2 # Copyright (c) 2013-2016, Jouni Malinen <j@w1.fi>
4 # This software may be distributed under the terms of the BSD license.
5 # See README for more details.
7 from remotehost
import remote_compatible
12 logger
= logging
.getLogger()
16 from utils
import HwsimSkip
, alloc_fail
, fail_test
, wait_fail_trigger
17 from test_ap_psk
import find_wpas_process
, read_process_memory
, verify_not_present
, get_key_locations
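def test_sae(dev, apdev):
    """SAE with default group

    Starts an SAE-only AP, connects dev[0] without a station-side group list
    and checks that group 19 is reported by the station status, that the BSS
    table advertises WPA2-SAE-CCMP and that hostapd's STA-FIRST output names
    the same group.
    """
    if "SAE" not in dev[0].get_capability("auth_alg"):
        raise HwsimSkip("SAE not supported")
    params = hostapd.wpa2_params(ssid="test-sae",
                                 passphrase="12345678")
    params['wpa_key_mgmt'] = 'SAE'
    hapd = hostapd.add_ap(apdev[0], params)

    # The AP must report SAE as its first (here: only) key management suite.
    key_mgmt = hapd.get_config()['key_mgmt']
    if key_mgmt.split(' ')[0] != "SAE":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)

    # Empty value: presumably clears any station-side group list so that the
    # default group is used - the check below relies on that.
    dev[0].request("SET sae_groups ")
    # NOTE(review): the continuation line of this call is missing from the
    # extracted listing; scan_freq="2412" is inferred from the other connect()
    # calls in this file - confirm against upstream. The returned network id
    # is not used in the visible part of this test, so it is not kept.
    dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
                   scan_freq="2412")
    if dev[0].get_status_field('sae_group') != '19':
        raise Exception("Expected default SAE group not used")

    bss = dev[0].get_bss(apdev[0]['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    if "[WPA2-SAE-CCMP]" not in bss['flags']:
        raise Exception("Unexpected BSS flags: " + bss['flags'])

    # hostapd has to agree with the station on the negotiated group.
    res = hapd.request("STA-FIRST")
    if "sae_group=19" not in res.splitlines():
        raise Exception("hostapd STA output did not specify SAE group")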
48 def test_sae_password_ecc(dev
, apdev
):
49 """SAE with number of different passwords (ECC)"""
50 if "SAE" not in dev
[0].get_capability("auth_alg"):
51 raise HwsimSkip("SAE not supported")
52 params
= hostapd
.wpa2_params(ssid
="test-sae",
53 passphrase
="12345678")
54 params
['wpa_key_mgmt'] = 'SAE'
55 hapd
= hostapd
.add_ap(apdev
[0], params
)
57 dev
[0].request("SET sae_groups 19")
60 password
= "12345678-" + str(i
)
61 hapd
.set("wpa_passphrase", password
)
62 dev
[0].connect("test-sae", psk
=password
, key_mgmt
="SAE",
64 dev
[0].request("REMOVE_NETWORK all")
65 dev
[0].wait_disconnected()
68 def test_sae_password_ffc(dev
, apdev
):
69 """SAE with number of different passwords (FFC)"""
70 if "SAE" not in dev
[0].get_capability("auth_alg"):
71 raise HwsimSkip("SAE not supported")
72 params
= hostapd
.wpa2_params(ssid
="test-sae",
73 passphrase
="12345678")
74 params
['wpa_key_mgmt'] = 'SAE'
75 params
['sae_groups'] = '22'
76 hapd
= hostapd
.add_ap(apdev
[0], params
)
78 dev
[0].request("SET sae_groups 22")
81 password
= "12345678-" + str(i
)
82 hapd
.set("wpa_passphrase", password
)
83 dev
[0].connect("test-sae", psk
=password
, key_mgmt
="SAE",
85 dev
[0].request("REMOVE_NETWORK all")
86 dev
[0].wait_disconnected()
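def test_sae_pmksa_caching(dev, apdev):
    """SAE and PMKSA caching

    Completes one SAE association, then disconnects and reconnects dev[0].
    After the reconnect the station must not report an sae_group, which the
    test treats as proof that SAE authentication was not run a second time.
    """
    if "SAE" not in dev[0].get_capability("auth_alg"):
        raise HwsimSkip("SAE not supported")
    params = hostapd.wpa2_params(ssid="test-sae",
                                 passphrase="12345678")
    params['wpa_key_mgmt'] = 'SAE'
    hapd = hostapd.add_ap(apdev[0], params)

    dev[0].request("SET sae_groups ")
    # NOTE(review): the continuation line of this call is missing from the
    # extracted listing; scan_freq="2412" is inferred from the other connect()
    # calls in this file - confirm against upstream.
    dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
                   scan_freq="2412")
    ev = hapd.wait_event(["AP-STA-CONNECTED"], timeout=5)
    # NOTE(review): the guard line is missing from the extracted listing;
    # "ev is None" is inferred from the timeout message - confirm upstream.
    if ev is None:
        raise Exception("No connection event received from hostapd")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].request("RECONNECT")
    dev[0].wait_connected(timeout=15, error="Reconnect timed out")
    if dev[0].get_status_field('sae_group') is not None:
        raise Exception("SAE group claimed to have been used")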
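def test_sae_pmksa_caching_disabled(dev, apdev):
    """SAE and PMKSA caching disabled

    Same disconnect/reconnect sequence as the PMKSA caching test, but with
    disable_pmksa_caching=1 on the AP. The reconnect must report group 19
    again, i.e. a fresh SAE exchange is required when the AP keeps no cache.
    """
    if "SAE" not in dev[0].get_capability("auth_alg"):
        raise HwsimSkip("SAE not supported")
    params = hostapd.wpa2_params(ssid="test-sae",
                                 passphrase="12345678")
    params['wpa_key_mgmt'] = 'SAE'
    params['disable_pmksa_caching'] = '1'
    hapd = hostapd.add_ap(apdev[0], params)

    dev[0].request("SET sae_groups ")
    # NOTE(review): the continuation line of this call is missing from the
    # extracted listing; scan_freq="2412" is inferred from the other connect()
    # calls in this file - confirm against upstream.
    dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
                   scan_freq="2412")
    ev = hapd.wait_event(["AP-STA-CONNECTED"], timeout=5)
    # NOTE(review): the guard line is missing from the extracted listing;
    # "ev is None" is inferred from the timeout message - confirm upstream.
    if ev is None:
        raise Exception("No connection event received from hostapd")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].request("RECONNECT")
    dev[0].wait_connected(timeout=15, error="Reconnect timed out")
    if dev[0].get_status_field('sae_group') != '19':
        raise Exception("Expected default SAE group not used")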
135 def test_sae_groups(dev
, apdev
):
136 """SAE with all supported groups"""
137 if "SAE" not in dev
[0].get_capability("auth_alg"):
138 raise HwsimSkip("SAE not supported")
139 # This is the full list of supported groups, but groups 14-16 (2048-4096 bit
140 # MODP) and group 21 (521-bit random ECP group) are a bit too slow on some
141 # VMs and can result in hitting the mac80211 authentication timeout, so
142 # allow them to fail and just report such failures in the debug log.
143 sae_groups
= [ 19, 25, 26, 20, 21, 2, 5, 14, 15, 16, 22, 23, 24 ]
144 tls
= dev
[0].request("GET tls_library")
145 if tls
.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls
and "run=OpenSSL 1.0.2" in tls
:
146 logger
.info("Add Brainpool EC groups since OpenSSL is new enough")
147 sae_groups
+= [ 27, 28, 29, 30 ]
148 heavy_groups
= [ 14, 15, 16 ]
149 groups
= [str(g
) for g
in sae_groups
]
150 params
= hostapd
.wpa2_params(ssid
="test-sae-groups",
151 passphrase
="12345678")
152 params
['wpa_key_mgmt'] = 'SAE'
153 params
['sae_groups'] = ' '.join(groups
)
154 hostapd
.add_ap(apdev
[0], params
)
157 logger
.info("Testing SAE group " + g
)
158 dev
[0].request("SET sae_groups " + g
)
159 id = dev
[0].connect("test-sae-groups", psk
="12345678", key_mgmt
="SAE",
160 scan_freq
="2412", wait_connect
=False)
161 if int(g
) in heavy_groups
:
162 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout
=5)
164 logger
.info("No connection with heavy SAE group %s did not connect - likely hitting timeout in mac80211" % g
)
165 dev
[0].remove_network(id)
167 dev
[0].dump_monitor()
169 logger
.info("Connection with heavy SAE group " + g
)
171 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout
=10)
173 if "BoringSSL" in tls
and int(g
) in [ 25 ]:
174 logger
.info("Ignore connection failure with group " + g
+ " with BoringSSL")
175 dev
[0].remove_network(id)
176 dev
[0].dump_monitor()
178 raise Exception("Connection timed out with group " + g
)
179 if dev
[0].get_status_field('sae_group') != g
:
180 raise Exception("Expected SAE group not used")
181 dev
[0].remove_network(id)
182 dev
[0].wait_disconnected()
183 dev
[0].dump_monitor()
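def test_sae_group_nego(dev, apdev):
    """SAE group negotiation

    The AP accepts only group 19 while the station lists 25, 26, 20 and 19.
    The connection has to succeed and end up on group 19, the only group
    both sides have in their lists.
    """
    if "SAE" not in dev[0].get_capability("auth_alg"):
        raise HwsimSkip("SAE not supported")
    params = hostapd.wpa2_params(ssid="test-sae-group-nego",
                                 passphrase="12345678")
    params['wpa_key_mgmt'] = 'SAE'
    params['sae_groups'] = '19'
    hostapd.add_ap(apdev[0], params)

    dev[0].request("SET sae_groups 25 26 20 19")
    # NOTE(review): the continuation line of this call is missing from the
    # extracted listing; scan_freq="2412" is inferred from the other connect()
    # calls in this file - confirm against upstream.
    dev[0].connect("test-sae-group-nego", psk="12345678", key_mgmt="SAE",
                   scan_freq="2412")
    if dev[0].get_status_field('sae_group') != '19':
        raise Exception("Expected SAE group not used")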
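def test_sae_anti_clogging(dev, apdev):
    """SAE anti clogging

    Configures the AP with sae_anti_clogging_threshold=1 and starts two SAE
    stations back to back; both must still connect within 10 seconds.
    """
    if "SAE" not in dev[0].get_capability("auth_alg"):
        raise HwsimSkip("SAE not supported")
    params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
    params['wpa_key_mgmt'] = 'SAE'
    params['sae_anti_clogging_threshold'] = '1'
    hostapd.add_ap(apdev[0], params)

    dev[0].request("SET sae_groups ")
    dev[1].request("SET sae_groups ")
    # NOTE(review): the line that creates this container is missing from the
    # extracted listing; a dict keyed by station index is inferred from the
    # indexed assignments below - confirm against upstream. It is named
    # network_ids here to avoid shadowing the id() builtin.
    network_ids = {}
    # Add the networks first without connecting, so that both stations can
    # be started one right after the other in the next loop.
    for i in range(0, 2):
        dev[i].scan(freq="2412")
        network_ids[i] = dev[i].connect("test-sae", psk="12345678",
                                        key_mgmt="SAE", scan_freq="2412",
                                        only_add_network=True)
    for i in range(0, 2):
        dev[i].select_network(network_ids[i])
    for i in range(0, 2):
        dev[i].wait_connected(timeout=10)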
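def test_sae_forced_anti_clogging(dev, apdev):
    """SAE anti clogging (forced)

    The AP allows both SAE and WPA-PSK and uses
    sae_anti_clogging_threshold=0 (presumably making the anti-clogging token
    mandatory for every SAE commit - confirm against hostapd). One PSK
    station and two SAE stations must all be able to connect.
    """
    if "SAE" not in dev[0].get_capability("auth_alg"):
        raise HwsimSkip("SAE not supported")
    params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
    params['wpa_key_mgmt'] = 'SAE WPA-PSK'
    params['sae_anti_clogging_threshold'] = '0'
    hostapd.add_ap(apdev[0], params)
    # dev[2] passes no key_mgmt argument, so it is the non-SAE station here.
    dev[2].connect("test-sae", psk="12345678", scan_freq="2412")
    for i in range(0, 2):
        dev[i].request("SET sae_groups ")
        # NOTE(review): the continuation line of this call is missing from
        # the extracted listing; scan_freq="2412" is inferred from the other
        # connect() calls in this file - confirm against upstream.
        dev[i].connect("test-sae", psk="12345678", key_mgmt="SAE",
                       scan_freq="2412")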
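def test_sae_mixed(dev, apdev):
    """Mixed SAE and non-SAE network

    One BSS offers 'SAE WPA-PSK'. dev[2] joins with the plain PSK settings
    while dev[0] and dev[1] join with key_mgmt=SAE, all using the same
    passphrase.
    """
    if "SAE" not in dev[0].get_capability("auth_alg"):
        raise HwsimSkip("SAE not supported")
    params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
    params['wpa_key_mgmt'] = 'SAE WPA-PSK'
    params['sae_anti_clogging_threshold'] = '0'
    hostapd.add_ap(apdev[0], params)

    # dev[2] passes no key_mgmt argument, so it is the non-SAE station here.
    dev[2].connect("test-sae", psk="12345678", scan_freq="2412")
    for i in range(0, 2):
        dev[i].request("SET sae_groups ")
        # NOTE(review): the continuation line of this call is missing from
        # the extracted listing; scan_freq="2412" is inferred from the other
        # connect() calls in this file - confirm against upstream.
        dev[i].connect("test-sae", psk="12345678", key_mgmt="SAE",
                       scan_freq="2412")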
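def test_sae_missing_password(dev, apdev):
    """SAE and missing password

    Configures the station with only a raw PSK (no passphrase) for an SAE
    network and expects wpa_supplicant to temporarily disable the network
    instead of connecting.
    """
    if "SAE" not in dev[0].get_capability("auth_alg"):
        raise HwsimSkip("SAE not supported")
    params = hostapd.wpa2_params(ssid="test-sae",
                                 passphrase="12345678")
    params['wpa_key_mgmt'] = 'SAE'
    hapd = hostapd.add_ap(apdev[0], params)

    dev[0].request("SET sae_groups ")
    # The returned network id is not used in the visible part of this test,
    # so it is not kept.
    dev[0].connect("test-sae",
                   raw_psk="46b4a73b8a951ad53ebd2e0afdb9c5483257edd4c21d12b7710759da70945858",
                   key_mgmt="SAE", scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(['CTRL-EVENT-SSID-TEMP-DISABLED'], timeout=10)
    # NOTE(review): the guard line is missing from the extracted listing;
    # "ev is None" is inferred from the failure message - confirm upstream.
    if ev is None:
        raise Exception("Invalid network not temporarily disabled")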
272 def test_sae_key_lifetime_in_memory(dev
, apdev
, params
):
273 """SAE and key lifetime in memory"""
274 if "SAE" not in dev
[0].get_capability("auth_alg"):
275 raise HwsimSkip("SAE not supported")
276 password
= "5ad144a7c1f5a5503baa6fa01dabc15b1843e8c01662d78d16b70b5cd23cf8b"
277 p
= hostapd
.wpa2_params(ssid
="test-sae", passphrase
=password
)
278 p
['wpa_key_mgmt'] = 'SAE'
279 hapd
= hostapd
.add_ap(apdev
[0], p
)
281 pid
= find_wpas_process(dev
[0])
283 dev
[0].request("SET sae_groups ")
284 id = dev
[0].connect("test-sae", psk
=password
, key_mgmt
="SAE",
287 # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
288 # event has been delivered, so verify that wpa_supplicant has returned to
289 # eloop before reading process memory.
292 buf
= read_process_memory(pid
, password
)
294 dev
[0].request("DISCONNECT")
295 dev
[0].wait_disconnected()
304 with
open(os
.path
.join(params
['logdir'], 'log0'), 'r') as f
:
305 for l
in f
.readlines():
306 if "SAE: k - hexdump" in l
:
307 val
= l
.strip().split(':')[3].replace(' ', '')
308 sae_k
= binascii
.unhexlify(val
)
309 if "SAE: keyseed - hexdump" in l
:
310 val
= l
.strip().split(':')[3].replace(' ', '')
311 sae_keyseed
= binascii
.unhexlify(val
)
312 if "SAE: KCK - hexdump" in l
:
313 val
= l
.strip().split(':')[3].replace(' ', '')
314 sae_kck
= binascii
.unhexlify(val
)
315 if "SAE: PMK - hexdump" in l
:
316 val
= l
.strip().split(':')[3].replace(' ', '')
317 pmk
= binascii
.unhexlify(val
)
318 if "WPA: PTK - hexdump" in l
:
319 val
= l
.strip().split(':')[3].replace(' ', '')
320 ptk
= binascii
.unhexlify(val
)
321 if "WPA: Group Key - hexdump" in l
:
322 val
= l
.strip().split(':')[3].replace(' ', '')
323 gtk
= binascii
.unhexlify(val
)
324 if not sae_k
or not sae_keyseed
or not sae_kck
or not pmk
or not ptk
or not gtk
:
325 raise Exception("Could not find keys from debug log")
327 raise Exception("Unexpected GTK length")
333 fname
= os
.path
.join(params
['logdir'],
334 'sae_key_lifetime_in_memory.memctx-')
336 logger
.info("Checking keys in memory while associated")
337 get_key_locations(buf
, password
, "Password")
338 get_key_locations(buf
, pmk
, "PMK")
339 if password
not in buf
:
340 raise HwsimSkip("Password not found while associated")
342 raise HwsimSkip("PMK not found while associated")
344 raise Exception("KCK not found while associated")
346 raise Exception("KEK not found while associated")
348 # raise Exception("TK found from memory")
349 verify_not_present(buf
, sae_k
, fname
, "SAE(k)")
350 verify_not_present(buf
, sae_keyseed
, fname
, "SAE(keyseed)")
351 verify_not_present(buf
, sae_kck
, fname
, "SAE(KCK)")
353 logger
.info("Checking keys in memory after disassociation")
354 buf
= read_process_memory(pid
, password
)
356 # Note: Password is still present in network configuration
357 # Note: PMK is in PMKSA cache
359 get_key_locations(buf
, password
, "Password")
360 get_key_locations(buf
, pmk
, "PMK")
361 verify_not_present(buf
, kck
, fname
, "KCK")
362 verify_not_present(buf
, kek
, fname
, "KEK")
363 verify_not_present(buf
, tk
, fname
, "TK")
365 get_key_locations(buf
, gtk
, "GTK")
366 verify_not_present(buf
, gtk
, fname
, "GTK")
367 verify_not_present(buf
, sae_k
, fname
, "SAE(k)")
368 verify_not_present(buf
, sae_keyseed
, fname
, "SAE(keyseed)")
369 verify_not_present(buf
, sae_kck
, fname
, "SAE(KCK)")
371 dev
[0].request("PMKSA_FLUSH")
372 logger
.info("Checking keys in memory after PMKSA cache flush")
373 buf
= read_process_memory(pid
, password
)
374 get_key_locations(buf
, password
, "Password")
375 get_key_locations(buf
, pmk
, "PMK")
376 verify_not_present(buf
, pmk
, fname
, "PMK")
378 dev
[0].request("REMOVE_NETWORK all")
380 logger
.info("Checking keys in memory after network profile removal")
381 buf
= read_process_memory(pid
, password
)
383 get_key_locations(buf
, password
, "Password")
384 get_key_locations(buf
, pmk
, "PMK")
385 verify_not_present(buf
, password
, fname
, "password")
386 verify_not_present(buf
, pmk
, fname
, "PMK")
387 verify_not_present(buf
, kck
, fname
, "KCK")
388 verify_not_present(buf
, kek
, fname
, "KEK")
389 verify_not_present(buf
, tk
, fname
, "TK")
390 verify_not_present(buf
, gtk
, fname
, "GTK")
391 verify_not_present(buf
, sae_k
, fname
, "SAE(k)")
392 verify_not_present(buf
, sae_keyseed
, fname
, "SAE(keyseed)")
393 verify_not_present(buf
, sae_kck
, fname
, "SAE(KCK)")
396 def test_sae_oom_wpas(dev
, apdev
):
397 """SAE and OOM in wpa_supplicant"""
398 if "SAE" not in dev
[0].get_capability("auth_alg"):
399 raise HwsimSkip("SAE not supported")
400 params
= hostapd
.wpa2_params(ssid
="test-sae",
401 passphrase
="12345678")
402 params
['wpa_key_mgmt'] = 'SAE'
403 hapd
= hostapd
.add_ap(apdev
[0], params
)
405 dev
[0].request("SET sae_groups 25")
406 tls
= dev
[0].request("GET tls_library")
407 if "BoringSSL" in tls
:
408 dev
[0].request("SET sae_groups 26")
409 with
alloc_fail(dev
[0], 1, "sae_set_group"):
410 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
412 dev
[0].request("REMOVE_NETWORK all")
414 dev
[0].request("SET sae_groups ")
415 with
alloc_fail(dev
[0], 2, "sae_set_group"):
416 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
418 dev
[0].request("REMOVE_NETWORK all")
420 with
alloc_fail(dev
[0], 1, "wpabuf_alloc;sme_auth_build_sae_commit"):
421 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
423 dev
[0].request("REMOVE_NETWORK all")
425 with
alloc_fail(dev
[0], 1, "wpabuf_alloc;sme_auth_build_sae_confirm"):
426 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
427 scan_freq
="2412", wait_connect
=False)
428 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
429 dev
[0].request("REMOVE_NETWORK all")
431 with
alloc_fail(dev
[0], 1, "=sme_authenticate"):
432 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
433 scan_freq
="2412", wait_connect
=False)
434 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
435 dev
[0].request("REMOVE_NETWORK all")
437 with
alloc_fail(dev
[0], 1, "radio_add_work;sme_authenticate"):
438 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
439 scan_freq
="2412", wait_connect
=False)
440 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
441 dev
[0].request("REMOVE_NETWORK all")
444 def test_sae_proto_ecc(dev
, apdev
):
445 """SAE protocol testing (ECC)"""
446 if "SAE" not in dev
[0].get_capability("auth_alg"):
447 raise HwsimSkip("SAE not supported")
448 params
= hostapd
.wpa2_params(ssid
="test-sae",
449 passphrase
="12345678")
450 params
['wpa_key_mgmt'] = 'SAE'
451 hapd
= hostapd
.add_ap(apdev
[0], params
)
452 bssid
= apdev
[0]['bssid']
454 dev
[0].request("SET sae_groups 19")
456 tests
= [ ("Confirm mismatch",
457 "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
458 "0000800edebc3f260dc1fe7e0b20888af2b8a3316252ec37388a8504e25b73dc4240"),
459 ("Commit without even full cyclic group field",
463 "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02",
465 ("Invalid commit scalar (0)",
466 "1300" + "0000000000000000000000000000000000000000000000000000000000000000" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
468 ("Invalid commit scalar (1)",
469 "1300" + "0000000000000000000000000000000000000000000000000000000000000001" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
471 ("Invalid commit scalar (> r)",
472 "1300" + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
474 ("Commit element not on curve",
475 "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728d0000000000000000000000000000000000000000000000000000000000000000",
477 ("Invalid commit element (y coordinate > P)",
478 "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
480 ("Invalid commit element (x coordinate > P)",
481 "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
483 ("Different group in commit",
484 "1400" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
486 ("Too short confirm",
487 "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
488 "0000800edebc3f260dc1fe7e0b20888af2b8a3316252ec37388a8504e25b73dc42")]
489 for (note
, commit
, confirm
) in tests
:
491 dev
[0].scan_for_bss(bssid
, freq
=2412)
492 hapd
.set("ext_mgmt_frame_handling", "1")
493 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
494 scan_freq
="2412", wait_connect
=False)
496 logger
.info("Commit")
497 for i
in range(0, 10):
500 raise Exception("MGMT RX wait timed out (commit)")
501 if req
['subtype'] == 11:
505 raise Exception("Authentication frame (commit) not received")
509 resp
['fc'] = req
['fc']
510 resp
['da'] = req
['sa']
511 resp
['sa'] = req
['da']
512 resp
['bssid'] = req
['bssid']
513 resp
['payload'] = binascii
.unhexlify("030001000000" + commit
)
517 logger
.info("Confirm")
518 for i
in range(0, 10):
521 raise Exception("MGMT RX wait timed out (confirm)")
522 if req
['subtype'] == 11:
526 raise Exception("Authentication frame (confirm) not received")
530 resp
['fc'] = req
['fc']
531 resp
['da'] = req
['sa']
532 resp
['sa'] = req
['da']
533 resp
['bssid'] = req
['bssid']
534 resp
['payload'] = binascii
.unhexlify("030002000000" + confirm
)
538 dev
[0].request("REMOVE_NETWORK all")
539 hapd
.set("ext_mgmt_frame_handling", "0")
543 def test_sae_proto_ffc(dev
, apdev
):
544 """SAE protocol testing (FFC)"""
545 if "SAE" not in dev
[0].get_capability("auth_alg"):
546 raise HwsimSkip("SAE not supported")
547 params
= hostapd
.wpa2_params(ssid
="test-sae",
548 passphrase
="12345678")
549 params
['wpa_key_mgmt'] = 'SAE'
550 hapd
= hostapd
.add_ap(apdev
[0], params
)
551 bssid
= apdev
[0]['bssid']
553 dev
[0].request("SET sae_groups 2")
555 tests
= [ ("Confirm mismatch",
556 "0200" + "0c70519d874e3e4930a917cc5e17ea7a26028211159f217bab28b8d6c56691805e49f03249b2c6e22c7c9f86b30e04ccad2deedd5e5108ae07b737c00001c59cd0eb08b1dfc7f1b06a1542e2b6601a963c066e0c65940983a03917ae57a101ce84b5cbbc76ff33ebb990aac2e54aa0f0ab6ec0a58113d927683502b2cb2347d2" + "a8c00117493cdffa5dd671e934bc9cb1a69f39e25e9dd9cd9afd3aea2441a0f5491211c7ba50a753563f9ce943b043557cb71193b28e86ed9544f4289c471bf91b70af5c018cf4663e004165b0fd0bc1d8f3f78adf42eee92bcbc55246fd3ee9f107ab965dc7d4986f23eb71d616ebfe6bfe0a6c1ac5dc1718acee17c9a17486",
557 "0000f3116a9731f1259622e3eb55d4b3b50ba16f8c5f5565b28e609b180c51460251"),
559 "0200" + "0c70519d874e3e4930a917cc5e17ea7a26028211159f217bab28b8d6c56691805e49f03249b2c6e22c7c9f86b30e04ccad2deedd5e5108ae07b737c00001c59cd0eb08b1dfc7f1b06a1542e2b6601a963c066e0c65940983a03917ae57a101ce84b5cbbc76ff33ebb990aac2e54aa0f0ab6ec0a58113d927683502b2cb2347d2" + "a8c00117493cdffa5dd671e934bc9cb1a69f39e25e9dd9cd9afd3aea2441a0f5491211c7ba50a753563f9ce943b043557cb71193b28e86ed9544f4289c471bf91b70af5c018cf4663e004165b0fd0bc1d8f3f78adf42eee92bcbc55246fd3ee9f107ab965dc7d4986f23eb71d616ebfe6bfe0a6c1ac5dc1718acee17c9a174",
561 ("Invalid element (0) in commit",
562 "0200" + "0c70519d874e3e4930a917cc5e17ea7a26028211159f217bab28b8d6c56691805e49f03249b2c6e22c7c9f86b30e04ccad2deedd5e5108ae07b737c00001c59cd0eb08b1dfc7f1b06a1542e2b6601a963c066e0c65940983a03917ae57a101ce84b5cbbc76ff33ebb990aac2e54aa0f0ab6ec0a58113d927683502b2cb2347d2" + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
564 ("Invalid element (1) in commit",
565 "0200" + "0c70519d874e3e4930a917cc5e17ea7a26028211159f217bab28b8d6c56691805e49f03249b2c6e22c7c9f86b30e04ccad2deedd5e5108ae07b737c00001c59cd0eb08b1dfc7f1b06a1542e2b6601a963c066e0c65940983a03917ae57a101ce84b5cbbc76ff33ebb990aac2e54aa0f0ab6ec0a58113d927683502b2cb2347d2" + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001",
567 ("Invalid element (> P) in commit",
568 "0200" + "0c70519d874e3e4930a917cc5e17ea7a26028211159f217bab28b8d6c56691805e49f03249b2c6e22c7c9f86b30e04ccad2deedd5e5108ae07b737c00001c59cd0eb08b1dfc7f1b06a1542e2b6601a963c066e0c65940983a03917ae57a101ce84b5cbbc76ff33ebb990aac2e54aa0f0ab6ec0a58113d927683502b2cb2347d2" + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
570 for (note
, commit
, confirm
) in tests
:
572 dev
[0].scan_for_bss(bssid
, freq
=2412)
573 hapd
.set("ext_mgmt_frame_handling", "1")
574 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
575 scan_freq
="2412", wait_connect
=False)
577 logger
.info("Commit")
578 for i
in range(0, 10):
581 raise Exception("MGMT RX wait timed out (commit)")
582 if req
['subtype'] == 11:
586 raise Exception("Authentication frame (commit) not received")
590 resp
['fc'] = req
['fc']
591 resp
['da'] = req
['sa']
592 resp
['sa'] = req
['da']
593 resp
['bssid'] = req
['bssid']
594 resp
['payload'] = binascii
.unhexlify("030001000000" + commit
)
598 logger
.info("Confirm")
599 for i
in range(0, 10):
602 raise Exception("MGMT RX wait timed out (confirm)")
603 if req
['subtype'] == 11:
607 raise Exception("Authentication frame (confirm) not received")
611 resp
['fc'] = req
['fc']
612 resp
['da'] = req
['sa']
613 resp
['sa'] = req
['da']
614 resp
['bssid'] = req
['bssid']
615 resp
['payload'] = binascii
.unhexlify("030002000000" + confirm
)
619 dev
[0].request("REMOVE_NETWORK all")
620 hapd
.set("ext_mgmt_frame_handling", "0")
623 def test_sae_proto_confirm_replay(dev
, apdev
):
624 """SAE protocol testing - Confirm replay"""
625 if "SAE" not in dev
[0].get_capability("auth_alg"):
626 raise HwsimSkip("SAE not supported")
627 params
= hostapd
.wpa2_params(ssid
="test-sae",
628 passphrase
="12345678")
629 params
['wpa_key_mgmt'] = 'SAE'
630 hapd
= hostapd
.add_ap(apdev
[0], params
)
631 bssid
= apdev
[0]['bssid']
633 dev
[0].request("SET sae_groups 19")
635 dev
[0].scan_for_bss(bssid
, freq
=2412)
636 hapd
.set("ext_mgmt_frame_handling", "1")
637 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
638 scan_freq
="2412", wait_connect
=False)
640 logger
.info("Commit")
641 for i
in range(0, 10):
644 raise Exception("MGMT RX wait timed out (commit)")
645 if req
['subtype'] == 11:
649 raise Exception("Authentication frame (commit) not received")
651 bssid
= hapd
.own_addr().replace(':', '')
652 addr
= dev
[0].own_addr().replace(':', '')
653 hdr
= "b0003a01" + bssid
+ addr
+ bssid
+ "1000"
656 hapd
.request("MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + req
['frame'].encode('hex'))
658 logger
.info("Confirm")
659 for i
in range(0, 10):
662 raise Exception("MGMT RX wait timed out (confirm)")
663 if req
['subtype'] == 11:
667 raise Exception("Authentication frame (confirm) not received")
670 hapd
.request("MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + req
['frame'].encode('hex'))
672 logger
.info("Replay Confirm")
673 hapd
.request("MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + req
['frame'].encode('hex'))
675 logger
.info("Association Request")
676 for i
in range(0, 10):
679 raise Exception("MGMT RX wait timed out (AssocReq)")
680 if req
['subtype'] == 0:
684 raise Exception("Association Request frame not received")
687 hapd
.request("MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + req
['frame'].encode('hex'))
688 ev
= hapd
.wait_event(["MGMT-TX-STATUS"], timeout
=5)
690 raise Exception("Management frame TX status not reported (1)")
691 if "stype=1 ok=1" not in ev
:
692 raise Exception("Unexpected management frame TX status (1): " + ev
)
693 cmd
= "MGMT_TX_STATUS_PROCESS %s" % (" ".join(ev
.split(' ')[1:4]))
694 if "OK" not in hapd
.request(cmd
):
695 raise Exception("MGMT_TX_STATUS_PROCESS failed")
697 hapd
.set("ext_mgmt_frame_handling", "0")
699 dev
[0].wait_connected()
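def test_sae_proto_hostapd(dev, apdev):
    """SAE protocol testing with hostapd

    Feeds hand-built SAE commit frames straight into hostapd through
    MGMT_RX_PROCESS (external management frame handling enabled) to drive
    its commit parsing error paths. No results are checked here; the quoted
    strings in the comments are presumably the hostapd debug messages each
    frame is meant to trigger.
    """
    params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
    params['wpa_key_mgmt'] = 'SAE'
    params['sae_groups'] = "19 65535"
    hapd = hostapd.add_ap(apdev[0], params)
    hapd.set("ext_mgmt_frame_handling", "1")
    bssid = hapd.own_addr().replace(':', '')
    # Two made-up station addresses, so that the last frame starts a new
    # exchange instead of continuing the first station's one.
    addr = "020000000000"
    addr2 = "020000000001"
    hdr = "b0003a01" + bssid + addr + bssid + "1000"
    hdr2 = "b0003a01" + bssid + addr2 + bssid + "1000"
    # NOTE(review): the line defining 'group' is missing from the extracted
    # listing. "1300" (group 19 as a little-endian 16-bit value, matching the
    # "ffff" used for 65535 below) is inferred - confirm against upstream.
    group = "1300"
    scalar = "f7df19f4a7fef1d3b895ea1de150b7c5a7a705c8ebb31a52b623e0057908bd93"
    element_x = "21931572027f2e953e2a49fab3d992944102cc95aa19515fc068b394fb25ae3c"
    element_y = "cb4eeb94d7b0b789abfdb73a67ab9d6d5efa94dd553e0e724a6289821cbce530"

    rx = "MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame="
    # Fixed fields of an SAE commit: the same prefix the other protocol tests
    # in this file put in front of their commit payloads.
    commit_fixed = "030001000000"

    # Full-length commit from the first station.
    hapd.request(rx + hdr + commit_fixed + group + scalar + element_x + element_y)
    # "SAE: Not enough data for scalar"
    hapd.request(rx + hdr + commit_fixed + group + scalar[:-2])
    # "SAE: Do not allow group to be changed"
    hapd.request(rx + hdr + commit_fixed + "ffff" + scalar[:-2])
    # "SAE: Unsupported Finite Cyclic Group 65535"
    hapd.request(rx + hdr2 + commit_fixed + "ffff" + scalar[:-2])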
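def test_sae_no_ffc_by_default(dev, apdev):
    """SAE and default groups rejecting FFC

    The AP keeps its default group list while the station is restricted to
    group 5. The test only requires that the station logs two authentication
    attempts; it never waits for a connection. The second attempt is
    presumably the evidence that the first one was not accepted.
    """
    if "SAE" not in dev[0].get_capability("auth_alg"):
        raise HwsimSkip("SAE not supported")
    params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
    params['wpa_key_mgmt'] = 'SAE'
    hapd = hostapd.add_ap(apdev[0], params)

    dev[0].request("SET sae_groups 5")
    # NOTE(review): the continuation line of this call is missing from the
    # extracted listing; wait_connect=False is inferred from the event waits
    # that follow - confirm against upstream.
    dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE", scan_freq="2412",
                   wait_connect=False)
    # NOTE(review): both guard lines below are missing from the extracted
    # listing; "ev is None" is inferred from the failure messages.
    ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=3)
    if ev is None:
        raise Exception("Did not try to authenticate")
    ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=3)
    if ev is None:
        raise Exception("Did not try to authenticate (2)")
    dev[0].request("REMOVE_NETWORK all")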
745 def sae_reflection_attack(apdev
, dev
, group
):
746 if "SAE" not in dev
.get_capability("auth_alg"):
747 raise HwsimSkip("SAE not supported")
748 params
= hostapd
.wpa2_params(ssid
="test-sae",
749 passphrase
="no-knowledge-of-passphrase")
750 params
['wpa_key_mgmt'] = 'SAE'
751 hapd
= hostapd
.add_ap(apdev
, params
)
752 bssid
= apdev
['bssid']
754 dev
.scan_for_bss(bssid
, freq
=2412)
755 hapd
.set("ext_mgmt_frame_handling", "1")
757 dev
.request("SET sae_groups %d" % group
)
758 dev
.connect("test-sae", psk
="reflection-attack", key_mgmt
="SAE",
759 scan_freq
="2412", wait_connect
=False)
762 for i
in range(0, 10):
765 raise Exception("MGMT RX wait timed out")
766 if req
['subtype'] == 11:
770 raise Exception("Authentication frame not received")
773 resp
['fc'] = req
['fc']
774 resp
['da'] = req
['sa']
775 resp
['sa'] = req
['da']
776 resp
['bssid'] = req
['bssid']
777 resp
['payload'] = req
['payload']
781 req
= hapd
.mgmt_rx(timeout
=0.5)
783 if req
['subtype'] == 11:
784 raise Exception("Unexpected Authentication frame seen")
def test_sae_reflection_attack_ecc(dev, apdev):
    """SAE reflection attack (ECC)

    Runs the shared reflection check with the first AP, the first station
    and SAE group 19.
    """
    ap, sta = apdev[0], dev[0]
    sae_reflection_attack(ap, sta, 19)
def test_sae_reflection_attack_ffc(dev, apdev):
    """SAE reflection attack (FFC)

    Runs the shared reflection check with the first AP, the first station
    and SAE group 5.
    """
    ap, sta = apdev[0], dev[0]
    sae_reflection_attack(ap, sta, 5)
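def sae_reflection_attack_internal(apdev, dev, group):
    """Check that a station does not connect to a reflecting AP.

    apdev: AP device description (a single entry, not the list)
    dev: station under test (a single device, not the list)
    group: SAE group number the station is restricted to

    The AP is started with sae_reflection_attack=1 (a hostapd test option;
    presumably it echoes the station's own SAE frames back - confirm against
    hostapd) and with a passphrase that differs from the station's. The
    station must not report CTRL-EVENT-CONNECTED within one second.
    """
    if "SAE" not in dev.get_capability("auth_alg"):
        raise HwsimSkip("SAE not supported")
    params = hostapd.wpa2_params(ssid="test-sae",
                                 passphrase="no-knowledge-of-passphrase")
    params['wpa_key_mgmt'] = 'SAE'
    params['sae_reflection_attack'] = '1'
    hapd = hostapd.add_ap(apdev, params)
    bssid = apdev['bssid']

    dev.scan_for_bss(bssid, freq=2412)
    dev.request("SET sae_groups %d" % group)
    dev.connect("test-sae", psk="reflection-attack", key_mgmt="SAE",
                scan_freq="2412", wait_connect=False)
    ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
    # NOTE(review): the guard line is missing from the extracted listing;
    # "ev is not None" is inferred from the failure message - a connection
    # event is the failing case here. Confirm against upstream.
    if ev is not None:
        raise Exception("Unexpected connection")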
def test_sae_reflection_attack_ecc_internal(dev, apdev):
    """SAE reflection attack (ECC) - internal

    Runs the AP-internal reflection check with the first AP, the first
    station and SAE group 19.
    """
    ap, sta = apdev[0], dev[0]
    sae_reflection_attack_internal(ap, sta, 19)
def test_sae_reflection_attack_ffc_internal(dev, apdev):
    """SAE reflection attack (FFC) - internal

    Runs the AP-internal reflection check with the first AP, the first
    station and SAE group 5.
    """
    ap, sta = apdev[0], dev[0]
    sae_reflection_attack_internal(ap, sta, 5)
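def test_sae_commit_override(dev, apdev):
    """SAE commit override (hostapd)

    Starts the AP with a fixed sae_commit_override value (a hostapd test
    option; presumably it replaces the commit contents the AP sends -
    confirm against hostapd) and requires that the station does not report
    a connection within one second.
    """
    if "SAE" not in dev[0].get_capability("auth_alg"):
        raise HwsimSkip("SAE not supported")
    params = hostapd.wpa2_params(ssid="test-sae",
                                 passphrase="12345678")
    params['wpa_key_mgmt'] = 'SAE'
    params['sae_commit_override'] = '13ffbad00d215867a7c5ff37d87bb9bdb7cb116e520f71e8d7a794ca2606d537ddc6c099c40e7a25372b80a8fd443cd7dd222c8ea21b8ef372d4b3e316c26a73fd999cc79ad483eb826e7b3893ea332da68fa13224bcdeb4fb18b0584dd100a2c514'
    hapd = hostapd.add_ap(apdev[0], params)
    dev[0].request("SET sae_groups ")
    dev[0].connect("test-sae", psk="test-sae", key_mgmt="SAE",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
    # NOTE(review): the guard line is missing from the extracted listing;
    # "ev is not None" is inferred from the failure message - a connection
    # event is the failing case here. Confirm against upstream.
    if ev is not None:
        raise Exception("Unexpected connection")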
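def test_sae_commit_override2(dev, apdev):
    """SAE commit override (wpa_supplicant)"""
    if "SAE" not in dev[0].get_capability("auth_alg"):
        raise HwsimSkip("SAE not supported")
    params = hostapd.wpa2_params(ssid="test-sae",
                                 passphrase="12345678")
    params['wpa_key_mgmt'] = 'SAE'
    hapd = hostapd.add_ap(apdev[0], params)
    dev[0].request("SET sae_groups ")
    # Station-side counterpart of the hostapd override test: the fixed hex
    # blob is set on the station; presumably it is sent in place of the
    # commit the station would normally compute -- TODO confirm against the
    # wpa_supplicant testing options.
    dev[0].set('sae_commit_override', '13ffbad00d215867a7c5ff37d87bb9bdb7cb116e520f71e8d7a794ca2606d537ddc6c099c40e7a25372b80a8fd443cd7dd222c8ea21b8ef372d4b3e316c26a73fd999cc79ad483eb826e7b3893ea332da68fa13224bcdeb4fb18b0584dd100a2c514')
    # The station password ("test-sae") does not match the AP passphrase
    # ("12345678"), so the handshake is expected to fail.
    dev[0].connect("test-sae", psk="test-sae", key_mgmt="SAE",
                   scan_freq="2412", wait_connect=False)
    # Negative assertion: raise only when a connection event is actually
    # seen; without this guard the test would raise unconditionally.
    # NOTE(review): the 1 s window shows only that no connection was reported
    # within that time.
    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
    if ev is not None:
        raise Exception("Unexpected connection")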
859 def test_sae_anti_clogging_proto(dev
, apdev
):
860 """SAE anti clogging protocol testing"""
861 if "SAE" not in dev
[0].get_capability("auth_alg"):
862 raise HwsimSkip("SAE not supported")
863 params
= hostapd
.wpa2_params(ssid
="test-sae",
864 passphrase
="no-knowledge-of-passphrase")
865 params
['wpa_key_mgmt'] = 'SAE'
866 hapd
= hostapd
.add_ap(apdev
[0], params
)
867 bssid
= apdev
[0]['bssid']
869 dev
[0].scan_for_bss(bssid
, freq
=2412)
870 hapd
.set("ext_mgmt_frame_handling", "1")
872 dev
[0].request("SET sae_groups ")
873 dev
[0].connect("test-sae", psk
="anti-cloggign", key_mgmt
="SAE",
874 scan_freq
="2412", wait_connect
=False)
877 for i
in range(0, 10):
880 raise Exception("MGMT RX wait timed out")
881 if req
['subtype'] == 11:
885 raise Exception("Authentication frame not received")
888 resp
['fc'] = req
['fc']
889 resp
['da'] = req
['sa']
890 resp
['sa'] = req
['da']
891 resp
['bssid'] = req
['bssid']
892 resp
['payload'] = binascii
.unhexlify("030001004c00" + "ffff00")
895 # Confirm (not received due to DH group being rejected)
896 req
= hapd
.mgmt_rx(timeout
=0.5)
898 if req
['subtype'] == 11:
899 raise Exception("Unexpected Authentication frame seen")
902 def test_sae_no_random(dev
, apdev
):
903 """SAE and no random numbers available"""
904 if "SAE" not in dev
[0].get_capability("auth_alg"):
905 raise HwsimSkip("SAE not supported")
906 params
= hostapd
.wpa2_params(ssid
="test-sae", passphrase
="12345678")
907 params
['wpa_key_mgmt'] = 'SAE'
908 hapd
= hostapd
.add_ap(apdev
[0], params
)
910 dev
[0].request("SET sae_groups ")
911 tests
= [ (1, "os_get_random;sae_get_rand"),
912 (1, "os_get_random;get_rand_1_to_p_1"),
913 (1, "os_get_random;get_random_qr_qnr"),
914 (1, "os_get_random;sae_derive_pwe_ecc") ]
915 for count
, func
in tests
:
916 with
fail_test(dev
[0], count
, func
):
917 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
919 dev
[0].request("REMOVE_NETWORK all")
920 dev
[0].wait_disconnected()
923 def test_sae_pwe_failure(dev
, apdev
):
924 """SAE and pwe failure"""
925 if "SAE" not in dev
[0].get_capability("auth_alg"):
926 raise HwsimSkip("SAE not supported")
927 params
= hostapd
.wpa2_params(ssid
="test-sae", passphrase
="12345678")
928 params
['wpa_key_mgmt'] = 'SAE'
929 params
['sae_groups'] = '19 5'
930 hapd
= hostapd
.add_ap(apdev
[0], params
)
932 dev
[0].request("SET sae_groups 19")
933 with
fail_test(dev
[0], 1, "hmac_sha256_vector;sae_derive_pwe_ecc"):
934 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
936 dev
[0].request("REMOVE_NETWORK all")
937 dev
[0].wait_disconnected()
938 with
fail_test(dev
[0], 1, "sae_test_pwd_seed_ecc"):
939 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
941 dev
[0].request("REMOVE_NETWORK all")
942 dev
[0].wait_disconnected()
944 dev
[0].request("SET sae_groups 5")
945 with
fail_test(dev
[0], 1, "hmac_sha256_vector;sae_derive_pwe_ffc"):
946 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
948 dev
[0].request("REMOVE_NETWORK all")
949 dev
[0].wait_disconnected()
951 dev
[0].request("SET sae_groups 5")
952 with
fail_test(dev
[0], 1, "sae_test_pwd_seed_ffc"):
953 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
955 dev
[0].request("REMOVE_NETWORK all")
956 dev
[0].wait_disconnected()
957 with
fail_test(dev
[0], 2, "sae_test_pwd_seed_ffc"):
958 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
960 dev
[0].request("REMOVE_NETWORK all")
961 dev
[0].wait_disconnected()
def test_sae_bignum_failure(dev, apdev):
    """SAE and bignum failure"""
    sta = dev[0]
    if "SAE" not in sta.get_capability("auth_alg"):
        raise HwsimSkip("SAE not supported")
    params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
    params['wpa_key_mgmt'] = 'SAE'
    params['sae_groups'] = '19 5 22'
    hapd = hostapd.add_ap(apdev[0], params)

    # Each entry is the (count, func) pair handed to fail_test(). The func
    # strings look like "<function to fail>;<caller>" and count like the
    # occurrence to fail -- presumably; verify against fail_test().
    group19_faults = [
        (1, "crypto_bignum_init_set;get_rand_1_to_p_1"),
        (1, "crypto_bignum_init;is_quadratic_residue_blind"),
        (1, "crypto_bignum_mulmod;is_quadratic_residue_blind"),
        (2, "crypto_bignum_mulmod;is_quadratic_residue_blind"),
        (3, "crypto_bignum_mulmod;is_quadratic_residue_blind"),
        (1, "crypto_bignum_legendre;is_quadratic_residue_blind"),
        (1, "crypto_bignum_init_set;sae_test_pwd_seed_ecc"),
        (1, "crypto_ec_point_compute_y_sqr;sae_test_pwd_seed_ecc"),
        (1, "crypto_bignum_init_set;get_random_qr_qnr"),
        (1, "crypto_bignum_to_bin;sae_derive_pwe_ecc"),
        (1, "crypto_ec_point_init;sae_derive_pwe_ecc"),
        (1, "crypto_ec_point_solve_y_coord;sae_derive_pwe_ecc"),
        (1, "crypto_ec_point_init;sae_derive_commit_element_ecc"),
        (1, "crypto_ec_point_mul;sae_derive_commit_element_ecc"),
        (1, "crypto_ec_point_invert;sae_derive_commit_element_ecc"),
        (1, "crypto_bignum_init;=sae_derive_commit"),
        (1, "crypto_ec_point_init;sae_derive_k_ecc"),
        (1, "crypto_ec_point_mul;sae_derive_k_ecc"),
        (1, "crypto_ec_point_add;sae_derive_k_ecc"),
        (2, "crypto_ec_point_mul;sae_derive_k_ecc"),
        (1, "crypto_ec_point_to_bin;sae_derive_k_ecc"),
        (1, "crypto_bignum_legendre;get_random_qr_qnr"),
        (1, "sha256_prf;sae_derive_keys"),
        (1, "crypto_bignum_init;sae_derive_keys"),
        (1, "crypto_bignum_init_set;sae_parse_commit_scalar"),
        (1, "crypto_bignum_to_bin;sae_parse_commit_element_ecc"),
        (1, "crypto_ec_point_from_bin;sae_parse_commit_element_ecc"),
    ]
    group5_faults = [
        (1, "crypto_bignum_init_set;sae_set_group"),
        (2, "crypto_bignum_init_set;sae_set_group"),
        (1, "crypto_bignum_init_set;sae_get_rand"),
        (1, "crypto_bignum_init_set;sae_test_pwd_seed_ffc"),
        (1, "crypto_bignum_exptmod;sae_test_pwd_seed_ffc"),
        (1, "crypto_bignum_init;sae_derive_pwe_ffc"),
        (1, "crypto_bignum_init;sae_derive_commit_element_ffc"),
        (1, "crypto_bignum_exptmod;sae_derive_commit_element_ffc"),
        (1, "crypto_bignum_inverse;sae_derive_commit_element_ffc"),
        (1, "crypto_bignum_init;sae_derive_k_ffc"),
        (1, "crypto_bignum_exptmod;sae_derive_k_ffc"),
        (1, "crypto_bignum_mulmod;sae_derive_k_ffc"),
        (2, "crypto_bignum_exptmod;sae_derive_k_ffc"),
        (1, "crypto_bignum_to_bin;sae_derive_k_ffc"),
        (1, "crypto_bignum_init_set;sae_parse_commit_element_ffc"),
        (1, "crypto_bignum_init;sae_parse_commit_element_ffc"),
        (2, "crypto_bignum_init_set;sae_parse_commit_element_ffc"),
        (1, "crypto_bignum_exptmod;sae_parse_commit_element_ffc"),
    ]
    group22_faults = [
        (1, "crypto_bignum_init_set;sae_test_pwd_seed_ffc"),
        (1, "crypto_bignum_sub;sae_test_pwd_seed_ffc"),
        (1, "crypto_bignum_div;sae_test_pwd_seed_ffc"),
    ]

    # Same order as the groups are exercised: 19, then 5, then 22.
    rounds = (
        ("SET sae_groups 19", group19_faults),
        ("SET sae_groups 5", group5_faults),
        ("SET sae_groups 22", group22_faults),
    )
    for select_group, faults in rounds:
        sta.request(select_group)
        for count, func in faults:
            with fail_test(sta, count, func):
                # No connection outcome is asserted; each round only waits
                # on wait_fail_trigger() with "GET_FAIL" and then removes
                # the network again.
                sta.connect("test-sae", psk="12345678", key_mgmt="SAE",
                            scan_freq="2412", wait_connect=False)
                wait_fail_trigger(sta, "GET_FAIL")
                sta.request("REMOVE_NETWORK all")
1045 def test_sae_invalid_anti_clogging_token_req(dev
, apdev
):
1046 """SAE and invalid anti-clogging token request"""
1047 if "SAE" not in dev
[0].get_capability("auth_alg"):
1048 raise HwsimSkip("SAE not supported")
1049 params
= hostapd
.wpa2_params(ssid
="test-sae", passphrase
="12345678")
1050 params
['wpa_key_mgmt'] = 'SAE'
1051 # Beacon more frequently since Probe Request frames are practically ignored
1052 # in this test setup (ext_mgmt_frame_handled=1 on hostapd side) and
1053 # wpa_supplicant scans may end up getting ignored if no new results are
1054 # available due to the missing Probe Response frames.
1055 params
['beacon_int'] = '20'
1056 hapd
= hostapd
.add_ap(apdev
[0], params
)
1057 bssid
= apdev
[0]['bssid']
1059 dev
[0].request("SET sae_groups 19")
1060 dev
[0].scan_for_bss(bssid
, freq
=2412)
1061 hapd
.set("ext_mgmt_frame_handling", "1")
1062 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
1063 scan_freq
="2412", wait_connect
=False)
1064 ev
= dev
[0].wait_event(["SME: Trying to authenticate"])
1066 raise Exception("No authentication attempt seen (1)")
1067 dev
[0].dump_monitor()
1069 for i
in range(0, 10):
1070 req
= hapd
.mgmt_rx()
1072 raise Exception("MGMT RX wait timed out (commit)")
1073 if req
['subtype'] == 11:
1077 raise Exception("Authentication frame (commit) not received")
1081 resp
['fc'] = req
['fc']
1082 resp
['da'] = req
['sa']
1083 resp
['sa'] = req
['da']
1084 resp
['bssid'] = req
['bssid']
1085 resp
['payload'] = binascii
.unhexlify("030001004c0013")
1087 ev
= hapd
.wait_event(["MGMT-TX-STATUS"], timeout
=5)
1089 raise Exception("Management frame TX status not reported (1)")
1090 if "stype=11 ok=1" not in ev
:
1091 raise Exception("Unexpected management frame TX status (1): " + ev
)
1093 ev
= dev
[0].wait_event(["SME: Trying to authenticate"])
1095 raise Exception("No authentication attempt seen (2)")
1096 dev
[0].dump_monitor()
1098 for i
in range(0, 10):
1099 req
= hapd
.mgmt_rx()
1101 raise Exception("MGMT RX wait timed out (commit) (2)")
1102 if req
['subtype'] == 11:
1106 raise Exception("Authentication frame (commit) not received (2)")
1110 resp
['fc'] = req
['fc']
1111 resp
['da'] = req
['sa']
1112 resp
['sa'] = req
['da']
1113 resp
['bssid'] = req
['bssid']
1114 resp
['payload'] = binascii
.unhexlify("030001000100")
1116 ev
= hapd
.wait_event(["MGMT-TX-STATUS"], timeout
=5)
1118 raise Exception("Management frame TX status not reported (1)")
1119 if "stype=11 ok=1" not in ev
:
1120 raise Exception("Unexpected management frame TX status (1): " + ev
)
1122 ev
= dev
[0].wait_event(["SME: Trying to authenticate"])
1124 raise Exception("No authentication attempt seen (3)")
1125 dev
[0].dump_monitor()
1127 dev
[0].request("DISCONNECT")
1129 def test_sae_password(dev
, apdev
):
1130 """SAE and sae_password in hostapd configuration"""
1131 if "SAE" not in dev
[0].get_capability("auth_alg"):
1132 raise HwsimSkip("SAE not supported")
1133 params
= hostapd
.wpa2_params(ssid
="test-sae",
1134 passphrase
="12345678")
1135 params
['wpa_key_mgmt'] = 'SAE WPA-PSK'
1136 params
['sae_password'] = "sae-password"
1137 hapd
= hostapd
.add_ap(apdev
[0], params
)
1139 dev
[0].request("SET sae_groups ")
1140 dev
[0].connect("test-sae", psk
="sae-password", key_mgmt
="SAE",
1142 dev
[1].connect("test-sae", psk
="12345678", scan_freq
="2412")
1143 dev
[2].request("SET sae_groups ")
1144 dev
[2].connect("test-sae", sae_password
="sae-password", key_mgmt
="SAE",
1147 def test_sae_password_short(dev
, apdev
):
1148 """SAE and short password"""
1149 if "SAE" not in dev
[0].get_capability("auth_alg"):
1150 raise HwsimSkip("SAE not supported")
1151 params
= hostapd
.wpa2_params(ssid
="test-sae")
1152 params
['wpa_key_mgmt'] = 'SAE'
1153 params
['sae_password'] = "secret"
1154 hapd
= hostapd
.add_ap(apdev
[0], params
)
1156 dev
[0].request("SET sae_groups ")
1157 dev
[0].connect("test-sae", sae_password
="secret", key_mgmt
="SAE",
1160 def test_sae_password_long(dev
, apdev
):
1161 """SAE and long password"""
1162 if "SAE" not in dev
[0].get_capability("auth_alg"):
1163 raise HwsimSkip("SAE not supported")
1164 params
= hostapd
.wpa2_params(ssid
="test-sae")
1165 params
['wpa_key_mgmt'] = 'SAE'
1166 params
['sae_password'] = 100*"A"
1167 hapd
= hostapd
.add_ap(apdev
[0], params
)
1169 dev
[0].request("SET sae_groups ")
1170 dev
[0].connect("test-sae", sae_password
=100*"A", key_mgmt
="SAE",