]> git.ipfire.org Git - thirdparty/hostap.git/blob - tests/hwsim/test_sae.py
projects / thirdparty / hostap.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
tests: sae_group in hostapd STA ctrl_iface command
[thirdparty/hostap.git] / tests / hwsim / test_sae.py
1 # Test cases for SAE
2 # Copyright (c) 2013-2016, Jouni Malinen <j@w1.fi>
3 #
4 # This software may be distributed under the terms of the BSD license.
5 # See README for more details.
6
7 from remotehost import remote_compatible
8 import binascii
9 import os
10 import time
11 import logging
12 logger = logging.getLogger()
13
14 import hwsim_utils
15 import hostapd
16 from utils import HwsimSkip, alloc_fail, fail_test, wait_fail_trigger
17 from test_ap_psk import find_wpas_process, read_process_memory, verify_not_present, get_key_locations
18
19 @remote_compatible
20 def test_sae(dev, apdev):
21 """SAE with default group"""
22 if "SAE" not in dev[0].get_capability("auth_alg"):
23 raise HwsimSkip("SAE not supported")
24 params = hostapd.wpa2_params(ssid="test-sae",
25 passphrase="12345678")
26 params['wpa_key_mgmt'] = 'SAE'
27 hapd = hostapd.add_ap(apdev[0], params)
28 key_mgmt = hapd.get_config()['key_mgmt']
29 if key_mgmt.split(' ')[0] != "SAE":
30 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
31
32 dev[0].request("SET sae_groups ")
33 id = dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
34 scan_freq="2412")
35 if dev[0].get_status_field('sae_group') != '19':
36 raise Exception("Expected default SAE group not used")
37 bss = dev[0].get_bss(apdev[0]['bssid'])
38 if 'flags' not in bss:
39 raise Exception("Could not get BSS flags from BSS table")
40 if "[WPA2-SAE-CCMP]" not in bss['flags']:
41 raise Exception("Unexpected BSS flags: " + bss['flags'])
42
43 res = hapd.request("STA-FIRST")
44 if "sae_group=19" not in res.splitlines():
45 raise Exception("hostapd STA output did not specify SAE group")
46
47 @remote_compatible
48 def test_sae_password_ecc(dev, apdev):
49 """SAE with number of different passwords (ECC)"""
50 if "SAE" not in dev[0].get_capability("auth_alg"):
51 raise HwsimSkip("SAE not supported")
52 params = hostapd.wpa2_params(ssid="test-sae",
53 passphrase="12345678")
54 params['wpa_key_mgmt'] = 'SAE'
55 hapd = hostapd.add_ap(apdev[0], params)
56
57 dev[0].request("SET sae_groups 19")
58
59 for i in range(10):
60 password = "12345678-" + str(i)
61 hapd.set("wpa_passphrase", password)
62 dev[0].connect("test-sae", psk=password, key_mgmt="SAE",
63 scan_freq="2412")
64 dev[0].request("REMOVE_NETWORK all")
65 dev[0].wait_disconnected()
66
67 @remote_compatible
68 def test_sae_password_ffc(dev, apdev):
69 """SAE with number of different passwords (FFC)"""
70 if "SAE" not in dev[0].get_capability("auth_alg"):
71 raise HwsimSkip("SAE not supported")
72 params = hostapd.wpa2_params(ssid="test-sae",
73 passphrase="12345678")
74 params['wpa_key_mgmt'] = 'SAE'
75 params['sae_groups'] = '22'
76 hapd = hostapd.add_ap(apdev[0], params)
77
78 dev[0].request("SET sae_groups 22")
79
80 for i in range(10):
81 password = "12345678-" + str(i)
82 hapd.set("wpa_passphrase", password)
83 dev[0].connect("test-sae", psk=password, key_mgmt="SAE",
84 scan_freq="2412")
85 dev[0].request("REMOVE_NETWORK all")
86 dev[0].wait_disconnected()
87
88 @remote_compatible
89 def test_sae_pmksa_caching(dev, apdev):
90 """SAE and PMKSA caching"""
91 if "SAE" not in dev[0].get_capability("auth_alg"):
92 raise HwsimSkip("SAE not supported")
93 params = hostapd.wpa2_params(ssid="test-sae",
94 passphrase="12345678")
95 params['wpa_key_mgmt'] = 'SAE'
96 hapd = hostapd.add_ap(apdev[0], params)
97
98 dev[0].request("SET sae_groups ")
99 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
100 scan_freq="2412")
101 ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
102 if ev is None:
103 raise Exception("No connection event received from hostapd")
104 dev[0].request("DISCONNECT")
105 dev[0].wait_disconnected()
106 dev[0].request("RECONNECT")
107 dev[0].wait_connected(timeout=15, error="Reconnect timed out")
108 if dev[0].get_status_field('sae_group') is not None:
109 raise Exception("SAE group claimed to have been used")
110
111 @remote_compatible
112 def test_sae_pmksa_caching_disabled(dev, apdev):
113 """SAE and PMKSA caching disabled"""
114 if "SAE" not in dev[0].get_capability("auth_alg"):
115 raise HwsimSkip("SAE not supported")
116 params = hostapd.wpa2_params(ssid="test-sae",
117 passphrase="12345678")
118 params['wpa_key_mgmt'] = 'SAE'
119 params['disable_pmksa_caching'] = '1'
120 hapd = hostapd.add_ap(apdev[0], params)
121
122 dev[0].request("SET sae_groups ")
123 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
124 scan_freq="2412")
125 ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
126 if ev is None:
127 raise Exception("No connection event received from hostapd")
128 dev[0].request("DISCONNECT")
129 dev[0].wait_disconnected()
130 dev[0].request("RECONNECT")
131 dev[0].wait_connected(timeout=15, error="Reconnect timed out")
132 if dev[0].get_status_field('sae_group') != '19':
133 raise Exception("Expected default SAE group not used")
134
135 def test_sae_groups(dev, apdev):
136 """SAE with all supported groups"""
137 if "SAE" not in dev[0].get_capability("auth_alg"):
138 raise HwsimSkip("SAE not supported")
139 # This is the full list of supported groups, but groups 14-16 (2048-4096 bit
140 # MODP) and group 21 (521-bit random ECP group) are a bit too slow on some
141 # VMs and can result in hitting the mac80211 authentication timeout, so
142 # allow them to fail and just report such failures in the debug log.
143 sae_groups = [ 19, 25, 26, 20, 21, 2, 5, 14, 15, 16, 22, 23, 24 ]
144 tls = dev[0].request("GET tls_library")
145 if tls.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
146 logger.info("Add Brainpool EC groups since OpenSSL is new enough")
147 sae_groups += [ 27, 28, 29, 30 ]
148 heavy_groups = [ 14, 15, 16 ]
149 groups = [str(g) for g in sae_groups]
150 params = hostapd.wpa2_params(ssid="test-sae-groups",
151 passphrase="12345678")
152 params['wpa_key_mgmt'] = 'SAE'
153 params['sae_groups'] = ' '.join(groups)
154 hostapd.add_ap(apdev[0], params)
155
156 for g in groups:
157 logger.info("Testing SAE group " + g)
158 dev[0].request("SET sae_groups " + g)
159 id = dev[0].connect("test-sae-groups", psk="12345678", key_mgmt="SAE",
160 scan_freq="2412", wait_connect=False)
161 if int(g) in heavy_groups:
162 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=5)
163 if ev is None:
164 logger.info("No connection with heavy SAE group %s did not connect - likely hitting timeout in mac80211" % g)
165 dev[0].remove_network(id)
166 time.sleep(0.1)
167 dev[0].dump_monitor()
168 continue
169 logger.info("Connection with heavy SAE group " + g)
170 else:
171 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
172 if ev is None:
173 if "BoringSSL" in tls and int(g) in [ 25 ]:
174 logger.info("Ignore connection failure with group " + g + " with BoringSSL")
175 dev[0].remove_network(id)
176 dev[0].dump_monitor()
177 continue
178 raise Exception("Connection timed out with group " + g)
179 if dev[0].get_status_field('sae_group') != g:
180 raise Exception("Expected SAE group not used")
181 dev[0].remove_network(id)
182 dev[0].wait_disconnected()
183 dev[0].dump_monitor()
184
185 @remote_compatible
186 def test_sae_group_nego(dev, apdev):
187 """SAE group negotiation"""
188 if "SAE" not in dev[0].get_capability("auth_alg"):
189 raise HwsimSkip("SAE not supported")
190 params = hostapd.wpa2_params(ssid="test-sae-group-nego",
191 passphrase="12345678")
192 params['wpa_key_mgmt'] = 'SAE'
193 params['sae_groups'] = '19'
194 hostapd.add_ap(apdev[0], params)
195
196 dev[0].request("SET sae_groups 25 26 20 19")
197 dev[0].connect("test-sae-group-nego", psk="12345678", key_mgmt="SAE",
198 scan_freq="2412")
199 if dev[0].get_status_field('sae_group') != '19':
200 raise Exception("Expected SAE group not used")
201
202 @remote_compatible
203 def test_sae_anti_clogging(dev, apdev):
204 """SAE anti clogging"""
205 if "SAE" not in dev[0].get_capability("auth_alg"):
206 raise HwsimSkip("SAE not supported")
207 params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
208 params['wpa_key_mgmt'] = 'SAE'
209 params['sae_anti_clogging_threshold'] = '1'
210 hostapd.add_ap(apdev[0], params)
211
212 dev[0].request("SET sae_groups ")
213 dev[1].request("SET sae_groups ")
214 id = {}
215 for i in range(0, 2):
216 dev[i].scan(freq="2412")
217 id[i] = dev[i].connect("test-sae", psk="12345678", key_mgmt="SAE",
218 scan_freq="2412", only_add_network=True)
219 for i in range(0, 2):
220 dev[i].select_network(id[i])
221 for i in range(0, 2):
222 dev[i].wait_connected(timeout=10)
223
224 def test_sae_forced_anti_clogging(dev, apdev):
225 """SAE anti clogging (forced)"""
226 if "SAE" not in dev[0].get_capability("auth_alg"):
227 raise HwsimSkip("SAE not supported")
228 params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
229 params['wpa_key_mgmt'] = 'SAE WPA-PSK'
230 params['sae_anti_clogging_threshold'] = '0'
231 hostapd.add_ap(apdev[0], params)
232 dev[2].connect("test-sae", psk="12345678", scan_freq="2412")
233 for i in range(0, 2):
234 dev[i].request("SET sae_groups ")
235 dev[i].connect("test-sae", psk="12345678", key_mgmt="SAE",
236 scan_freq="2412")
237
238 def test_sae_mixed(dev, apdev):
239 """Mixed SAE and non-SAE network"""
240 if "SAE" not in dev[0].get_capability("auth_alg"):
241 raise HwsimSkip("SAE not supported")
242 params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
243 params['wpa_key_mgmt'] = 'SAE WPA-PSK'
244 params['sae_anti_clogging_threshold'] = '0'
245 hostapd.add_ap(apdev[0], params)
246
247 dev[2].connect("test-sae", psk="12345678", scan_freq="2412")
248 for i in range(0, 2):
249 dev[i].request("SET sae_groups ")
250 dev[i].connect("test-sae", psk="12345678", key_mgmt="SAE",
251 scan_freq="2412")
252
253 @remote_compatible
254 def test_sae_missing_password(dev, apdev):
255 """SAE and missing password"""
256 if "SAE" not in dev[0].get_capability("auth_alg"):
257 raise HwsimSkip("SAE not supported")
258 params = hostapd.wpa2_params(ssid="test-sae",
259 passphrase="12345678")
260 params['wpa_key_mgmt'] = 'SAE'
261 hapd = hostapd.add_ap(apdev[0], params)
262
263 dev[0].request("SET sae_groups ")
264 id = dev[0].connect("test-sae",
265 raw_psk="46b4a73b8a951ad53ebd2e0afdb9c5483257edd4c21d12b7710759da70945858",
266 key_mgmt="SAE", scan_freq="2412", wait_connect=False)
267 ev = dev[0].wait_event(['CTRL-EVENT-SSID-TEMP-DISABLED'], timeout=10)
268 if ev is None:
269 raise Exception("Invalid network not temporarily disabled")
270
271
272 def test_sae_key_lifetime_in_memory(dev, apdev, params):
273 """SAE and key lifetime in memory"""
274 if "SAE" not in dev[0].get_capability("auth_alg"):
275 raise HwsimSkip("SAE not supported")
276 password = "5ad144a7c1f5a5503baa6fa01dabc15b1843e8c01662d78d16b70b5cd23cf8b"
277 p = hostapd.wpa2_params(ssid="test-sae", passphrase=password)
278 p['wpa_key_mgmt'] = 'SAE'
279 hapd = hostapd.add_ap(apdev[0], p)
280
281 pid = find_wpas_process(dev[0])
282
283 dev[0].request("SET sae_groups ")
284 id = dev[0].connect("test-sae", psk=password, key_mgmt="SAE",
285 scan_freq="2412")
286
287 # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
288 # event has been delivered, so verify that wpa_supplicant has returned to
289 # eloop before reading process memory.
290 time.sleep(1)
291 dev[0].ping()
292 buf = read_process_memory(pid, password)
293
294 dev[0].request("DISCONNECT")
295 dev[0].wait_disconnected()
296
297 dev[0].relog()
298 sae_k = None
299 sae_keyseed = None
300 sae_kck = None
301 pmk = None
302 ptk = None
303 gtk = None
304 with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
305 for l in f.readlines():
306 if "SAE: k - hexdump" in l:
307 val = l.strip().split(':')[3].replace(' ', '')
308 sae_k = binascii.unhexlify(val)
309 if "SAE: keyseed - hexdump" in l:
310 val = l.strip().split(':')[3].replace(' ', '')
311 sae_keyseed = binascii.unhexlify(val)
312 if "SAE: KCK - hexdump" in l:
313 val = l.strip().split(':')[3].replace(' ', '')
314 sae_kck = binascii.unhexlify(val)
315 if "SAE: PMK - hexdump" in l:
316 val = l.strip().split(':')[3].replace(' ', '')
317 pmk = binascii.unhexlify(val)
318 if "WPA: PTK - hexdump" in l:
319 val = l.strip().split(':')[3].replace(' ', '')
320 ptk = binascii.unhexlify(val)
321 if "WPA: Group Key - hexdump" in l:
322 val = l.strip().split(':')[3].replace(' ', '')
323 gtk = binascii.unhexlify(val)
324 if not sae_k or not sae_keyseed or not sae_kck or not pmk or not ptk or not gtk:
325 raise Exception("Could not find keys from debug log")
326 if len(gtk) != 16:
327 raise Exception("Unexpected GTK length")
328
329 kck = ptk[0:16]
330 kek = ptk[16:32]
331 tk = ptk[32:48]
332
333 fname = os.path.join(params['logdir'],
334 'sae_key_lifetime_in_memory.memctx-')
335
336 logger.info("Checking keys in memory while associated")
337 get_key_locations(buf, password, "Password")
338 get_key_locations(buf, pmk, "PMK")
339 if password not in buf:
340 raise HwsimSkip("Password not found while associated")
341 if pmk not in buf:
342 raise HwsimSkip("PMK not found while associated")
343 if kck not in buf:
344 raise Exception("KCK not found while associated")
345 if kek not in buf:
346 raise Exception("KEK not found while associated")
347 if tk in buf:
348 raise Exception("TK found from memory")
349 if gtk in buf:
350 get_key_locations(buf, gtk, "GTK")
351 raise Exception("GTK found from memory")
352 verify_not_present(buf, sae_k, fname, "SAE(k)")
353 verify_not_present(buf, sae_keyseed, fname, "SAE(keyseed)")
354 verify_not_present(buf, sae_kck, fname, "SAE(KCK)")
355
356 logger.info("Checking keys in memory after disassociation")
357 buf = read_process_memory(pid, password)
358
359 # Note: Password is still present in network configuration
360 # Note: PMK is in PMKSA cache
361
362 get_key_locations(buf, password, "Password")
363 get_key_locations(buf, pmk, "PMK")
364 verify_not_present(buf, kck, fname, "KCK")
365 verify_not_present(buf, kek, fname, "KEK")
366 verify_not_present(buf, tk, fname, "TK")
367 verify_not_present(buf, gtk, fname, "GTK")
368 verify_not_present(buf, sae_k, fname, "SAE(k)")
369 verify_not_present(buf, sae_keyseed, fname, "SAE(keyseed)")
370 verify_not_present(buf, sae_kck, fname, "SAE(KCK)")
371
372 dev[0].request("PMKSA_FLUSH")
373 logger.info("Checking keys in memory after PMKSA cache flush")
374 buf = read_process_memory(pid, password)
375 get_key_locations(buf, password, "Password")
376 get_key_locations(buf, pmk, "PMK")
377 verify_not_present(buf, pmk, fname, "PMK")
378
379 dev[0].request("REMOVE_NETWORK all")
380
381 logger.info("Checking keys in memory after network profile removal")
382 buf = read_process_memory(pid, password)
383
384 get_key_locations(buf, password, "Password")
385 get_key_locations(buf, pmk, "PMK")
386 verify_not_present(buf, password, fname, "password")
387 verify_not_present(buf, pmk, fname, "PMK")
388 verify_not_present(buf, kck, fname, "KCK")
389 verify_not_present(buf, kek, fname, "KEK")
390 verify_not_present(buf, tk, fname, "TK")
391 verify_not_present(buf, gtk, fname, "GTK")
392 verify_not_present(buf, sae_k, fname, "SAE(k)")
393 verify_not_present(buf, sae_keyseed, fname, "SAE(keyseed)")
394 verify_not_present(buf, sae_kck, fname, "SAE(KCK)")
395
396 @remote_compatible
397 def test_sae_oom_wpas(dev, apdev):
398 """SAE and OOM in wpa_supplicant"""
399 if "SAE" not in dev[0].get_capability("auth_alg"):
400 raise HwsimSkip("SAE not supported")
401 params = hostapd.wpa2_params(ssid="test-sae",
402 passphrase="12345678")
403 params['wpa_key_mgmt'] = 'SAE'
404 hapd = hostapd.add_ap(apdev[0], params)
405
406 dev[0].request("SET sae_groups 25")
407 tls = dev[0].request("GET tls_library")
408 if "BoringSSL" in tls:
409 dev[0].request("SET sae_groups 26")
410 with alloc_fail(dev[0], 1, "sae_set_group"):
411 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
412 scan_freq="2412")
413 dev[0].request("REMOVE_NETWORK all")
414
415 dev[0].request("SET sae_groups ")
416 with alloc_fail(dev[0], 2, "sae_set_group"):
417 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
418 scan_freq="2412")
419 dev[0].request("REMOVE_NETWORK all")
420
421 with alloc_fail(dev[0], 1, "wpabuf_alloc;sme_auth_build_sae_commit"):
422 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
423 scan_freq="2412")
424 dev[0].request("REMOVE_NETWORK all")
425
426 with alloc_fail(dev[0], 1, "wpabuf_alloc;sme_auth_build_sae_confirm"):
427 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
428 scan_freq="2412", wait_connect=False)
429 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
430 dev[0].request("REMOVE_NETWORK all")
431
432 with alloc_fail(dev[0], 1, "=sme_authenticate"):
433 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
434 scan_freq="2412", wait_connect=False)
435 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
436 dev[0].request("REMOVE_NETWORK all")
437
438 with alloc_fail(dev[0], 1, "radio_add_work;sme_authenticate"):
439 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
440 scan_freq="2412", wait_connect=False)
441 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
442 dev[0].request("REMOVE_NETWORK all")
443
444 @remote_compatible
445 def test_sae_proto_ecc(dev, apdev):
446 """SAE protocol testing (ECC)"""
447 if "SAE" not in dev[0].get_capability("auth_alg"):
448 raise HwsimSkip("SAE not supported")
449 params = hostapd.wpa2_params(ssid="test-sae",
450 passphrase="12345678")
451 params['wpa_key_mgmt'] = 'SAE'
452 hapd = hostapd.add_ap(apdev[0], params)
453 bssid = apdev[0]['bssid']
454
455 dev[0].request("SET sae_groups 19")
456
457 tests = [ ("Confirm mismatch",
458 "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
459 "0000800edebc3f260dc1fe7e0b20888af2b8a3316252ec37388a8504e25b73dc4240"),
460 ("Commit without even full cyclic group field",
461 "13",
462 None),
463 ("Too short commit",
464 "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02",
465 None),
466 ("Invalid commit scalar (0)",
467 "1300" + "0000000000000000000000000000000000000000000000000000000000000000" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
468 None),
469 ("Invalid commit scalar (1)",
470 "1300" + "0000000000000000000000000000000000000000000000000000000000000001" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
471 None),
472 ("Invalid commit scalar (> r)",
473 "1300" + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
474 None),
475 ("Commit element not on curve",
476 "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728d0000000000000000000000000000000000000000000000000000000000000000",
477 None),
478 ("Invalid commit element (y coordinate > P)",
479 "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
480 None),
481 ("Invalid commit element (x coordinate > P)",
482 "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
483 None),
484 ("Different group in commit",
485 "1400" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
486 None),
487 ("Too short confirm",
488 "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
489 "0000800edebc3f260dc1fe7e0b20888af2b8a3316252ec37388a8504e25b73dc42")]
490 for (note, commit, confirm) in tests:
491 logger.info(note)
492 dev[0].scan_for_bss(bssid, freq=2412)
493 hapd.set("ext_mgmt_frame_handling", "1")
494 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
495 scan_freq="2412", wait_connect=False)
496
497 logger.info("Commit")
498 for i in range(0, 10):
499 req = hapd.mgmt_rx()
500 if req is None:
501 raise Exception("MGMT RX wait timed out (commit)")
502 if req['subtype'] == 11:
503 break
504 req = None
505 if not req:
506 raise Exception("Authentication frame (commit) not received")
507
508 hapd.dump_monitor()
509 resp = {}
510 resp['fc'] = req['fc']
511 resp['da'] = req['sa']
512 resp['sa'] = req['da']
513 resp['bssid'] = req['bssid']
514 resp['payload'] = binascii.unhexlify("030001000000" + commit)
515 hapd.mgmt_tx(resp)
516
517 if confirm:
518 logger.info("Confirm")
519 for i in range(0, 10):
520 req = hapd.mgmt_rx()
521 if req is None:
522 raise Exception("MGMT RX wait timed out (confirm)")
523 if req['subtype'] == 11:
524 break
525 req = None
526 if not req:
527 raise Exception("Authentication frame (confirm) not received")
528
529 hapd.dump_monitor()
530 resp = {}
531 resp['fc'] = req['fc']
532 resp['da'] = req['sa']
533 resp['sa'] = req['da']
534 resp['bssid'] = req['bssid']
535 resp['payload'] = binascii.unhexlify("030002000000" + confirm)
536 hapd.mgmt_tx(resp)
537
538 time.sleep(0.1)
539 dev[0].request("REMOVE_NETWORK all")
540 hapd.set("ext_mgmt_frame_handling", "0")
541 hapd.dump_monitor()
542
543 @remote_compatible
544 def test_sae_proto_ffc(dev, apdev):
545 """SAE protocol testing (FFC)"""
546 if "SAE" not in dev[0].get_capability("auth_alg"):
547 raise HwsimSkip("SAE not supported")
548 params = hostapd.wpa2_params(ssid="test-sae",
549 passphrase="12345678")
550 params['wpa_key_mgmt'] = 'SAE'
551 hapd = hostapd.add_ap(apdev[0], params)
552 bssid = apdev[0]['bssid']
553
554 dev[0].request("SET sae_groups 2")
555
556 tests = [ ("Confirm mismatch",
557 "0200" + "0c70519d874e3e4930a917cc5e17ea7a26028211159f217bab28b8d6c56691805e49f03249b2c6e22c7c9f86b30e04ccad2deedd5e5108ae07b737c00001c59cd0eb08b1dfc7f1b06a1542e2b6601a963c066e0c65940983a03917ae57a101ce84b5cbbc76ff33ebb990aac2e54aa0f0ab6ec0a58113d927683502b2cb2347d2" + "a8c00117493cdffa5dd671e934bc9cb1a69f39e25e9dd9cd9afd3aea2441a0f5491211c7ba50a753563f9ce943b043557cb71193b28e86ed9544f4289c471bf91b70af5c018cf4663e004165b0fd0bc1d8f3f78adf42eee92bcbc55246fd3ee9f107ab965dc7d4986f23eb71d616ebfe6bfe0a6c1ac5dc1718acee17c9a17486",
558 "0000f3116a9731f1259622e3eb55d4b3b50ba16f8c5f5565b28e609b180c51460251"),
559 ("Too short commit",
560 "0200" + "0c70519d874e3e4930a917cc5e17ea7a26028211159f217bab28b8d6c56691805e49f03249b2c6e22c7c9f86b30e04ccad2deedd5e5108ae07b737c00001c59cd0eb08b1dfc7f1b06a1542e2b6601a963c066e0c65940983a03917ae57a101ce84b5cbbc76ff33ebb990aac2e54aa0f0ab6ec0a58113d927683502b2cb2347d2" + "a8c00117493cdffa5dd671e934bc9cb1a69f39e25e9dd9cd9afd3aea2441a0f5491211c7ba50a753563f9ce943b043557cb71193b28e86ed9544f4289c471bf91b70af5c018cf4663e004165b0fd0bc1d8f3f78adf42eee92bcbc55246fd3ee9f107ab965dc7d4986f23eb71d616ebfe6bfe0a6c1ac5dc1718acee17c9a174",
561 None),
562 ("Invalid element (0) in commit",
563 "0200" + "0c70519d874e3e4930a917cc5e17ea7a26028211159f217bab28b8d6c56691805e49f03249b2c6e22c7c9f86b30e04ccad2deedd5e5108ae07b737c00001c59cd0eb08b1dfc7f1b06a1542e2b6601a963c066e0c65940983a03917ae57a101ce84b5cbbc76ff33ebb990aac2e54aa0f0ab6ec0a58113d927683502b2cb2347d2" + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
564 None),
565 ("Invalid element (1) in commit",
566 "0200" + "0c70519d874e3e4930a917cc5e17ea7a26028211159f217bab28b8d6c56691805e49f03249b2c6e22c7c9f86b30e04ccad2deedd5e5108ae07b737c00001c59cd0eb08b1dfc7f1b06a1542e2b6601a963c066e0c65940983a03917ae57a101ce84b5cbbc76ff33ebb990aac2e54aa0f0ab6ec0a58113d927683502b2cb2347d2" + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001",
567 None),
568 ("Invalid element (> P) in commit",
569 "0200" + "0c70519d874e3e4930a917cc5e17ea7a26028211159f217bab28b8d6c56691805e49f03249b2c6e22c7c9f86b30e04ccad2deedd5e5108ae07b737c00001c59cd0eb08b1dfc7f1b06a1542e2b6601a963c066e0c65940983a03917ae57a101ce84b5cbbc76ff33ebb990aac2e54aa0f0ab6ec0a58113d927683502b2cb2347d2" + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
570 None) ]
571 for (note, commit, confirm) in tests:
572 logger.info(note)
573 dev[0].scan_for_bss(bssid, freq=2412)
574 hapd.set("ext_mgmt_frame_handling", "1")
575 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
576 scan_freq="2412", wait_connect=False)
577
578 logger.info("Commit")
579 for i in range(0, 10):
580 req = hapd.mgmt_rx()
581 if req is None:
582 raise Exception("MGMT RX wait timed out (commit)")
583 if req['subtype'] == 11:
584 break
585 req = None
586 if not req:
587 raise Exception("Authentication frame (commit) not received")
588
589 hapd.dump_monitor()
590 resp = {}
591 resp['fc'] = req['fc']
592 resp['da'] = req['sa']
593 resp['sa'] = req['da']
594 resp['bssid'] = req['bssid']
595 resp['payload'] = binascii.unhexlify("030001000000" + commit)
596 hapd.mgmt_tx(resp)
597
598 if confirm:
599 logger.info("Confirm")
600 for i in range(0, 10):
601 req = hapd.mgmt_rx()
602 if req is None:
603 raise Exception("MGMT RX wait timed out (confirm)")
604 if req['subtype'] == 11:
605 break
606 req = None
607 if not req:
608 raise Exception("Authentication frame (confirm) not received")
609
610 hapd.dump_monitor()
611 resp = {}
612 resp['fc'] = req['fc']
613 resp['da'] = req['sa']
614 resp['sa'] = req['da']
615 resp['bssid'] = req['bssid']
616 resp['payload'] = binascii.unhexlify("030002000000" + confirm)
617 hapd.mgmt_tx(resp)
618
619 time.sleep(0.1)
620 dev[0].request("REMOVE_NETWORK all")
621 hapd.set("ext_mgmt_frame_handling", "0")
622 hapd.dump_monitor()
623
624 def test_sae_proto_hostapd(dev, apdev):
625 """SAE protocol testing with hostapd"""
626 params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
627 params['wpa_key_mgmt'] = 'SAE'
628 params['sae_groups'] = "19 65535"
629 hapd = hostapd.add_ap(apdev[0], params)
630 hapd.set("ext_mgmt_frame_handling", "1")
631 bssid = hapd.own_addr().replace(':', '')
632 addr = "020000000000"
633 addr2 = "020000000001"
634 hdr = "b0003a01" + bssid + addr + bssid + "1000"
635 hdr2 = "b0003a01" + bssid + addr2 + bssid + "1000"
636 group = "1300"
637 scalar = "f7df19f4a7fef1d3b895ea1de150b7c5a7a705c8ebb31a52b623e0057908bd93"
638 element_x = "21931572027f2e953e2a49fab3d992944102cc95aa19515fc068b394fb25ae3c"
639 element_y = "cb4eeb94d7b0b789abfdb73a67ab9d6d5efa94dd553e0e724a6289821cbce530"
640 hapd.request("MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + hdr + "030001000000" + group + scalar + element_x + element_y)
641 # "SAE: Not enough data for scalar"
642 hapd.request("MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + hdr + "030001000000" + group + scalar[:-2])
643 # "SAE: Do not allow group to be changed"
644 hapd.request("MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + hdr + "030001000000" + "ffff" + scalar[:-2])
645 # "SAE: Unsupported Finite Cyclic Group 65535"
646 hapd.request("MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + hdr2 + "030001000000" + "ffff" + scalar[:-2])
647
648 @remote_compatible
649 def test_sae_no_ffc_by_default(dev, apdev):
650 """SAE and default groups rejecting FFC"""
651 if "SAE" not in dev[0].get_capability("auth_alg"):
652 raise HwsimSkip("SAE not supported")
653 params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
654 params['wpa_key_mgmt'] = 'SAE'
655 hapd = hostapd.add_ap(apdev[0], params)
656
657 dev[0].request("SET sae_groups 5")
658 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE", scan_freq="2412",
659 wait_connect=False)
660 ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=3)
661 if ev is None:
662 raise Exception("Did not try to authenticate")
663 ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=3)
664 if ev is None:
665 raise Exception("Did not try to authenticate (2)")
666 dev[0].request("REMOVE_NETWORK all")
667
668 def sae_reflection_attack(apdev, dev, group):
669 if "SAE" not in dev.get_capability("auth_alg"):
670 raise HwsimSkip("SAE not supported")
671 params = hostapd.wpa2_params(ssid="test-sae",
672 passphrase="no-knowledge-of-passphrase")
673 params['wpa_key_mgmt'] = 'SAE'
674 hapd = hostapd.add_ap(apdev, params)
675 bssid = apdev['bssid']
676
677 dev.scan_for_bss(bssid, freq=2412)
678 hapd.set("ext_mgmt_frame_handling", "1")
679
680 dev.request("SET sae_groups %d" % group)
681 dev.connect("test-sae", psk="reflection-attack", key_mgmt="SAE",
682 scan_freq="2412", wait_connect=False)
683
684 # Commit
685 for i in range(0, 10):
686 req = hapd.mgmt_rx()
687 if req is None:
688 raise Exception("MGMT RX wait timed out")
689 if req['subtype'] == 11:
690 break
691 req = None
692 if not req:
693 raise Exception("Authentication frame not received")
694
695 resp = {}
696 resp['fc'] = req['fc']
697 resp['da'] = req['sa']
698 resp['sa'] = req['da']
699 resp['bssid'] = req['bssid']
700 resp['payload'] = req['payload']
701 hapd.mgmt_tx(resp)
702
703 # Confirm
704 req = hapd.mgmt_rx(timeout=0.5)
705 if req is not None:
706 if req['subtype'] == 11:
707 raise Exception("Unexpected Authentication frame seen")
708
709 @remote_compatible
710 def test_sae_reflection_attack_ecc(dev, apdev):
711 """SAE reflection attack (ECC)"""
712 sae_reflection_attack(apdev[0], dev[0], 19)
713
714 @remote_compatible
715 def test_sae_reflection_attack_ffc(dev, apdev):
716 """SAE reflection attack (FFC)"""
717 sae_reflection_attack(apdev[0], dev[0], 5)
718
719 @remote_compatible
720 def test_sae_anti_clogging_proto(dev, apdev):
721 """SAE anti clogging protocol testing"""
722 if "SAE" not in dev[0].get_capability("auth_alg"):
723 raise HwsimSkip("SAE not supported")
724 params = hostapd.wpa2_params(ssid="test-sae",
725 passphrase="no-knowledge-of-passphrase")
726 params['wpa_key_mgmt'] = 'SAE'
727 hapd = hostapd.add_ap(apdev[0], params)
728 bssid = apdev[0]['bssid']
729
730 dev[0].scan_for_bss(bssid, freq=2412)
731 hapd.set("ext_mgmt_frame_handling", "1")
732
733 dev[0].request("SET sae_groups ")
734 dev[0].connect("test-sae", psk="anti-cloggign", key_mgmt="SAE",
735 scan_freq="2412", wait_connect=False)
736
737 # Commit
738 for i in range(0, 10):
739 req = hapd.mgmt_rx()
740 if req is None:
741 raise Exception("MGMT RX wait timed out")
742 if req['subtype'] == 11:
743 break
744 req = None
745 if not req:
746 raise Exception("Authentication frame not received")
747
748 resp = {}
749 resp['fc'] = req['fc']
750 resp['da'] = req['sa']
751 resp['sa'] = req['da']
752 resp['bssid'] = req['bssid']
753 resp['payload'] = binascii.unhexlify("030001004c00" + "ffff00")
754 hapd.mgmt_tx(resp)
755
756 # Confirm (not received due to DH group being rejected)
757 req = hapd.mgmt_rx(timeout=0.5)
758 if req is not None:
759 if req['subtype'] == 11:
760 raise Exception("Unexpected Authentication frame seen")
761
762 @remote_compatible
763 def test_sae_no_random(dev, apdev):
764 """SAE and no random numbers available"""
765 if "SAE" not in dev[0].get_capability("auth_alg"):
766 raise HwsimSkip("SAE not supported")
767 params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
768 params['wpa_key_mgmt'] = 'SAE'
769 hapd = hostapd.add_ap(apdev[0], params)
770
771 dev[0].request("SET sae_groups ")
772 tests = [ (1, "os_get_random;sae_get_rand"),
773 (1, "os_get_random;get_rand_1_to_p_1"),
774 (1, "os_get_random;get_random_qr_qnr"),
775 (1, "os_get_random;sae_derive_pwe_ecc") ]
776 for count, func in tests:
777 with fail_test(dev[0], count, func):
778 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
779 scan_freq="2412")
780 dev[0].request("REMOVE_NETWORK all")
781 dev[0].wait_disconnected()
782
783 @remote_compatible
784 def test_sae_pwe_failure(dev, apdev):
785 """SAE and pwe failure"""
786 if "SAE" not in dev[0].get_capability("auth_alg"):
787 raise HwsimSkip("SAE not supported")
788 params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
789 params['wpa_key_mgmt'] = 'SAE'
790 params['sae_groups'] = '19 5'
791 hapd = hostapd.add_ap(apdev[0], params)
792
793 dev[0].request("SET sae_groups 19")
794 with fail_test(dev[0], 1, "hmac_sha256_vector;sae_derive_pwe_ecc"):
795 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
796 scan_freq="2412")
797 dev[0].request("REMOVE_NETWORK all")
798 dev[0].wait_disconnected()
799 with fail_test(dev[0], 1, "sae_test_pwd_seed_ecc"):
800 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
801 scan_freq="2412")
802 dev[0].request("REMOVE_NETWORK all")
803 dev[0].wait_disconnected()
804
805 dev[0].request("SET sae_groups 5")
806 with fail_test(dev[0], 1, "hmac_sha256_vector;sae_derive_pwe_ffc"):
807 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
808 scan_freq="2412")
809 dev[0].request("REMOVE_NETWORK all")
810 dev[0].wait_disconnected()
811
812 dev[0].request("SET sae_groups 5")
813 with fail_test(dev[0], 1, "sae_test_pwd_seed_ffc"):
814 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
815 scan_freq="2412")
816 dev[0].request("REMOVE_NETWORK all")
817 dev[0].wait_disconnected()
818 with fail_test(dev[0], 2, "sae_test_pwd_seed_ffc"):
819 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
820 scan_freq="2412")
821 dev[0].request("REMOVE_NETWORK all")
822 dev[0].wait_disconnected()
823
824 @remote_compatible
825 def test_sae_bignum_failure(dev, apdev):
826 """SAE and bignum failure"""
827 if "SAE" not in dev[0].get_capability("auth_alg"):
828 raise HwsimSkip("SAE not supported")
829 params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
830 params['wpa_key_mgmt'] = 'SAE'
831 params['sae_groups'] = '19 5 22'
832 hapd = hostapd.add_ap(apdev[0], params)
833
834 dev[0].request("SET sae_groups 19")
835 tests = [ (1, "crypto_bignum_init_set;get_rand_1_to_p_1"),
836 (1, "crypto_bignum_init;is_quadratic_residue_blind"),
837 (1, "crypto_bignum_mulmod;is_quadratic_residue_blind"),
838 (2, "crypto_bignum_mulmod;is_quadratic_residue_blind"),
839 (3, "crypto_bignum_mulmod;is_quadratic_residue_blind"),
840 (1, "crypto_bignum_legendre;is_quadratic_residue_blind"),
841 (1, "crypto_bignum_init_set;sae_test_pwd_seed_ecc"),
842 (1, "crypto_ec_point_compute_y_sqr;sae_test_pwd_seed_ecc"),
843 (1, "crypto_bignum_init_set;get_random_qr_qnr"),
844 (1, "crypto_bignum_to_bin;sae_derive_pwe_ecc"),
845 (1, "crypto_ec_point_init;sae_derive_pwe_ecc"),
846 (1, "crypto_ec_point_solve_y_coord;sae_derive_pwe_ecc"),
847 (1, "crypto_ec_point_init;sae_derive_commit_element_ecc"),
848 (1, "crypto_ec_point_mul;sae_derive_commit_element_ecc"),
849 (1, "crypto_ec_point_invert;sae_derive_commit_element_ecc"),
850 (1, "crypto_bignum_init;=sae_derive_commit"),
851 (1, "crypto_ec_point_init;sae_derive_k_ecc"),
852 (1, "crypto_ec_point_mul;sae_derive_k_ecc"),
853 (1, "crypto_ec_point_add;sae_derive_k_ecc"),
854 (2, "crypto_ec_point_mul;sae_derive_k_ecc"),
855 (1, "crypto_ec_point_to_bin;sae_derive_k_ecc"),
856 (1, "crypto_bignum_legendre;get_random_qr_qnr"),
857 (1, "sha256_prf;sae_derive_keys"),
858 (1, "crypto_bignum_init;sae_derive_keys"),
859 (1, "crypto_bignum_init_set;sae_parse_commit_scalar"),
860 (1, "crypto_bignum_to_bin;sae_parse_commit_element_ecc"),
861 (1, "crypto_ec_point_from_bin;sae_parse_commit_element_ecc") ]
862 for count, func in tests:
863 with fail_test(dev[0], count, func):
864 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
865 scan_freq="2412", wait_connect=False)
866 wait_fail_trigger(dev[0], "GET_FAIL")
867 dev[0].request("REMOVE_NETWORK all")
868
869 dev[0].request("SET sae_groups 5")
870 tests = [ (1, "crypto_bignum_init_set;sae_set_group"),
871 (2, "crypto_bignum_init_set;sae_set_group"),
872 (1, "crypto_bignum_init_set;sae_get_rand"),
873 (1, "crypto_bignum_init_set;sae_test_pwd_seed_ffc"),
874 (1, "crypto_bignum_exptmod;sae_test_pwd_seed_ffc"),
875 (1, "crypto_bignum_init;sae_derive_pwe_ffc"),
876 (1, "crypto_bignum_init;sae_derive_commit_element_ffc"),
877 (1, "crypto_bignum_exptmod;sae_derive_commit_element_ffc"),
878 (1, "crypto_bignum_inverse;sae_derive_commit_element_ffc"),
879 (1, "crypto_bignum_init;sae_derive_k_ffc"),
880 (1, "crypto_bignum_exptmod;sae_derive_k_ffc"),
881 (1, "crypto_bignum_mulmod;sae_derive_k_ffc"),
882 (2, "crypto_bignum_exptmod;sae_derive_k_ffc"),
883 (1, "crypto_bignum_to_bin;sae_derive_k_ffc"),
884 (1, "crypto_bignum_init_set;sae_parse_commit_element_ffc"),
885 (1, "crypto_bignum_init;sae_parse_commit_element_ffc"),
886 (2, "crypto_bignum_init_set;sae_parse_commit_element_ffc"),
887 (1, "crypto_bignum_exptmod;sae_parse_commit_element_ffc") ]
888 for count, func in tests:
889 with fail_test(dev[0], count, func):
890 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
891 scan_freq="2412", wait_connect=False)
892 wait_fail_trigger(dev[0], "GET_FAIL")
893 dev[0].request("REMOVE_NETWORK all")
894
895 dev[0].request("SET sae_groups 22")
896 tests = [ (1, "crypto_bignum_init_set;sae_test_pwd_seed_ffc"),
897 (1, "crypto_bignum_sub;sae_test_pwd_seed_ffc"),
898 (1, "crypto_bignum_div;sae_test_pwd_seed_ffc") ]
899 for count, func in tests:
900 with fail_test(dev[0], count, func):
901 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
902 scan_freq="2412", wait_connect=False)
903 wait_fail_trigger(dev[0], "GET_FAIL")
904 dev[0].request("REMOVE_NETWORK all")
905
906 def test_sae_invalid_anti_clogging_token_req(dev, apdev):
907 """SAE and invalid anti-clogging token request"""
908 if "SAE" not in dev[0].get_capability("auth_alg"):
909 raise HwsimSkip("SAE not supported")
910 params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
911 params['wpa_key_mgmt'] = 'SAE'
912 hapd = hostapd.add_ap(apdev[0], params)
913 bssid = apdev[0]['bssid']
914
915 dev[0].request("SET sae_groups 19")
916 dev[0].scan_for_bss(bssid, freq=2412)
917 hapd.set("ext_mgmt_frame_handling", "1")
918 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
919 scan_freq="2412", wait_connect=False)
920 ev = dev[0].wait_event(["SME: Trying to authenticate"])
921 if ev is None:
922 raise Exception("No authentication attempt seen")
923 dev[0].dump_monitor()
924
925 for i in range(0, 10):
926 req = hapd.mgmt_rx()
927 if req is None:
928 raise Exception("MGMT RX wait timed out (commit)")
929 if req['subtype'] == 11:
930 break
931 req = None
932 if not req:
933 raise Exception("Authentication frame (commit) not received")
934
935 hapd.dump_monitor()
936 resp = {}
937 resp['fc'] = req['fc']
938 resp['da'] = req['sa']
939 resp['sa'] = req['da']
940 resp['bssid'] = req['bssid']
941 resp['payload'] = binascii.unhexlify("030001004c0013")
942 hapd.mgmt_tx(resp)
943
944 ev = dev[0].wait_event(["SME: Trying to authenticate"])
945 if ev is None:
946 raise Exception("No authentication attempt seen")
947 dev[0].dump_monitor()
948
949 for i in range(0, 10):
950 req = hapd.mgmt_rx()
951 if req is None:
952 raise Exception("MGMT RX wait timed out (commit) (2)")
953 if req['subtype'] == 11:
954 break
955 req = None
956 if not req:
957 raise Exception("Authentication frame (commit) not received (2)")
958
959 hapd.dump_monitor()
960 resp = {}
961 resp['fc'] = req['fc']
962 resp['da'] = req['sa']
963 resp['sa'] = req['da']
964 resp['bssid'] = req['bssid']
965 resp['payload'] = binascii.unhexlify("030001000100")
966 hapd.mgmt_tx(resp)
967
968 ev = dev[0].wait_event(["SME: Trying to authenticate"])
969 if ev is None:
970 raise Exception("No authentication attempt seen")
971 dev[0].dump_monitor()
972
973 dev[0].request("DISCONNECT")
Unnamed repository; edit this file 'description' to name the repository.