tests: SAE with Password Identifier

This verifies SAE Password Identifier functionality in both the
infrastructure and mesh BSS cases.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

tests/hwsim/test_sae.py

@@ -1246,3 +1246,51 @@ def test_sae_connect_cmd(dev, apdev):
                          timeout=15)
     if ev is None:
         raise Exception("No connection result reported")
+
+def test_sae_password_id(dev, apdev):
+    """SAE and password identifier"""
+    if "SAE" not in dev[0].get_capability("auth_alg"):
+        raise HwsimSkip("SAE not supported")
+    params = hostapd.wpa2_params(ssid="test-sae")
+    params['wpa_key_mgmt'] = 'SAE'
+    params['sae_password'] = [ 'secret|mac=ff:ff:ff:ff:ff:ff|id=pw id',
+                               'foo|mac=02:02:02:02:02:02',
+                               'another secret|mac=ff:ff:ff:ff:ff:ff|id=' + 29*'A' ]
+    hapd = hostapd.add_ap(apdev[0], params)
+
+    dev[0].request("SET sae_groups ")
+    dev[0].connect("test-sae", sae_password="secret", sae_password_id="pw id",
+                   key_mgmt="SAE", scan_freq="2412")
+    dev[0].request("REMOVE_NETWORK all")
+    dev[0].wait_disconnected()
+
+    # SAE Password Identifier element with the exact same length as the
+    # optional Anti-Clogging Token field
+    dev[0].connect("test-sae", sae_password="another secret",
+                   sae_password_id=29*'A',
+                   key_mgmt="SAE", scan_freq="2412")
+    dev[0].request("REMOVE_NETWORK all")
+    dev[0].wait_disconnected()
+
+    dev[0].connect("test-sae", sae_password="secret", sae_password_id="unknown",
+                   key_mgmt="SAE", scan_freq="2412", wait_connect=False)
+
+    ev = dev[0].wait_event(["CTRL-EVENT-SAE-UNKNOWN-PASSWORD-IDENTIFIER"],
+                           timeout=10)
+    if ev is None:
+        raise Exception("Unknown password identifier not reported")
+    dev[0].request("REMOVE_NETWORK all")
+
+def test_sae_forced_anti_clogging_pw_id(dev, apdev):
+    """SAE anti clogging (forced and Password Identifier)"""
+    if "SAE" not in dev[0].get_capability("auth_alg"):
+        raise HwsimSkip("SAE not supported")
+    params = hostapd.wpa2_params(ssid="test-sae")
+    params['wpa_key_mgmt'] = 'SAE'
+    params['sae_anti_clogging_threshold'] = '0'
+    params['sae_password'] = 'secret|id=' + 29*'A'
+    hostapd.add_ap(apdev[0], params)
+    for i in range(0, 2):
+        dev[i].request("SET sae_groups ")
+        dev[i].connect("test-sae", sae_password="secret",
+                       sae_password_id=29*'A', key_mgmt="SAE", scan_freq="2412")

tests/hwsim/test_wpas_mesh.py

@@ -305,7 +305,7 @@ def _test_mesh_open_rssi_threshold(dev, apdev, value, expected):
                         ": " + str(mesh_rssi_threshold))
 
 def add_mesh_secure_net(dev, psk=True, pmf=False, pairwise=None, group=None,
-                        sae_password=False):
+                        sae_password=False, sae_password_id=None):
     id = dev.add_network()
     dev.set_network(id, "mode", "5")
     dev.set_network_quoted(id, "ssid", "wpas-mesh-sec")
@@ -313,6 +313,8 @@ def add_mesh_secure_net(dev, psk=True, pmf=False, pairwise=None, group=None,
     dev.set_network(id, "frequency", "2412")
     if sae_password:
         dev.set_network_quoted(id, "sae_password", "thisismypassphrase!")
+    if sae_password_id:
+        dev.set_network_quoted(id, "sae_password_id", sae_password_id)
     if psk:
         dev.set_network_quoted(id, "psk", "thisismypassphrase!")
     if pmf:
@@ -371,6 +373,48 @@ def test_wpas_mesh_secure_sae_password(dev, apdev):
 
     hwsim_utils.test_connectivity(dev[0], dev[1])
 
+def test_wpas_mesh_secure_sae_password_id(dev, apdev):
+    """Secure mesh using sae_password and password identifier"""
+    check_mesh_support(dev[0], secure=True)
+    dev[0].request("SET sae_groups ")
+    id = add_mesh_secure_net(dev[0], psk=False, sae_password=True,
+                             sae_password_id="pw id")
+    dev[0].mesh_group_add(id)
+
+    dev[1].request("SET sae_groups ")
+    id = add_mesh_secure_net(dev[1], sae_password=True,
+                             sae_password_id="pw id")
+    dev[1].mesh_group_add(id)
+
+    check_mesh_group_added(dev[0])
+    check_mesh_group_added(dev[1])
+
+    check_mesh_peer_connected(dev[0])
+    check_mesh_peer_connected(dev[1])
+
+    hwsim_utils.test_connectivity(dev[0], dev[1])
+
+def test_wpas_mesh_secure_sae_password_id_mismatch(dev, apdev):
+    """Secure mesh using sae_password and password identifier mismatch"""
+    check_mesh_support(dev[0], secure=True)
+    dev[0].request("SET sae_groups ")
+    id = add_mesh_secure_net(dev[0], psk=False, sae_password=True,
+                             sae_password_id="pw id")
+    dev[0].mesh_group_add(id)
+
+    dev[1].request("SET sae_groups ")
+    id = add_mesh_secure_net(dev[1], sae_password=True,
+                             sae_password_id="wrong")
+    dev[1].mesh_group_add(id)
+
+    check_mesh_group_added(dev[0])
+    check_mesh_group_added(dev[1])
+
+    ev = dev[0].wait_event(["CTRL-EVENT-SAE-UNKNOWN-PASSWORD-IDENTIFIER"],
+                           timeout=10)
+    if ev is None:
+        raise Exception("Unknown Password Identifier not noticed")
+
 def test_mesh_secure_pmf(dev, apdev):
     """Secure mesh network connectivity with PMF enabled"""
     check_mesh_support(dev[0], secure=True)

tests/hwsim/wpasupplicant.py

@@ -1011,7 +1011,8 @@ class WpaSupplicant:
                    "private_key2", "phase1", "phase2", "domain_suffix_match",
                    "altsubject_match", "subject_match", "pac_file", "dh_file",
                    "bgscan", "ht_mcs", "id_str", "openssl_ciphers",
-                   "domain_match", "dpp_connector", "sae_password" ]
+                   "domain_match", "dpp_connector", "sae_password",
+                   "sae_password_id" ]
         for field in quoted:
             if field in kwargs and kwargs[field]:
                 self.set_network_quoted(id, field, kwargs[field])