From patchwork Thu Apr 4 18:16:08 2024
X-Patchwork-Submitter: Juliusz Sosinowicz
X-Patchwork-Id: 1919900
From: Juliusz Sosinowicz
To: hostap@lists.infradead.org
Cc: Juliusz Sosinowicz
Subject: [PATCH 02/24] wolfssl: implement suiteb ciphersuite
Date: Thu, 4 Apr 2024 20:16:08 +0200
Message-Id: <20240404181630.2431991-2-juliusz@wolfssl.com>
In-Reply-To: <20240404181630.2431991-1-juliusz@wolfssl.com>
References: <20240404181630.2431991-1-juliusz@wolfssl.com>

Signed-off-by: Juliusz Sosinowicz
---
 src/crypto/tls_wolfssl.c    | 166 +++++++++++++++++++++++++++++-------
 tests/hwsim/test_suite_b.py |  31 +++++--
 2 files changed, 162 insertions(+), 35 deletions(-)

diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c
index 4db23e14ff..25616f2c7a 100644
--- a/src/crypto/tls_wolfssl.c
+++ b/src/crypto/tls_wolfssl.c
@@ -223,11 +223,127 @@ static void wolfSSL_logging_cb(const int log_level, #endif /* DEBUG_WOLFSSL */ +#define SUITEB_OLDTLS_192_CIPHERS "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384" +#define SUITEB_TLS13_192_CIPHERS "TLS13-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256" +#define SUITEB_TLS_192_CIPHERS SUITEB_TLS13_192_CIPHERS ":" SUITEB_OLDTLS_192_CIPHERS + +#define SUITEB_OLDTLS_128_CIPHERS SUITEB_OLDTLS_192_CIPHERS ":ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256" +#define SUITEB_TLS13_128_CIPHERS SUITEB_TLS13_192_CIPHERS ":TLS13-AES128-GCM-SHA256" +#define SUITEB_TLS_128_CIPHERS SUITEB_TLS13_128_CIPHERS ":" SUITEB_OLDTLS_128_CIPHERS + +#define SUITEB_TLS_192_SIGALGS "ECDSA+SHA384:RSA-PSS+SHA384:RSA+SHA384" +#define SUITEB_TLS_128_SIGALGS SUITEB_TLS_192_SIGALGS ":ECDSA+SHA256:RSA-PSS+SHA256:RSA+SHA256" + +#define SUITEB_TLS_192_CURVES "P-384:P-521" +#define SUITEB_TLS_128_CURVES "P-256:" SUITEB_TLS_192_CURVES + +static int handle_ciphersuites(WOLFSSL_CTX* ssl_ctx, WOLFSSL* ssl, + const char* openssl_ciphers, unsigned int flags) +{ + const char* ciphers = "DEFAULT:!aNULL"; + const char* sigalgs = NULL; + const char* curves = NULL; + unsigned int tls13 = !(flags & TLS_CONN_DISABLE_TLSv1_3); + unsigned int tls13OnlyMask = TLS_CONN_DISABLE_TLSv1_2 | + TLS_CONN_DISABLE_TLSv1_1 | TLS_CONN_DISABLE_TLSv1_0; + unsigned int oldTlsOnly = ((flags & tls13OnlyMask) != tls13OnlyMask) && !tls13; + unsigned int tls13only = ((flags & tls13OnlyMask) == tls13OnlyMask) && + !(flags & TLS_CONN_DISABLE_TLSv1_3); + short keySz = 0; + short eccKeySz = 0; + if (openssl_ciphers) { + if (os_strcmp(openssl_ciphers, "SUITEB128") == 0) { + if (tls13only) + ciphers = SUITEB_TLS13_128_CIPHERS; + else if (oldTlsOnly) + ciphers = SUITEB_OLDTLS_128_CIPHERS; + else + ciphers = SUITEB_TLS_128_CIPHERS; + sigalgs = SUITEB_TLS_128_SIGALGS; + keySz = 2048; + eccKeySz = 224; + curves = SUITEB_TLS_128_CURVES; + } + else if 
(os_strcmp(openssl_ciphers, "SUITEB192") == 0) { + if (tls13only) + ciphers = SUITEB_TLS13_192_CIPHERS; + else if (oldTlsOnly) + ciphers = SUITEB_OLDTLS_192_CIPHERS; + else + ciphers = SUITEB_TLS_192_CIPHERS; + sigalgs = SUITEB_TLS_192_SIGALGS; + keySz = 3072; + eccKeySz = 256; + curves = SUITEB_TLS_192_CURVES; + } + else + ciphers = openssl_ciphers; + } + else if (flags & TLS_CONN_SUITEB) { + if (tls13only) + ciphers = SUITEB_TLS13_192_CIPHERS; + else if (oldTlsOnly) + ciphers = SUITEB_OLDTLS_192_CIPHERS; + else + ciphers = SUITEB_TLS_192_CIPHERS; + sigalgs = SUITEB_TLS_192_SIGALGS; + keySz = 3072; + eccKeySz = 256; + curves = SUITEB_TLS_192_CURVES; + } + wpa_printf(MSG_DEBUG, "wolfSSL: cipher suites for %s", ssl_ctx ? "ctx" : "ssl"); + wpa_printf(MSG_DEBUG, "wolfSSL: openssl_ciphers: %s", openssl_ciphers ? openssl_ciphers : "N/A"); + wpa_printf(MSG_DEBUG, "wolfSSL: cipher suites: %s", ciphers ? ciphers : "N/A"); + wpa_printf(MSG_DEBUG, "wolfSSL: sigalgs: %s", sigalgs ? sigalgs : "N/A"); + wpa_printf(MSG_DEBUG, "wolfSSL: key size: %d", keySz); + if (ciphers) { + if ((ssl_ctx && wolfSSL_CTX_set_cipher_list(ssl_ctx, ciphers) != 1) || + (ssl && wolfSSL_set_cipher_list(ssl, ciphers) != 1)) { + wpa_printf(MSG_ERROR, + "wolfSSL: Failed to set cipher string '%s'", ciphers); + return -1; + } + } + if (sigalgs) { + if ((ssl_ctx && wolfSSL_CTX_set1_sigalgs_list(ssl_ctx, sigalgs) != 1) || + (ssl && wolfSSL_set1_sigalgs_list(ssl, sigalgs) != 1)) { + wpa_printf(MSG_ERROR, + "wolfSSL: Failed to set sigalgs '%s'", sigalgs); + return -1; + } + } + if (keySz) { + if ((ssl_ctx && wolfSSL_CTX_SetMinRsaKey_Sz(ssl_ctx, keySz) != 1) || + (ssl && wolfSSL_SetMinRsaKey_Sz(ssl, keySz) != 1) || + (ssl_ctx && wolfSSL_CTX_SetMinDhKey_Sz(ssl_ctx, keySz) != 1) || + (ssl && wolfSSL_SetMinDhKey_Sz(ssl, keySz) != 1)) { + wpa_printf(MSG_ERROR, "wolfSSL: Failed to set min key size"); + return -1; + } + } + if (eccKeySz) { + if ((ssl_ctx && wolfSSL_CTX_SetMinEccKey_Sz(ssl_ctx, eccKeySz) != 1) || + 
(ssl && wolfSSL_SetMinEccKey_Sz(ssl, eccKeySz) != 1) || + (ssl_ctx && wolfSSL_CTX_SetTmpEC_DHE_Sz(ssl_ctx, eccKeySz/8) != 1) || + (ssl && wolfSSL_SetTmpEC_DHE_Sz(ssl, eccKeySz/8) != 1)) { + wpa_printf(MSG_ERROR, "wolfSSL: Failed to set min ecc key size"); + return -1; + } + } + if (curves) { + if ((ssl_ctx && wolfSSL_CTX_set1_curves_list(ssl_ctx, curves) != 1) || + (ssl && wolfSSL_set1_curves_list(ssl, curves) != 1)) { + wpa_printf(MSG_ERROR, "wolfSSL: Failed to set curves"); + return -1; + } + } + return 0; +} + void * tls_init(const struct tls_config *conf) { WOLFSSL_CTX *ssl_ctx; struct tls_context *context; - const char *ciphers; #ifdef DEBUG_WOLFSSL wolfSSL_SetLoggingCb(wolfSSL_logging_cb); @@ -280,19 +396,14 @@ void * tls_init(const struct tls_config *conf) WOLFSSL_SESS_CACHE_OFF); } - if (conf && conf->openssl_ciphers) - ciphers = conf->openssl_ciphers; - else - ciphers = "ALL"; - wpa_printf(MSG_DEBUG, "wolfSSL: cipher suites: %s", ciphers); - if (wolfSSL_CTX_set_cipher_list(ssl_ctx, ciphers) != 1) { - wpa_printf(MSG_ERROR, - "wolfSSL: Failed to set cipher string '%s'", - ciphers); + if (handle_ciphersuites(ssl_ctx, NULL, conf->openssl_ciphers, + conf ? conf->tls_flags : 0) != 0) { + wpa_printf(MSG_INFO, "Error setting ciphersuites"); tls_deinit(ssl_ctx); return NULL; } + return ssl_ctx; } @@ -819,6 +930,8 @@ static enum tls_fail_reason wolfssl_tls_fail_reason(int err) case X509_V_ERR_CERT_UNTRUSTED: case X509_V_ERR_CERT_REJECTED: return TLS_FAIL_BAD_CERTIFICATE; + case RSA_KEY_SIZE_E: + return TLS_FAIL_INSUFFICIENT_KEY_LEN; default: return TLS_FAIL_UNSPECIFIED; } 
@@ -1324,13 +1437,9 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn, return -1; } - wpa_printf(MSG_DEBUG, "wolfSSL: cipher suites: %s", - params->openssl_ciphers ? params->openssl_ciphers : "N/A"); - if (params->openssl_ciphers && - wolfSSL_set_cipher_list(conn->ssl, params->openssl_ciphers) != 1) { - wpa_printf(MSG_INFO, - "wolfSSL: Failed to set cipher string '%s'", - params->openssl_ciphers); + if (handle_ciphersuites(NULL, conn->ssl, params->openssl_ciphers, + params->flags) != 0) { + wpa_printf(MSG_INFO, "Error setting ciphersuites"); return -1; } @@ -1556,14 +1665,9 @@ int tls_global_set_params(void *tls_ctx, return -1; } - wpa_printf(MSG_DEBUG, "wolfSSL: cipher suites: %s", - params->openssl_ciphers ? params->openssl_ciphers : "N/A"); - if (params->openssl_ciphers && - wolfSSL_CTX_set_cipher_list(tls_ctx, - params->openssl_ciphers) != 1) { - wpa_printf(MSG_INFO, - "wolfSSL: Failed to set cipher string '%s'", - params->openssl_ciphers); + if (handle_ciphersuites(tls_ctx, NULL, params->openssl_ciphers, + params->flags) != 0) { + wpa_printf(MSG_INFO, "Error setting ciphersuites"); return -1; } @@ -1870,7 +1974,7 @@ int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn, if (!conn || !conn->ssl || !ciphers) return -1; - buf[0] = '\0'; + buf[0] = buf[1] = '\0'; pos = buf; end = pos + sizeof(buf); @@ -1910,9 +2014,8 @@ int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn, c++; } - wpa_printf(MSG_DEBUG, "wolfSSL: cipher suites: %s", buf + 1); - - if (wolfSSL_set_cipher_list(conn->ssl, buf + 1) != 1) { + /* +1 to skip the ":" */ + if (handle_ciphersuites(NULL, conn->ssl, buf + 1, conn->flags) != 0) { wpa_printf(MSG_DEBUG, "Cipher suite configuration failed"); return -1; } 
@@ -1929,7 +2032,10 @@ int tls_get_cipher(void *tls_ctx, struct tls_connection *conn, if (!conn || !conn->ssl) return -1; - name = wolfSSL_get_cipher_name(conn->ssl); + if (wolfSSL_version(conn->ssl) == TLS1_3_VERSION) + name = wolfSSL_get_cipher(conn->ssl); + else + name = wolfSSL_get_cipher_name(conn->ssl); if (!name) return -1; diff --git a/tests/hwsim/test_suite_b.py b/tests/hwsim/test_suite_b.py index d03a39deef..59e255a3c6 100644 --- a/tests/hwsim/test_suite_b.py +++ b/tests/hwsim/test_suite_b.py @@ -74,7 +74,8 @@ def test_suite_b(dev, apdev): hapd.wait_sta() tls_cipher = dev[0].get_status_field("EAP TLS cipher") if tls_cipher != "ECDHE-ECDSA-AES128-GCM-SHA256" and \ - tls_cipher != "ECDHE-ECDSA-AES-128-GCM-AEAD": + tls_cipher != "ECDHE-ECDSA-AES-128-GCM-AEAD" and \ + tls_cipher != "ECDHE-ECDSA-AES256-GCM-SHA384": raise Exception("Unexpected TLS cipher: " + tls_cipher) bss = dev[0].get_bss(apdev[0]['bssid']) @@ -488,7 +489,16 @@ def test_suite_b_192_rsa_insufficient_key(dev, apdev): params["ca_cert"] = "auth_serv/ca.pem" params["server_cert"] = "auth_serv/server.pem" params["private_key"] = "auth_serv/server.key" - hapd = hostapd.add_ap(apdev[0], params) + + try: + hapd = hostapd.add_ap(apdev[0], params) + except: + hapd = hostapd.add_ap(apdev[0], suite_b_192_rsa_ap_params()) + tls = hapd.request("GET tls_library") + if tls.startswith("wolfSSL"): + # wolfSSL fails during key loading with too short key + return + raise dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192", ieee80211w="2", @@ -505,6 +515,8 @@ def test_suite_b_192_rsa_insufficient_key(dev, apdev): raise Exception("Certificate error not reported") if "reason=11" in ev and "err='Insufficient RSA modulus size'" in ev: return + if "reason=11" in ev and "err='RSA key too small'" in ev: + return if "reason=7" in ev and "err='certificate uses insecure algorithm'" in ev: return raise Exception("Unexpected error reason: " + ev) 
@@ -516,7 +528,16 @@ def test_suite_b_192_rsa_insufficient_dh(dev, apdev): params = suite_b_192_rsa_ap_params() params["tls_flags"] = "[SUITEB-NO-ECDH]" params["dh_file"] = "auth_serv/dh.conf" - hapd = hostapd.add_ap(apdev[0], params) + try: + hapd = hostapd.add_ap(apdev[0], params) + except: + hapd = hostapd.add_ap(apdev[0], suite_b_192_rsa_ap_params()) + tls = hapd.request("GET tls_library") + if tls.startswith("wolfSSL"): + # wolfSSL fails during key loading with too short key + return + raise + dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192", ieee80211w="2", @@ -528,14 +549,14 @@ def test_suite_b_192_rsa_insufficient_dh(dev, apdev): pairwise="GCMP-256", group="GCMP-256", scan_freq="2412", wait_connect=False) ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS status='local TLS alert'", - "CTRL-EVENT-CONNECTED"], + "CTRL-EVENT-CONNECTED", "CTRL-EVENT-EAP-FAILURE"], timeout=10) dev[0].request("DISCONNECT") if ev is None: raise Exception("DH error not reported") if "CTRL-EVENT-CONNECTED" in ev: raise Exception("Unexpected connection") - if "insufficient security" not in ev and "internal error" not in ev: + if "insufficient security" not in ev and "internal error" not in ev and "authentication failed" not in ev: raise Exception("Unexpected error reason: " + ev) def test_suite_b_192_rsa_radius(dev, apdev):
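Review bot: in the handle_ciphersuites hunk (@@ -223,11 +223,127), TLS13-CHACHA20-POLY1305-SHA256 does not belong in SUITEB_TLS13_192_CIPHERS. Suite B at the 192-bit level is AES-256-GCM with SHA-384, and SUITEB_TLS_192_SIGALGS a few lines below is SHA384-only, yet with this list a TLS 1.3 peer offering only ChaCha20-Poly1305 is accepted under both SUITEB192 and the TLS_CONN_SUITEB flag. Suggest reducing the 192 list to "TLS13-AES256-GCM-SHA384"; because SUITEB_TLS13_128_CIPHERS is built on top of it, either drop ChaCha20 there as well or add a comment saying why it is permitted at the 128-bit level. In the same hunk eccKeySz does not agree with the curve lists: for SUITEB192 it is 256, so wolfSSL_SetMinEccKey_Sz still accepts a P-256 certificate key and wolfSSL_SetTmpEC_DHE_Sz(eccKeySz/8) requests a 32-byte ephemeral key while SUITEB_TLS_192_CURVES permits only P-384:P-521; for SUITEB128 it is 224, below the smallest permitted curve P-256. Suggest eccKeySz = 384 and 256 respectively, or a comment explaining why the minimum is deliberately lower than the permitted curves. The debug output also omits the curves string, which is the one setting most likely to explain a handshake failure.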
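Review bot: conf is dereferenced before its NULL check in the tls_init hunk (@@ -280,19 +396,14): `handle_ciphersuites(ssl_ctx, NULL, conf->openssl_ciphers, conf ? conf->tls_flags : 0)` reads conf->openssl_ciphers unconditionally, whereas the removed code guarded it with `if (conf && conf->openssl_ciphers)`. Suggest `conf ? conf->openssl_ciphers : NULL` to match the flags argument, or one `if (conf)` around both. The new default of "DEFAULT:!aNULL" also replaces the previous "ALL" for every build that sets no openssl_ciphers, which is a behaviour change worth a sentence in the commit message.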
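Review bot: the wolfssl_tls_fail_reason hunk (@@ -819,6 +930,8) maps only RSA_KEY_SIZE_E to TLS_FAIL_INSUFFICIENT_KEY_LEN, but handle_ciphersuites now also enforces minimum DH and ECC sizes through wolfSSL_CTX_SetMinDhKey_Sz and wolfSSL_CTX_SetMinEccKey_Sz, so an undersized DH group or ECC key still surfaces as TLS_FAIL_UNSPECIFIED. If the wolfSSL build exposes the DH and ECC counterparts of RSA_KEY_SIZE_E, map them here as well; the test change that accepts a bare "authentication failed" in test_suite_b_192_rsa_insufficient_dh suggests the DH case currently is not reported as insufficient security.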
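Review bot: in the tls_connection_set_params hunk (@@ -1324,13 +1437,9) a NULL params->openssl_ciphers no longer leaves the connection's cipher list alone. ciphers in handle_ciphersuites is initialised to "DEFAULT:!aNULL" and is never NULL, so the `if (ciphers)` branch always runs and wolfSSL_set_cipher_list(ssl, "DEFAULT:!aNULL") is applied to every connection, overriding whatever tls_init or tls_global_set_params configured on the context; the removed code only called wolfSSL_set_cipher_list when params->openssl_ciphers was set. Suggest initialising ciphers to NULL and applying the default only in tls_init, where the old "ALL" lived. The same applies to the identical call in the tls_global_set_params hunk. The replacement message "Error setting ciphersuites" also drops the "wolfSSL: " prefix used everywhere else in the file, and since handle_ciphersuites already logs the specific failure at MSG_ERROR, the MSG_INFO line is redundant.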
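Review bot: in the tls_connection_set_cipher_list hunk (@@ -1870,7 +1974,7 and @@ -1910,9 +2014,8), `buf[0] = buf[1] = '\0'` makes `buf + 1` a valid empty string when no entry in the list matched, but that empty string is then handed to handle_ciphersuites as openssl_ciphers, where it matches neither SUITEB128 nor SUITEB192 and is passed straight to wolfSSL_set_cipher_list as "", with the failure reported only as "Cipher suite configuration failed". Suggest returning -1 with an explicit "no supported cipher suites" message when buf[1] == '\0' before the call, and keeping a debug line with the assembled string, which the hunk removes.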
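Review bot: the tls_get_cipher hunk (@@ -1929,7 +2032,10) switches to wolfSSL_get_cipher for TLS 1.3 without saying why wolfSSL_get_cipher_name is unsuitable there, and the result is that the "EAP TLS cipher" status field reports a different spelling depending on the negotiated version. Suggest a one-line comment on what each call returns for a TLS 1.3 session, and if possible normalising the output so callers and hwsim tests match one name per suite.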
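Review bot: test_suite_b (@@ -74,7 +74,8) is the 128-bit Suite B case, yet the hunk now accepts ECDHE-ECDSA-AES256-GCM-SHA384. That follows from SUITEB_OLDTLS_128_CIPHERS being defined as the 192-bit list followed by the AES128 suites, so whichever side runs wolfSSL prefers AES-256-GCM over AES-128-GCM whenever the peer offers both. If that preference is intentional it belongs in the commit message; otherwise list the AES128 suites first in SUITEB_OLDTLS_128_CIPHERS and SUITEB_TLS13_128_CIPHERS and leave the assertion as it was.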
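Review bot: the bare `except:` in the test_suite_b_192_rsa_insufficient_key hunk (@@ -488,7 +489,16) swallows every exception, including KeyboardInterrupt; use `except Exception`. The fallback then returns as soon as tls_library starts with "wolfSSL" without checking that add_ap failed for the reason the comment gives (key too short), so any hostapd start-up failure passes this test under wolfSSL; capture the exception and check its message, or at least log it before returning. The same block is repeated verbatim in the test_suite_b_192_rsa_insufficient_dh hunk (@@ -516,7 +528,16); factor it into a helper in the test module.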
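Review bot: accepting CTRL-EVENT-EAP-FAILURE with "authentication failed" in the last hunk (@@ -528,14 +549,14) weakens test_suite_b_192_rsa_insufficient_dh: any EAP failure now passes, so the test no longer shows that the too-small DH group is what the client rejected. Suggest gating the relaxed match on tls_library starting with "wolfSSL" and pairing it with a check of the local TLS alert or reported fail reason, which ties back to mapping wolfSSL's DH key-size error in wolfssl_tls_fail_reason so the wolfSSL path can report "insufficient security" like the others.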