tests: Change most SAE test cases to use suitable groups
Reduce testing dependency on the unsuitable groups so that running a test case against a production build does not fail unnecessarily. This is in preparation for making production builds (CONFIG_TESTING_OPTIONS not defined) of wpa_supplicant and hostapd disable all DH groups that have been indicated as being unsuitable.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
parent
6bb9d9a8db
commit
8e607b1b62
@ -76,10 +76,10 @@ def test_sae_password_ffc(dev, apdev):
|
|||||||
params = hostapd.wpa2_params(ssid="test-sae",
|
params = hostapd.wpa2_params(ssid="test-sae",
|
||||||
passphrase="12345678")
|
passphrase="12345678")
|
||||||
params['wpa_key_mgmt'] = 'SAE'
|
params['wpa_key_mgmt'] = 'SAE'
|
||||||
params['sae_groups'] = '22'
|
params['sae_groups'] = '15'
|
||||||
hapd = hostapd.add_ap(apdev[0], params)
|
hapd = hostapd.add_ap(apdev[0], params)
|
||||||
|
|
||||||
dev[0].request("SET sae_groups 22")
|
dev[0].request("SET sae_groups 15")
|
||||||
|
|
||||||
for i in range(10):
|
for i in range(10):
|
||||||
password = "12345678-" + str(i)
|
password = "12345678-" + str(i)
|
||||||
@ -150,6 +150,7 @@ def test_sae_groups(dev, apdev):
|
|||||||
logger.info("Add Brainpool EC groups since OpenSSL is new enough")
|
logger.info("Add Brainpool EC groups since OpenSSL is new enough")
|
||||||
sae_groups += [27, 28, 29, 30]
|
sae_groups += [27, 28, 29, 30]
|
||||||
heavy_groups = [14, 15, 16]
|
heavy_groups = [14, 15, 16]
|
||||||
|
suitable_groups = [15, 16, 17, 18, 19, 20, 21, 28, 29, 30]
|
||||||
groups = [str(g) for g in sae_groups]
|
groups = [str(g) for g in sae_groups]
|
||||||
params = hostapd.wpa2_params(ssid="test-sae-groups",
|
params = hostapd.wpa2_params(ssid="test-sae-groups",
|
||||||
passphrase="12345678")
|
passphrase="12345678")
|
||||||
@ -179,6 +180,11 @@ def test_sae_groups(dev, apdev):
|
|||||||
dev[0].remove_network(id)
|
dev[0].remove_network(id)
|
||||||
dev[0].dump_monitor()
|
dev[0].dump_monitor()
|
||||||
continue
|
continue
|
||||||
|
if int(g) not in suitable_groups:
|
||||||
|
logger.info("Ignore connection failure with unsuitable group " + g)
|
||||||
|
dev[0].remove_network(id)
|
||||||
|
dev[0].dump_monitor()
|
||||||
|
continue
|
||||||
raise Exception("Connection timed out with group " + g)
|
raise Exception("Connection timed out with group " + g)
|
||||||
if dev[0].get_status_field('sae_group') != g:
|
if dev[0].get_status_field('sae_group') != g:
|
||||||
raise Exception("Expected SAE group not used")
|
raise Exception("Expected SAE group not used")
|
||||||
@ -496,13 +502,10 @@ def test_sae_oom_wpas(dev, apdev):
|
|||||||
params = hostapd.wpa2_params(ssid="test-sae",
|
params = hostapd.wpa2_params(ssid="test-sae",
|
||||||
passphrase="12345678")
|
passphrase="12345678")
|
||||||
params['wpa_key_mgmt'] = 'SAE'
|
params['wpa_key_mgmt'] = 'SAE'
|
||||||
params['sae_groups'] = '19 25 26'
|
params['sae_groups'] = '19 25 26 20'
|
||||||
hapd = hostapd.add_ap(apdev[0], params)
|
hapd = hostapd.add_ap(apdev[0], params)
|
||||||
|
|
||||||
dev[0].request("SET sae_groups 25")
|
dev[0].request("SET sae_groups 20")
|
||||||
tls = dev[0].request("GET tls_library")
|
|
||||||
if "BoringSSL" in tls:
|
|
||||||
dev[0].request("SET sae_groups 26")
|
|
||||||
with alloc_fail(dev[0], 1, "sae_set_group"):
|
with alloc_fail(dev[0], 1, "sae_set_group"):
|
||||||
dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
|
dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
|
||||||
scan_freq="2412")
|
scan_freq="2412")
|
||||||
@ -828,7 +831,7 @@ def test_sae_no_ffc_by_default(dev, apdev):
|
|||||||
params['wpa_key_mgmt'] = 'SAE'
|
params['wpa_key_mgmt'] = 'SAE'
|
||||||
hapd = hostapd.add_ap(apdev[0], params)
|
hapd = hostapd.add_ap(apdev[0], params)
|
||||||
|
|
||||||
dev[0].request("SET sae_groups 5")
|
dev[0].request("SET sae_groups 15")
|
||||||
dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE", scan_freq="2412",
|
dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE", scan_freq="2412",
|
||||||
wait_connect=False)
|
wait_connect=False)
|
||||||
ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=3)
|
ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=3)
|
||||||
@ -888,7 +891,7 @@ def test_sae_reflection_attack_ecc(dev, apdev):
|
|||||||
@remote_compatible
|
@remote_compatible
|
||||||
def test_sae_reflection_attack_ffc(dev, apdev):
|
def test_sae_reflection_attack_ffc(dev, apdev):
|
||||||
"""SAE reflection attack (FFC)"""
|
"""SAE reflection attack (FFC)"""
|
||||||
sae_reflection_attack(apdev[0], dev[0], 5)
|
sae_reflection_attack(apdev[0], dev[0], 15)
|
||||||
|
|
||||||
def sae_reflection_attack_internal(apdev, dev, group):
|
def sae_reflection_attack_internal(apdev, dev, group):
|
||||||
if "SAE" not in dev.get_capability("auth_alg"):
|
if "SAE" not in dev.get_capability("auth_alg"):
|
||||||
@ -904,6 +907,9 @@ def sae_reflection_attack_internal(apdev, dev, group):
|
|||||||
dev.request("SET sae_groups %d" % group)
|
dev.request("SET sae_groups %d" % group)
|
||||||
dev.connect("test-sae", psk="reflection-attack", key_mgmt="SAE",
|
dev.connect("test-sae", psk="reflection-attack", key_mgmt="SAE",
|
||||||
scan_freq="2412", wait_connect=False)
|
scan_freq="2412", wait_connect=False)
|
||||||
|
ev = dev.wait_event(["SME: Trying to authenticate"], timeout=10)
|
||||||
|
if ev is None:
|
||||||
|
raise Exception("No authentication attempt seen")
|
||||||
ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
|
ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
|
||||||
if ev is not None:
|
if ev is not None:
|
||||||
raise Exception("Unexpected connection")
|
raise Exception("Unexpected connection")
|
||||||
@ -916,7 +922,7 @@ def test_sae_reflection_attack_ecc_internal(dev, apdev):
|
|||||||
@remote_compatible
|
@remote_compatible
|
||||||
def test_sae_reflection_attack_ffc_internal(dev, apdev):
|
def test_sae_reflection_attack_ffc_internal(dev, apdev):
|
||||||
"""SAE reflection attack (FFC) - internal"""
|
"""SAE reflection attack (FFC) - internal"""
|
||||||
sae_reflection_attack_internal(apdev[0], dev[0], 5)
|
sae_reflection_attack_internal(apdev[0], dev[0], 15)
|
||||||
|
|
||||||
@remote_compatible
|
@remote_compatible
|
||||||
def test_sae_commit_override(dev, apdev):
|
def test_sae_commit_override(dev, apdev):
|
||||||
@ -1023,7 +1029,7 @@ def test_sae_pwe_failure(dev, apdev):
|
|||||||
raise HwsimSkip("SAE not supported")
|
raise HwsimSkip("SAE not supported")
|
||||||
params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
|
params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
|
||||||
params['wpa_key_mgmt'] = 'SAE'
|
params['wpa_key_mgmt'] = 'SAE'
|
||||||
params['sae_groups'] = '19 5'
|
params['sae_groups'] = '19 15'
|
||||||
hapd = hostapd.add_ap(apdev[0], params)
|
hapd = hostapd.add_ap(apdev[0], params)
|
||||||
|
|
||||||
dev[0].request("SET sae_groups 19")
|
dev[0].request("SET sae_groups 19")
|
||||||
@ -1038,14 +1044,14 @@ def test_sae_pwe_failure(dev, apdev):
|
|||||||
dev[0].request("REMOVE_NETWORK all")
|
dev[0].request("REMOVE_NETWORK all")
|
||||||
dev[0].wait_disconnected()
|
dev[0].wait_disconnected()
|
||||||
|
|
||||||
dev[0].request("SET sae_groups 5")
|
dev[0].request("SET sae_groups 15")
|
||||||
with fail_test(dev[0], 1, "hmac_sha256_vector;sae_derive_pwe_ffc"):
|
with fail_test(dev[0], 1, "hmac_sha256_vector;sae_derive_pwe_ffc"):
|
||||||
dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
|
dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
|
||||||
scan_freq="2412")
|
scan_freq="2412")
|
||||||
dev[0].request("REMOVE_NETWORK all")
|
dev[0].request("REMOVE_NETWORK all")
|
||||||
dev[0].wait_disconnected()
|
dev[0].wait_disconnected()
|
||||||
|
|
||||||
dev[0].request("SET sae_groups 5")
|
dev[0].request("SET sae_groups 15")
|
||||||
with fail_test(dev[0], 1, "sae_test_pwd_seed_ffc"):
|
with fail_test(dev[0], 1, "sae_test_pwd_seed_ffc"):
|
||||||
dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
|
dev[0].connect("test-sae", psk="12345678", key_mgmt="SAE",
|
||||||
scan_freq="2412")
|
scan_freq="2412")
|
||||||
@ -1064,7 +1070,7 @@ def test_sae_bignum_failure(dev, apdev):
|
|||||||
raise HwsimSkip("SAE not supported")
|
raise HwsimSkip("SAE not supported")
|
||||||
params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
|
params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
|
||||||
params['wpa_key_mgmt'] = 'SAE'
|
params['wpa_key_mgmt'] = 'SAE'
|
||||||
params['sae_groups'] = '19 5 22'
|
params['sae_groups'] = '19 15 22'
|
||||||
hapd = hostapd.add_ap(apdev[0], params)
|
hapd = hostapd.add_ap(apdev[0], params)
|
||||||
|
|
||||||
dev[0].request("SET sae_groups 19")
|
dev[0].request("SET sae_groups 19")
|
||||||
@ -1105,7 +1111,7 @@ def test_sae_bignum_failure(dev, apdev):
|
|||||||
dev[0].dump_monitor()
|
dev[0].dump_monitor()
|
||||||
hapd.dump_monitor()
|
hapd.dump_monitor()
|
||||||
|
|
||||||
dev[0].request("SET sae_groups 5")
|
dev[0].request("SET sae_groups 15")
|
||||||
tests = [(1, "crypto_bignum_init_set;sae_set_group"),
|
tests = [(1, "crypto_bignum_init_set;sae_set_group"),
|
||||||
(2, "crypto_bignum_init_set;sae_set_group"),
|
(2, "crypto_bignum_init_set;sae_set_group"),
|
||||||
(1, "crypto_bignum_init_set;sae_get_rand"),
|
(1, "crypto_bignum_init_set;sae_get_rand"),
|
||||||
@ -1134,6 +1140,15 @@ def test_sae_bignum_failure(dev, apdev):
|
|||||||
dev[0].dump_monitor()
|
dev[0].dump_monitor()
|
||||||
hapd.dump_monitor()
|
hapd.dump_monitor()
|
||||||
|
|
||||||
|
def test_sae_bignum_failure_unsafe_group(dev, apdev):
|
||||||
|
"""SAE and bignum failure unsafe group"""
|
||||||
|
if "SAE" not in dev[0].get_capability("auth_alg"):
|
||||||
|
raise HwsimSkip("SAE not supported")
|
||||||
|
params = hostapd.wpa2_params(ssid="test-sae", passphrase="12345678")
|
||||||
|
params['wpa_key_mgmt'] = 'SAE'
|
||||||
|
params['sae_groups'] = '22'
|
||||||
|
hapd = hostapd.add_ap(apdev[0], params)
|
||||||
|
|
||||||
dev[0].request("SET sae_groups 22")
|
dev[0].request("SET sae_groups 22")
|
||||||
tests = [(1, "crypto_bignum_init_set;sae_test_pwd_seed_ffc"),
|
tests = [(1, "crypto_bignum_init_set;sae_test_pwd_seed_ffc"),
|
||||||
(1, "crypto_bignum_sub;sae_test_pwd_seed_ffc"),
|
(1, "crypto_bignum_sub;sae_test_pwd_seed_ffc"),
|
||||||
@ -1344,7 +1359,7 @@ def test_sae_password_id_ecc(dev, apdev):
|
|||||||
|
|
||||||
def test_sae_password_id_ffc(dev, apdev):
|
def test_sae_password_id_ffc(dev, apdev):
|
||||||
"""SAE and password identifier (FFC)"""
|
"""SAE and password identifier (FFC)"""
|
||||||
run_sae_password_id(dev, apdev, "22")
|
run_sae_password_id(dev, apdev, "15")
|
||||||
|
|
||||||
def test_sae_password_id_only(dev, apdev):
|
def test_sae_password_id_only(dev, apdev):
|
||||||
"""SAE and password identifier (exclusively)"""
|
"""SAE and password identifier (exclusively)"""
|
||||||
|
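Review bot: In test_sae_groups, the added `if int(g) not in suitable_groups:` branch accepts every connection timeout with an unsuitable group, so on a build that still enables those groups (CONFIG_TESTING_OPTIONS defined, per the commit message) a real regression in one of them would now pass silently. On a production build the branch also never verifies that the group was actually rejected rather than merely slow to complete. Consider tolerating the timeout only when the build is known to disable unsuitable groups, and otherwise keeping the `raise Exception("Connection timed out with group " + g)` path. At minimum the branch should carry a comment such as `# Unsuitable groups may be disabled in production builds; a timeout here is tolerated, not verified as a rejection`. The three cleanup lines repeat the branch just above them, and the enclosing loop starts outside the visible hunk, so the earlier condition could not be checked.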