From patchwork Fri Apr 16 06:13:32 2021
X-Patchwork-Submitter: michael-dev
X-Patchwork-Id: 1466854
From: michael-dev@fami-braun.de
To: hostap@lists.infradead.org
Cc: projekt-wlan@fem.tu-ilmenau.de, michael-dev@fami-braun.de
Subject: [PATCH 2/2] test: SAE password with Tunnel-Password
Date: Fri, 16 Apr 2021 08:13:32 +0200
Message-Id: <20210416061332.16388-3-michael-dev@fami-braun.de>
In-Reply-To: <20210416061332.16388-1-michael-dev@fami-braun.de>
References: <20210416061332.16388-1-michael-dev@fami-braun.de>

From: Michael Braun

Signed-off-by: Michael Braun
---
 tests/hwsim/dictionary.radius |   1 +
 tests/hwsim/test_radius.py    | 119 +++++++++++++++++++++++++++++++++-
 2 files changed, 119 insertions(+), 1 deletion(-)
diff --git a/tests/hwsim/dictionary.radius b/tests/hwsim/dictionary.radius index d2112dad3..923c1220e 100644 --- a/tests/hwsim/dictionary.radius +++ b/tests/hwsim/dictionary.radius @@ -17,4 +17,5 @@ ATTRIBUTE Message-Authenticator 80 octets ATTRIBUTE Tunnel-Private-Group-ID 81 string ATTRIBUTE Acct-Interim-Interval 85 integer ATTRIBUTE Chargeable-User-Identity 89 string +ATTRIBUTE Tunnel-Client-Auth-ID 90 octets ATTRIBUTE Error-Cause 101 integer diff --git a/tests/hwsim/test_radius.py b/tests/hwsim/test_radius.py index ca96c979e..ec359bd0e 100644 --- a/tests/hwsim/test_radius.py +++ b/tests/hwsim/test_radius.py @@ -1167,8 +1167,12 @@ def build_tunnel_password(secret, authenticator, psk): data = b'\x00' + a + bytes(cc_all) return data +def build_tunnel_identity(id): + return b'\x00' + id.encode() + def start_radius_psk_server(psk, invalid_code=False, acct_interim_interval=0, - session_timeout=0, reject=False): + session_timeout=0, reject=False, sae_identity=None, + sae_identity2=None): try: import pyrad.server import pyrad.packet @@ -1195,6 +1199,13 @@ def start_radius_psk_server(psk, invalid_code=False, acct_interim_interval=0, if self.t_events['session_timeout']: reply.AddAttribute("Session-Timeout", self.t_events['session_timeout']) + if self.t_events['sae_identity']: + data = build_tunnel_identity(self.t_events['sae_identity']) + reply.AddAttribute("Tunnel-Client-Auth-ID", data) + if self.t_events['sae_identity2']: + data = build_tunnel_identity(self.t_events['sae_identity2']) + reply.AddAttribute("Tunnel-Client-Auth-ID", data) + self.SendReplyPacket(pkt.fd, reply) def RunWithStop(self, t_events): 
@@ -1231,6 +1242,8 @@ def start_radius_psk_server(psk, invalid_code=False, acct_interim_interval=0, t_events['invalid_code'] = invalid_code t_events['acct_interim_interval'] = acct_interim_interval t_events['session_timeout'] = session_timeout + t_events['sae_identity'] = sae_identity + t_events['sae_identity2'] = sae_identity2 t_events['reject'] = reject t = threading.Thread(target=run_pyrad_server, args=(srv, t_events)) t.start() @@ -1247,6 +1260,28 @@ def hostapd_radius_psk_test_params(): params['auth_server_port'] = "18138" return params +def hostapd_radius_sae_test_params(): + params = hostapd.radius_params() + params['ssid'] = "test-wpa3-sae" + params["wpa"] = "2" + params["wpa_key_mgmt"] = "SAE" + params["rsn_pairwise"] = "CCMP" + params['macaddr_acl'] = '2' + params['wpa_psk_radius'] = '2' + params['auth_server_port'] = "18138" + return params + +def hostapd_radius_sae_ft_test_params(): + params = hostapd.radius_params() + params['ssid'] = "test-wpa3-sae-ft" + params["wpa"] = "2" + params["wpa_key_mgmt"] = "FT-SAE" + params["rsn_pairwise"] = "CCMP" + params['macaddr_acl'] = '2' + params['wpa_psk_radius'] = '2' + params['auth_server_port'] = "18138" + return params + def test_radius_psk(dev, apdev): """WPA2 with PSK from RADIUS""" t, t_events = start_radius_psk_server("12345678") 
@@ -1708,3 +1743,85 @@ def test_radius_acct_failure_sta_data(dev, apdev): dev[0].request("DISCONNECT") dev[0].wait_disconnected() hapd.wait_event(["AP-STA-DISCONNECTED"], timeout=1) + +def test_radius_sae(dev, apdev): + """WPA3 with SAE from RADIUS""" + t, t_events = start_radius_psk_server("12345678") + + try: + params = hostapd_radius_sae_test_params() + hapd = hostapd.add_ap(apdev[0], params) + dev[0].connect("test-wpa3-sae", sae_password="12345678", key_mgmt="SAE", + scan_freq="2412") + t_events['psk'] = "0123456789abcdef" + dev[1].connect("test-wpa3-sae", sae_password="0123456789abcdef", key_mgmt="SAE", + scan_freq="2412") + finally: + t_events['stop'].set() + t.join() + +def test_radius_sae_ft(dev, apdev): + """WPA3 with FT-SAE from RADIUS""" + t, t_events = start_radius_psk_server("12345678") + + try: + params = hostapd_radius_sae_ft_test_params() + hapd = hostapd.add_ap(apdev[0], params) + dev[0].connect("test-wpa3-sae-ft", sae_password="12345678", key_mgmt="FT-SAE", + scan_freq="2412") + t_events['psk'] = "0123456789abcdef" + dev[1].connect("test-wpa3-sae-ft", sae_password="0123456789abcdef", key_mgmt="FT-SAE", + scan_freq="2412") + finally: + t_events['stop'].set() + t.join() + +def test_radius_sae_id(dev, apdev): + """WPA3 with SAE from RADIUS with SAE password identity""" + t, t_events = start_radius_psk_server("12345678", sae_identity="user0") + + try: + params = hostapd_radius_sae_test_params() + hapd = hostapd.add_ap(apdev[0], params) + dev[0].connect("test-wpa3-sae", sae_password="12345678", key_mgmt="SAE", + scan_freq="2412", sae_password_id="user0") + t_events['psk'] = "0123456789abcdef" + t_events['sae_identity'] = "user1" + dev[1].connect("test-wpa3-sae", sae_password="0123456789abcdef", key_mgmt="SAE", + scan_freq="2412", sae_password_id="user1") + finally: + t_events['stop'].set() + t.join() + +def test_radius_sae_id_ft(dev, apdev): + """WPA3 with FT-SAE from RADIUS with SAE password identity""" + t, t_events = 
start_radius_psk_server("12345678", sae_identity="user0") + + try: + params = hostapd_radius_sae_ft_test_params() + hapd = hostapd.add_ap(apdev[0], params) + dev[0].connect("test-wpa3-sae-ft", sae_password="12345678", key_mgmt="FT-SAE", + scan_freq="2412", sae_password_id="user0") + t_events['psk'] = "0123456789abcdef" + t_events['sae_identity'] = "user1" + dev[1].connect("test-wpa3-sae-ft", sae_password="0123456789abcdef", key_mgmt="FT-SAE", + scan_freq="2412", sae_password_id="user1") + finally: + t_events['stop'].set() + t.join() + +def test_radius_sae_multi_id(dev, apdev): + """WPA3 with SAE from RADIUS with multiple SAE password identity""" + t, t_events = start_radius_psk_server("12345678", sae_identity="user0", sae_identity2="user1") + + try: + params = hostapd_radius_sae_test_params() + hapd = hostapd.add_ap(apdev[0], params) + dev[0].connect("test-wpa3-sae", sae_password="12345678", key_mgmt="SAE", + scan_freq="2412", sae_password_id="user0") + dev[1].connect("test-wpa3-sae", sae_password="12345678", key_mgmt="SAE", + scan_freq="2412", sae_password_id="user1") + finally: + t_events['stop'].set() + t.join() +
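
Review bot: In tests/hwsim/dictionary.radius, the new Tunnel-Client-Auth-ID 90 entry is typed octets while the neighbouring Tunnel-Private-Group-ID 81 is typed string, and nothing explains the difference. The only visible reason is that build_tunnel_identity() prepends a raw b'\x00' byte by hand, so a short comment stating that the type is octets to let the test control that leading byte would keep someone from "fixing" it to string later.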
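
Review bot: In the test_radius.py hunk at @@ -1167,8 +1167,12, build_tunnel_identity(id) names its parameter after the Python builtin id and gives no hint what the leading b'\x00' is. Rename the parameter (for example identity) and add a one-line docstring saying what the zero byte stands for, presumably the same leading field that build_tunnel_password() just above writes with b'\x00'. The two new keyword arguments sae_identity and sae_identity2 on start_radius_psk_server() would also read better as a single list argument, since the numbered pair does not extend past two identities.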
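
Review bot: In the reply-building hunk at @@ -1195,6 +1199,13, the sae_identity and sae_identity2 blocks are copies of each other apart from the key name. Storing one list in t_events (for example t_events['sae_identities']) and looping over it with a single reply.AddAttribute("Tunnel-Client-Auth-ID", ...) call removes the duplication and lets a test send zero, one or many identities without touching the server code again.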
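
Review bot: In the hunk at @@ -1247,6 +1260,28, hostapd_radius_sae_test_params() and hostapd_radius_sae_ft_test_params() differ only in the ssid and wpa_key_mgmt values, so one helper taking those two as arguments would do. The tests that use them are described as WPA3, yet the visible parameter lines set no ieee80211w value and the FT-SAE variant sets no FT-specific options; unless hostapd.radius_params() already supplies these, please set them explicitly or adjust the docstrings. The mixed quoting (params['ssid'] next to params["wpa"]) could be made consistent in the same pass.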
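
Review bot: In the new tests added at @@ -1708,3 +1743,85, every case only checks that dev[n].connect() succeeds, so nothing shows that the identity returned by RADIUS is actually enforced. Add at least one negative case, for example a station using a sae_password_id that the server did not return, or the right identifier with the wrong sae_password, and assert that the connection fails. In test_radius_sae_multi_id both user0 and user1 share the password "12345678", so that test cannot tell the two identities apart; the hapd variable is also assigned in every test and never used.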