git.ipfire.org Git - thirdparty/hostap.git/blob - tests/hwsim/test_sae.py
2 # Copyright (c) 2013-2016, Jouni Malinen <j@w1.fi>
4 # This software may be distributed under the terms of the BSD license.
5 # See README for more details.
7 from remotehost
import remote_compatible
# Module-level logger for the tests below; getLogger() without a name returns the root logger.
12 logger
= logging
.getLogger()
16 from wpasupplicant
import WpaSupplicant
17 from utils
import HwsimSkip
, alloc_fail
, fail_test
, wait_fail_trigger
18 from test_ap_psk
import find_wpas_process
, read_process_memory
, verify_not_present
, get_key_locations
# Verifies that an SAE association made with an empty sae_groups setting ends
# up on group 19, as seen from both the station and the AP.
21 def test_sae(dev
, apdev
):
22 """SAE with default group"""
# Skip (rather than fail) when the station does not report SAE as an auth_alg capability.
23 if "SAE" not in dev
[0].get_capability("auth_alg"):
24 raise HwsimSkip("SAE not supported")
# AP offering SAE as its only key management; the passphrase is a fixed test value.
25 params
= hostapd
.wpa2_params(ssid
="test-sae",
26 passphrase
="12345678")
27 params
['wpa_key_mgmt'] = 'SAE'
28 hapd
= hostapd
.add_ap(apdev
[0], params
)
# The AP must report SAE as the first entry of its key_mgmt configuration.
29 key_mgmt
= hapd
.get_config()['key_mgmt']
30 if key_mgmt
.split(' ')[0] != "SAE":
31 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt
)
# sae_groups is set to an empty value before connecting; the check below expects group 19.
33 dev
[0].request("SET sae_groups ")
# NOTE(review): numbered line 35 is absent from this capture, so the
# connect() call below is shown without its closing arguments.
34 id = dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
36 if dev
[0].get_status_field('sae_group') != '19':
37 raise Exception("Expected default SAE group not used")
# The station's BSS table entry must advertise the [WPA2-SAE-CCMP] flag.
38 bss
= dev
[0].get_bss(apdev
[0]['bssid'])
39 if 'flags' not in bss
:
40 raise Exception("Could not get BSS flags from BSS table")
41 if "[WPA2-SAE-CCMP]" not in bss
['flags']:
42 raise Exception("Unexpected BSS flags: " + bss
['flags'])
# Cross-check from the AP side: the first station entry must list sae_group=19 on its own line.
44 res
= hapd
.request("STA-FIRST")
45 if "sae_group=19" not in res
.splitlines():
46 raise Exception("hostapd STA output did not specify SAE group")
# Repeats SAE connections on group 19 with a series of different passwords
# of the form "12345678-<i>".
49 def test_sae_password_ecc(dev
, apdev
):
50 """SAE with number of different passwords (ECC)"""
51 if "SAE" not in dev
[0].get_capability("auth_alg"):
52 raise HwsimSkip("SAE not supported")
53 params
= hostapd
.wpa2_params(ssid
="test-sae",
54 passphrase
="12345678")
55 params
['wpa_key_mgmt'] = 'SAE'
56 hapd
= hostapd
.add_ap(apdev
[0], params
)
# Pin the station to group 19 (the docstring labels this the ECC case).
58 dev
[0].request("SET sae_groups 19")
# NOTE(review): numbered lines 59-60 are absent from this capture; the loop
# header that binds i is presumably there.
61 password
= "12345678-" + str(i
)
# The AP passphrase is changed to the new password before each connection attempt.
62 hapd
.set("wpa_passphrase", password
)
# NOTE(review): numbered line 64 (remainder of the connect() call) is absent from this capture.
63 dev
[0].connect("test-sae", psk
=password
, key_mgmt
="SAE",
# Remove the network and wait for the disconnect before the next password.
65 dev
[0].request("REMOVE_NETWORK all")
66 dev
[0].wait_disconnected()
# Same password-variation test as the ECC variant, but with both the AP and
# the station restricted to group 22.
69 def test_sae_password_ffc(dev
, apdev
):
70 """SAE with number of different passwords (FFC)"""
71 if "SAE" not in dev
[0].get_capability("auth_alg"):
72 raise HwsimSkip("SAE not supported")
73 params
= hostapd
.wpa2_params(ssid
="test-sae",
74 passphrase
="12345678")
75 params
['wpa_key_mgmt'] = 'SAE'
# Group 22 has to be enabled explicitly on the AP here as well as on the station.
76 params
['sae_groups'] = '22'
77 hapd
= hostapd
.add_ap(apdev
[0], params
)
79 dev
[0].request("SET sae_groups 22")
# NOTE(review): numbered lines 80-81 are absent from this capture; the loop
# header that binds i is presumably there.
82 password
= "12345678-" + str(i
)
83 hapd
.set("wpa_passphrase", password
)
# NOTE(review): numbered line 85 (remainder of the connect() call) is absent from this capture.
84 dev
[0].connect("test-sae", psk
=password
, key_mgmt
="SAE",
86 dev
[0].request("REMOVE_NETWORK all")
87 dev
[0].wait_disconnected()
# After an initial SAE association, a reconnect must complete without the
# station reporting an SAE group, i.e. without running SAE again
# (presumably because the cached PMKSA entry is used instead).
90 def test_sae_pmksa_caching(dev
, apdev
):
91 """SAE and PMKSA caching"""
92 if "SAE" not in dev
[0].get_capability("auth_alg"):
93 raise HwsimSkip("SAE not supported")
94 params
= hostapd
.wpa2_params(ssid
="test-sae",
95 passphrase
="12345678")
96 params
['wpa_key_mgmt'] = 'SAE'
97 hapd
= hostapd
.add_ap(apdev
[0], params
)
99 dev
[0].request("SET sae_groups ")
# NOTE(review): numbered lines 101 and 103 are absent from this capture (the
# end of the connect() call and the condition guarding the raise below).
100 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
# Wait for the AP to report the station as connected.
102 ev
= hapd
.wait_event([ "AP-STA-CONNECTED" ], timeout
=5)
104 raise Exception("No connection event received from hostapd")
# Disconnect and reconnect to the same network.
105 dev
[0].request("DISCONNECT")
106 dev
[0].wait_disconnected()
107 dev
[0].request("RECONNECT")
108 dev
[0].wait_connected(timeout
=15, error
="Reconnect timed out")
# A non-None sae_group after the reconnect means SAE was performed again.
109 if dev
[0].get_status_field('sae_group') is not None:
110 raise Exception("SAE group claimed to have been used")
# Counterpart of the PMKSA caching test: with disable_pmksa_caching set on
# the AP, the reconnect must run SAE again and report group 19.
113 def test_sae_pmksa_caching_disabled(dev
, apdev
):
114 """SAE and PMKSA caching disabled"""
115 if "SAE" not in dev
[0].get_capability("auth_alg"):
116 raise HwsimSkip("SAE not supported")
117 params
= hostapd
.wpa2_params(ssid
="test-sae",
118 passphrase
="12345678")
119 params
['wpa_key_mgmt'] = 'SAE'
120 params
['disable_pmksa_caching'] = '1'
121 hapd
= hostapd
.add_ap(apdev
[0], params
)
123 dev
[0].request("SET sae_groups ")
# NOTE(review): numbered lines 125 and 127 are absent from this capture (the
# end of the connect() call and the condition guarding the raise below).
124 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
126 ev
= hapd
.wait_event([ "AP-STA-CONNECTED" ], timeout
=5)
128 raise Exception("No connection event received from hostapd")
129 dev
[0].request("DISCONNECT")
130 dev
[0].wait_disconnected()
131 dev
[0].request("RECONNECT")
132 dev
[0].wait_connected(timeout
=15, error
="Reconnect timed out")
# With caching disabled the status must again show the SAE group that was used.
133 if dev
[0].get_status_field('sae_group') != '19':
134 raise Exception("Expected default SAE group not used")
# Connects once per SAE group with the AP configured to accept the whole
# list, and checks that the station reports the group that was requested.
136 def test_sae_groups(dev
, apdev
):
137 """SAE with all supported groups"""
138 if "SAE" not in dev
[0].get_capability("auth_alg"):
139 raise HwsimSkip("SAE not supported")
140 # This is the full list of supported groups, but groups 14-16 (2048-4096 bit
141 # MODP) and group 21 (521-bit random ECP group) are a bit too slow on some
142 # VMs and can result in hitting the mac80211 authentication timeout, so
143 # allow them to fail and just report such failures in the debug log.
144 sae_groups
= [ 19, 25, 26, 20, 21, 2, 5, 14, 15, 16, 22, 23, 24 ]
# Groups 27-30 are added only when the TLS library string reports OpenSSL
# 1.0.2 for both build and runtime.
145 tls
= dev
[0].request("GET tls_library")
146 if tls
.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls
and "run=OpenSSL 1.0.2" in tls
:
147 logger
.info("Add Brainpool EC groups since OpenSSL is new enough")
148 sae_groups
+= [ 27, 28, 29, 30 ]
# Only 14-16 are treated as "heavy" below; the comment above also mentions
# group 21, which is not in this list.
149 heavy_groups
= [ 14, 15, 16 ]
150 groups
= [str(g
) for g
in sae_groups
]
151 params
= hostapd
.wpa2_params(ssid
="test-sae-groups",
152 passphrase
="12345678")
153 params
['wpa_key_mgmt'] = 'SAE'
154 params
['sae_groups'] = ' '.join(groups
)
155 hostapd
.add_ap(apdev
[0], params
)
# NOTE(review): numbered lines 156-157, 164, 167, 169, 171, 173 and 178 are
# absent from this capture; the per-group loop header and several
# conditions/continue statements are presumably among them.
158 logger
.info("Testing SAE group " + g
)
159 dev
[0].request("SET sae_groups " + g
)
160 id = dev
[0].connect("test-sae-groups", psk
="12345678", key_mgmt
="SAE",
161 scan_freq
="2412", wait_connect
=False)
# Heavy groups get a shorter wait and a failure is only logged, not raised.
162 if int(g
) in heavy_groups
:
163 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout
=5)
165 logger
.info("No connection with heavy SAE group %s did not connect - likely hitting timeout in mac80211" % g
)
166 dev
[0].remove_network(id)
168 dev
[0].dump_monitor()
170 logger
.info("Connection with heavy SAE group " + g
)
172 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout
=10)
# A failure with group 25 is tolerated when the TLS library is BoringSSL.
174 if "BoringSSL" in tls
and int(g
) in [ 25 ]:
175 logger
.info("Ignore connection failure with group " + g
+ " with BoringSSL")
176 dev
[0].remove_network(id)
177 dev
[0].dump_monitor()
179 raise Exception("Connection timed out with group " + g
)
# The negotiated group reported by the station must equal the requested one.
180 if dev
[0].get_status_field('sae_group') != g
:
181 raise Exception("Expected SAE group not used")
182 dev
[0].remove_network(id)
183 dev
[0].wait_disconnected()
184 dev
[0].dump_monitor()
# The AP accepts only group 19 while the station lists 25, 26, 20, 19 in
# that order; the connection must end up on group 19.
187 def test_sae_group_nego(dev
, apdev
):
188 """SAE group negotiation"""
189 if "SAE" not in dev
[0].get_capability("auth_alg"):
190 raise HwsimSkip("SAE not supported")
191 params
= hostapd
.wpa2_params(ssid
="test-sae-group-nego",
192 passphrase
="12345678")
193 params
['wpa_key_mgmt'] = 'SAE'
194 params
['sae_groups'] = '19'
195 hostapd
.add_ap(apdev
[0], params
)
# Group 19 is the last entry of the station's list, so the earlier groups
# have to be given up before it is reached (presumably after AP rejections).
197 dev
[0].request("SET sae_groups 25 26 20 19")
# NOTE(review): numbered line 199 (remainder of the connect() call) is absent from this capture.
198 dev
[0].connect("test-sae-group-nego", psk
="12345678", key_mgmt
="SAE",
200 if dev
[0].get_status_field('sae_group') != '19':
201 raise Exception("Expected SAE group not used")
# Two stations connect at the same time to an AP whose
# sae_anti_clogging_threshold is 1; both must still complete the connection.
204 def test_sae_anti_clogging(dev
, apdev
):
205 """SAE anti clogging"""
206 if "SAE" not in dev
[0].get_capability("auth_alg"):
207 raise HwsimSkip("SAE not supported")
208 params
= hostapd
.wpa2_params(ssid
="test-sae", passphrase
="12345678")
209 params
['wpa_key_mgmt'] = 'SAE'
# Low threshold so that the anti-clogging path is exercised with only two
# stations (presumably the second concurrent exchange triggers it).
210 params
['sae_anti_clogging_threshold'] = '1'
211 hostapd
.add_ap(apdev
[0], params
)
213 dev
[0].request("SET sae_groups ")
214 dev
[1].request("SET sae_groups ")
# NOTE(review): numbered line 215 is absent from this capture; the container
# indexed as id[i] below is presumably initialised there. The name id also
# shadows the Python builtin.
# Add the network on both stations first without starting a connection ...
216 for i
in range(0, 2):
217 dev
[i
].scan(freq
="2412")
218 id[i
] = dev
[i
].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
219 scan_freq
="2412", only_add_network
=True)
# ... then select it on both back to back so the two SAE exchanges overlap.
220 for i
in range(0, 2):
221 dev
[i
].select_network(id[i
])
222 for i
in range(0, 2):
223 dev
[i
].wait_connected(timeout
=10)
# Anti-clogging threshold 0 on a mixed SAE/WPA-PSK AP: one station connects
# without key_mgmt="SAE" and two stations connect with SAE.
225 def test_sae_forced_anti_clogging(dev
, apdev
):
226 """SAE anti clogging (forced)"""
227 if "SAE" not in dev
[0].get_capability("auth_alg"):
228 raise HwsimSkip("SAE not supported")
229 params
= hostapd
.wpa2_params(ssid
="test-sae", passphrase
="12345678")
230 params
['wpa_key_mgmt'] = 'SAE WPA-PSK'
# Threshold 0: per the docstring this forces anti-clogging for every SAE exchange.
231 params
['sae_anti_clogging_threshold'] = '0'
232 hostapd
.add_ap(apdev
[0], params
)
# dev[2] does not request SAE, so it presumably associates with WPA-PSK.
233 dev
[2].connect("test-sae", psk
="12345678", scan_freq
="2412")
234 for i
in range(0, 2):
235 dev
[i
].request("SET sae_groups ")
# NOTE(review): numbered line 237 (remainder of the connect() call) is absent from this capture.
236 dev
[i
].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
# One AP serving both SAE and WPA-PSK stations with the same passphrase.
239 def test_sae_mixed(dev
, apdev
):
240 """Mixed SAE and non-SAE network"""
241 if "SAE" not in dev
[0].get_capability("auth_alg"):
242 raise HwsimSkip("SAE not supported")
243 params
= hostapd
.wpa2_params(ssid
="test-sae", passphrase
="12345678")
# Both key managements are enabled on the same BSS.
244 params
['wpa_key_mgmt'] = 'SAE WPA-PSK'
245 params
['sae_anti_clogging_threshold'] = '0'
246 hostapd
.add_ap(apdev
[0], params
)
# dev[2] does not request SAE, so it presumably associates with WPA-PSK.
248 dev
[2].connect("test-sae", psk
="12345678", scan_freq
="2412")
# dev[0] and dev[1] connect with SAE.
249 for i
in range(0, 2):
250 dev
[i
].request("SET sae_groups ")
# NOTE(review): numbered line 252 (remainder of the connect() call) is absent from this capture.
251 dev
[i
].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
# The station profile allows both SAE and WPA-PSK while the AP offers SAE only.
254 def test_sae_and_psk(dev
, apdev
):
255 """SAE and PSK enabled in network profile"""
256 if "SAE" not in dev
[0].get_capability("auth_alg"):
257 raise HwsimSkip("SAE not supported")
258 params
= hostapd
.wpa2_params(ssid
="test-sae", passphrase
="12345678")
259 params
['wpa_key_mgmt'] = 'SAE'
260 hostapd
.add_ap(apdev
[0], params
)
262 dev
[0].request("SET sae_groups ")
# NOTE(review): numbered line 264 (remainder of the connect() call) is absent from this capture.
263 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE WPA-PSK",
# The station profile allows both SAE and WPA-PSK while the AP keeps the
# key management that wpa2_params() sets up (wpa_key_mgmt is not overridden).
266 def test_sae_and_psk2(dev
, apdev
):
267 """SAE and PSK enabled in network profile (use PSK)"""
268 if "SAE" not in dev
[0].get_capability("auth_alg"):
269 raise HwsimSkip("SAE not supported")
# Per the docstring this is the PSK case: the AP is not switched to SAE.
270 params
= hostapd
.wpa2_params(ssid
="test-psk", passphrase
="12345678")
271 hostapd
.add_ap(apdev
[0], params
)
273 dev
[0].request("SET sae_groups ")
# NOTE(review): numbered line 275 (remainder of the connect() call) is absent from this capture.
274 dev
[0].connect("test-psk", psk
="12345678", key_mgmt
="SAE WPA-PSK",
# Mixed SAE/WPA-PSK AP with ieee80211w=1 and sae_require_mfp=1: an SAE
# station with management frame protection connects, an SAE station without
# it must be rejected, and a station that does not request SAE may still
# connect without it.
277 def test_sae_mixed_mfp(dev
, apdev
):
278 """Mixed SAE and non-SAE network and MFP required with SAE"""
279 if "SAE" not in dev
[0].get_capability("auth_alg"):
280 raise HwsimSkip("SAE not supported")
281 params
= hostapd
.wpa2_params(ssid
="test-sae", passphrase
="12345678")
282 params
['wpa_key_mgmt'] = 'SAE WPA-PSK'
283 params
["ieee80211w"] = "1"
# This is the setting under test: MFP becomes mandatory for SAE associations.
284 params
['sae_require_mfp'] = '1'
285 hostapd
.add_ap(apdev
[0], params
)
# SAE with ieee80211w="2" on the station side: expected to connect.
287 dev
[0].request("SET sae_groups ")
# NOTE(review): numbered line 289 (remainder of the connect() call) is absent from this capture.
288 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE", ieee80211w
="2",
290 dev
[0].dump_monitor()
# SAE with ieee80211w="0": the association must be rejected.
292 dev
[1].request("SET sae_groups ")
293 dev
[1].connect("test-sae", psk
="12345678", key_mgmt
="SAE", ieee80211w
="0",
294 scan_freq
="2412", wait_connect
=False)
295 ev
= dev
[1].wait_event(["CTRL-EVENT-CONNECTED",
296 "CTRL-EVENT-ASSOC-REJECT"], timeout
=10)
# NOTE(review): numbered line 297 (the condition guarding this raise) is absent from this capture.
298 raise Exception("No connection result reported")
299 if "CTRL-EVENT-ASSOC-REJECT" not in ev
:
300 raise Exception("SAE connection without MFP was not rejected")
# Status code 31 is the IEEE 802.11 "robust management frame policy
# violation" code, so the rejection has to be for the MFP reason.
301 if "status_code=31" not in ev
:
302 raise Exception("Unexpected status code in rejection: " + ev
)
303 dev
[1].request("DISCONNECT")
304 dev
[1].dump_monitor()
# No key_mgmt="SAE" and ieee80211w="0": this connection is expected to succeed.
306 dev
[2].connect("test-sae", psk
="12345678", ieee80211w
="0", scan_freq
="2412")
307 dev
[2].dump_monitor()
# SAE-only AP with ieee80211w=1 and no sae_require_mfp: one station uses
# ieee80211w="2" and another uses ieee80211w="0".
309 def test_sae_mfp(dev
, apdev
):
310 """SAE and MFP enabled without sae_require_mfp"""
311 if "SAE" not in dev
[0].get_capability("auth_alg"):
312 raise HwsimSkip("SAE not supported")
313 params
= hostapd
.wpa2_params(ssid
="test-sae", passphrase
="12345678")
314 params
['wpa_key_mgmt'] = 'SAE'
315 params
["ieee80211w"] = "1"
316 hostapd
.add_ap(apdev
[0], params
)
318 dev
[0].request("SET sae_groups ")
# NOTE(review): numbered lines 320-321 are absent from this capture, so the
# end of this connect() call is not visible.
319 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE", ieee80211w
="2",
322 dev
[1].request("SET sae_groups ")
# NOTE(review): the lines after numbered line 323 are absent from this
# capture; whether this second connection is waited on cannot be seen here.
323 dev
[1].connect("test-sae", psk
="12345678", key_mgmt
="SAE", ieee80211w
="0",
# The station profile carries only a raw 64-hex-digit PSK and no passphrase;
# the SAE network must end up temporarily disabled instead of connecting.
327 def test_sae_missing_password(dev
, apdev
):
328 """SAE and missing password"""
329 if "SAE" not in dev
[0].get_capability("auth_alg"):
330 raise HwsimSkip("SAE not supported")
331 params
= hostapd
.wpa2_params(ssid
="test-sae",
332 passphrase
="12345678")
333 params
['wpa_key_mgmt'] = 'SAE'
334 hapd
= hostapd
.add_ap(apdev
[0], params
)
336 dev
[0].request("SET sae_groups ")
# raw_psk is passed instead of psk, so the profile has no password for SAE to use.
337 id = dev
[0].connect("test-sae",
338 raw_psk
="46b4a73b8a951ad53ebd2e0afdb9c5483257edd4c21d12b7710759da70945858",
339 key_mgmt
="SAE", scan_freq
="2412", wait_connect
=False)
340 ev
= dev
[0].wait_event(['CTRL-EVENT-SSID-TEMP-DISABLED'], timeout
=10)
# NOTE(review): numbered line 341 (the condition guarding this raise) is absent from this capture.
342 raise Exception("Invalid network not temporarily disabled")
# Checks which secrets can still be found in the wpa_supplicant process
# memory at four points: while associated, after disassociation, after a
# PMKSA cache flush, and after the network profile has been removed.
# NOTE(review): many numbered lines of this function (among them 369-376,
# 399, 401-405, 414, 416, 418 and 420) are absent from this capture; the
# initialisation of the key variables, the definitions of kck, kek and tk,
# and several if-conditions are not visible.
345 def test_sae_key_lifetime_in_memory(dev
, apdev
, params
):
346 """SAE and key lifetime in memory"""
347 if "SAE" not in dev
[0].get_capability("auth_alg"):
348 raise HwsimSkip("SAE not supported")
# A long hex-like password; presumably chosen so that a match in the memory
# image cannot be a coincidence.
349 password
= "5ad144a7c1f5a5503baa6fa01dabc15b1843e8c01662d78d16b70b5cd23cf8b"
350 p
= hostapd
.wpa2_params(ssid
="test-sae", passphrase
=password
)
351 p
['wpa_key_mgmt'] = 'SAE'
352 hapd
= hostapd
.add_ap(apdev
[0], p
)
# Identify the wpa_supplicant process whose memory is read below.
354 pid
= find_wpas_process(dev
[0])
356 dev
[0].request("SET sae_groups ")
357 id = dev
[0].connect("test-sae", psk
=password
, key_mgmt
="SAE",
360 # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
361 # event has been delivered, so verify that wpa_supplicant has returned to
362 # eloop before reading process memory.
# First memory snapshot, taken while the association is still up.
365 buf
= read_process_memory(pid
, password
)
367 dev
[0].request("DISCONNECT")
368 dev
[0].wait_disconnected()
# Recover the session keys from the debug log (log0 under logdir). This only
# works when the supplicant writes key hexdumps to that log. The value is
# taken as the fourth ':'-separated field of the line with spaces removed.
377 with
open(os
.path
.join(params
['logdir'], 'log0'), 'r') as f
:
378 for l
in f
.readlines():
379 if "SAE: k - hexdump" in l
:
380 val
= l
.strip().split(':')[3].replace(' ', '')
381 sae_k
= binascii
.unhexlify(val
)
382 if "SAE: keyseed - hexdump" in l
:
383 val
= l
.strip().split(':')[3].replace(' ', '')
384 sae_keyseed
= binascii
.unhexlify(val
)
385 if "SAE: KCK - hexdump" in l
:
386 val
= l
.strip().split(':')[3].replace(' ', '')
387 sae_kck
= binascii
.unhexlify(val
)
388 if "SAE: PMK - hexdump" in l
:
389 val
= l
.strip().split(':')[3].replace(' ', '')
390 pmk
= binascii
.unhexlify(val
)
391 if "WPA: PTK - hexdump" in l
:
392 val
= l
.strip().split(':')[3].replace(' ', '')
393 ptk
= binascii
.unhexlify(val
)
394 if "WPA: Group Key - hexdump" in l
:
395 val
= l
.strip().split(':')[3].replace(' ', '')
396 gtk
= binascii
.unhexlify(val
)
# Without every key value the memory checks below would be meaningless, so fail early.
397 if not sae_k
or not sae_keyseed
or not sae_kck
or not pmk
or not ptk
or not gtk
:
398 raise Exception("Could not find keys from debug log")
400 raise Exception("Unexpected GTK length")
# fname is a path prefix handed to verify_not_present(); presumably used to
# save memory context when a key is unexpectedly found.
406 fname
= os
.path
.join(params
['logdir'],
407 'sae_key_lifetime_in_memory.memctx-')
# Phase 1 - associated: a missing password or PMK only skips the test, a
# missing KCK or KEK fails it, and the SAE intermediate values (k, keyseed,
# SAE KCK) are already expected to be gone.
409 logger
.info("Checking keys in memory while associated")
410 get_key_locations(buf
, password
, "Password")
411 get_key_locations(buf
, pmk
, "PMK")
412 if password
not in buf
:
413 raise HwsimSkip("Password not found while associated")
415 raise HwsimSkip("PMK not found while associated")
417 raise Exception("KCK not found while associated")
419 raise Exception("KEK not found while associated")
421 # raise Exception("TK found from memory")
422 verify_not_present(buf
, sae_k
, fname
, "SAE(k)")
423 verify_not_present(buf
, sae_keyseed
, fname
, "SAE(keyseed)")
424 verify_not_present(buf
, sae_kck
, fname
, "SAE(KCK)")
# Phase 2 - after disassociation: the per-session keys (KCK, KEK, TK, GTK)
# and the SAE intermediates must be gone; password and PMK are only located.
426 logger
.info("Checking keys in memory after disassociation")
427 buf
= read_process_memory(pid
, password
)
429 # Note: Password is still present in network configuration
430 # Note: PMK is in PMKSA cache
432 get_key_locations(buf
, password
, "Password")
433 get_key_locations(buf
, pmk
, "PMK")
434 verify_not_present(buf
, kck
, fname
, "KCK")
435 verify_not_present(buf
, kek
, fname
, "KEK")
436 verify_not_present(buf
, tk
, fname
, "TK")
438 get_key_locations(buf
, gtk
, "GTK")
439 verify_not_present(buf
, gtk
, fname
, "GTK")
440 verify_not_present(buf
, sae_k
, fname
, "SAE(k)")
441 verify_not_present(buf
, sae_keyseed
, fname
, "SAE(keyseed)")
442 verify_not_present(buf
, sae_kck
, fname
, "SAE(KCK)")
# Phase 3 - after PMKSA_FLUSH: the PMK must no longer be present.
444 dev
[0].request("PMKSA_FLUSH")
445 logger
.info("Checking keys in memory after PMKSA cache flush")
446 buf
= read_process_memory(pid
, password
)
447 get_key_locations(buf
, password
, "Password")
448 get_key_locations(buf
, pmk
, "PMK")
449 verify_not_present(buf
, pmk
, fname
, "PMK")
# Phase 4 - after removing the network profile: nothing may remain,
# including the password itself.
451 dev
[0].request("REMOVE_NETWORK all")
453 logger
.info("Checking keys in memory after network profile removal")
454 buf
= read_process_memory(pid
, password
)
456 get_key_locations(buf
, password
, "Password")
457 get_key_locations(buf
, pmk
, "PMK")
458 verify_not_present(buf
, password
, fname
, "password")
459 verify_not_present(buf
, pmk
, fname
, "PMK")
460 verify_not_present(buf
, kck
, fname
, "KCK")
461 verify_not_present(buf
, kek
, fname
, "KEK")
462 verify_not_present(buf
, tk
, fname
, "TK")
463 verify_not_present(buf
, gtk
, fname
, "GTK")
464 verify_not_present(buf
, sae_k
, fname
, "SAE(k)")
465 verify_not_present(buf
, sae_keyseed
, fname
, "SAE(keyseed)")
466 verify_not_present(buf
, sae_kck
, fname
, "SAE(KCK)")
# Runs SAE connection attempts while alloc_fail() is active for specific
# wpa_supplicant call sites, to exercise the out-of-memory error paths.
# alloc_fail(dev, count, funcs) comes from utils; presumably it makes the
# count-th allocation that matches funcs fail - confirm against utils.
# NOTE(review): numbered lines 484, 490 and 495 (the ends of three connect()
# calls) are absent from this capture.
469 def test_sae_oom_wpas(dev
, apdev
):
470 """SAE and OOM in wpa_supplicant"""
471 if "SAE" not in dev
[0].get_capability("auth_alg"):
472 raise HwsimSkip("SAE not supported")
473 params
= hostapd
.wpa2_params(ssid
="test-sae",
474 passphrase
="12345678")
475 params
['wpa_key_mgmt'] = 'SAE'
476 hapd
= hostapd
.add_ap(apdev
[0], params
)
# Group 25 is requested first; with BoringSSL group 26 is used instead.
478 dev
[0].request("SET sae_groups 25")
479 tls
= dev
[0].request("GET tls_library")
480 if "BoringSSL" in tls
:
481 dev
[0].request("SET sae_groups 26")
# Allocation failure number 1 in sae_set_group.
482 with
alloc_fail(dev
[0], 1, "sae_set_group"):
483 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
485 dev
[0].request("REMOVE_NETWORK all")
# Back to an empty sae_groups value, then failure number 2 in sae_set_group.
487 dev
[0].request("SET sae_groups ")
488 with
alloc_fail(dev
[0], 2, "sae_set_group"):
489 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
491 dev
[0].request("REMOVE_NETWORK all")
# Buffer allocation while building the SAE commit message.
493 with
alloc_fail(dev
[0], 1, "wpabuf_alloc;sme_auth_build_sae_commit"):
494 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
496 dev
[0].request("REMOVE_NETWORK all")
# The remaining cases do not wait for a connection; they wait until the
# injected failure has been triggered (wait_fail_trigger with GET_ALLOC_FAIL).
498 with
alloc_fail(dev
[0], 1, "wpabuf_alloc;sme_auth_build_sae_confirm"):
499 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
500 scan_freq
="2412", wait_connect
=False)
501 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
502 dev
[0].request("REMOVE_NETWORK all")
504 with
alloc_fail(dev
[0], 1, "=sme_authenticate"):
505 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
506 scan_freq
="2412", wait_connect
=False)
507 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
508 dev
[0].request("REMOVE_NETWORK all")
510 with
alloc_fail(dev
[0], 1, "radio_add_work;sme_authenticate"):
511 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
512 scan_freq
="2412", wait_connect
=False)
513 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
514 dev
[0].request("REMOVE_NETWORK all")
# Negative protocol test for the station side on group 19: with the AP in
# external management frame handling mode, the test itself answers the
# station's Authentication frames with malformed or mismatching SAE Commit
# and Confirm payloads taken from the table below.
# NOTE(review): many numbered lines are absent from this capture (for
# example 533-535, 537, 540, 571-572, 575-577, 579-581, 587-589, 608-610),
# so several table entries lack their third element and the frame
# receive/send statements inside the loops are not visible.
517 def test_sae_proto_ecc(dev
, apdev
):
518 """SAE protocol testing (ECC)"""
519 if "SAE" not in dev
[0].get_capability("auth_alg"):
520 raise HwsimSkip("SAE not supported")
521 params
= hostapd
.wpa2_params(ssid
="test-sae",
522 passphrase
="12345678")
523 params
['wpa_key_mgmt'] = 'SAE'
524 hapd
= hostapd
.add_ap(apdev
[0], params
)
525 bssid
= apdev
[0]['bssid']
527 dev
[0].request("SET sae_groups 19")
# Each entry is (note, commit hex, confirm hex). The commit starts with the
# group number as a little-endian 16-bit value ("1300" = 19, "1400" = 20),
# followed by the scalar and the element; the notes name the field that is
# deliberately truncated or out of range.
529 tests
= [ ("Confirm mismatch",
530 "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
531 "0000800edebc3f260dc1fe7e0b20888af2b8a3316252ec37388a8504e25b73dc4240"),
532 ("Commit without even full cyclic group field",
536 "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02",
538 ("Invalid commit scalar (0)",
539 "1300" + "0000000000000000000000000000000000000000000000000000000000000000" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
541 ("Invalid commit scalar (1)",
542 "1300" + "0000000000000000000000000000000000000000000000000000000000000001" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
544 ("Invalid commit scalar (> r)",
545 "1300" + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
547 ("Commit element not on curve",
548 "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728d0000000000000000000000000000000000000000000000000000000000000000",
550 ("Invalid commit element (y coordinate > P)",
551 "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
553 ("Invalid commit element (x coordinate > P)",
554 "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
556 ("Different group in commit",
557 "1400" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
559 ("Too short confirm",
560 "1300" + "033d3635b39666ed427fd4a3e7d37acec2810afeaf1687f746a14163ff0e6d03" + "559cb8928db4ce4e3cbd6555e837591995e5ebe503ef36b503d9ca519d63728dd3c7c676b8e8081831b6bc3a64bdf136061a7de175e17d1965bfa41983ed02f8",
561 "0000800edebc3f260dc1fe7e0b20888af2b8a3316252ec37388a8504e25b73dc42")]
562 for (note
, commit
, confirm
) in tests
:
564 dev
[0].scan_for_bss(bssid
, freq
=2412)
# From here on hostapd hands management frames to the test instead of
# processing them itself.
565 hapd
.set("ext_mgmt_frame_handling", "1")
566 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
567 scan_freq
="2412", wait_connect
=False)
# Wait for the station's Authentication frame (management subtype 11).
569 logger
.info("Commit")
570 for i
in range(0, 10):
573 raise Exception("MGMT RX wait timed out (commit)")
574 if req
['subtype'] == 11:
578 raise Exception("Authentication frame (commit) not received")
# The reply swaps source and destination and carries the Authentication
# fixed fields "030001000000" (algorithm 3 = SAE, transaction 1 = Commit,
# status 0, each little-endian) followed by the test's commit body.
582 resp
['fc'] = req
['fc']
583 resp
['da'] = req
['sa']
584 resp
['sa'] = req
['da']
585 resp
['bssid'] = req
['bssid']
586 resp
['payload'] = binascii
.unhexlify("030001000000" + commit
)
590 logger
.info("Confirm")
591 for i
in range(0, 10):
594 raise Exception("MGMT RX wait timed out (confirm)")
595 if req
['subtype'] == 11:
599 raise Exception("Authentication frame (confirm) not received")
# Same reply layout with transaction 2 (Confirm).
603 resp
['fc'] = req
['fc']
604 resp
['da'] = req
['sa']
605 resp
['sa'] = req
['da']
606 resp
['bssid'] = req
['bssid']
607 resp
['payload'] = binascii
.unhexlify("030002000000" + confirm
)
# Clean up and return frame handling to hostapd before the next entry.
611 dev
[0].request("REMOVE_NETWORK all")
612 hapd
.set("ext_mgmt_frame_handling", "0")
# FFC counterpart of the ECC protocol test: the station is pinned to group 2
# and is answered with malformed or mismatching SAE Commit/Confirm payloads.
# NOTE(review): many numbered lines are absent from this capture (for
# example 631, 633, 636, 639, 642, 652-653, 656-658, 660-662, 668-670), so
# some table entries are incomplete and the frame receive/send statements
# inside the loops are not visible.
616 def test_sae_proto_ffc(dev
, apdev
):
617 """SAE protocol testing (FFC)"""
618 if "SAE" not in dev
[0].get_capability("auth_alg"):
619 raise HwsimSkip("SAE not supported")
620 params
= hostapd
.wpa2_params(ssid
="test-sae",
621 passphrase
="12345678")
622 params
['wpa_key_mgmt'] = 'SAE'
623 hapd
= hostapd
.add_ap(apdev
[0], params
)
624 bssid
= apdev
[0]['bssid']
626 dev
[0].request("SET sae_groups 2")
# Each entry is (note, commit hex, confirm hex). "0200" is group 2 as a
# little-endian 16-bit value, followed by the scalar and the element; the
# element is set to 0, 1 or all-ones in the "Invalid element" cases.
628 tests
= [ ("Confirm mismatch",
629 "0200" + "0c70519d874e3e4930a917cc5e17ea7a26028211159f217bab28b8d6c56691805e49f03249b2c6e22c7c9f86b30e04ccad2deedd5e5108ae07b737c00001c59cd0eb08b1dfc7f1b06a1542e2b6601a963c066e0c65940983a03917ae57a101ce84b5cbbc76ff33ebb990aac2e54aa0f0ab6ec0a58113d927683502b2cb2347d2" + "a8c00117493cdffa5dd671e934bc9cb1a69f39e25e9dd9cd9afd3aea2441a0f5491211c7ba50a753563f9ce943b043557cb71193b28e86ed9544f4289c471bf91b70af5c018cf4663e004165b0fd0bc1d8f3f78adf42eee92bcbc55246fd3ee9f107ab965dc7d4986f23eb71d616ebfe6bfe0a6c1ac5dc1718acee17c9a17486",
630 "0000f3116a9731f1259622e3eb55d4b3b50ba16f8c5f5565b28e609b180c51460251"),
632 "0200" + "0c70519d874e3e4930a917cc5e17ea7a26028211159f217bab28b8d6c56691805e49f03249b2c6e22c7c9f86b30e04ccad2deedd5e5108ae07b737c00001c59cd0eb08b1dfc7f1b06a1542e2b6601a963c066e0c65940983a03917ae57a101ce84b5cbbc76ff33ebb990aac2e54aa0f0ab6ec0a58113d927683502b2cb2347d2" + "a8c00117493cdffa5dd671e934bc9cb1a69f39e25e9dd9cd9afd3aea2441a0f5491211c7ba50a753563f9ce943b043557cb71193b28e86ed9544f4289c471bf91b70af5c018cf4663e004165b0fd0bc1d8f3f78adf42eee92bcbc55246fd3ee9f107ab965dc7d4986f23eb71d616ebfe6bfe0a6c1ac5dc1718acee17c9a174",
634 ("Invalid element (0) in commit",
635 "0200" + "0c70519d874e3e4930a917cc5e17ea7a26028211159f217bab28b8d6c56691805e49f03249b2c6e22c7c9f86b30e04ccad2deedd5e5108ae07b737c00001c59cd0eb08b1dfc7f1b06a1542e2b6601a963c066e0c65940983a03917ae57a101ce84b5cbbc76ff33ebb990aac2e54aa0f0ab6ec0a58113d927683502b2cb2347d2" + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
637 ("Invalid element (1) in commit",
638 "0200" + "0c70519d874e3e4930a917cc5e17ea7a26028211159f217bab28b8d6c56691805e49f03249b2c6e22c7c9f86b30e04ccad2deedd5e5108ae07b737c00001c59cd0eb08b1dfc7f1b06a1542e2b6601a963c066e0c65940983a03917ae57a101ce84b5cbbc76ff33ebb990aac2e54aa0f0ab6ec0a58113d927683502b2cb2347d2" + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001",
640 ("Invalid element (> P) in commit",
641 "0200" + "0c70519d874e3e4930a917cc5e17ea7a26028211159f217bab28b8d6c56691805e49f03249b2c6e22c7c9f86b30e04ccad2deedd5e5108ae07b737c00001c59cd0eb08b1dfc7f1b06a1542e2b6601a963c066e0c65940983a03917ae57a101ce84b5cbbc76ff33ebb990aac2e54aa0f0ab6ec0a58113d927683502b2cb2347d2" + "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
643 for (note
, commit
, confirm
) in tests
:
645 dev
[0].scan_for_bss(bssid
, freq
=2412)
# From here on hostapd hands management frames to the test instead of
# processing them itself.
646 hapd
.set("ext_mgmt_frame_handling", "1")
647 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
648 scan_freq
="2412", wait_connect
=False)
# Wait for the station's Authentication frame (management subtype 11).
650 logger
.info("Commit")
651 for i
in range(0, 10):
654 raise Exception("MGMT RX wait timed out (commit)")
655 if req
['subtype'] == 11:
659 raise Exception("Authentication frame (commit) not received")
# Reply with swapped addresses; "030001000000" is the Authentication fixed
# part (algorithm 3 = SAE, transaction 1 = Commit, status 0).
663 resp
['fc'] = req
['fc']
664 resp
['da'] = req
['sa']
665 resp
['sa'] = req
['da']
666 resp
['bssid'] = req
['bssid']
667 resp
['payload'] = binascii
.unhexlify("030001000000" + commit
)
671 logger
.info("Confirm")
672 for i
in range(0, 10):
675 raise Exception("MGMT RX wait timed out (confirm)")
676 if req
['subtype'] == 11:
680 raise Exception("Authentication frame (confirm) not received")
# Same reply layout with transaction 2 (Confirm).
684 resp
['fc'] = req
['fc']
685 resp
['da'] = req
['sa']
686 resp
['sa'] = req
['da']
687 resp
['bssid'] = req
['bssid']
688 resp
['payload'] = binascii
.unhexlify("030002000000" + confirm
)
# Clean up and return frame handling to hostapd before the next entry.
692 dev
[0].request("REMOVE_NETWORK all")
693 hapd
.set("ext_mgmt_frame_handling", "0")
# Feeds the station's SAE Confirm frame to hostapd twice and checks that the
# association still completes, i.e. that the replayed Confirm does not break
# the AP's state for this station.
# NOTE(review): several numbered lines are absent from this capture (for
# example 715-716, 719-721, 727-728, 733-734, 737-739, 750-751, 754-756,
# 762), including the statements that receive each frame into req.
# NOTE(review): str.encode('hex') exists only on Python 2; a Python 3 port
# needs binascii.hexlify() or bytes.hex() for the frame= arguments.
696 def test_sae_proto_confirm_replay(dev
, apdev
):
697 """SAE protocol testing - Confirm replay"""
698 if "SAE" not in dev
[0].get_capability("auth_alg"):
699 raise HwsimSkip("SAE not supported")
700 params
= hostapd
.wpa2_params(ssid
="test-sae",
701 passphrase
="12345678")
702 params
['wpa_key_mgmt'] = 'SAE'
703 hapd
= hostapd
.add_ap(apdev
[0], params
)
704 bssid
= apdev
[0]['bssid']
706 dev
[0].request("SET sae_groups 19")
708 dev
[0].scan_for_bss(bssid
, freq
=2412)
# hostapd stops processing management frames itself; the test passes each
# captured frame back in with MGMT_RX_PROCESS.
709 hapd
.set("ext_mgmt_frame_handling", "1")
710 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
711 scan_freq
="2412", wait_connect
=False)
713 logger
.info("Commit")
714 for i
in range(0, 10):
717 raise Exception("MGMT RX wait timed out (commit)")
718 if req
['subtype'] == 11:
722 raise Exception("Authentication frame (commit) not received")
# bssid is rebound here to the colon-less hex form of the AP address; hdr is
# not used in any line visible in this capture.
724 bssid
= hapd
.own_addr().replace(':', '')
725 addr
= dev
[0].own_addr().replace(':', '')
726 hdr
= "b0003a01" + bssid
+ addr
+ bssid
+ "1000"
# Deliver the station's genuine Commit to hostapd.
729 hapd
.request("MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + req
['frame'].encode('hex'))
731 logger
.info("Confirm")
732 for i
in range(0, 10):
735 raise Exception("MGMT RX wait timed out (confirm)")
736 if req
['subtype'] == 11:
740 raise Exception("Authentication frame (confirm) not received")
# Deliver the genuine Confirm once ...
743 hapd
.request("MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + req
['frame'].encode('hex'))
# ... and then the identical frame a second time (the replay).
745 logger
.info("Replay Confirm")
746 hapd
.request("MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + req
['frame'].encode('hex'))
# The station must still proceed to association (management subtype 0).
748 logger
.info("Association Request")
749 for i
in range(0, 10):
752 raise Exception("MGMT RX wait timed out (AssocReq)")
753 if req
['subtype'] == 0:
757 raise Exception("Association Request frame not received")
760 hapd
.request("MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + req
['frame'].encode('hex'))
# The TX status event must report stype=1 with ok=1 (presumably the
# Association Response being acknowledged).
761 ev
= hapd
.wait_event(["MGMT-TX-STATUS"], timeout
=5)
763 raise Exception("Management frame TX status not reported (1)")
764 if "stype=1 ok=1" not in ev
:
765 raise Exception("Unexpected management frame TX status (1): " + ev
)
# Words 1-3 of the event are passed back so hostapd processes the TX status.
766 cmd
= "MGMT_TX_STATUS_PROCESS %s" % (" ".join(ev
.split(' ')[1:4]))
767 if "OK" not in hapd
.request(cmd
):
768 raise Exception("MGMT_TX_STATUS_PROCESS failed")
# Return frame handling to hostapd and require the connection to complete.
770 hapd
.set("ext_mgmt_frame_handling", "0")
772 dev
[0].wait_connected()
# Injects hand-built SAE Commit frames straight into hostapd through
# MGMT_RX_PROCESS to drive its parser error paths; the inline comments quote
# the hostapd debug message each frame is meant to trigger. No return value
# or event is checked in the visible lines.
774 def test_sae_proto_hostapd(dev
, apdev
):
775 """SAE protocol testing with hostapd"""
776 params
= hostapd
.wpa2_params(ssid
="test-sae", passphrase
="12345678")
777 params
['wpa_key_mgmt'] = 'SAE'
# 65535 is listed next to 19 so that hostapd reaches its own "unsupported
# group" handling for a group number that is enabled in the configuration.
778 params
['sae_groups'] = "19 65535"
779 hapd
= hostapd
.add_ap(apdev
[0], params
)
780 hapd
.set("ext_mgmt_frame_handling", "1")
781 bssid
= hapd
.own_addr().replace(':', '')
# Two locally administered station addresses; no real station is involved.
782 addr
= "020000000000"
783 addr2
= "020000000001"
# Management header in hex: "b0003a01", then the AP address, the station
# address, the AP address again and "1000" (presumably frame control and
# duration, DA, SA, BSSID, sequence control).
784 hdr
= "b0003a01" + bssid
+ addr
+ bssid
+ "1000"
785 hdr2
= "b0003a01" + bssid
+ addr2
+ bssid
+ "1000"
# NOTE(review): numbered line 786 is absent from this capture; the variable
# group used below is presumably assigned there.
787 scalar
= "f7df19f4a7fef1d3b895ea1de150b7c5a7a705c8ebb31a52b623e0057908bd93"
788 element_x
= "21931572027f2e953e2a49fab3d992944102cc95aa19515fc068b394fb25ae3c"
789 element_y
= "cb4eeb94d7b0b789abfdb73a67ab9d6d5efa94dd553e0e724a6289821cbce530"
# A complete Commit (group, scalar, element) from the first address.
790 hapd
.request("MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + hdr
+ "030001000000" + group
+ scalar
+ element_x
+ element_y
)
791 # "SAE: Not enough data for scalar"
792 hapd
.request("MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + hdr
+ "030001000000" + group
+ scalar
[:-2])
793 # "SAE: Do not allow group to be changed"
794 hapd
.request("MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + hdr
+ "030001000000" + "ffff" + scalar
[:-2])
795 # "SAE: Unsupported Finite Cyclic Group 65535"
796 hapd
.request("MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=" + hdr2
+ "030001000000" + "ffff" + scalar
[:-2])
# The AP keeps its default SAE group list while the station insists on
# group 5; per the docstring the default groups reject FFC. The test only
# checks that the station makes two authentication attempts.
799 def test_sae_no_ffc_by_default(dev
, apdev
):
800 """SAE and default groups rejecting FFC"""
801 if "SAE" not in dev
[0].get_capability("auth_alg"):
802 raise HwsimSkip("SAE not supported")
803 params
= hostapd
.wpa2_params(ssid
="test-sae", passphrase
="12345678")
804 params
['wpa_key_mgmt'] = 'SAE'
805 hapd
= hostapd
.add_ap(apdev
[0], params
)
# sae_groups is not set on the AP, so hostapd's default group list applies.
807 dev
[0].request("SET sae_groups 5")
# NOTE(review): numbered lines 809, 811 and 814 are absent from this capture
# (the end of the connect() call and the conditions guarding both raises).
808 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE", scan_freq
="2412",
# Seeing the authentication attempt twice indicates the first one did not
# succeed; the visible lines make no other check.
810 ev
= dev
[0].wait_event(["SME: Trying to authenticate"], timeout
=3)
812 raise Exception("Did not try to authenticate")
813 ev
= dev
[0].wait_event(["SME: Trying to authenticate"], timeout
=3)
815 raise Exception("Did not try to authenticate (2)")
816 dev
[0].request("REMOVE_NETWORK all")
818 def sae_reflection_attack(apdev
, dev
, group
):
819 if "SAE" not in dev
.get_capability("auth_alg"):
820 raise HwsimSkip("SAE not supported")
821 params
= hostapd
.wpa2_params(ssid
="test-sae",
822 passphrase
="no-knowledge-of-passphrase")
823 params
['wpa_key_mgmt'] = 'SAE'
824 hapd
= hostapd
.add_ap(apdev
, params
)
825 bssid
= apdev
['bssid']
827 dev
.scan_for_bss(bssid
, freq
=2412)
828 hapd
.set("ext_mgmt_frame_handling", "1")
830 dev
.request("SET sae_groups %d" % group
)
831 dev
.connect("test-sae", psk
="reflection-attack", key_mgmt
="SAE",
832 scan_freq
="2412", wait_connect
=False)
835 for i
in range(0, 10):
838 raise Exception("MGMT RX wait timed out")
839 if req
['subtype'] == 11:
843 raise Exception("Authentication frame not received")
846 resp
['fc'] = req
['fc']
847 resp
['da'] = req
['sa']
848 resp
['sa'] = req
['da']
849 resp
['bssid'] = req
['bssid']
850 resp
['payload'] = req
['payload']
854 req
= hapd
.mgmt_rx(timeout
=0.5)
856 if req
['subtype'] == 11:
857 raise Exception("Unexpected Authentication frame seen")
def test_sae_reflection_attack_ecc(dev, apdev):
    """SAE reflection attack (ECC)"""
    # Delegates to the shared scenario with SAE group 19. The helper copies the
    # station's own Authentication frame payload back to it and fails the test
    # if the station answers with another Authentication frame, i.e. if the
    # reflected commit was not rejected.
    ecc_group = 19
    access_point, station = apdev[0], dev[0]
    sae_reflection_attack(access_point, station, ecc_group)
def test_sae_reflection_attack_ffc(dev, apdev):
    """SAE reflection attack (FFC)"""
    # Same reflected-commit scenario as the ECC variant, run with SAE group 5
    # so that the finite-field code path gets the same rejection check.
    ffc_group = 5
    access_point, station = apdev[0], dev[0]
    sae_reflection_attack(access_point, station, ffc_group)
def sae_reflection_attack_internal(apdev, dev, group):
    """Check that a station does not connect to an AP that reflects SAE.

    The AP is started with the sae_reflection_attack option set to '1' and
    with a passphrase that differs from the one the station is given, so a
    CTRL-EVENT-CONNECTED event means the station completed an exchange it
    should have rejected.

    apdev -- AP description passed to hostapd.add_ap(); its 'bssid' is scanned
    dev   -- station under test
    group -- SAE group number the station is restricted to
    """
    if "SAE" not in dev.get_capability("auth_alg"):
        raise HwsimSkip("SAE not supported")

    ap_params = hostapd.wpa2_params(ssid="test-sae",
                                    passphrase="no-knowledge-of-passphrase")
    ap_params['wpa_key_mgmt'] = 'SAE'
    ap_params['sae_reflection_attack'] = '1'
    hapd = hostapd.add_ap(apdev, ap_params)

    dev.scan_for_bss(apdev['bssid'], freq=2412)
    dev.request("SET sae_groups %d" % group)
    dev.connect("test-sae", psk="reflection-attack", key_mgmt="SAE",
                scan_freq="2412", wait_connect=False)

    # One second is the whole observation window for the negative result.
    connected = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
    # NOTE(review): the guard line is not visible in this listing; the
    # condition below is inferred from the error text - confirm against the
    # repository copy.
    if connected is not None:
        raise Exception("Unexpected connection")
def test_sae_reflection_attack_ecc_internal(dev, apdev):
    """SAE reflection attack (ECC) - internal"""
    # "Internal" variant: the reflection is produced by the AP itself through
    # its sae_reflection_attack option (set in the helper) instead of being
    # injected frame by frame from the test script. Group 19 is the ECC case.
    ecc_group = 19
    access_point, station = apdev[0], dev[0]
    sae_reflection_attack_internal(access_point, station, ecc_group)
def test_sae_reflection_attack_ffc_internal(dev, apdev):
    """SAE reflection attack (FFC) - internal"""
    # Same AP-side reflection check as the ECC variant, restricted to SAE
    # group 5 for the finite-field case.
    ffc_group = 5
    access_point, station = apdev[0], dev[0]
    sae_reflection_attack_internal(access_point, station, ffc_group)
def test_sae_commit_override(dev, apdev):
    """SAE commit override (hostapd)"""
    # The AP is configured to send a fixed, pre-built commit payload
    # (sae_commit_override) and the station is given a password that differs
    # from the AP passphrase. The test passes only if no connection is
    # reported within the one second wait.
    sta = dev[0]
    if "SAE" not in sta.get_capability("auth_alg"):
        raise HwsimSkip("SAE not supported")

    ap_params = hostapd.wpa2_params(ssid="test-sae",
                                    passphrase="12345678")
    ap_params['wpa_key_mgmt'] = 'SAE'
    ap_params['sae_commit_override'] = '13ffbad00d215867a7c5ff37d87bb9bdb7cb116e520f71e8d7a794ca2606d537ddc6c099c40e7a25372b80a8fd443cd7dd222c8ea21b8ef372d4b3e316c26a73fd999cc79ad483eb826e7b3893ea332da68fa13224bcdeb4fb18b0584dd100a2c514'
    hapd = hostapd.add_ap(apdev[0], ap_params)

    sta.request("SET sae_groups ")
    sta.connect("test-sae", psk="test-sae", key_mgmt="SAE",
                scan_freq="2412", wait_connect=False)

    connected = sta.wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
    # NOTE(review): the guard line is not visible in this listing; the
    # condition below is inferred from the error text - confirm against the
    # repository copy.
    if connected is not None:
        raise Exception("Unexpected connection")
def test_sae_commit_override2(dev, apdev):
    """SAE commit override (wpa_supplicant)"""
    # Mirror image of the hostapd override test: here the station is the side
    # that sends the fixed commit payload (sae_commit_override), and its
    # password differs from the AP passphrase. The AP must not let the
    # association complete, so no CTRL-EVENT-CONNECTED may appear within the
    # one second wait.
    sta = dev[0]
    if "SAE" not in sta.get_capability("auth_alg"):
        raise HwsimSkip("SAE not supported")

    ap_params = hostapd.wpa2_params(ssid="test-sae",
                                    passphrase="12345678")
    ap_params['wpa_key_mgmt'] = 'SAE'
    hapd = hostapd.add_ap(apdev[0], ap_params)

    sta.request("SET sae_groups ")
    sta.set('sae_commit_override', '13ffbad00d215867a7c5ff37d87bb9bdb7cb116e520f71e8d7a794ca2606d537ddc6c099c40e7a25372b80a8fd443cd7dd222c8ea21b8ef372d4b3e316c26a73fd999cc79ad483eb826e7b3893ea332da68fa13224bcdeb4fb18b0584dd100a2c514')
    sta.connect("test-sae", psk="test-sae", key_mgmt="SAE",
                scan_freq="2412", wait_connect=False)

    connected = sta.wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
    # NOTE(review): the guard line is not visible in this listing; the
    # condition below is inferred from the error text - confirm against the
    # repository copy.
    if connected is not None:
        raise Exception("Unexpected connection")
932 def test_sae_anti_clogging_proto(dev
, apdev
):
933 """SAE anti clogging protocol testing"""
934 if "SAE" not in dev
[0].get_capability("auth_alg"):
935 raise HwsimSkip("SAE not supported")
936 params
= hostapd
.wpa2_params(ssid
="test-sae",
937 passphrase
="no-knowledge-of-passphrase")
938 params
['wpa_key_mgmt'] = 'SAE'
939 hapd
= hostapd
.add_ap(apdev
[0], params
)
940 bssid
= apdev
[0]['bssid']
942 dev
[0].scan_for_bss(bssid
, freq
=2412)
943 hapd
.set("ext_mgmt_frame_handling", "1")
945 dev
[0].request("SET sae_groups ")
946 dev
[0].connect("test-sae", psk
="anti-cloggign", key_mgmt
="SAE",
947 scan_freq
="2412", wait_connect
=False)
950 for i
in range(0, 10):
953 raise Exception("MGMT RX wait timed out")
954 if req
['subtype'] == 11:
958 raise Exception("Authentication frame not received")
961 resp
['fc'] = req
['fc']
962 resp
['da'] = req
['sa']
963 resp
['sa'] = req
['da']
964 resp
['bssid'] = req
['bssid']
965 resp
['payload'] = binascii
.unhexlify("030001004c00" + "ffff00")
968 # Confirm (not received due to DH group being rejected)
969 req
= hapd
.mgmt_rx(timeout
=0.5)
971 if req
['subtype'] == 11:
972 raise Exception("Unexpected Authentication frame seen")
975 def test_sae_no_random(dev
, apdev
):
976 """SAE and no random numbers available"""
977 if "SAE" not in dev
[0].get_capability("auth_alg"):
978 raise HwsimSkip("SAE not supported")
979 params
= hostapd
.wpa2_params(ssid
="test-sae", passphrase
="12345678")
980 params
['wpa_key_mgmt'] = 'SAE'
981 hapd
= hostapd
.add_ap(apdev
[0], params
)
983 dev
[0].request("SET sae_groups ")
984 tests
= [ (1, "os_get_random;sae_get_rand"),
985 (1, "os_get_random;get_rand_1_to_p_1"),
986 (1, "os_get_random;get_random_qr_qnr"),
987 (1, "os_get_random;sae_derive_pwe_ecc") ]
988 for count
, func
in tests
:
989 with
fail_test(dev
[0], count
, func
):
990 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
992 dev
[0].request("REMOVE_NETWORK all")
993 dev
[0].wait_disconnected()
996 def test_sae_pwe_failure(dev
, apdev
):
997 """SAE and pwe failure"""
998 if "SAE" not in dev
[0].get_capability("auth_alg"):
999 raise HwsimSkip("SAE not supported")
1000 params
= hostapd
.wpa2_params(ssid
="test-sae", passphrase
="12345678")
1001 params
['wpa_key_mgmt'] = 'SAE'
1002 params
['sae_groups'] = '19 5'
1003 hapd
= hostapd
.add_ap(apdev
[0], params
)
1005 dev
[0].request("SET sae_groups 19")
1006 with
fail_test(dev
[0], 1, "hmac_sha256_vector;sae_derive_pwe_ecc"):
1007 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
1009 dev
[0].request("REMOVE_NETWORK all")
1010 dev
[0].wait_disconnected()
1011 with
fail_test(dev
[0], 1, "sae_test_pwd_seed_ecc"):
1012 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
1014 dev
[0].request("REMOVE_NETWORK all")
1015 dev
[0].wait_disconnected()
1017 dev
[0].request("SET sae_groups 5")
1018 with
fail_test(dev
[0], 1, "hmac_sha256_vector;sae_derive_pwe_ffc"):
1019 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
1021 dev
[0].request("REMOVE_NETWORK all")
1022 dev
[0].wait_disconnected()
1024 dev
[0].request("SET sae_groups 5")
1025 with
fail_test(dev
[0], 1, "sae_test_pwd_seed_ffc"):
1026 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
1028 dev
[0].request("REMOVE_NETWORK all")
1029 dev
[0].wait_disconnected()
1030 with
fail_test(dev
[0], 2, "sae_test_pwd_seed_ffc"):
1031 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
1033 dev
[0].request("REMOVE_NETWORK all")
1034 dev
[0].wait_disconnected()
def test_sae_bignum_failure(dev, apdev):
    """SAE and bignum failure"""
    # Error-path coverage for the station's SAE arithmetic: for each SAE group
    # in turn, one failure point at a time is armed with fail_test() and a
    # connection attempt is started. The attempt is not expected to complete
    # (wait_connect=False); the test only waits for the armed failure to be
    # reported as triggered and then removes the network again.
    sta = dev[0]
    if "SAE" not in sta.get_capability("auth_alg"):
        raise HwsimSkip("SAE not supported")

    ap_params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
    ap_params['wpa_key_mgmt'] = 'SAE'
    ap_params['sae_groups'] = '19 5 22'
    hapd = hostapd.add_ap(apdev[0], ap_params)

    # Each entry: the command selecting the station's SAE group, followed by
    # the (count, pattern) pairs handed to fail_test() for that group.
    # NOTE(review): the pattern presumably reads "failing function;caller" -
    # confirm against the fail_test() helper.
    plan = [
        ("SET sae_groups 19",
         [(1, "crypto_bignum_init_set;get_rand_1_to_p_1"),
          (1, "crypto_bignum_init;is_quadratic_residue_blind"),
          (1, "crypto_bignum_mulmod;is_quadratic_residue_blind"),
          (2, "crypto_bignum_mulmod;is_quadratic_residue_blind"),
          (3, "crypto_bignum_mulmod;is_quadratic_residue_blind"),
          (1, "crypto_bignum_legendre;is_quadratic_residue_blind"),
          (1, "crypto_bignum_init_set;sae_test_pwd_seed_ecc"),
          (1, "crypto_ec_point_compute_y_sqr;sae_test_pwd_seed_ecc"),
          (1, "crypto_bignum_init_set;get_random_qr_qnr"),
          (1, "crypto_bignum_to_bin;sae_derive_pwe_ecc"),
          (1, "crypto_ec_point_init;sae_derive_pwe_ecc"),
          (1, "crypto_ec_point_solve_y_coord;sae_derive_pwe_ecc"),
          (1, "crypto_ec_point_init;sae_derive_commit_element_ecc"),
          (1, "crypto_ec_point_mul;sae_derive_commit_element_ecc"),
          (1, "crypto_ec_point_invert;sae_derive_commit_element_ecc"),
          (1, "crypto_bignum_init;=sae_derive_commit"),
          (1, "crypto_ec_point_init;sae_derive_k_ecc"),
          (1, "crypto_ec_point_mul;sae_derive_k_ecc"),
          (1, "crypto_ec_point_add;sae_derive_k_ecc"),
          (2, "crypto_ec_point_mul;sae_derive_k_ecc"),
          (1, "crypto_ec_point_to_bin;sae_derive_k_ecc"),
          (1, "crypto_bignum_legendre;get_random_qr_qnr"),
          (1, "sha256_prf;sae_derive_keys"),
          (1, "crypto_bignum_init;sae_derive_keys"),
          (1, "crypto_bignum_init_set;sae_parse_commit_scalar"),
          (1, "crypto_bignum_to_bin;sae_parse_commit_element_ecc"),
          (1, "crypto_ec_point_from_bin;sae_parse_commit_element_ecc")]),
        ("SET sae_groups 5",
         [(1, "crypto_bignum_init_set;sae_set_group"),
          (2, "crypto_bignum_init_set;sae_set_group"),
          (1, "crypto_bignum_init_set;sae_get_rand"),
          (1, "crypto_bignum_init_set;sae_test_pwd_seed_ffc"),
          (1, "crypto_bignum_exptmod;sae_test_pwd_seed_ffc"),
          (1, "crypto_bignum_init;sae_derive_pwe_ffc"),
          (1, "crypto_bignum_init;sae_derive_commit_element_ffc"),
          (1, "crypto_bignum_exptmod;sae_derive_commit_element_ffc"),
          (1, "crypto_bignum_inverse;sae_derive_commit_element_ffc"),
          (1, "crypto_bignum_init;sae_derive_k_ffc"),
          (1, "crypto_bignum_exptmod;sae_derive_k_ffc"),
          (1, "crypto_bignum_mulmod;sae_derive_k_ffc"),
          (2, "crypto_bignum_exptmod;sae_derive_k_ffc"),
          (1, "crypto_bignum_to_bin;sae_derive_k_ffc"),
          (1, "crypto_bignum_init_set;sae_parse_commit_element_ffc"),
          (1, "crypto_bignum_init;sae_parse_commit_element_ffc"),
          (2, "crypto_bignum_init_set;sae_parse_commit_element_ffc"),
          (1, "crypto_bignum_exptmod;sae_parse_commit_element_ffc")]),
        ("SET sae_groups 22",
         [(1, "crypto_bignum_init_set;sae_test_pwd_seed_ffc"),
          (1, "crypto_bignum_sub;sae_test_pwd_seed_ffc"),
          (1, "crypto_bignum_div;sae_test_pwd_seed_ffc")]),
    ]

    for select_group, failure_points in plan:
        sta.request(select_group)
        for count, func in failure_points:
            # NOTE(review): the listing lost its indentation; keeping every
            # step inside the fail_test() context is a reconstruction -
            # confirm against the repository copy.
            with fail_test(sta, count, func):
                # Leave a marker in the AP-side log naming the armed failure.
                hapd.request("NOTE STA failure testing %d:%s" % (count, func))
                sta.connect("test-sae", psk="12345678", key_mgmt="SAE",
                            scan_freq="2412", wait_connect=False)
                wait_fail_trigger(sta, "GET_FAIL")
                sta.request("REMOVE_NETWORK all")
                sta.dump_monitor()
1127 def test_sae_invalid_anti_clogging_token_req(dev
, apdev
):
1128 """SAE and invalid anti-clogging token request"""
1129 if "SAE" not in dev
[0].get_capability("auth_alg"):
1130 raise HwsimSkip("SAE not supported")
1131 params
= hostapd
.wpa2_params(ssid
="test-sae", passphrase
="12345678")
1132 params
['wpa_key_mgmt'] = 'SAE'
1133 # Beacon more frequently since Probe Request frames are practically ignored
1134 # in this test setup (ext_mgmt_frame_handled=1 on hostapd side) and
1135 # wpa_supplicant scans may end up getting ignored if no new results are
1136 # available due to the missing Probe Response frames.
1137 params
['beacon_int'] = '20'
1138 hapd
= hostapd
.add_ap(apdev
[0], params
)
1139 bssid
= apdev
[0]['bssid']
1141 dev
[0].request("SET sae_groups 19")
1142 dev
[0].scan_for_bss(bssid
, freq
=2412)
1143 hapd
.set("ext_mgmt_frame_handling", "1")
1144 dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
1145 scan_freq
="2412", wait_connect
=False)
1146 ev
= dev
[0].wait_event(["SME: Trying to authenticate"])
1148 raise Exception("No authentication attempt seen (1)")
1149 dev
[0].dump_monitor()
1151 for i
in range(0, 10):
1152 req
= hapd
.mgmt_rx()
1154 raise Exception("MGMT RX wait timed out (commit)")
1155 if req
['subtype'] == 11:
1159 raise Exception("Authentication frame (commit) not received")
1163 resp
['fc'] = req
['fc']
1164 resp
['da'] = req
['sa']
1165 resp
['sa'] = req
['da']
1166 resp
['bssid'] = req
['bssid']
1167 resp
['payload'] = binascii
.unhexlify("030001004c0013")
1169 ev
= hapd
.wait_event(["MGMT-TX-STATUS"], timeout
=5)
1171 raise Exception("Management frame TX status not reported (1)")
1172 if "stype=11 ok=1" not in ev
:
1173 raise Exception("Unexpected management frame TX status (1): " + ev
)
1175 ev
= dev
[0].wait_event(["SME: Trying to authenticate"])
1177 raise Exception("No authentication attempt seen (2)")
1178 dev
[0].dump_monitor()
1180 for i
in range(0, 10):
1181 req
= hapd
.mgmt_rx()
1183 raise Exception("MGMT RX wait timed out (commit) (2)")
1184 if req
['subtype'] == 11:
1188 raise Exception("Authentication frame (commit) not received (2)")
1192 resp
['fc'] = req
['fc']
1193 resp
['da'] = req
['sa']
1194 resp
['sa'] = req
['da']
1195 resp
['bssid'] = req
['bssid']
1196 resp
['payload'] = binascii
.unhexlify("030001000100")
1198 ev
= hapd
.wait_event(["MGMT-TX-STATUS"], timeout
=5)
1200 raise Exception("Management frame TX status not reported (1)")
1201 if "stype=11 ok=1" not in ev
:
1202 raise Exception("Unexpected management frame TX status (1): " + ev
)
1204 ev
= dev
[0].wait_event(["SME: Trying to authenticate"])
1206 raise Exception("No authentication attempt seen (3)")
1207 dev
[0].dump_monitor()
1209 dev
[0].request("DISCONNECT")
1211 def test_sae_password(dev
, apdev
):
1212 """SAE and sae_password in hostapd configuration"""
1213 if "SAE" not in dev
[0].get_capability("auth_alg"):
1214 raise HwsimSkip("SAE not supported")
1215 params
= hostapd
.wpa2_params(ssid
="test-sae",
1216 passphrase
="12345678")
1217 params
['wpa_key_mgmt'] = 'SAE WPA-PSK'
1218 params
['sae_password'] = "sae-password"
1219 hapd
= hostapd
.add_ap(apdev
[0], params
)
1221 dev
[0].request("SET sae_groups ")
1222 dev
[0].connect("test-sae", psk
="sae-password", key_mgmt
="SAE",
1224 dev
[1].connect("test-sae", psk
="12345678", scan_freq
="2412")
1225 dev
[2].request("SET sae_groups ")
1226 dev
[2].connect("test-sae", sae_password
="sae-password", key_mgmt
="SAE",
1229 def test_sae_password_short(dev
, apdev
):
1230 """SAE and short password"""
1231 if "SAE" not in dev
[0].get_capability("auth_alg"):
1232 raise HwsimSkip("SAE not supported")
1233 params
= hostapd
.wpa2_params(ssid
="test-sae")
1234 params
['wpa_key_mgmt'] = 'SAE'
1235 params
['sae_password'] = "secret"
1236 hapd
= hostapd
.add_ap(apdev
[0], params
)
1238 dev
[0].request("SET sae_groups ")
1239 dev
[0].connect("test-sae", sae_password
="secret", key_mgmt
="SAE",
1242 def test_sae_password_long(dev
, apdev
):
1243 """SAE and long password"""
1244 if "SAE" not in dev
[0].get_capability("auth_alg"):
1245 raise HwsimSkip("SAE not supported")
1246 params
= hostapd
.wpa2_params(ssid
="test-sae")
1247 params
['wpa_key_mgmt'] = 'SAE'
1248 params
['sae_password'] = 100*"A"
1249 hapd
= hostapd
.add_ap(apdev
[0], params
)
1251 dev
[0].request("SET sae_groups ")
1252 dev
[0].connect("test-sae", sae_password
=100*"A", key_mgmt
="SAE",
1255 def test_sae_connect_cmd(dev
, apdev
):
1256 """SAE with connect command"""
1257 wpas
= WpaSupplicant(global_iface
='/tmp/wpas-wlan5')
1258 wpas
.interface_add("wlan5", drv_params
="force_connect_cmd=1")
1259 if "SAE" not in wpas
.get_capability("auth_alg"):
1260 raise HwsimSkip("SAE not supported")
1261 params
= hostapd
.wpa2_params(ssid
="test-sae", passphrase
="12345678")
1262 params
['wpa_key_mgmt'] = 'SAE'
1263 hapd
= hostapd
.add_ap(apdev
[0], params
)
1265 wpas
.request("SET sae_groups ")
1266 wpas
.connect("test-sae", psk
="12345678", key_mgmt
="SAE",
1267 scan_freq
="2412", wait_connect
=False)
1268 # mac80211_hwsim does not support SAE offload, so accept both a successful
1269 # connection and association rejection.
1270 ev
= wpas
.wait_event(["CTRL-EVENT-CONNECTED", "CTRL-EVENT-ASSOC-REJECT",
1271 "Association request to the driver failed"],
1274 raise Exception("No connection result reported")
1276 def run_sae_password_id(dev
, apdev
, groups
=None):
1277 if "SAE" not in dev
[0].get_capability("auth_alg"):
1278 raise HwsimSkip("SAE not supported")
1279 params
= hostapd
.wpa2_params(ssid
="test-sae")
1280 params
['wpa_key_mgmt'] = 'SAE'
1282 params
['sae_groups'] = groups
1285 params
['sae_password'] = [ 'secret|mac=ff:ff:ff:ff:ff:ff|id=pw id',
1286 'foo|mac=02:02:02:02:02:02',
1287 'another secret|mac=ff:ff:ff:ff:ff:ff|id=' + 29*'A' ]
1288 hapd
= hostapd
.add_ap(apdev
[0], params
)
1290 dev
[0].request("SET sae_groups " + groups
)
1291 dev
[0].connect("test-sae", sae_password
="secret", sae_password_id
="pw id",
1292 key_mgmt
="SAE", scan_freq
="2412")
1293 dev
[0].request("REMOVE_NETWORK all")
1294 dev
[0].wait_disconnected()
1296 # SAE Password Identifier element with the exact same length as the
1297 # optional Anti-Clogging Token field
1298 dev
[0].connect("test-sae", sae_password
="another secret",
1299 sae_password_id
=29*'A',
1300 key_mgmt
="SAE", scan_freq
="2412")
1301 dev
[0].request("REMOVE_NETWORK all")
1302 dev
[0].wait_disconnected()
1304 dev
[0].connect("test-sae", sae_password
="secret", sae_password_id
="unknown",
1305 key_mgmt
="SAE", scan_freq
="2412", wait_connect
=False)
1307 ev
= dev
[0].wait_event(["CTRL-EVENT-SAE-UNKNOWN-PASSWORD-IDENTIFIER"],
1310 raise Exception("Unknown password identifier not reported")
1311 dev
[0].request("REMOVE_NETWORK all")
def test_sae_password_id(dev, apdev):
    """SAE and password identifier"""
    # An empty group list makes the helper issue "SET sae_groups " with nothing
    # after it, so the station is not pinned to a particular SAE group.
    unrestricted_groups = ""
    run_sae_password_id(dev, apdev, unrestricted_groups)
def test_sae_password_id_ecc(dev, apdev):
    """SAE and password identifier (ECC)"""
    # Runs the shared password-identifier scenario restricted to group 19.
    # The helper takes the group list as a string, not as an integer.
    ecc_groups = "19"
    run_sae_password_id(dev, apdev, ecc_groups)
def test_sae_password_id_ffc(dev, apdev):
    """SAE and password identifier (FFC)"""
    # Runs the shared password-identifier scenario restricted to group 22.
    # The helper takes the group list as a string, not as an integer.
    ffc_groups = "22"
    run_sae_password_id(dev, apdev, ffc_groups)
def test_sae_forced_anti_clogging_pw_id(dev, apdev):
    """SAE anti clogging (forced and Password Identifier)"""
    # The anti-clogging threshold is set to '0' on the AP and the password is
    # bound to a 29-character identifier. Elsewhere in this file that length
    # is noted as matching the optional Anti-Clogging Token field, so this
    # exercises commit parsing when both a token and an identifier of that
    # size are in play. Two stations must each connect successfully.
    if "SAE" not in dev[0].get_capability("auth_alg"):
        raise HwsimSkip("SAE not supported")

    ap_params = hostapd.wpa2_params(ssid="test-sae")
    ap_params['wpa_key_mgmt'] = 'SAE'
    ap_params['sae_anti_clogging_threshold'] = '0'
    ap_params['sae_password'] = 'secret|id=' + 29*'A'
    hostapd.add_ap(apdev[0], ap_params)

    for idx in (0, 1):
        sta = dev[idx]
        sta.request("SET sae_groups ")
        sta.connect("test-sae", sae_password="secret",
                    sae_password_id=29*'A', key_mgmt="SAE", scan_freq="2412")
1339 def test_sae_reauth(dev
, apdev
):
1340 """SAE reauthentication"""
1341 if "SAE" not in dev
[0].get_capability("auth_alg"):
1342 raise HwsimSkip("SAE not supported")
1343 params
= hostapd
.wpa2_params(ssid
="test-sae",
1344 passphrase
="12345678")
1345 params
['wpa_key_mgmt'] = 'SAE'
1346 params
["ieee80211w"] = "2"
1347 hapd
= hostapd
.add_ap(apdev
[0], params
)
1349 dev
[0].request("SET sae_groups ")
1350 id = dev
[0].connect("test-sae", psk
="12345678", key_mgmt
="SAE",
1351 ieee80211w
="2", scan_freq
="2412")
1353 hapd
.set("ext_mgmt_frame_handling", "1")
1354 dev
[0].request("DISCONNECT")
1355 dev
[0].wait_disconnected(timeout
=10)
1356 hapd
.set("ext_mgmt_frame_handling", "0")
1357 dev
[0].request("PMKSA_FLUSH")
1358 dev
[0].request("REASSOCIATE")
1359 dev
[0].wait_connected(timeout
=10, error
="Timeout on re-connection")