE'
1286 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
1288 dev
[ 0 ]. request ( "SET sae_groups " )
1289 tests
= [( 1 , "os_get_random;sae_derive_pwe_ecc" )]
1290 for count
, func
in tests
:
1291 with
fail_test ( dev
[ 0 ], count
, func
):
1292 dev
[ 0 ]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" ,
1294 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
1295 dev
[ 0 ]. wait_disconnected ()
1298 def test_sae_pwe_failure ( dev
, apdev
):
1299 """SAE and pwe failure"""
1300 check_sae_capab ( dev
[ 0 ])
1301 params
= hostapd
. wpa2_params ( ssid
= "test-sae" , passphrase
= "12345678" )
1302 params
[ 'wpa_key_mgmt' ] = 'SAE'
1303 params
[ 'sae_groups' ] = '19 15'
1304 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
1306 dev
[ 0 ]. request ( "SET sae_groups 19" )
1307 with
fail_test ( dev
[ 0 ], 1 , "hmac_sha256_vector;sae_derive_pwe_ecc" ):
1308 dev
[ 0 ]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" ,
1310 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
1311 dev
[ 0 ]. wait_disconnected ()
1312 with
fail_test ( dev
[ 0 ], 1 , "sae_test_pwd_seed_ecc" ):
1313 dev
[ 0 ]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" ,
1315 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
1316 dev
[ 0 ]. wait_disconnected ()
1318 dev
[ 0 ]. request ( "SET sae_groups 15" )
1319 with
fail_test ( dev
[ 0 ], 1 , "hmac_sha256_vector;sae_derive_pwe_ffc" ):
1320 dev
[ 0 ]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" ,
1322 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
1323 dev
[ 0 ]. wait_disconnected ()
1325 dev
[ 0 ]. request ( "SET sae_groups 15" )
1326 with
fail_test ( dev
[ 0 ], 1 , "sae_test_pwd_seed_ffc" ):
1327 dev
[ 0 ]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" ,
1329 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
1330 dev
[ 0 ]. wait_disconnected ()
1331 with
fail_test ( dev
[ 0 ], 2 , "sae_test_pwd_seed_ffc" ):
1332 dev
[ 0 ]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" ,
1334 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
1335 dev
[ 0 ]. wait_disconnected ()
1338 def test_sae_bignum_failure ( dev
, apdev
):
1339 """SAE and bignum failure"""
1340 check_sae_capab ( dev
[ 0 ])
1341 params
= hostapd
. wpa2_params ( ssid
= "test-sae" , passphrase
= "12345678" )
1342 params
[ 'wpa_key_mgmt' ] = 'SAE'
1343 params
[ 'sae_groups' ] = '19 15 22'
1344 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
1346 dev
[ 0 ]. request ( "SET sae_groups 19" )
1347 tests
= [( 1 , "crypto_bignum_init_set;dragonfly_get_rand_1_to_p_1" ),
1348 ( 1 , "crypto_bignum_init;dragonfly_is_quadratic_residue_blind" ),
1349 ( 1 , "crypto_bignum_mulmod;dragonfly_is_quadratic_residue_blind" ),
1350 ( 2 , "crypto_bignum_mulmod;dragonfly_is_quadratic_residue_blind" ),
1351 ( 3 , "crypto_bignum_mulmod;dragonfly_is_quadratic_residue_blind" ),
1352 ( 1 , "crypto_bignum_legendre;dragonfly_is_quadratic_residue_blind" ),
1353 ( 1 , "crypto_bignum_init_set;sae_test_pwd_seed_ecc" ),
1354 ( 1 , "crypto_ec_point_compute_y_sqr;sae_test_pwd_seed_ecc" ),
1355 ( 1 , "crypto_bignum_to_bin;sae_derive_pwe_ecc" ),
1356 ( 1 , "crypto_ec_point_init;sae_derive_pwe_ecc" ),
1357 ( 1 , "crypto_ec_point_solve_y_coord;sae_derive_pwe_ecc" ),
1358 ( 1 , "crypto_ec_point_init;sae_derive_commit_element_ecc" ),
1359 ( 1 , "crypto_ec_point_mul;sae_derive_commit_element_ecc" ),
1360 ( 1 , "crypto_ec_point_invert;sae_derive_commit_element_ecc" ),
1361 ( 1 , "crypto_bignum_init;=sae_derive_commit" ),
1362 ( 1 , "crypto_ec_point_init;sae_derive_k_ecc" ),
1363 ( 1 , "crypto_ec_point_mul;sae_derive_k_ecc" ),
1364 ( 1 , "crypto_ec_point_add;sae_derive_k_ecc" ),
1365 ( 2 , "crypto_ec_point_mul;sae_derive_k_ecc" ),
1366 ( 1 , "crypto_ec_point_to_bin;sae_derive_k_ecc" ),
1367 ( 1 , "crypto_bignum_legendre;dragonfly_get_random_qr_qnr" ),
1368 ( 1 , "sha256_prf;sae_derive_keys" ),
1369 ( 1 , "crypto_bignum_init;sae_derive_keys" ),
1370 ( 1 , "crypto_bignum_init_set;sae_parse_commit_scalar" ),
1371 ( 1 , "crypto_bignum_to_bin;sae_parse_commit_element_ecc" ),
1372 ( 1 , "crypto_ec_point_from_bin;sae_parse_commit_element_ecc" )]
1373 for count
, func
in tests
:
1374 with
fail_test ( dev
[ 0 ], count
, func
):
1375 hapd
. request ( "NOTE STA failure testing %d : %s " % ( count
, func
))
1376 dev
[ 0 ]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" ,
1377 scan_freq
= "2412" , wait_connect
= False )
1378 wait_fail_trigger ( dev
[ 0 ], "GET_FAIL" , timeout
= 0.1 )
1379 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
1380 dev
[ 0 ]. dump_monitor ()
1383 dev
[ 0 ]. request ( "SET sae_groups 15" )
1384 tests
= [( 1 , "crypto_bignum_init_set;sae_set_group" ),
1385 ( 2 , "crypto_bignum_init_set;sae_set_group" ),
1386 ( 1 , "crypto_bignum_init;sae_derive_commit" ),
1387 ( 2 , "crypto_bignum_init;sae_derive_commit" ),
1388 ( 1 , "crypto_bignum_init_set;sae_test_pwd_seed_ffc" ),
1389 ( 1 , "crypto_bignum_exptmod;sae_test_pwd_seed_ffc" ),
1390 ( 1 , "crypto_bignum_init;sae_derive_pwe_ffc" ),
1391 ( 1 , "crypto_bignum_init;sae_derive_commit_element_ffc" ),
1392 ( 1 , "crypto_bignum_exptmod;sae_derive_commit_element_ffc" ),
1393 ( 1 , "crypto_bignum_inverse;sae_derive_commit_element_ffc" ),
1394 ( 1 , "crypto_bignum_init;sae_derive_k_ffc" ),
1395 ( 1 , "crypto_bignum_exptmod;sae_derive_k_ffc" ),
1396 ( 1 , "crypto_bignum_mulmod;sae_derive_k_ffc" ),
1397 ( 2 , "crypto_bignum_exptmod;sae_derive_k_ffc" ),
1398 ( 1 , "crypto_bignum_to_bin;sae_derive_k_ffc" ),
1399 ( 1 , "crypto_bignum_init_set;sae_parse_commit_element_ffc" ),
1400 ( 1 , "crypto_bignum_init;sae_parse_commit_element_ffc" ),
1401 ( 2 , "crypto_bignum_init_set;sae_parse_commit_element_ffc" ),
1402 ( 1 , "crypto_bignum_exptmod;sae_parse_commit_element_ffc" )]
1403 for count
, func
in tests
:
1404 with
fail_test ( dev
[ 0 ], count
, func
):
1405 hapd
. request ( "NOTE STA failure testing %d : %s " % ( count
, func
))
1406 dev
[ 0 ]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" ,
1407 scan_freq
= "2412" , wait_connect
= False )
1408 wait_fail_trigger ( dev
[ 0 ], "GET_FAIL" , timeout
= 0.1 )
1409 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
1410 dev
[ 0 ]. dump_monitor ()
1413 def test_sae_bignum_failure_unsafe_group ( dev
, apdev
):
1414 """SAE and bignum failure unsafe group"""
1415 check_sae_capab ( dev
[ 0 ])
1416 params
= hostapd
. wpa2_params ( ssid
= "test-sae" , passphrase
= "12345678" )
1417 params
[ 'wpa_key_mgmt' ] = 'SAE'
1418 params
[ 'sae_groups' ] = '22'
1419 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
1421 dev
[ 0 ]. request ( "SET sae_groups 22" )
1422 tests
= [( 1 , "crypto_bignum_init_set;sae_test_pwd_seed_ffc" ),
1423 ( 1 , "crypto_bignum_sub;sae_test_pwd_seed_ffc" ),
1424 ( 1 , "crypto_bignum_div;sae_test_pwd_seed_ffc" )]
1425 for count
, func
in tests
:
1426 with
fail_test ( dev
[ 0 ], count
, func
):
1427 hapd
. request ( "NOTE STA failure testing %d : %s " % ( count
, func
))
1428 dev
[ 0 ]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" ,
1429 scan_freq
= "2412" , wait_connect
= False )
1430 wait_fail_trigger ( dev
[ 0 ], "GET_FAIL" )
1431 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
1432 dev
[ 0 ]. dump_monitor ()
1435 def test_sae_invalid_anti_clogging_token_req ( dev
, apdev
):
1436 """SAE and invalid anti-clogging token request"""
1437 check_sae_capab ( dev
[ 0 ])
1438 params
= hostapd
. wpa2_params ( ssid
= "test-sae" , passphrase
= "12345678" )
1439 params
[ 'wpa_key_mgmt' ] = 'SAE'
1440 # Beacon more frequently since Probe Request frames are practically ignored
1441 # in this test setup (ext_mgmt_frame_handled=1 on hostapd side) and
1442 # wpa_supplicant scans may end up getting ignored if no new results are
1443 # available due to the missing Probe Response frames.
1444 params
[ 'beacon_int' ] = '20'
1445 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
1446 bssid
= apdev
[ 0 ][ 'bssid' ]
1448 dev
[ 0 ]. request ( "SET sae_groups 19" )
1449 dev
[ 0 ]. scan_for_bss ( bssid
, freq
= 2412 )
1450 hapd
. set ( "ext_mgmt_frame_handling" , "1" )
1451 dev
[ 0 ]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" ,
1452 scan_freq
= "2412" , wait_connect
= False )
1453 ev
= dev
[ 0 ]. wait_event ([ "SME: Trying to authenticate" ])
1455 raise Exception ( "No authentication attempt seen (1)" )
1456 dev
[ 0 ]. dump_monitor ()
1458 for i
in range ( 0 , 10 ):
1459 req
= hapd
. mgmt_rx ()
1461 raise Exception ( "MGMT RX wait timed out (commit)" )
1462 if req
[ 'subtype' ] == 11 :
1466 raise Exception ( "Authentication frame (commit) not received" )
1470 resp
[ 'fc' ] = req
[ 'fc' ]
1471 resp
[ 'da' ] = req
[ 'sa' ]
1472 resp
[ 'sa' ] = req
[ 'da' ]
1473 resp
[ 'bssid' ] = req
[ 'bssid' ]
1474 resp
[ 'payload' ] = binascii
. unhexlify ( "030001004c0013" )
1476 ev
= hapd
. wait_event ([ "MGMT-TX-STATUS" ], timeout
= 5 )
1478 raise Exception ( "Management frame TX status not reported (1)" )
1479 if "stype=11 ok=1" not in ev
:
1480 raise Exception ( "Unexpected management frame TX status (1): " + ev
)
1482 ev
= dev
[ 0 ]. wait_event ([ "SME: Trying to authenticate" ])
1484 raise Exception ( "No authentication attempt seen (2)" )
1485 dev
[ 0 ]. dump_monitor ()
1487 for i
in range ( 0 , 10 ):
1488 req
= hapd
. mgmt_rx ()
1490 raise Exception ( "MGMT RX wait timed out (commit) (2)" )
1491 if req
[ 'subtype' ] == 11 :
1495 raise Exception ( "Authentication frame (commit) not received (2)" )
1499 resp
[ 'fc' ] = req
[ 'fc' ]
1500 resp
[ 'da' ] = req
[ 'sa' ]
1501 resp
[ 'sa' ] = req
[ 'da' ]
1502 resp
[ 'bssid' ] = req
[ 'bssid' ]
1503 resp
[ 'payload' ] = binascii
. unhexlify ( "030001000100" )
1505 ev
= hapd
. wait_event ([ "MGMT-TX-STATUS" ], timeout
= 5 )
1507 raise Exception ( "Management frame TX status not reported (1)" )
1508 if "stype=11 ok=1" not in ev
:
1509 raise Exception ( "Unexpected management frame TX status (1): " + ev
)
1511 ev
= dev
[ 0 ]. wait_event ([ "SME: Trying to authenticate" ])
1513 raise Exception ( "No authentication attempt seen (3)" )
1514 dev
[ 0 ]. dump_monitor ()
1516 dev
[ 0 ]. request ( "DISCONNECT" )
1518 def test_sae_password ( dev
, apdev
):
1519 """SAE and sae_password in hostapd configuration"""
1520 check_sae_capab ( dev
[ 0 ])
1521 params
= hostapd
. wpa2_params ( ssid
= "test-sae" ,
1522 passphrase
= "12345678" )
1523 params
[ 'wpa_key_mgmt' ] = 'SAE WPA-PSK'
1524 params
[ 'sae_password' ] = "sae-password"
1525 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
1527 dev
[ 0 ]. request ( "SET sae_groups " )
1528 dev
[ 0 ]. connect ( "test-sae" , psk
= "sae-password" , key_mgmt
= "SAE" ,
1530 dev
[ 1 ]. connect ( "test-sae" , psk
= "12345678" , scan_freq
= "2412" )
1531 dev
[ 2 ]. request ( "SET sae_groups " )
1532 dev
[ 2 ]. connect ( "test-sae" , sae_password
= "sae-password" , key_mgmt
= "SAE" ,
1535 def test_sae_password_short ( dev
, apdev
):
1536 """SAE and short password"""
1537 check_sae_capab ( dev
[ 0 ])
1538 params
= hostapd
. wpa2_params ( ssid
= "test-sae" )
1539 params
[ 'wpa_key_mgmt' ] = 'SAE'
1540 params
[ 'sae_password' ] = "secret"
1541 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
1543 dev
[ 0 ]. request ( "SET sae_groups " )
1544 dev
[ 0 ]. connect ( "test-sae" , sae_password
= "secret" , key_mgmt
= "SAE" ,
1547 def test_sae_password_long ( dev
, apdev
):
1548 """SAE and long password"""
1549 check_sae_capab ( dev
[ 0 ])
1550 params
= hostapd
. wpa2_params ( ssid
= "test-sae" )
1551 params
[ 'wpa_key_mgmt' ] = 'SAE'
1552 params
[ 'sae_password' ] = 100 * "A"
1553 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
1555 dev
[ 0 ]. request ( "SET sae_groups " )
1556 dev
[ 0 ]. connect ( "test-sae" , sae_password
= 100 * "A" , key_mgmt
= "SAE" ,
1559 def test_sae_connect_cmd ( dev
, apdev
):
1560 """SAE with connect command"""
1561 wpas
= WpaSupplicant ( global_iface
= '/tmp/wpas-wlan5' )
1562 wpas
. interface_add ( "wlan5" , drv_params
= "force_connect_cmd=1" )
1563 check_sae_capab ( wpas
)
1564 params
= hostapd
. wpa2_params ( ssid
= "test-sae" , passphrase
= "12345678" )
1565 params
[ 'wpa_key_mgmt' ] = 'SAE'
1566 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
1568 wpas
. request ( "SET sae_groups " )
1569 wpas
. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" ,
1570 scan_freq
= "2412" , wait_connect
= False )
1571 # mac80211_hwsim does not support SAE offload, so accept both a successful
1572 # connection and association rejection.
1573 ev
= wpas
. wait_event ([ "CTRL-EVENT-CONNECTED" , "CTRL-EVENT-ASSOC-REJECT" ,
1574 "Association request to the driver failed" ],
1577 raise Exception ( "No connection result reported" )
1579 def run_sae_password_id ( dev
, apdev
, groups
= None ):
1580 check_sae_capab ( dev
[ 0 ])
1581 params
= hostapd
. wpa2_params ( ssid
= "test-sae" )
1582 params
[ 'wpa_key_mgmt' ] = 'SAE'
1584 params
[ 'sae_groups' ] = groups
1587 params
[ 'sae_password' ] = [ 'secret|mac=ff:ff:ff:ff:ff:ff|id=pw id' ,
1588 'foo|mac=02:02:02:02:02:02' ,
1589 'another secret|mac=ff:ff:ff:ff:ff:ff|id=' + 29 * 'A' ]
1590 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
1592 dev
[ 0 ]. request ( "SET sae_groups " + groups
)
1593 dev
[ 0 ]. connect ( "test-sae" , sae_password
= "secret" , sae_password_id
= "pw id" ,
1594 key_mgmt
= "SAE" , scan_freq
= "2412" )
1595 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
1596 dev
[ 0 ]. wait_disconnected ()
1598 # SAE Password Identifier element with the exact same length as the
1599 # optional Anti-Clogging Token field
1600 dev
[ 0 ]. connect ( "test-sae" , sae_password
= "another secret" ,
1601 sae_password_id
= 29 * 'A' ,
1602 key_mgmt
= "SAE" , scan_freq
= "2412" )
1603 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
1604 dev
[ 0 ]. wait_disconnected ()
1606 dev
[ 0 ]. connect ( "test-sae" , sae_password
= "secret" , sae_password_id
= "unknown" ,
1607 key_mgmt
= "SAE" , scan_freq
= "2412" , wait_connect
= False )
1609 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-SAE-UNKNOWN-PASSWORD-IDENTIFIER" ],
1612 raise Exception ( "Unknown password identifier not reported" )
1613 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
1615 def test_sae_password_id ( dev
, apdev
):
1616 """SAE and password identifier"""
1617 run_sae_password_id ( dev
, apdev
, "" )
1619 def test_sae_password_id_ecc ( dev
, apdev
):
1620 """SAE and password identifier (ECC)"""
1621 run_sae_password_id ( dev
, apdev
, "19" )
1623 def test_sae_password_id_ffc ( dev
, apdev
):
1624 """SAE and password identifier (FFC)"""
1625 run_sae_password_id ( dev
, apdev
, "15" )
1627 def test_sae_password_id_only ( dev
, apdev
):
1628 """SAE and password identifier (exclusively)"""
1629 check_sae_capab ( dev
[ 0 ])
1630 params
= hostapd
. wpa2_params ( ssid
= "test-sae" )
1631 params
[ 'wpa_key_mgmt' ] = 'SAE'
1632 params
[ 'sae_password' ] = 'secret|id=pw id'
1633 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
1635 dev
[ 0 ]. request ( "SET sae_groups " )
1636 dev
[ 0 ]. connect ( "test-sae" , sae_password
= "secret" , sae_password_id
= "pw id" ,
1637 key_mgmt
= "SAE" , scan_freq
= "2412" )
1639 def test_sae_forced_anti_clogging_pw_id ( dev
, apdev
):
1640 """SAE anti clogging (forced and Password Identifier)"""
1641 check_sae_capab ( dev
[ 0 ])
1642 params
= hostapd
. wpa2_params ( ssid
= "test-sae" )
1643 params
[ 'wpa_key_mgmt' ] = 'SAE'
1644 params
[ 'sae_anti_clogging_threshold' ] = '0'
1645 params
[ 'sae_password' ] = 'secret|id=' + 29 * 'A'
1646 hostapd
. add_ap ( apdev
[ 0 ], params
)
1647 for i
in range ( 0 , 2 ):
1648 dev
[ i
]. request ( "SET sae_groups " )
1649 dev
[ i
]. connect ( "test-sae" , sae_password
= "secret" ,
1650 sae_password_id
= 29 * 'A' , key_mgmt
= "SAE" , scan_freq
= "2412" )
1652 def test_sae_reauth ( dev
, apdev
):
1653 """SAE reauthentication"""
1654 check_sae_capab ( dev
[ 0 ])
1655 params
= hostapd
. wpa2_params ( ssid
= "test-sae" ,
1656 passphrase
= "12345678" )
1657 params
[ 'wpa_key_mgmt' ] = 'SAE'
1658 params
[ "ieee80211w" ] = "2"
1659 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
1661 dev
[ 0 ]. request ( "SET sae_groups " )
1662 id = dev
[ 0 ]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" ,
1663 ieee80211w
= "2" , scan_freq
= "2412" )
1665 hapd
. set ( "ext_mgmt_frame_handling" , "1" )
1666 dev
[ 0 ]. request ( "DISCONNECT" )
1667 dev
[ 0 ]. wait_disconnected ( timeout
= 10 )
1668 hapd
. set ( "ext_mgmt_frame_handling" , "0" )
1669 dev
[ 0 ]. request ( "PMKSA_FLUSH" )
1670 dev
[ 0 ]. request ( "REASSOCIATE" )
1671 dev
[ 0 ]. wait_connected ( timeout
= 10 , error
= "Timeout on re-connection" )
1673 def test_sae_anti_clogging_during_attack ( dev
, apdev
):
1674 """SAE anti clogging during an attack"""
1676 run_sae_anti_clogging_during_attack ( dev
, apdev
)
1678 stop_monitor ( apdev
[ 1 ][ "ifname" ])
1680 def build_sae_commit ( bssid
, addr
, group
= 21 , token
= None ):
1682 scalar
= binascii
. unhexlify ( "7332d3ebff24804005ccd8c56141e3ed8d84f40638aa31cd2fac11d4d2e89e7b" )
1683 element
= binascii
. unhexlify ( "954d0f4457066bff3168376a1d7174f4e66620d1792406f613055b98513a7f03a538c13dfbaf2029e2adc6aa96aa0ddcf08ac44887b02f004b7f29b9dbf4b7d9" )
1685 scalar
= binascii
. unhexlify ( "001eec673111b902f5c8a61c8cb4c1c4793031aeea8c8c319410903bc64bcbaea134ab01c4e016d51436f5b5426f7e2af635759a3033fb4031ea79f89a62a3e2f828" )
1686 element
= binascii
. unhexlify ( "00580eb4b448ea600ea277d5e66e4ed37db82bb04ac90442e9c3727489f366ba4b82f0a472d02caf4cdd142e96baea5915d71374660ee23acbaca38cf3fe8c5fb94b01abbc5278121635d7c06911c5dad8f18d516e1fbe296c179b7c87a1dddfab393337d3d215ed333dd396da6d8f20f798c60d054f1093c24d9c2d98e15c030cc375f0" )
1688 frame
= binascii
. unhexlify ( "b0003a01" )
1689 frame
+= bssid
+ addr
+ bssid
1690 frame
+= binascii
. unhexlify ( "1000" )
1694 frame
+= struct
. pack ( "<HHHH" , auth_alg
, transact
, status
, group
)
1697 frame
+= scalar
+ element
1700 def sae_rx_commit_token_req ( sock
, radiotap
, send_two
= False ):
1701 msg
= sock
. recv ( 1500 )
1702 ver
, pad
, len , present
= struct
. unpack ( '<BBHL' , msg
[ 0 : 8 ])
1704 fc
, duration
= struct
. unpack ( '<HH' , frame
[ 0 : 4 ])
1712 bssid
= frame
[ 12 : 18 ]
1715 alg
, seq
, status
, group
= struct
. unpack ( '<HHHH' , body
[ 0 : 8 ])
1716 if alg
!= 3 or seq
!= 1 or status
!= 76 :
1720 frame
= build_sae_commit ( bssid
, da
, token
= token
)
1721 sock
. send ( radiotap
+ frame
)
1723 sock
. send ( radiotap
+ frame
)
1726 def run_sae_anti_clogging_during_attack ( dev
, apdev
):
1727 check_sae_capab ( dev
[ 0 ])
1728 params
= hostapd
. wpa2_params ( ssid
= "test-sae" , passphrase
= "12345678" )
1729 params
[ 'wpa_key_mgmt' ] = 'SAE'
1730 params
[ 'sae_groups' ] = '21'
1731 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
1733 dev
[ 0 ]. scan_for_bss ( hapd
. own_addr (), freq
= 2412 )
1734 dev
[ 0 ]. request ( "SET sae_groups 21" )
1735 dev
[ 1 ]. scan_for_bss ( hapd
. own_addr (), freq
= 2412 )
1736 dev
[ 1 ]. request ( "SET sae_groups 21" )
1738 sock
= start_monitor ( apdev
[ 1 ][ "ifname" ])
1739 radiotap
= radiotap_build ()
1741 bssid
= binascii
. unhexlify ( hapd
. own_addr (). replace ( ':' , '' ))
1743 addr
= binascii
. unhexlify ( "f2 %0 10x" % i
)
1744 frame
= build_sae_commit ( bssid
, addr
)
1745 sock
. send ( radiotap
+ frame
)
1746 sock
. send ( radiotap
+ frame
)
1749 for i
in range ( 150 ):
1750 if sae_rx_commit_token_req ( sock
, radiotap
, send_two
= True ):
1752 logger
. info ( "Number of token responses sent: %d " % count
)
1754 raise Exception ( "Too few token responses seen: %d " % count
)
1757 addr
= binascii
. unhexlify ( "f201 %0 8x" % i
)
1758 frame
= build_sae_commit ( bssid
, addr
)
1759 sock
. send ( radiotap
+ frame
)
1762 for i
in range ( 150 ):
1763 if sae_rx_commit_token_req ( sock
, radiotap
):
1768 raise Exception ( "Too few token responses in second round: %d " % count
)
1770 dev
[ 0 ]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" ,
1771 scan_freq
= "2412" , wait_connect
= False )
1772 dev
[ 1 ]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" ,
1773 scan_freq
= "2412" , wait_connect
= False )
1778 for i
in range ( 1000 ):
1779 if sae_rx_commit_token_req ( sock
, radiotap
):
1781 addr
= binascii
. unhexlify ( "f202 %0 8x" % i
)
1782 frame
= build_sae_commit ( bssid
, addr
)
1783 sock
. send ( radiotap
+ frame
)
1784 while dev
[ 0 ]. mon
. pending ():
1785 ev
= dev
[ 0 ]. mon
. recv ()
1786 logger
. debug ( "EV0: " + ev
)
1787 if "CTRL-EVENT-CONNECTED" in ev
:
1789 while dev
[ 1 ]. mon
. pending ():
1790 ev
= dev
[ 1 ]. mon
. recv ()
1791 logger
. debug ( "EV1: " + ev
)
1792 if "CTRL-EVENT-CONNECTED" in ev
:
1794 if connected0
and connected1
:
1796 time
. sleep ( 0.00000001 )
1798 raise Exception ( "Real station(0) did not get connected" )
1800 raise Exception ( "Real station(1) did not get connected" )
1802 raise Exception ( "Too few token responses in third round: %d " % count
)
1804 def test_sae_sync ( dev
, apdev
):
1805 """SAE dot11RSNASAESync"""
1806 check_sae_capab ( dev
[ 0 ])
1807 params
= hostapd
. wpa2_params ( ssid
= "test-sae" , passphrase
= "12345678" )
1808 params
[ 'wpa_key_mgmt' ] = 'SAE'
1809 params
[ 'sae_sync' ] = '1'
1810 hostapd
. add_ap ( apdev
[ 0 ], params
)
1812 # TODO: More complete dot11RSNASAESync testing. For now, this is really only
1813 # checking that sae_sync config parameter is accepted.
1814 dev
[ 0 ]. request ( "SET sae_groups " )
1815 dev
[ 1 ]. request ( "SET sae_groups " )
1817 for i
in range ( 0 , 2 ):
1818 dev
[ i
]. scan ( freq
= "2412" )
1819 id [ i
] = dev
[ i
]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" ,
1820 scan_freq
= "2412" , only_add_network
= True )
1821 for i
in range ( 0 , 2 ):
1822 dev
[ i
]. select_network ( id [ i
])
1823 for i
in range ( 0 , 2 ):
1824 dev
[ i
]. wait_connected ( timeout
= 10 )
1826 def test_sae_confirm_immediate ( dev
, apdev
):
1827 """SAE and AP sending Confirm message without waiting STA"""
1828 check_sae_capab ( dev
[ 0 ])
1829 params
= hostapd
. wpa2_params ( ssid
= "test-sae" , passphrase
= "12345678" )
1830 params
[ 'wpa_key_mgmt' ] = 'SAE'
1831 params
[ 'sae_confirm_immediate' ] = '1'
1832 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
1834 dev
[ 0 ]. request ( "SET sae_groups " )
1835 dev
[ 0 ]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" , scan_freq
= "2412" )
1837 def test_sae_confirm_immediate2 ( dev
, apdev
):
1838 """SAE and AP sending Confirm message without waiting STA (2)"""
1839 check_sae_capab ( dev
[ 0 ])
1840 params
= hostapd
. wpa2_params ( ssid
= "test-sae" , passphrase
= "12345678" )
1841 params
[ 'wpa_key_mgmt' ] = 'SAE'
1842 params
[ 'sae_confirm_immediate' ] = '2'
1843 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
1845 dev
[ 0 ]. request ( "SET sae_groups " )
1846 dev
[ 0 ]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" , scan_freq
= "2412" )
1848 def test_sae_pwe_group_19 ( dev
, apdev
):
1849 """SAE PWE derivation options with group 19"""
1850 run_sae_pwe_group ( dev
, apdev
, 19 )
1852 def test_sae_pwe_group_20 ( dev
, apdev
):
1853 """SAE PWE derivation options with group 20"""
1854 run_sae_pwe_group ( dev
, apdev
, 20 )
1856 def test_sae_pwe_group_21 ( dev
, apdev
):
1857 """SAE PWE derivation options with group 21"""
1858 run_sae_pwe_group ( dev
, apdev
, 21 )
1860 def test_sae_pwe_group_25 ( dev
, apdev
):
1861 """SAE PWE derivation options with group 25"""
1862 run_sae_pwe_group ( dev
, apdev
, 25 )
1864 def test_sae_pwe_group_28 ( dev
, apdev
):
1865 """SAE PWE derivation options with group 28"""
1866 run_sae_pwe_group ( dev
, apdev
, 28 )
1868 def test_sae_pwe_group_29 ( dev
, apdev
):
1869 """SAE PWE derivation options with group 29"""
1870 run_sae_pwe_group ( dev
, apdev
, 29 )
1872 def test_sae_pwe_group_30 ( dev
, apdev
):
1873 """SAE PWE derivation options with group 30"""
1874 run_sae_pwe_group ( dev
, apdev
, 30 )
1876 def test_sae_pwe_group_1 ( dev
, apdev
):
1877 """SAE PWE derivation options with group 1"""
1878 run_sae_pwe_group ( dev
, apdev
, 1 )
1880 def test_sae_pwe_group_2 ( dev
, apdev
):
1881 """SAE PWE derivation options with group 2"""
1882 run_sae_pwe_group ( dev
, apdev
, 2 )
1884 def test_sae_pwe_group_5 ( dev
, apdev
):
1885 """SAE PWE derivation options with group 5"""
1886 run_sae_pwe_group ( dev
, apdev
, 5 )
1888 def test_sae_pwe_group_14 ( dev
, apdev
):
1889 """SAE PWE derivation options with group 14"""
1890 run_sae_pwe_group ( dev
, apdev
, 14 )
1892 def test_sae_pwe_group_15 ( dev
, apdev
):
1893 """SAE PWE derivation options with group 15"""
1894 run_sae_pwe_group ( dev
, apdev
, 15 )
1896 def test_sae_pwe_group_16 ( dev
, apdev
):
1897 """SAE PWE derivation options with group 16"""
1898 run_sae_pwe_group ( dev
, apdev
, 16 )
1900 def test_sae_pwe_group_22 ( dev
, apdev
):
1901 """SAE PWE derivation options with group 22"""
1902 run_sae_pwe_group ( dev
, apdev
, 22 )
1904 def test_sae_pwe_group_23 ( dev
, apdev
):
1905 """SAE PWE derivation options with group 23"""
1906 run_sae_pwe_group ( dev
, apdev
, 23 )
1908 def test_sae_pwe_group_24 ( dev
, apdev
):
1909 """SAE PWE derivation options with group 24"""
1910 run_sae_pwe_group ( dev
, apdev
, 24 )
1912 def start_sae_pwe_ap ( apdev
, group
, sae_pwe
):
1913 params
= hostapd
. wpa2_params ( ssid
= "sae-pwe" , passphrase
= "12345678" )
1914 params
[ 'wpa_key_mgmt' ] = 'SAE'
1915 params
[ 'sae_groups' ] = str ( group
)
1916 params
[ 'sae_pwe' ] = str ( sae_pwe
)
1917 return hostapd
. add_ap ( apdev
, params
)
1919 def run_sae_pwe_group ( dev
, apdev
, group
):
1920 check_sae_capab ( dev
[ 0 ])
1921 tls
= dev
[ 0 ]. request ( "GET tls_library" )
1922 if group
in [ 27 , 28 , 29 , 30 ]:
1923 if tls
. startswith ( "OpenSSL" ) and "run=OpenSSL 1." in tls
:
1924 logger
. info ( "Add Brainpool EC groups since OpenSSL is new enough" )
1926 raise HwsimSkip ( "Brainpool curve not supported" )
1927 start_sae_pwe_ap ( apdev
[ 0 ], group
, 2 )
1929 check_sae_pwe_group ( dev
[ 0 ], group
, 0 )
1930 check_sae_pwe_group ( dev
[ 0 ], group
, 1 )
1931 check_sae_pwe_group ( dev
[ 0 ], group
, 2 )
1933 dev
[ 0 ]. set ( "sae_groups" , "" )
1934 dev
[ 0 ]. set ( "sae_pwe" , "0" )
1936 def check_sae_pwe_group ( dev
, group
, sae_pwe
):
1937 dev
. set ( "sae_groups" , str ( group
))
1938 dev
. set ( "sae_pwe" , str ( sae_pwe
))
1939 dev
. connect ( "sae-pwe" , psk
= "12345678" , key_mgmt
= "SAE" , scan_freq
= "2412" )
1940 dev
. request ( "REMOVE_NETWORK all" )
1941 dev
. wait_disconnected ()
1944 def test_sae_pwe_h2e_only_ap ( dev
, apdev
):
1945 """SAE PWE derivation with H2E-only AP"""
1946 check_sae_capab ( dev
[ 0 ])
1947 start_sae_pwe_ap ( apdev
[ 0 ], 19 , 1 )
1949 check_sae_pwe_group ( dev
[ 0 ], 19 , 1 )
1950 check_sae_pwe_group ( dev
[ 0 ], 19 , 2 )
1952 dev
[ 0 ]. set ( "sae_groups" , "" )
1953 dev
[ 0 ]. set ( "sae_pwe" , "0" )
1955 dev
[ 0 ]. connect ( "sae-pwe" , psk
= "12345678" , key_mgmt
= "SAE" , scan_freq
= "2412" ,
1957 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-NETWORK-NOT-FOUND" ], timeout
= 10 )
1959 raise Exception ( "No indication of mismatching network seen" )
1961 def test_sae_pwe_h2e_only_ap_sta_forcing_loop ( dev
, apdev
):
1962 """SAE PWE derivation with H2E-only AP and STA forcing loop"""
1963 check_sae_capab ( dev
[ 0 ])
1964 start_sae_pwe_ap ( apdev
[ 0 ], 19 , 1 )
1965 dev
[ 0 ]. set ( "ignore_sae_h2e_only" , "1" )
1966 dev
[ 0 ]. connect ( "sae-pwe" , psk
= "12345678" , key_mgmt
= "SAE" , scan_freq
= "2412" ,
1968 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-SSID-TEMP-DISABLED" ], timeout
= 10 )
1969 dev
[ 0 ]. request ( "DISCONNECT" )
1971 raise Exception ( "No indication of temporary disabled network seen" )
1973 def test_sae_pwe_loop_only_ap ( dev
, apdev
):
1974 """SAE PWE derivation with loop-only AP"""
1975 check_sae_capab ( dev
[ 0 ])
1976 start_sae_pwe_ap ( apdev
[ 0 ], 19 , 0 )
1978 check_sae_pwe_group ( dev
[ 0 ], 19 , 0 )
1979 check_sae_pwe_group ( dev
[ 0 ], 19 , 2 )
1980 dev
[ 0 ]. set ( "sae_pwe" , "1" )
1981 dev
[ 0 ]. connect ( "sae-pwe" , psk
= "12345678" , key_mgmt
= "SAE" ,
1982 scan_freq
= "2412" , wait_connect
= False )
1983 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-NETWORK-NOT-FOUND" ], timeout
= 10 )
1985 raise Exception ( "No indication of mismatching network seen" )
1987 dev
[ 0 ]. set ( "sae_groups" , "" )
1988 dev
[ 0 ]. set ( "sae_pwe" , "0" )
1990 def test_sae_h2e_rejected_groups ( dev
, apdev
):
1991 """SAE H2E and rejected groups indication"""
1992 check_sae_capab ( dev
[ 0 ])
1993 params
= hostapd
. wpa2_params ( ssid
= "sae-pwe" , passphrase
= "12345678" )
1994 params
[ 'wpa_key_mgmt' ] = 'SAE'
1995 params
[ 'sae_groups' ] = "19"
1996 params
[ 'sae_pwe' ] = "1"
1997 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
1999 dev
[ 0 ]. set ( "sae_groups" , "21 20 19" )
2000 dev
[ 0 ]. set ( "sae_pwe" , "1" )
2001 dev
[ 0 ]. connect ( "sae-pwe" , psk
= "12345678" , key_mgmt
= "SAE" ,
2003 addr
= dev
[ 0 ]. own_addr ()
2005 sta
= hapd
. get_sta ( addr
)
2006 if 'sae_rejected_groups' not in sta
:
2007 raise Exception ( "No sae_rejected_groups" )
2008 val
= sta
[ 'sae_rejected_groups' ]
2010 raise Exception ( "Unexpected sae_rejected_groups value: " + val
)
2012 dev
[ 0 ]. set ( "sae_groups" , "" )
2013 dev
[ 0 ]. set ( "sae_pwe" , "0" )
2015 def test_sae_h2e_rejected_groups_unexpected ( dev
, apdev
):
2016 """SAE H2E and rejected groups indication (unexpected group)"""
2017 check_sae_capab ( dev
[ 0 ])
2018 params
= hostapd
. wpa2_params ( ssid
= "sae-pwe" , passphrase
= "12345678" )
2019 params
[ 'wpa_key_mgmt' ] = 'SAE'
2020 params
[ 'sae_groups' ] = "19 20"
2021 params
[ 'sae_pwe' ] = "1"
2022 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
2024 dev
[ 0 ]. set ( "sae_groups" , "21 19" )
2025 dev
[ 0 ]. set ( "extra_sae_rejected_groups" , "19" )
2026 dev
[ 0 ]. set ( "sae_pwe" , "1" )
2027 dev
[ 0 ]. connect ( "sae-pwe" , psk
= "12345678" , key_mgmt
= "SAE" ,
2028 scan_freq
= "2412" , wait_connect
= False )
2029 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-CONNECTED" ,
2030 "CTRL-EVENT-SSID-TEMP-DISABLED" ], timeout
= 10 )
2031 dev
[ 0 ]. request ( "DISCONNECT" )
2033 raise Exception ( "No indication of temporary disabled network seen" )
2034 if "CTRL-EVENT-CONNECTED" in ev
:
2035 raise Exception ( "Unexpected connection" )
2037 dev
[ 0 ]. set ( "sae_groups" , "" )
2038 dev
[ 0 ]. set ( "sae_pwe" , "0" )
2040 def test_sae_h2e_password_id ( dev
, apdev
):
2041 """SAE H2E and password identifier"""
2042 check_sae_capab ( dev
[ 0 ])
2043 params
= hostapd
. wpa2_params ( ssid
= "test-sae" )
2044 params
[ 'wpa_key_mgmt' ] = 'SAE'
2045 params
[ 'sae_pwe' ] = '1'
2046 params
[ 'sae_password' ] = 'secret|id=pw id'
2047 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
2050 dev
[ 0 ]. request ( "SET sae_groups " )
2051 dev
[ 0 ]. set ( "sae_pwe" , "1" )
2052 dev
[ 0 ]. connect ( "test-sae" , sae_password
= "secret" ,
2053 sae_password_id
= "pw id" ,
2054 key_mgmt
= "SAE" , scan_freq
= "2412" )
2056 dev
[ 0 ]. set ( "sae_groups" , "" )
2057 dev
[ 0 ]. set ( "sae_pwe" , "0" )
2059 def test_sae_pwe_in_psk_ap ( dev
, apdev
):
2060 """sae_pwe parameter in PSK-only-AP"""
2061 params
= hostapd
. wpa2_params ( ssid
= "test-psk" , passphrase
= "12345678" )
2062 params
[ 'sae_pwe' ] = '1'
2063 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
2065 dev
[ 0 ]. connect ( "test-psk" , psk
= "12345678" , scan_freq
= "2412" )
2067 def test_sae_auth_restart ( dev
, apdev
):
2068 """SAE and authentication restarts with H2E/looping"""
2069 check_sae_capab ( dev
[ 0 ])
2070 params
= hostapd
. wpa2_params ( ssid
= "test-sae" )
2071 params
[ 'wpa_key_mgmt' ] = 'SAE'
2072 params
[ 'sae_pwe' ] = '2'
2073 params
[ 'sae_password' ] = 'secret|id=pw id'
2074 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
2077 dev
[ 0 ]. request ( "SET sae_groups " )
2078 for pwe
in [ 1 , 0 , 1 ]:
2079 dev
[ 0 ]. set ( "sae_pwe" , str ( pwe
))
2080 dev
[ 0 ]. connect ( "test-sae" , sae_password
= "secret" ,
2081 sae_password_id
= "pw id" ,
2082 key_mgmt
= "SAE" , scan_freq
= "2412" )
2083 # Disconnect without hostapd removing the STA entry so that the
2084 # following SAE authentication instance starts with an existing
2085 # STA entry that has maintained some SAE state.
2086 hapd
. set ( "ext_mgmt_frame_handling" , "1" )
2087 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
2088 req
= hapd
. mgmt_rx ()
2089 dev
[ 0 ]. wait_disconnected ()
2090 dev
[ 0 ]. dump_monitor ()
2091 hapd
. set ( "ext_mgmt_frame_handling" , "0" )
2093 dev
[ 0 ]. set ( "sae_groups" , "" )
2094 dev
[ 0 ]. set ( "sae_pwe" , "0" )
2096 def test_sae_h2e_rsnxe_mismatch ( dev
, apdev
):
2097 """SAE H2E and RSNXE mismatch in EAPOL-Key msg 2/4"""
2098 check_sae_capab ( dev
[ 0 ])
2099 params
= hostapd
. wpa2_params ( ssid
= "sae-pwe" , passphrase
= "12345678" )
2100 params
[ 'wpa_key_mgmt' ] = 'SAE'
2101 params
[ 'sae_pwe' ] = "1"
2102 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
2104 dev
[ 0 ]. set ( "sae_groups" , "19" )
2105 dev
[ 0 ]. set ( "sae_pwe" , "1" )
2106 for rsnxe
in [ "F40100" , "F400" , "" ]:
2107 dev
[ 0 ]. set ( "rsnxe_override_eapol" , rsnxe
)
2108 dev
[ 0 ]. connect ( "sae-pwe" , psk
= "12345678" , key_mgmt
= "SAE" ,
2109 scan_freq
= "2412" , wait_connect
= False )
2110 ev
= dev
[ 0 ]. wait_event ([ "Associated with" ], timeout
= 10 )
2112 raise Exception ( "No indication of association seen" )
2113 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-CONNECTED" ,
2114 "CTRL-EVENT-DISCONNECTED" ], timeout
= 5 )
2115 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
2117 raise Exception ( "No disconnection seen" )
2118 if "CTRL-EVENT-DISCONNECTED" not in ev
:
2119 raise Exception ( "Unexpected connection" )
2120 dev
[ 0 ]. dump_monitor ()
2122 dev
[ 0 ]. set ( "sae_groups" , "" )
2123 dev
[ 0 ]. set ( "sae_pwe" , "0" )
2125 def test_sae_h2e_rsnxe_mismatch_retries ( dev
, apdev
):
2126 """SAE H2E and RSNXE mismatch in EAPOL-Key msg 2/4 retries"""
2127 check_sae_capab ( dev
[ 0 ])
2128 params
= hostapd
. wpa2_params ( ssid
= "sae-pwe" , passphrase
= "12345678" )
2129 params
[ 'wpa_key_mgmt' ] = 'SAE'
2130 params
[ 'sae_pwe' ] = "1"
2131 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
2133 dev
[ 0 ]. set ( "sae_groups" , "19" )
2134 dev
[ 0 ]. set ( "sae_pwe" , "1" )
2136 dev
[ 0 ]. set ( "rsnxe_override_eapol" , rsnxe
)
2137 dev
[ 0 ]. connect ( "sae-pwe" , psk
= "12345678" , key_mgmt
= "SAE" ,
2138 scan_freq
= "2412" , wait_connect
= False )
2139 ev
= dev
[ 0 ]. wait_event ([ "Associated with" ], timeout
= 10 )
2141 raise Exception ( "No indication of association seen" )
2142 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-CONNECTED" ,
2143 "CTRL-EVENT-DISCONNECTED" ], timeout
= 5 )
2145 raise Exception ( "No disconnection seen" )
2146 if "CTRL-EVENT-DISCONNECTED" not in ev
:
2147 raise Exception ( "Unexpected connection" )
2149 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-CONNECTED" ,
2150 "CTRL-EVENT-DISCONNECTED" ], timeout
= 10 )
2152 raise Exception ( "No disconnection seen (2)" )
2153 if "CTRL-EVENT-DISCONNECTED" not in ev
:
2154 raise Exception ( "Unexpected connection (2)" )
2156 dev
[ 0 ]. dump_monitor ()
2158 dev
[ 0 ]. set ( "sae_groups" , "" )
2159 dev
[ 0 ]. set ( "sae_pwe" , "0" )
2161 def test_sae_h2e_rsnxe_mismatch_assoc ( dev
, apdev
):
2162 """SAE H2E and RSNXE mismatch in EAPOL-Key msg 2/4 (assoc)"""
2163 check_sae_capab ( dev
[ 0 ])
2164 params
= hostapd
. wpa2_params ( ssid
= "sae-pwe" , passphrase
= "12345678" )
2165 params
[ 'wpa_key_mgmt' ] = 'SAE'
2166 params
[ 'sae_pwe' ] = "1"
2167 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
2169 dev
[ 0 ]. set ( "sae_groups" , "19" )
2170 dev
[ 0 ]. set ( "sae_pwe" , "1" )
2171 for rsnxe
in [ "F40100" , "F400" , "" ]:
2172 dev
[ 0 ]. set ( "rsnxe_override_assoc" , rsnxe
)
2173 dev
[ 0 ]. set ( "rsnxe_override_eapol" , "F40120" )
2174 dev
[ 0 ]. connect ( "sae-pwe" , psk
= "12345678" , key_mgmt
= "SAE" ,
2175 scan_freq
= "2412" , wait_connect
= False )
2176 ev
= dev
[ 0 ]. wait_event ([ "Associated with" ], timeout
= 10 )
2178 raise Exception ( "No indication of association seen" )
2179 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-CONNECTED" ,
2180 "CTRL-EVENT-DISCONNECTED" ], timeout
= 5 )
2181 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
2183 raise Exception ( "No disconnection seen" )
2184 if "CTRL-EVENT-DISCONNECTED" not in ev
:
2185 raise Exception ( "Unexpected connection" )
2186 dev
[ 0 ]. dump_monitor ()
2188 dev
[ 0 ]. set ( "sae_groups" , "" )
2189 dev
[ 0 ]. set ( "sae_pwe" , "0" )
2191 def test_sae_h2e_rsnxe_mismatch_ap ( dev
, apdev
):
2192 """SAE H2E and RSNXE mismatch in EAPOL-Key msg 3/4"""
2193 run_sae_h2e_rsnxe_mismatch_ap ( dev
, apdev
, "F40100" )
2195 def test_sae_h2e_rsnxe_mismatch_ap2 ( dev
, apdev
):
2196 """SAE H2E and RSNXE mismatch in EAPOL-Key msg 3/4"""
2197 run_sae_h2e_rsnxe_mismatch_ap ( dev
, apdev
, "F400" )
2199 def run_sae_h2e_rsnxe_mismatch_ap ( dev
, apdev
, rsnxe
):
2200 check_sae_capab ( dev
[ 0 ])
2201 params
= hostapd
. wpa2_params ( ssid
= "sae-pwe" , passphrase
= "12345678" )
2202 params
[ 'wpa_key_mgmt' ] = 'SAE'
2203 params
[ 'sae_pwe' ] = "1"
2204 params
[ 'rsnxe_override_eapol' ] = rsnxe
2205 hapd
= hostapd
. add_ap ( apdev
[ 0 ], params
)
2207 dev
[ 0 ]. set ( "sae_groups" , "19" )
2208 dev
[ 0 ]. set ( "sae_pwe" , "1" )
2209 dev
[ 0 ]. connect ( "sae-pwe" , psk
= "12345678" , key_mgmt
= "SAE" ,
2210 scan_freq
= "2412" , wait_connect
= False )
2211 ev
= dev
[ 0 ]. wait_event ([ "Associated with" ], timeout
= 10 )
2213 raise Exception ( "No indication of association seen" )
2214 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-CONNECTED" ,
2215 "CTRL-EVENT-DISCONNECTED" ], timeout
= 5 )
2216 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
2218 raise Exception ( "No disconnection seen" )
2219 if "CTRL-EVENT-DISCONNECTED" not in ev
:
2220 raise Exception ( "Unexpected connection" )
2222 dev
[ 0 ]. set ( "sae_groups" , "" )
2223 dev
[ 0 ]. set ( "sae_pwe" , "0" )
2225 def test_sae_forced_anti_clogging_h2e ( dev
, apdev
):
2226 """SAE anti clogging (forced, H2E)"""
2227 check_sae_capab ( dev
[ 0 ])
2228 check_sae_capab ( dev
[ 1 ])
2229 params
= hostapd
. wpa2_params ( ssid
= "test-sae" , passphrase
= "12345678" )
2230 params
[ 'wpa_key_mgmt' ] = 'SAE WPA-PSK'
2231 params
[ 'sae_pwe' ] = "1"
2232 params
[ 'sae_anti_clogging_threshold' ] = '0'
2233 hostapd
. add_ap ( apdev
[ 0 ], params
)
2234 dev
[ 2 ]. connect ( "test-sae" , psk
= "12345678" , scan_freq
= "2412" )
2237 dev
[ i
]. request ( "SET sae_groups " )
2238 dev
[ i
]. set ( "sae_pwe" , "1" )
2239 dev
[ i
]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" ,
2243 dev
[ i
]. set ( "sae_pwe" , "0" )
2245 def test_sae_forced_anti_clogging_h2e_loop ( dev
, apdev
):
2246 """SAE anti clogging (forced, H2E + loop)"""
2247 check_sae_capab ( dev
[ 0 ])
2248 check_sae_capab ( dev
[ 1 ])
2249 params
= hostapd
. wpa2_params ( ssid
= "test-sae" , passphrase
= "12345678" )
2250 params
[ 'wpa_key_mgmt' ] = 'SAE WPA-PSK'
2251 params
[ 'sae_pwe' ] = "2"
2252 params
[ 'sae_anti_clogging_threshold' ] = '0'
2253 hostapd
. add_ap ( apdev
[ 0 ], params
)
2254 dev
[ 2 ]. connect ( "test-sae" , psk
= "12345678" , scan_freq
= "2412" )
2257 dev
[ i
]. request ( "SET sae_groups " )
2258 dev
[ i
]. set ( "sae_pwe" , "2" )
2259 dev
[ i
]. connect ( "test-sae" , psk
= "12345678" , key_mgmt
= "SAE" ,
2263 dev
[ i
]. set ( "sae_pwe" , "0" )