Commit graph

126 commits

Author SHA1 Message Date
Jouni Malinen
ed4e845576 tests: Work around race condition for TRANSITION-DISABLE processing
This event may be sent before CTRL-EVENT-CONNECTED, so modify the test
cases to wait directly for TRANSITION-DISABLE by skipping the separate
wait for CTRL-EVENT-CONNECTED.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-11-02 15:57:39 +02:00
Jouni Malinen
07d3c1177b tests: Make sae_proto_hostapd_status_* more robust
The first MGMT-TX-STATUS event might be for the initial broadcast
Deauthentication frame instead of the SAE Authentication frame. Skip the
first event and try to process TX status for the first Authentication
frame instead.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-08-22 19:46:44 +03:00
Jouni Malinen
07a7bcd7ea WMM: Advertise support for 16 PTKSA replay counters for non-AP STA
In theory, each device that supports WMM (or the IEEE 802.11 QoS for
that matter) is expected to advertise how many replay counters it
supports and the peer device is supposed to use that information to
restrict the total number of different MSDU priorities (AC/UP) that
might be used. In practice, this is not really done in deployed devices
and instead, it is just assumed that everyone supports the eight
different replay counters so that there is no need to restrict which
MSDU priorities can be used.

hostapd implementation of WMM has advertised support for 16 PTKSA replay
counters from the beginning while wpa_supplicant has not had any code
for setting the supported replay counter fields in RSNE, i.e., has left
the value to 0 which implies that only a single replay counter is
supported. While this does not really result in any real issues with
deployed devices, this is not really correct behavior based on the
current IEEE 802.11 standard and the WMM specification.

Update wpa_supplicant to use similar design to the hostapd RSNE
generation by setting the number of supported PTKSA replay counters to
16 whenever WMM is enabled. For now, this is done based on the
association being for HT/VHT/HE/EHT and also based on the AP supporting
WMM since it is much more likely for the local device to support WMM and
eight replay counters (which can be indicated only with the value that
implies support for 16 counters since there is no separate value for 8).

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-04-18 11:40:10 +03:00
Ilan Peer
24b4c3abef tests: Extend SAE-EXT-KEY testing
Extend the SAE-EXT-KEY testing to also cover GCMP-256.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2022-12-16 22:37:31 +02:00
Jouni Malinen
7c62bccc6e tests: SAE and preferred AP using wrong password
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-24 12:06:59 +02:00
Jouni Malinen
6cb34798f8 tests: SAE-EXT-KEY, H2E, and rejected groups indication
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-10 21:13:05 +02:00
Jeffery Miller
c6f8af507e Add option to disable SAE key_mgmt without PMF
Add the `sae_check_mfp` global option to limit SAE when PMF will
not be selected for the connection.
With this option SAE is avoided when the hardware is not capable
of PMF due to missing ciphers.
With this option SAE is avoided on capable hardware when the AP
does not enable PMF.

Allows falling back to PSK on drivers with the
WPA_DRIVER_FLAGS_SAE capability but do not support the BIP cipher
necessary for PMF. This enables configurations that can fall back
to WPA-PSK and avoid problems associating with APs configured
with `sae_require_mfp=1`.

Useful when `pmf=1` and `sae_check_mfp=1` are enabled and networks
are configured with ieee80211w=3 (default) and key_mgmt="WPA-PSK SAE".
In this configuration if the device is unable to use PMF due to
lacking BIP group ciphers it will avoid SAE and fallback to
WPA-PSK for that connection.

Signed-off-by: Jeffery Miller <jefferymiller@google.com>
2022-11-05 17:48:17 +02:00
Jouni Malinen
2a9a61d6cd tests: SAE with extended key AKM
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 11:12:11 +03:00
Jouni Malinen
e35f6ed1d4 tests: More detailed report on SAE PMKSA caching error case
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:31:51 +03:00
Juliusz Sosinowicz
b3333a9f4c tests: Add a note for wolfSSL testing with Brainpool curves
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-05-01 17:02:31 +03:00
Jouni Malinen
26dd47f1d1 tests: Skip sae_pwe_group_25 with BoringSSL
BoringSSL does not support this 192-bit EC group, so do not try to run
the test case that is known to fail.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-15 13:36:35 +03:00
Jouni Malinen
64008a1ee8 tests: Make SAE roaming test cases more reliable
Flush the scan table explicitly to avoid issues with the ROAM command if
the new AP is not found and an entry from a previous test case is used
instead. This was happening in a number of cases where a SAE test case
was run after sigma_dut_ap_cipher_gcmp_256 which used the second AP
instance and allowed that to show up in the scan results in the next
text case.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-02-16 19:57:49 +02:00
Jouni Malinen
f73e041b9b tests: Update sae_bignum_failure to match implementation
This was failing with the PWE derivation change in the implementation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-01-11 20:15:36 +02:00
Jouni Malinen
f5fcac731f tests: Update capability checks to include OpenSSL 3.0
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-01-11 17:42:55 +02:00
Jouni Malinen
500813f9f3 tests: Do not use SAE group 26
This group should not be used with SAE and as such, it could cause
confusing test errors here. Use an acceptable group instead.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-01-11 17:42:42 +02:00
Jouni Malinen
8601356e3b tests: Update sae_pmk_lifetime to match implementation
The current PMKSA cache entry with SAE does not expire during the
association anymore.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-10-18 21:21:07 +03:00
Jouni Malinen
295170851d tests: SAE Authetication failure reporting
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-07-14 18:18:47 +03:00
Jouni Malinen
622be1e10b tests: SAE and WPA3-Personal transition mode roaming
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-04-21 23:01:10 +03:00
Jouni Malinen
0922519091 tests: Additional GET_PMK coverage
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-06 16:33:03 +02:00
Jouni Malinen
5027f34a33 tests: Fix test description strings for couple of SAE cases
Remove the extraneous closing parenthesis.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-16 15:51:05 +02:00
Jouni Malinen
ac835ea092 tests: SAE status code handling
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-10-20 00:37:01 +03:00
Jouni Malinen
02f4946172 tests: SAE with OCV and fetching PMK
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-08-03 15:39:45 +03:00
Brian Norris
ddd821365a tests: Skip malformed SAE authentication frames
The parsed 'length' field might pointsbeyond the end of the frame, for
some malformed frames. I haven't figured the source of said packets (I'm
using kernel 4.14.177, FWIW), but we can at least be safer about our
handling of them here.

Signed-off-by: Brian Norris <briannorris@chromium.org>
2020-06-10 21:12:44 +03:00
Jouni Malinen
31bdd8b7c7 tests: Move check_sae_capa() into utils.py
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-18 11:35:32 +03:00
Jouni Malinen
ec182d5e93 tests: SAE/PMF roam
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-04 23:57:18 +03:00
Jouni Malinen
5cf5680e5c tests: Transition disable
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-26 00:22:57 +02:00
Jouni Malinen
60c435493d tests: SAE and RSNE mismatch in EAPOL-Key msg 2/4
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 11:16:22 +02:00
Jouni Malinen
3396a4529c tests: RSNXE missing from EAPOL-Key msg 3/4
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-07 16:42:47 +02:00
Jouni Malinen
d9aafb75f1 tests: SAE and PSK with multiple passwords/passphrases
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-01 19:53:16 +02:00
Jouni Malinen
fd1892885b tests: SAE and opportunistic key caching and PMK lifetime
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-28 18:41:24 +02:00
Jouni Malinen
c90822a5c3 tests: SAE Password Identifier with unexpected PWE derivation
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-10 05:13:13 +02:00
Jouni Malinen
6478f4375b tests: GET_PMK and PMKSA_GET match
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-10 02:56:40 +02:00
Jouni Malinen
3ecaddd62b tests: SAE anti clogging (forced, H2E + loop)
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-08 07:19:53 +02:00
Jouni Malinen
4c0af8ad6c tests: Check SAE capability in build more consistently
Use a helper function for this and add checks for number of test cases
that were missing this. This gets rid of undesired FAIL results
(converts them to SKIP) for test runs where the station do not support
SAE.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-26 13:40:56 +02:00
Jouni Malinen
6ce883de69 tests: SAE anti clogging (forced, H2E)
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-20 21:17:46 +02:00
Jouni Malinen
283be365c3 tests: SAE and AP sending Confirm message without waiting STA (2)
This goes through sae_confirm_immediate=2 behavior.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-08 20:58:18 +02:00
Ilan Peer
7bcb63913a tests: Extend the timeout for some SAE error case tests
Commit 407879b690ba ("mac80211: Adjust SAE authentication timeout") in
the kernel tree increased the SAE authentication timeout. This caused
some error case tests to fail. To fix this, extend the timeout for some
error case tests.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2019-12-30 18:57:40 +02:00
Jouni Malinen
06540f232c tests: SAE H2E and RSNXE mismatch in EAPOL-Key msg 2/4 retries
The second round may use PMKSA caching, but AP will need to reject msg
2/4 in that case as well due to RSNXE mismatch.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-12-13 03:27:25 +02:00
Jouni Malinen
fb3ef06dde tests: sae_rejected_groups with and without sigma_dut
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-12-12 23:52:36 +02:00
Jouni Malinen
63585099d6 tests: SAE H2E and RSNXE mismatch in EAPOL-Key msg 3/4
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-12-07 17:46:44 +02:00
Jouni Malinen
250db2ab51 tests: SAE H2E and RSNXE mismatch (AP detecting)
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-12-07 12:56:19 +02:00
Jouni Malinen
90d84bc511 tests: SAE H2E and rejected groups indication (unexpected group)
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-12-07 00:45:10 +02:00
Jouni Malinen
b1905c7d8e tests: SAE PWE derivation with H2E-only AP and STA forcing loop
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-12-06 17:28:52 +02:00
Jouni Malinen
dd8eb44eef tests: sae_pwe parameter in PSK-only-AP
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-11-29 00:13:08 +02:00
Jouni Malinen
46746fc170 tests: Additional SAE protocol testing
Check behavior with delayed/replayed SAE commit message.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-10-27 15:16:03 +02:00
Jouni Malinen
01b2cd6462 tests: SAE and authentication restarts with H2E/looping
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-25 19:29:53 +03:00
Jouni Malinen
7ab3510dad tests: Remove SAE H2E testing with group 26
This is in preparation of an implementation to to remove the alternative
SSWU path that was needed only for this particular group.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-25 19:29:53 +03:00
Jouni Malinen
71e276f90f tests: Fix copy-paste issues in SAE H2E group tests
These test cases were all using group 21 even though they were supposed
to go through all the possible groups.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-25 19:29:53 +03:00
Jouni Malinen
3fa701b5ce tests: SAE PWE derivation methods
Verify behavior with sae_pwe configuration values 0..2, i.e., test the
new hash-to-element mechanism for deriving PWE and negotiation for which
method to use.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-15 15:39:22 +03:00
Jouni Malinen
8a9658dbb5 tests: SAE and AP sending Confirm message without waiting STA
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-10 15:42:11 +03:00