From 3fa701b5ce38bb16dfa257f6e2e321ffb77da5d6 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Thu, 5 Sep 2019 12:34:48 +0300
Subject: [PATCH] tests: SAE PWE derivation methods Verify behavior with sae_pwe configuration values 0..2, i.e., test the new hash-to-element mechanism for deriving PWE and negotiation for which method to use.
Signed-off-by: Jouni Malinen
---
 tests/hwsim/test_sae.py | 169 ++++++++++++++++++++++++++++++++++++
 tests/hwsim/test_wpas_ap.py | 21 ++++-
 2 files changed, 187 insertions(+), 3 deletions(-)
diff --git a/tests/hwsim/test_sae.py b/tests/hwsim/test_sae.py
index 1035f16d7..2f612dfe7 100644
--- a/tests/hwsim/test_sae.py
+++ b/tests/hwsim/test_sae.py
@@ -1709,3 +1709,172 @@ def test_sae_confirm_immediate(dev, apdev):
 dev[0].request("SET sae_groups ")
 dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE", scan_freq="2412")
+
+def test_sae_pwe_group_19(dev, apdev):
+ """SAE PWE derivation options with group 19"""
+ run_sae_pwe_group(dev, apdev, 19)
+
+def test_sae_pwe_group_20(dev, apdev):
+ """SAE PWE derivation options with group 20"""
+ run_sae_pwe_group(dev, apdev, 20)
+
+def test_sae_pwe_group_21(dev, apdev):
+ """SAE PWE derivation options with group 21"""
+ run_sae_pwe_group(dev, apdev, 21)
+
+def test_sae_pwe_group_25(dev, apdev):
+ """SAE PWE derivation options with group 21"""
+ run_sae_pwe_group(dev, apdev, 21)
+
+def test_sae_pwe_group_26(dev, apdev):
+ """SAE PWE derivation options with group 21"""
+ run_sae_pwe_group(dev, apdev, 21)
+
+def test_sae_pwe_group_28(dev, apdev):
+ """SAE PWE derivation options with group 21"""
+ run_sae_pwe_group(dev, apdev, 21)
+
+def test_sae_pwe_group_29(dev, apdev):
+ """SAE PWE derivation options with group 21"""
+ run_sae_pwe_group(dev, apdev, 21)
+
+def test_sae_pwe_group_30(dev, apdev):
+ """SAE PWE derivation options with group 21"""
+ run_sae_pwe_group(dev, apdev, 21)
+
+def test_sae_pwe_group_1(dev, apdev):
+ """SAE PWE derivation options with group 1"""
+ run_sae_pwe_group(dev, apdev, 1)
+
+def test_sae_pwe_group_2(dev, apdev):
+ """SAE PWE derivation options with group 2"""
+ run_sae_pwe_group(dev, apdev, 2)
+
+def test_sae_pwe_group_5(dev, apdev):
+ """SAE PWE derivation options with group 5"""
+ run_sae_pwe_group(dev, apdev, 5)
+
+def test_sae_pwe_group_14(dev, apdev):
+ """SAE PWE derivation options with group 14"""
+ run_sae_pwe_group(dev, apdev, 14)
+
+def test_sae_pwe_group_15(dev, apdev):
+ """SAE PWE derivation options with group 15"""
+ run_sae_pwe_group(dev, apdev, 15)
+
+def test_sae_pwe_group_16(dev, apdev):
+ """SAE PWE derivation options with group 16"""
+ run_sae_pwe_group(dev, apdev, 16)
+
+def test_sae_pwe_group_22(dev, apdev):
+ """SAE PWE derivation options with group 22"""
+ run_sae_pwe_group(dev, apdev, 22)
+
+def test_sae_pwe_group_23(dev, apdev):
+ """SAE PWE derivation options with group 23"""
+ run_sae_pwe_group(dev, apdev, 23)
+
+def test_sae_pwe_group_24(dev, apdev):
+ """SAE PWE derivation options with group 24"""
+ run_sae_pwe_group(dev, apdev, 24)
+
+def start_sae_pwe_ap(apdev, group, sae_pwe):
+ params = hostapd.wpa2_params(ssid="sae-pwe", passphrase="12345678")
+ params['wpa_key_mgmt'] = 'SAE'
+ params['sae_groups'] = str(group)
+ params['sae_pwe'] = str(sae_pwe)
+ return hostapd.add_ap(apdev, params)
+
+def run_sae_pwe_group(dev, apdev, group):
+ if "SAE" not in dev[0].get_capability("auth_alg"):
+ raise HwsimSkip("SAE not supported")
+ tls = dev[0].request("GET tls_library")
+ if group in [27, 28, 29, 30]:
+ if tls.startswith("OpenSSL") and "run=OpenSSL 1." in tls:
+ logger.info("Add Brainpool EC groups since OpenSSL is new enough")
+ else:
+ raise HwsimSkip("Brainpool curve not supported")
+ start_sae_pwe_ap(apdev[0], group, 2)
+ try:
+ check_sae_pwe_group(dev[0], group, 0)
+ check_sae_pwe_group(dev[0], group, 1)
+ check_sae_pwe_group(dev[0], group, 2)
+ finally:
+ dev[0].set("sae_groups", "")
+ dev[0].set("sae_pwe", "0")
+
+def check_sae_pwe_group(dev, group, sae_pwe):
+ dev.set("sae_groups", str(group))
+ dev.set("sae_pwe", str(sae_pwe))
+ dev.connect("sae-pwe", psk="12345678", key_mgmt="SAE", scan_freq="2412")
+ dev.request("REMOVE_NETWORK all")
+ dev.wait_disconnected()
+ dev.dump_monitor()
+
+def test_sae_pwe_h2e_only_ap(dev, apdev):
+ """SAE PWE derivation with H2E-only AP"""
+ start_sae_pwe_ap(apdev[0], 19, 1)
+ try:
+ check_sae_pwe_group(dev[0], 19, 1)
+ check_sae_pwe_group(dev[0], 19, 2)
+ finally:
+ dev[0].set("sae_groups", "")
+ dev[0].set("sae_pwe", "0")
+
+ dev[0].connect("sae-pwe", psk="12345678", key_mgmt="SAE", scan_freq="2412",
+ wait_connect=False)
+ ev = dev[0].wait_event(["CTRL-EVENT-NETWORK-NOT-FOUND"], timeout=10)
+ if ev is None:
+ raise Exception("No indication of mismatching network seen")
+
+def test_sae_pwe_loop_only_ap(dev, apdev):
+ """SAE PWE derivation with loop-only AP"""
+ start_sae_pwe_ap(apdev[0], 19, 0)
+ try:
+ check_sae_pwe_group(dev[0], 19, 0)
+ check_sae_pwe_group(dev[0], 19, 2)
+ dev[0].set("sae_pwe", "1")
+ dev[0].connect("sae-pwe", psk="12345678", key_mgmt="SAE",
+ scan_freq="2412", wait_connect=False)
+ ev = dev[0].wait_event(["CTRL-EVENT-NETWORK-NOT-FOUND"], timeout=10)
+ if ev is None:
+ raise Exception("No indication of mismatching network seen")
+ finally:
+ dev[0].set("sae_groups", "")
+ dev[0].set("sae_pwe", "0")
+
+def test_sae_h2e_rejected_groups(dev, apdev):
+ """SAE H2E and rejected groups indication"""
+ params = hostapd.wpa2_params(ssid="sae-pwe", passphrase="12345678")
+ params['wpa_key_mgmt'] = 'SAE'
+ params['sae_groups'] = "19"
+ params['sae_pwe'] = "1"
+ hapd = hostapd.add_ap(apdev[0], params)
+ try:
+ dev[0].set("sae_groups", "21 20 19")
+ dev[0].set("sae_pwe", "1")
+ dev[0].connect("sae-pwe", psk="12345678", key_mgmt="SAE",
+ scan_freq="2412")
+ finally:
+ dev[0].set("sae_groups", "")
+ dev[0].set("sae_pwe", "0")
+
+def test_sae_h2e_password_id(dev, apdev):
+ """SAE H2E and password identifier"""
+ if "SAE" not in dev[0].get_capability("auth_alg"):
+ raise HwsimSkip("SAE not supported")
+ params = hostapd.wpa2_params(ssid="test-sae")
+ params['wpa_key_mgmt'] = 'SAE'
+ params['sae_pwe'] = '1'
+ params['sae_password'] = 'secret|id=pw id'
+ hapd = hostapd.add_ap(apdev[0], params)
+
+ try:
+ dev[0].request("SET sae_groups ")
+ dev[0].set("sae_pwe", "1")
+ dev[0].connect("test-sae", sae_password="secret",
+ sae_password_id="pw id",
+ key_mgmt="SAE", scan_freq="2412")
+ finally:
+ dev[0].set("sae_groups", "")
+ dev[0].set("sae_pwe", "0")
diff --git a/tests/hwsim/test_wpas_ap.py b/tests/hwsim/test_wpas_ap.py
index 92b39d015..5d6dfedde 100644
--- a/tests/hwsim/test_wpas_ap.py
+++ b/tests/hwsim/test_wpas_ap.py
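Review bot: `test_sae_pwe_group_25`, `_26`, `_28`, `_29` and `_30` all keep the group 21 docstring and call `run_sae_pwe_group(dev, apdev, 21)`, so those five groups get no PWE-derivation coverage and group 21 is simply run six times. Each should pass its own number, e.g. `run_sae_pwe_group(dev, apdev, 25)`, with the docstring changed to match. As written, the Brainpool skip branch in `run_sae_pwe_group` (`group in [27, 28, 29, 30]`) is never reached from the tests added here; once the calls are fixed it becomes live, and its `"run=OpenSSL 1." in tls` match is worth rechecking at that point. Separately, `test_sae_pwe_h2e_only_ap`, `test_sae_pwe_loop_only_ap` and `test_sae_h2e_rejected_groups` omit the `HwsimSkip("SAE not supported")` guard that the other new tests have, so a build without SAE would presumably report failures rather than skips.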
@@ -771,7 +771,17 @@ def test_wpas_ap_sae_password(dev):
 """wpa_supplicant AP mode - SAE using sae_password"""
 run_wpas_ap_sae(dev, True)
-def run_wpas_ap_sae(dev, sae_password):
+def test_wpas_ap_sae_pwe_1(dev):
+ """wpa_supplicant AP mode - SAE using sae_password and sae_pwe=1"""
+ try:
+ dev[0].set("sae_pwe", "1")
+ dev[1].set("sae_pwe", "1")
+ run_wpas_ap_sae(dev, True, sae_password_id=True)
+ finally:
+ dev[0].set("sae_pwe", "0")
+ dev[1].set("sae_pwe", "0")
+
+def run_wpas_ap_sae(dev, sae_password, sae_password_id=False):
 if "SAE" not in dev[0].get_capability("auth_alg"):
 raise HwsimSkip("SAE not supported")
 if "SAE" not in dev[1].get_capability("auth_alg"):
@@ -788,6 +798,11 @@ def run_wpas_ap_sae(dev, sae_password):
 dev[0].set_network_quoted(id, "sae_password", "12345678")
 else:
 dev[0].set_network_quoted(id, "psk", "12345678")
+ if sae_password_id:
+ pw_id = "pw id"
+ dev[0].set_network_quoted(id, "sae_password_id", pw_id)
+ else:
+ pw_id = None
 dev[0].set_network(id, "frequency", "2412")
 dev[0].set_network(id, "scan_freq", "2412")
 dev[0].set_network(id, "wps_disabled", "1")
@@ -795,5 +810,5 @@ def run_wpas_ap_sae(dev, sae_password):
 wait_ap_ready(dev[0])
 dev[1].request("SET sae_groups ")
- dev[1].connect("wpas-ap-sae", key_mgmt="SAE", psk="12345678",
- scan_freq="2412")
+ dev[1].connect("wpas-ap-sae", key_mgmt="SAE", sae_password="12345678",
+ sae_password_id=pw_id, scan_freq="2412")
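Review bot: The last hunk makes the station connect with `sae_password="12345678"` unconditionally, so a caller passing `sae_password=False` (the `else` branch that sets `psk` on the AP side, visible in the -788 hunk) no longer exercises the `psk=`-configured station path that the removed lines covered. If that coverage was intentional, the station credential should be selected by the same flag, as sketched below. Relatedly, `sae_password_id=True` combined with `sae_password=False` would set `sae_password_id` next to a `psk`; whether that combination is meaningful is not visible here, so it deserves either a guard or a docstring on `run_wpas_ap_sae` stating the expected argument combinations. The body of `run_wpas_ap_sae` starts and ends outside these hunks.

```python
    # … unchanged: wait_ap_ready(dev[0]) and the sae_groups reset …
    if sae_password:
        dev[1].connect("wpas-ap-sae", key_mgmt="SAE",
                       sae_password="12345678", sae_password_id=pw_id,
                       scan_freq="2412")
    else:
        dev[1].connect("wpas-ap-sae", key_mgmt="SAE", psk="12345678",
                       scan_freq="2412")
```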