diff --git a/tests/hwsim/test_sae.py b/tests/hwsim/test_sae.py
index 922e78dd0..cdcabf8b2 100644
--- a/tests/hwsim/test_sae.py
+++ b/tests/hwsim/test_sae.py
@@ -1246,3 +1246,51 @@ def test_sae_connect_cmd(dev, apdev):
 timeout=15)
 if ev is None:
 raise Exception("No connection result reported")
+
+def test_sae_password_id(dev, apdev):
+ """SAE and password identifier"""
+ if "SAE" not in dev[0].get_capability("auth_alg"):
+ raise HwsimSkip("SAE not supported")
+ params = hostapd.wpa2_params(ssid="test-sae")
+ params['wpa_key_mgmt'] = 'SAE'
+ params['sae_password'] = [ 'secret|mac=ff:ff:ff:ff:ff:ff|id=pw id',
+ 'foo|mac=02:02:02:02:02:02',
+ 'another secret|mac=ff:ff:ff:ff:ff:ff|id=' + 29*'A' ]
+ hapd = hostapd.add_ap(apdev[0], params)
+
+ dev[0].request("SET sae_groups ")
+ dev[0].connect("test-sae", sae_password="secret", sae_password_id="pw id",
+ key_mgmt="SAE", scan_freq="2412")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+ # SAE Password Identifier element with the exact same length as the
+ # optional Anti-Clogging Token field
+ dev[0].connect("test-sae", sae_password="another secret",
+ sae_password_id=29*'A',
+ key_mgmt="SAE", scan_freq="2412")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+ dev[0].connect("test-sae", sae_password="secret", sae_password_id="unknown",
+ key_mgmt="SAE", scan_freq="2412", wait_connect=False)
+
+ ev = dev[0].wait_event(["CTRL-EVENT-SAE-UNKNOWN-PASSWORD-IDENTIFIER"],
+ timeout=10)
+ if ev is None:
+ raise Exception("Unknown password identifier not reported")
+ dev[0].request("REMOVE_NETWORK all")
+
+def test_sae_forced_anti_clogging_pw_id(dev, apdev):
+ """SAE anti clogging (forced and Password Identifier)"""
+ if "SAE" not in dev[0].get_capability("auth_alg"):
+ raise HwsimSkip("SAE not supported")
+ params = hostapd.wpa2_params(ssid="test-sae")
+ params['wpa_key_mgmt'] = 'SAE'
+ params['sae_anti_clogging_threshold'] = '0'
+ params['sae_password'] = 'secret|id=' + 29*'A'
+ hostapd.add_ap(apdev[0], params)
+ for i in range(0, 2):
+ dev[i].request("SET sae_groups ")
+ dev[i].connect("test-sae", sae_password="secret",
+ sae_password_id=29*'A', key_mgmt="SAE", scan_freq="2412")
diff --git a/tests/hwsim/test_wpas_mesh.py b/tests/hwsim/test_wpas_mesh.py
index 7d9e0ef9a..bf10645b0 100644
--- a/tests/hwsim/test_wpas_mesh.py
+++ b/tests/hwsim/test_wpas_mesh.py
@@ -305,7 +305,7 @@ def _test_mesh_open_rssi_threshold(dev, apdev, value, expected): ": " + str(mesh_rssi_threshold)) def add_mesh_secure_net(dev, psk=True, pmf=False, pairwise=None, group=None, - sae_password=False): + sae_password=False, sae_password_id=None): id = dev.add_network() dev.set_network(id, "mode", "5") dev.set_network_quoted(id, "ssid", "wpas-mesh-sec")
@@ -313,6 +313,8 @@ def add_mesh_secure_net(dev, psk=True, pmf=False, pairwise=None, group=None,
 dev.set_network(id, "frequency", "2412")
 if sae_password:
 dev.set_network_quoted(id, "sae_password", "thisismypassphrase!")
+ if sae_password_id:
+ dev.set_network_quoted(id, "sae_password_id", sae_password_id)
 if psk:
 dev.set_network_quoted(id, "psk", "thisismypassphrase!")
 if pmf:
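Review bot: The unknown-identifier case at the end of test_sae_password_id passes as soon as CTRL-EVENT-SAE-UNKNOWN-PASSWORD-IDENTIFIER is seen and never asserts that the station stayed unconnected, so a regression where the event is reported but the association still completes would go unnoticed. After the existing check, add `ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)` and `if ev is not None: raise Exception("Unexpected connection with unknown password identifier")`. test_wpas_mesh_secure_sae_password_id_mismatch in test_wpas_mesh.py has the same gap: it waits for the event on dev[0] only and does not check that no peer link came up. A further case that pairs a configured identifier with the other entry's password (`sae_password="secret"` with `sae_password_id=29*'A'`) and expects failure would confirm that each password is accepted only under its own identifier.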
@@ -371,6 +373,48 @@ def test_wpas_mesh_secure_sae_password(dev, apdev): hwsim_utils.test_connectivity(dev[0], dev[1]) +def test_wpas_mesh_secure_sae_password_id(dev, apdev): + """Secure mesh using sae_password and password identifier""" + check_mesh_support(dev[0], secure=True) + dev[0].request("SET sae_groups ") + id = add_mesh_secure_net(dev[0], psk=False, sae_password=True, + sae_password_id="pw id") + dev[0].mesh_group_add(id) + + dev[1].request("SET sae_groups ") + id = add_mesh_secure_net(dev[1], sae_password=True, + sae_password_id="pw id") + dev[1].mesh_group_add(id) + + check_mesh_group_added(dev[0]) + check_mesh_group_added(dev[1]) + + check_mesh_peer_connected(dev[0]) + check_mesh_peer_connected(dev[1]) + + hwsim_utils.test_connectivity(dev[0], dev[1]) + +def test_wpas_mesh_secure_sae_password_id_mismatch(dev, apdev): + """Secure mesh using sae_password and password identifier mismatch""" + check_mesh_support(dev[0], secure=True) + dev[0].request("SET sae_groups ") + id = add_mesh_secure_net(dev[0], psk=False, sae_password=True, + sae_password_id="pw id") + dev[0].mesh_group_add(id) + + dev[1].request("SET sae_groups ") + id = add_mesh_secure_net(dev[1], sae_password=True, + sae_password_id="wrong") + dev[1].mesh_group_add(id) + + check_mesh_group_added(dev[0]) + check_mesh_group_added(dev[1]) + + ev = dev[0].wait_event(["CTRL-EVENT-SAE-UNKNOWN-PASSWORD-IDENTIFIER"], + timeout=10) + if ev is None: + raise Exception("Unknown Password Identifier not noticed") + def test_mesh_secure_pmf(dev, apdev): """Secure mesh network connectivity with PMF enabled""" check_mesh_support(dev[0], secure=True)
diff --git a/tests/hwsim/wpasupplicant.py b/tests/hwsim/wpasupplicant.py
index f0cbe6bf7..2f2e703a3 100644
--- a/tests/hwsim/wpasupplicant.py
+++ b/tests/hwsim/wpasupplicant.py
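Review bot: In both new mesh tests dev[0] is added with `psk=False` while dev[1] keeps the default `psk=True`, so dev[1] is configured with `psk` and `sae_password` at the same time as the identifier and the two peers are not set up alike. If the asymmetry is intended (presumably to show that `sae_password` is used in preference to `psk`), say so in a comment above the dev[1] call, e.g. `# psk left set on purpose; sae_password should be the one used`; otherwise pass `psk=False` on dev[1] as well. Both tests also call `check_mesh_support` for dev[0] only, which may be fine if the harness guarantees identical radios but is worth confirming.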
@@ -1011,7 +1011,8 @@ class WpaSupplicant: "private_key2", "phase1", "phase2", "domain_suffix_match", "altsubject_match", "subject_match", "pac_file", "dh_file", "bgscan", "ht_mcs", "id_str", "openssl_ciphers", - "domain_match", "dpp_connector", "sae_password" ] + "domain_match", "dpp_connector", "sae_password", + "sae_password_id" ] for field in quoted: if field in kwargs and kwargs[field]: self.set_network_quoted(id, field, kwargs[field])