3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-12-21 03:32:42 +01:00
iwd/unit/test-sae.c
John Brandt 49cddea10b unit: fix SAE unit tests
Don't mark either client as being the authenticator. In the current unit
tests, both instances act as clients to test functionality. This ensures
the unit does not show an error during the following commits where SAE
for AP mode is added.
2024-05-07 10:50:39 -05:00

902 lines
27 KiB
C

/*
*
* Wireless daemon for Linux
*
* Copyright (C) 2018-2019 Intel Corporation. All rights reserved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <string.h>
#include <assert.h>
#include <ell/ell.h>
#include "src/util.h"
#include "src/ie.h"
#include "src/handshake.h"
#include "src/mpdu.h"
#include "src/sae.h"
#include "src/auth-proto.h"
#include "src/crypto.h"
const unsigned int *__wrap_l_ecc_supported_ike_groups(void);
const unsigned int *__wrap_l_ecc_supported_ike_groups(void)
{
static unsigned int supported_ike_groups[2] = { 19, 0 };
return supported_ike_groups;
}
struct test_handshake_state {
struct handshake_state super;
};
struct test_data {
/* flag for testing anti clogging */
bool test_anti_clogging;
/* true if a commit message was sent and verified */
bool commit_success;
/* true if a confirm message was sent and verified */
bool confirm_success;
/* true if a rejection packet was sent */
bool tx_reject_occurred;
/* true if the tx function was called */
bool tx_auth_called;
bool tx_assoc_called;
/* copy of clogging token (if present) */
uint8_t test_clogging_token[32];
/* copy of last packet sent */
uint8_t tx_packet[512];
size_t tx_packet_len;
/* status in complete callback */
uint16_t status;
struct handshake_state *handshake;
};
struct authenticate_frame {
struct mmpdu_header hdr;
struct mmpdu_authentication auth;
} __attribute__ ((packed));
struct associate_frame {
struct mmpdu_header hdr;
struct mmpdu_association_response assoc;
} __attribute__ ((packed));
static uint8_t spa[] = {2, 0, 0, 0, 0, 0};
static uint8_t aa[] = {2, 0, 0, 0, 0, 1};
static char *passphrase = "secret123";
static void test_handshake_state_free(struct handshake_state *hs)
{
struct test_handshake_state *ths =
l_container_of(hs, struct test_handshake_state, super);
l_free(ths);
}
static struct handshake_state *test_handshake_state_new(uint32_t ifindex)
{
struct test_handshake_state *ths;
ths = l_new(struct test_handshake_state, 1);
ths->super.ifindex = ifindex;
ths->super.free = test_handshake_state_free;
return &ths->super;
}
static void test_tx_auth_func(const uint8_t *frame, size_t len, void *user_data)
{
struct test_data *td = user_data;
uint16_t trans;
td->tx_auth_called = true;
memset(td->tx_packet, 0, sizeof(td->tx_packet));
memcpy(td->tx_packet, frame, len);
td->tx_packet_len = len;
if (len <= 6 && l_get_le16(frame + 2) != 0) {
td->tx_reject_occurred = true;
return;
}
trans = l_get_le16(frame); /* transaction */
switch (trans) {
case 1:
assert(l_get_le16(frame + 2) == 0); /* status */
assert(l_get_le16(frame + 4) == 19); /* group */
if (len > 102) {
/* clogging token */
assert(len == 134);
assert(!memcmp(frame + 6, td->test_clogging_token, 32));
} else {
assert(len == 102);
}
td->commit_success = true;
return;
case 2:
assert(l_get_le16(frame + 2) == 0);
assert(len == 38);
td->confirm_success = true;
return;
}
assert(false);
}
static void test_tx_assoc_func(void *user_data)
{
struct test_data *td = user_data;
td->tx_assoc_called = true;
}
static struct auth_proto *test_initialize(struct test_data *td)
{
struct auth_proto *ap;
struct handshake_state *hs = test_handshake_state_new(1);
td->handshake = hs;
handshake_state_set_supplicant_address(hs, spa);
handshake_state_set_authenticator_address(hs, aa);
handshake_state_set_passphrase(hs, passphrase);
memset(td->test_clogging_token, 0xde, 32);
ap = sae_sm_new(hs, test_tx_auth_func, test_tx_assoc_func, td);
td->commit_success = false;
auth_proto_start(ap);
assert(td->commit_success == true);
return ap;
}
static void test_destruct(struct test_data *td)
{
handshake_state_free(td->handshake);
l_free(td);
}
static uint8_t aa_commit[] = {
0x13, 0x00, 0x50, 0x5b, 0xb2, 0x1f, 0xaf, 0x7d,
0xaf, 0x14, 0x7c, 0x7b, 0x19, 0xc9, 0x72, 0x82, 0xbc, 0x1a, 0xdb, 0xa1,
0xbd, 0x6e, 0x5a, 0xc7, 0x58, 0x0a, 0x65, 0x1f, 0xd2, 0xde, 0xb0, 0x66,
0xa5, 0xf9, 0x3e, 0x95, 0x4a, 0xe1, 0x83, 0xdb, 0x8a, 0xf5, 0x47, 0x8a,
0x9d, 0x88, 0x5b, 0x58, 0xb9, 0x5b, 0xfb, 0x99, 0xff, 0xbe, 0xa0, 0xe8,
0x70, 0x9d, 0x99, 0x2e, 0x8f, 0xa3, 0x53, 0x57, 0x3c, 0x49, 0x81, 0x0e,
0xbc, 0x8f, 0xbc, 0xe7, 0x77, 0x8a, 0x5b, 0xf0, 0xae, 0x4a, 0xfb, 0xcd,
0x81, 0xc0, 0x97, 0xb2, 0xf8, 0xb9, 0x12, 0xed, 0x3b, 0xd5, 0x3c, 0x5c,
0xb2, 0x3a, 0xcc, 0x22, 0xe3, 0x9e
};
static uint8_t aa_confirm[] = {
0x00, 0x00, 0x03, 0x0e, 0xf7, 0x5c, 0x1c, 0xab,
0x7c, 0x29, 0xa1, 0x79, 0x22, 0xe4, 0x3b, 0x64, 0xb8, 0xf0, 0x70, 0x25,
0x40, 0xcc, 0x78, 0x81, 0x27, 0x12, 0xca, 0xa9, 0xf5, 0xe5, 0x0f, 0xa7,
0x73, 0x6d
};
static size_t setup_auth_frame(struct authenticate_frame *frame,
const uint8_t *addr,
uint16_t trans, uint16_t status,
const uint8_t *data, size_t len)
{
memset(frame, 0, sizeof(struct authenticate_frame));
memcpy(frame->hdr.address_2, addr, 6);
frame->hdr.fc.type = MPDU_TYPE_MANAGEMENT;
frame->hdr.fc.subtype = MPDU_MANAGEMENT_SUBTYPE_AUTHENTICATION;
frame->hdr.fc.order = 1;
l_put_le16(MMPDU_AUTH_ALGO_SAE, &frame->auth.algorithm);
l_put_le16(trans, &frame->auth.transaction_sequence);
l_put_le16(status, &frame->auth.status);
if (data)
memcpy(frame->auth.ies, data, len);
return sizeof(frame->hdr) + sizeof(frame->auth) + len;
}
static size_t setup_assoc_frame(struct associate_frame *frame, uint16_t status)
{
/*
* Only need the frame to verify with mpdu_validate and have status
* code set.
*/
memset(frame, 0, sizeof(struct associate_frame));
frame->hdr.fc.type = MPDU_TYPE_MANAGEMENT;
frame->hdr.fc.subtype = MPDU_MANAGEMENT_SUBTYPE_ASSOCIATION_REQUEST;
frame->hdr.fc.order = 1;
l_put_le16(status, &frame->assoc.status_code);
return sizeof(frame->hdr) + sizeof(frame->assoc);
}
static void test_clogging(const void *arg)
{
struct test_data *td = l_new(struct test_data, 1);
struct auth_proto *ap = test_initialize(td);
struct authenticate_frame *frame = alloca(
sizeof(struct authenticate_frame) + 34);
uint8_t extra[34];
size_t len;
l_put_le16(19, extra);
memcpy(extra + 2, td->test_clogging_token, 32);
len = setup_auth_frame(frame, aa, 1,
MMPDU_STATUS_CODE_ANTI_CLOGGING_TOKEN_REQ,
extra, sizeof(extra));
td->test_anti_clogging = true;
td->commit_success = false;
assert(auth_proto_rx_authenticate(ap, (uint8_t *)frame, len) ==
-EAGAIN);
assert(td->commit_success == true);
test_destruct(td);
auth_proto_free(ap);
}
static void test_early_confirm(const void *arg)
{
struct test_data *td = l_new(struct test_data, 1);
struct auth_proto *ap = test_initialize(td);
uint8_t first_commit[102];
struct authenticate_frame *frame = alloca(
sizeof(struct authenticate_frame) + 32);
size_t len;
/* save the initial commit */
memcpy(first_commit, td->tx_packet, td->tx_packet_len);
len = setup_auth_frame(frame, aa, 2, 0, NULL, 32);
memset(frame->auth.ies, 0xfe, 32);
td->test_anti_clogging = false;
assert(auth_proto_rx_authenticate(ap, (uint8_t *)frame, len) ==
-EAGAIN);
/* verify earlier commit matched most recent */
assert(!memcmp(td->tx_packet, first_commit, td->tx_packet_len));
test_destruct(td);
auth_proto_free(ap);
}
static void test_reflection(const void *arg)
{
struct test_data *td = l_new(struct test_data, 1);
struct auth_proto *ap = test_initialize(td);
td->tx_auth_called = false;
/* send reflect same commit */
ap->rx_authenticate(ap, td->tx_packet, td->tx_packet_len);
assert(td->tx_auth_called == false);
test_destruct(td);
auth_proto_free(ap);
}
static void test_malformed_commit(const void *arg)
{
struct test_data *td = l_new(struct test_data, 1);
struct auth_proto *ap = test_initialize(td);
struct authenticate_frame *frame = alloca(
sizeof(struct authenticate_frame) +
sizeof(aa_commit));
size_t len;
len = setup_auth_frame(frame, aa, 1, 0, aa_commit, sizeof(aa_commit));
/* don't send entire commit */
assert(auth_proto_rx_authenticate(ap, (uint8_t *)frame, len - 20) != 0);
test_destruct(td);
auth_proto_free(ap);
}
static void test_malformed_confirm(const void *arg)
{
struct test_data *td = l_new(struct test_data, 1);
struct auth_proto *ap = test_initialize(td);
struct authenticate_frame *frame = alloca(
sizeof(struct authenticate_frame) +
sizeof(aa_commit));
size_t len;
len = setup_auth_frame(frame, aa, 1, 0, aa_commit, sizeof(aa_commit));
assert(auth_proto_rx_authenticate(ap, (uint8_t *)frame, len) == 0);
assert(td->commit_success);
frame = alloca(sizeof(struct authenticate_frame) + sizeof(aa_confirm));
len = setup_auth_frame(frame, aa, 2, 0, aa_confirm, sizeof(aa_confirm));
/* don't send entire confirm */
assert(auth_proto_rx_authenticate(ap, (uint8_t *)frame, len - 10) != 0);
test_destruct(td);
auth_proto_free(ap);
}
static uint8_t aa_commit_bad_group[] = {
0xff, 0x00, 0x50, 0x5b, 0xb2, 0x1f, 0xaf, 0x7d,
0xaf, 0x14, 0x7c, 0x7b, 0x19, 0xc9, 0x72, 0x82, 0xbc, 0x1a, 0xdb, 0xa1,
0xbd, 0x6e, 0x5a, 0xc7, 0x58, 0x0a, 0x65, 0x1f, 0xd2, 0xde, 0xb0, 0x66,
0xa5, 0xf9, 0x3e, 0x95, 0x4a, 0xe1, 0x83, 0xdb, 0x8a, 0xf5, 0x47, 0x8a,
0x9d, 0x88, 0x5b, 0x58, 0xb9, 0x5b, 0xfb, 0x99, 0xff, 0xbe, 0xa0, 0xe8,
0x70, 0x9d, 0x99, 0x2e, 0x8f, 0xa3, 0x53, 0x57, 0x3c, 0x49, 0x81, 0x0e,
0xbc, 0x8f, 0xbc, 0xe7, 0x77, 0x8a, 0x5b, 0xf0, 0xae, 0x4a, 0xfb, 0xcd,
0x81, 0xc0, 0x97, 0xb2, 0xf8, 0xb9, 0x12, 0xed, 0x3b, 0xd5, 0x3c, 0x5c,
0xb2, 0x3a, 0xcc, 0x22, 0xe3, 0x9e
};
static void test_bad_group(const void *arg)
{
struct test_data *td = l_new(struct test_data, 1);
struct auth_proto *ap = test_initialize(td);
struct authenticate_frame *frame = alloca(
sizeof(struct authenticate_frame) +
sizeof(aa_commit_bad_group));
size_t len;
len = setup_auth_frame(frame, aa, 1, 0, aa_commit_bad_group,
sizeof(aa_commit_bad_group));
assert(auth_proto_rx_authenticate(ap, (uint8_t *)frame, len) ==
-EPROTO);
test_destruct(td);
auth_proto_free(ap);
}
static void end_to_end_tx_func(const uint8_t *frame, size_t len, void *user_data)
{
struct test_data *td = user_data;
memcpy(td->tx_packet, frame, len);
td->tx_packet_len = len;
}
static void test_bad_confirm(const void *arg)
{
struct auth_proto *ap1;
struct auth_proto *ap2;
struct test_data *td1 = l_new(struct test_data, 1);
struct test_data *td2 = l_new(struct test_data, 1);
struct handshake_state *hs1 = test_handshake_state_new(1);
struct handshake_state *hs2 = test_handshake_state_new(2);
struct authenticate_frame *frame = alloca(
sizeof(struct authenticate_frame) + 512);
size_t frame_len;
uint8_t tmp_commit[512];
size_t tmp_commit_len;
td1->status = 0xffff;
td2->status = 0xffff;
handshake_state_set_supplicant_address(hs1, spa);
handshake_state_set_authenticator_address(hs1, aa);
handshake_state_set_passphrase(hs1, passphrase);
handshake_state_set_supplicant_address(hs2, aa);
handshake_state_set_authenticator_address(hs2, spa);
handshake_state_set_passphrase(hs2, passphrase);
ap1 = sae_sm_new(hs1, end_to_end_tx_func, test_tx_assoc_func, td1);
ap2 = sae_sm_new(hs2, end_to_end_tx_func, test_tx_assoc_func, td2);
/* both peers send out commit */
ap1->start(ap1);
ap2->start(ap2);
/* save sm1 commit, tx_packet will get overwritten with confirm */
memcpy(tmp_commit, td1->tx_packet, td1->tx_packet_len);
tmp_commit_len = td1->tx_packet_len;
/* Setup whole frame */
frame_len = setup_auth_frame(frame, aa, 1, 0, td2->tx_packet + 4,
td2->tx_packet_len - 4);
/* rx commit for both peers */
ap1->rx_authenticate(ap1, (uint8_t *) frame, frame_len);
frame_len = setup_auth_frame(frame, spa, 1, 0, tmp_commit + 4,
tmp_commit_len - 4);
ap2->rx_authenticate(ap2, (uint8_t *)frame, frame_len);
/* both peers should now have sent confirm */
/* rx confirm for both peers */
frame_len = setup_auth_frame(frame, aa, 2, 0, td2->tx_packet + 4,
td2->tx_packet_len - 4);
ap1->rx_authenticate(ap1, (uint8_t *)frame, frame_len);
/* muck with a byte in the confirm */
td1->tx_packet[10] = ~td1->tx_packet[10];
frame_len = setup_auth_frame(frame, spa, 2, 0, td1->tx_packet + 4,
td1->tx_packet_len - 4);
ap2->rx_authenticate(ap2, (uint8_t *)frame, frame_len);
assert(td1->tx_assoc_called);
assert(td2->status != 0);
handshake_state_free(hs1);
handshake_state_free(hs2);
ap1->free(ap1);
ap2->free(ap2);
/* sm2 gets freed by sae since it failed */
l_free(td1);
l_free(td2);
}
static void test_confirm_after_accept(const void *arg)
{
struct auth_proto *ap1;
struct auth_proto *ap2;
struct test_data *td1 = l_new(struct test_data, 1);
struct test_data *td2 = l_new(struct test_data, 1);
struct handshake_state *hs1 = test_handshake_state_new(1);
struct handshake_state *hs2 = test_handshake_state_new(2);
struct authenticate_frame *frame = alloca(
sizeof(struct authenticate_frame) + 512);
struct associate_frame *assoc = alloca(sizeof(struct associate_frame));
size_t frame_len;
uint8_t tmp_commit[512];
size_t tmp_commit_len;
td1->status = 0xffff;
td2->status = 0xffff;
handshake_state_set_supplicant_address(hs1, spa);
handshake_state_set_authenticator_address(hs1, aa);
handshake_state_set_passphrase(hs1, passphrase);
handshake_state_set_supplicant_address(hs2, aa);
handshake_state_set_authenticator_address(hs2, spa);
handshake_state_set_passphrase(hs2, passphrase);
ap1 = sae_sm_new(hs1, end_to_end_tx_func, test_tx_assoc_func, td1);
ap2 = sae_sm_new(hs2, end_to_end_tx_func, test_tx_assoc_func, td2);
/* both peers send out commit */
auth_proto_start(ap1);
auth_proto_start(ap2);
/* save sm1 commit, tx_packet will get overwritten with confirm */
memcpy(tmp_commit, td1->tx_packet, td1->tx_packet_len);
tmp_commit_len = td1->tx_packet_len;
/* rx commit for both peers */
frame_len = setup_auth_frame(frame, aa, 1, 0, td2->tx_packet + 4,
td2->tx_packet_len - 4);
assert(auth_proto_rx_authenticate(ap1, (uint8_t *)frame,
frame_len) == 0);
frame_len = setup_auth_frame(frame, spa, 1, 0, tmp_commit + 4,
tmp_commit_len - 4);
assert(auth_proto_rx_authenticate(ap2, (uint8_t *)frame,
frame_len) == 0);
/* both peers should now have sent confirm */
/* rx confirm for one peer, sm1 should accept confirm */
frame_len = setup_auth_frame(frame, aa, 2, 0, td2->tx_packet + 4,
td2->tx_packet_len - 4);
assert(auth_proto_rx_authenticate(ap1, (uint8_t *)frame,
frame_len) == 0);
assert(td1->tx_assoc_called);
/* sm1 should respond with a confirm, and accept */
frame_len = setup_auth_frame(frame, spa, 2, 0, td1->tx_packet + 4,
td1->tx_packet_len - 4);
assert(auth_proto_rx_authenticate(ap2, (uint8_t *)frame,
frame_len) == 0);
assert(td1->tx_assoc_called);
frame_len = setup_assoc_frame(assoc, 0);
/*
* This is just to complete the connection, SAE just verifies status
* so the same frame can be used for both SMs
*/
assert(auth_proto_rx_associate(ap1, (uint8_t *)assoc, frame_len) == 0);
assert(auth_proto_rx_associate(ap2, (uint8_t *)assoc, frame_len) == 0);
handshake_state_free(hs1);
handshake_state_free(hs2);
auth_proto_free(ap1);
auth_proto_free(ap2);
l_free(td1);
l_free(td2);
}
static void test_end_to_end(const void *arg)
{
struct auth_proto *ap1;
struct auth_proto *ap2;
struct test_data *td1 = l_new(struct test_data, 1);
struct test_data *td2 = l_new(struct test_data, 1);
struct handshake_state *hs1 = test_handshake_state_new(1);
struct handshake_state *hs2 = test_handshake_state_new(2);
struct authenticate_frame *frame = alloca(
sizeof(struct authenticate_frame) + 512);
struct associate_frame *assoc = alloca(sizeof(struct associate_frame));
size_t frame_len;
uint8_t tmp_commit[512];
size_t tmp_commit_len;
td1->status = 0xffff;
td2->status = 0xffff;
handshake_state_set_supplicant_address(hs1, spa);
handshake_state_set_authenticator_address(hs1, aa);
handshake_state_set_passphrase(hs1, passphrase);
handshake_state_set_supplicant_address(hs2, aa);
handshake_state_set_authenticator_address(hs2, spa);
handshake_state_set_passphrase(hs2, passphrase);
ap1 = sae_sm_new(hs1, end_to_end_tx_func, test_tx_assoc_func, td1);
ap2 = sae_sm_new(hs2, end_to_end_tx_func, test_tx_assoc_func, td2);
/* both peers send out commit */
auth_proto_start(ap1);
auth_proto_start(ap2);
/* save sm1 commit, tx_packet will get overwritten with confirm */
memcpy(tmp_commit, td1->tx_packet, td1->tx_packet_len);
tmp_commit_len = td1->tx_packet_len;
/* rx commit for both peers */
frame_len = setup_auth_frame(frame, aa, 1, 0, td2->tx_packet + 4,
td2->tx_packet_len - 4);
assert(auth_proto_rx_authenticate(ap1, (uint8_t *)frame,
frame_len) == 0);
/* both peers should now have sent confirm */
frame_len = setup_auth_frame(frame, spa, 1, 0, tmp_commit + 4,
tmp_commit_len - 4);
assert(auth_proto_rx_authenticate(ap2, (uint8_t *)frame,
frame_len) == 0);
/* rx confirm for both peers */
frame_len = setup_auth_frame(frame, aa, 2, 0, td2->tx_packet + 4,
td2->tx_packet_len - 4);
assert(auth_proto_rx_authenticate(ap1, (uint8_t *)frame,
frame_len) == 0);
frame_len = setup_auth_frame(frame, spa, 2, 0, td1->tx_packet + 4,
td1->tx_packet_len - 4);
assert(auth_proto_rx_authenticate(ap2, (uint8_t *)frame,
frame_len) == 0);
assert(td1->tx_assoc_called);
assert(td2->tx_assoc_called);
frame_len = setup_assoc_frame(assoc, 0);
assert(auth_proto_rx_associate(ap1, (uint8_t *)assoc, frame_len) == 0);
assert(auth_proto_rx_associate(ap2, (uint8_t *)assoc, frame_len) == 0);
handshake_state_free(hs1);
handshake_state_free(hs2);
auth_proto_free(ap1);
auth_proto_free(ap2);
l_free(td1);
l_free(td2);
}
static void test_pt_pwe(const void *data)
{
static const char *ssid = "byteme";
static const char *identifier = "psk4internet";
static const char *password = "mekmitasdigoat";
static const uint8_t mac1[] = { 0x00, 0x09, 0x5b, 0x66, 0xec, 0x1e };
static const uint8_t mac2[] = { 0x00, 0x0b, 0x6b, 0xd9, 0x02, 0x46 };
static const uint8_t prk[] = {
0x3b, 0xd5, 0x3f, 0xe9, 0x22, 0x3d, 0xc0, 0x28,
0x0f, 0xbf, 0xce, 0x17, 0xd7, 0xa3, 0x56, 0x40,
0x64, 0xe2, 0x0f, 0x48, 0xc6, 0xec, 0x72, 0x24,
0x6c, 0xe3, 0x67, 0xb5, 0x56, 0x9a, 0x22, 0xaf,
};
static const uint8_t okm1[] = {
0xa5, 0x04, 0x44, 0x69, 0xab, 0x16, 0xf2, 0x5b,
0x6a, 0xbf, 0x1e, 0x0e, 0x37, 0xa3, 0x6b, 0x56,
0xf5, 0x0b, 0xe7, 0x33, 0x69, 0x05, 0x3d, 0xf8,
0xdb, 0x87, 0x98, 0x9a, 0x6b, 0x66, 0xfd, 0x1a,
0x49, 0x1f, 0x1c, 0xda, 0xcb, 0xd0, 0x79, 0x31,
0x62, 0x0f, 0x83, 0x00, 0x8f, 0xfc, 0x0e, 0xcc,
};
static const uint8_t u1_data[] = {
0xdc, 0x94, 0x1b, 0xc3, 0xc6, 0xa2, 0xb4, 0x94,
0x8b, 0x6c, 0x61, 0xd5, 0x55, 0x90, 0xec, 0xb1,
0xf0, 0xc5, 0x1c, 0x4b, 0x1b, 0xeb, 0xaf, 0xf6,
0x77, 0xe5, 0x93, 0x69, 0x8d, 0x5a, 0x53, 0xc6,
};
static const uint8_t okm2[] = {
0x9b, 0x4e, 0x0d, 0x5b, 0x18, 0x79, 0xf2, 0x53,
0xc5, 0x31, 0x96, 0x15, 0x09, 0x9b, 0x05, 0xae,
0xc5, 0xb0, 0x6f, 0xa5, 0xe7, 0x88, 0xbc, 0xfd,
0x1e, 0x9e, 0xa6, 0x0d, 0x33, 0x43, 0x69, 0x27,
0x19, 0x08, 0x14, 0xc3, 0x22, 0xa6, 0x25, 0x85,
0xc9, 0x3c, 0x57, 0x7b, 0xba, 0xa3, 0xd3, 0x07,
};
static const uint8_t u2_data[] = {
0x1b, 0x83, 0x75, 0xa5, 0x18, 0xbc, 0x21, 0x39,
0x6a, 0xd6, 0xa6, 0x5e, 0x55, 0x97, 0xe0, 0xbf,
0x80, 0xd7, 0x93, 0xb6, 0xd6, 0x6e, 0x25, 0x34,
0xa6, 0xe7, 0xdf, 0xe3, 0xee, 0x22, 0x61, 0x6f,
};
static const uint8_t p1x_data[] = {
0xa0, 0x7c, 0x26, 0x07, 0x64, 0xa1, 0x34, 0x45,
0xff, 0x8c, 0xd9, 0x7c, 0x5a, 0xcc, 0x64, 0x4e,
0x71, 0x19, 0xbd, 0xe5, 0x1b, 0xad, 0x42, 0x58,
0x3e, 0xed, 0x6f, 0x41, 0x09, 0x63, 0x9e, 0x6b,
};
static const uint8_t p1y_data[] = {
0x3b, 0xdc, 0x8d, 0xf0, 0xd3, 0x23, 0x37, 0x93,
0x6c, 0x74, 0xdf, 0x60, 0x49, 0x33, 0xa4, 0x54,
0x14, 0x22, 0x51, 0xc5, 0x3c, 0x57, 0x6c, 0x03,
0x51, 0xb2, 0x8d, 0xea, 0xf9, 0x42, 0x8d, 0x7e,
};
static const uint8_t p2x_data[] = {
0x72, 0xcd, 0x2a, 0x96, 0x7a, 0x83, 0x7f, 0xea,
0x50, 0x51, 0xf0, 0x13, 0x3d, 0xb4, 0x62, 0x27,
0x77, 0x5b, 0xa0, 0x9f, 0x7b, 0x6d, 0xfb, 0x99,
0xae, 0x7a, 0x8e, 0xf2, 0x2c, 0x7d, 0x34, 0xa0,
};
static const uint8_t p2y_data[] = {
0x86, 0x43, 0x90, 0xd7, 0x97, 0xd3, 0x52, 0xb3,
0x68, 0xd3, 0x11, 0xaf, 0x51, 0x5b, 0xde, 0x11,
0x6f, 0xe5, 0x44, 0x59, 0xfe, 0xc8, 0x67, 0xee,
0x18, 0xa8, 0xa1, 0x61, 0x9c, 0xa3, 0xff, 0x59,
};
static const uint8_t ptx_data[] = {
0xb6, 0xe3, 0x8c, 0x98, 0x75, 0x0c, 0x68, 0x4b,
0x5d, 0x17, 0xc3, 0xd8, 0xc9, 0xa4, 0x10, 0x0b,
0x39, 0x93, 0x12, 0x79, 0x18, 0x7c, 0xa6, 0xcc,
0xed, 0x5f, 0x37, 0xef, 0x46, 0xdd, 0xfa, 0x97,
};
static const uint8_t pty_data[] = {
0x56, 0x87, 0xe9, 0x72, 0xe5, 0x0f, 0x73, 0xe3,
0x89, 0x88, 0x61, 0xe7, 0xed, 0xad, 0x21, 0xbe,
0xa7, 0xd5, 0xf6, 0x22, 0xdf, 0x88, 0x24, 0x3b,
0xb8, 0x04, 0x92, 0x0a, 0xe8, 0xe6, 0x47, 0xfa,
};
static const uint8_t val_data[] = {
0xbb, 0x7f, 0x9c, 0xac, 0x5a, 0xa8, 0xb7, 0x2c,
0x02, 0xb5, 0xda, 0xac, 0xc2, 0x77, 0x1a, 0xbe,
0x74, 0xe7, 0x26, 0x04, 0x61, 0x22, 0x95, 0xec,
0xa2, 0xce, 0x18, 0x36, 0x3a, 0xe9, 0xa9, 0x27,
};
static const uint8_t pwex_data[] = {
0xc9, 0x30, 0x49, 0xb9, 0xe6, 0x40, 0x00, 0xf8,
0x48, 0x20, 0x16, 0x49, 0xe9, 0x99, 0xf2, 0xb5,
0xc2, 0x2d, 0xea, 0x69, 0xb5, 0x63, 0x2c, 0x9d,
0xf4, 0xd6, 0x33, 0xb8, 0xaa, 0x1f, 0x6c, 0x1e,
};
static const uint8_t pwey_data[] = {
0x73, 0x63, 0x4e, 0x94, 0xb5, 0x3d, 0x82, 0xe7,
0x38, 0x3a, 0x8d, 0x25, 0x81, 0x99, 0xd9, 0xdc,
0x1a, 0x5e, 0xe8, 0x26, 0x9d, 0x06, 0x03, 0x82,
0xcc, 0xbf, 0x33, 0xe6, 0x14, 0xff, 0x59, 0xa0,
};
const struct l_ecc_curve *curve;
struct l_ecc_scalar *u1;
struct l_ecc_scalar *u2;
struct l_ecc_scalar *val;
struct l_ecc_point *p1;
struct l_ecc_point *p2;
struct l_ecc_point *pt;
struct l_ecc_point *pwe;
enum l_checksum_type hash;
size_t hash_len;
uint8_t pwd_seed[64]; /* SHA512 is the biggest possible right now */
uint8_t pwd_value[128];
size_t pwd_value_len;
uint8_t ubuf[64];
uint64_t num[L_ECC_MAX_DIGITS];
uint8_t zero[64] = { 0 };
uint8_t val_buf[32];
uint8_t sorted_macs[12];
curve = l_ecc_curve_from_ike_group(19);
assert(curve);
hash = crypto_sae_hash_from_ecc_prime_len(CRYPTO_SAE_HASH_TO_ELEMENT,
l_ecc_curve_get_scalar_bytes(curve));
hash_len = l_checksum_digest_length(hash);
assert(hash_len == 32);
/* pwd-seed = HKDF-Extract(ssid, password [|| identifier]) */
assert(hkdf_extract(hash, ssid, strlen(ssid), 2, pwd_seed,
password, strlen(password),
identifier, strlen(identifier)));
assert(!memcmp(pwd_seed, prk, sizeof(prk)));
/* len = olen(p) + floor(olen(p)/2) */
pwd_value_len = l_ecc_curve_get_scalar_bytes(curve);
pwd_value_len += pwd_value_len / 2;
/*
* pwd-value = HKDF-Expand(pwd-seed, "SAE Hash to Element u1 P1", len)
*/
assert(hkdf_expand(hash, pwd_seed, hash_len,
"SAE Hash to Element u1 P1",
pwd_value, pwd_value_len));
assert(!memcmp(pwd_value, okm1, sizeof(okm1)));
u1 = l_ecc_scalar_new_modp(curve, pwd_value, pwd_value_len);
assert(u1);
assert(l_ecc_scalar_get_data(u1, ubuf, sizeof(ubuf)) ==
(ssize_t) sizeof(u1_data));
assert(!memcmp(ubuf, u1_data, sizeof(u1_data)));
/*
* pwd-value = HKDF-Expand(pwd-seed, "SAE Hash to Element u2 P2", len)
*/
assert(hkdf_expand(hash, pwd_seed, hash_len,
"SAE Hash to Element u2 P2",
pwd_value, pwd_value_len));
assert(!memcmp(pwd_value, okm2, sizeof(okm2)));
u2 = l_ecc_scalar_new_modp(curve, pwd_value, pwd_value_len);
assert(u2);
assert(l_ecc_scalar_get_data(u2, ubuf, sizeof(ubuf)) ==
(ssize_t) sizeof(u2_data));
assert(!memcmp(ubuf, u2_data, sizeof(u2_data)));
p1 = l_ecc_point_from_sswu(u1);
assert(p1);
assert(l_ecc_point_get_x(p1, num, sizeof(num)) > 0);
assert(!memcmp(num, p1x_data, sizeof(p1x_data)));
assert(l_ecc_point_get_y(p1, num, sizeof(num)) > 0);
assert(!memcmp(num, p1y_data, sizeof(p1y_data)));
p2 = l_ecc_point_from_sswu(u2);
assert(p2);
assert(l_ecc_point_get_x(p2, num, sizeof(num)) > 0);
assert(!memcmp(num, p2x_data, sizeof(p2x_data)));
assert(l_ecc_point_get_y(p2, num, sizeof(num)) > 0);
assert(!memcmp(num, p2y_data, sizeof(p2y_data)));
pt = l_ecc_point_new(curve);
assert(pt);
assert(l_ecc_point_add(pt, p1, p2));
assert(l_ecc_point_get_x(pt, num, sizeof(num)) > 0);
assert(!memcmp(num, ptx_data, sizeof(ptx_data)));
assert(l_ecc_point_get_y(pt, num, sizeof(num)) > 0);
assert(!memcmp(num, pty_data, sizeof(pty_data)));
l_ecc_point_free(p1);
l_ecc_point_free(p2);
l_ecc_scalar_free(u1);
l_ecc_scalar_free(u2);
p1 = crypto_derive_sae_pt_ecc(19, ssid, password, identifier);
assert(p1);
assert(l_ecc_points_are_equal(p1, pt));
l_ecc_point_free(p1);
if (memcmp(mac1, mac2, 6) > 0) {
memcpy(sorted_macs, mac1, 6);
memcpy(sorted_macs + 6, mac2, 6);
} else {
memcpy(sorted_macs, mac2, 6);
memcpy(sorted_macs + 6, mac1, 6);
}
assert(hkdf_extract(hash, zero, hash_len, 1, val_buf,
sorted_macs, sizeof(sorted_macs)));
val = l_ecc_scalar_new_reduced_1_to_n(curve, val_buf, sizeof(val_buf));
assert(val);
assert(l_ecc_scalar_get_data(val, ubuf, sizeof(ubuf)) ==
(ssize_t) sizeof(val_data));
assert(!memcmp(ubuf, val_data, sizeof(val_data)));
pwe = l_ecc_point_new(curve);
assert(pwe);
assert(l_ecc_point_multiply(pwe, val, pt));
assert(l_ecc_point_get_x(pwe, num, sizeof(num)) > 0);
assert(!memcmp(num, pwex_data, sizeof(pwex_data)));
assert(l_ecc_point_get_y(pwe, num, sizeof(num)) > 0);
assert(!memcmp(num, pwey_data, sizeof(pwey_data)));
l_ecc_scalar_free(val);
p1 = crypto_derive_sae_pwe_from_pt_ecc(mac1, mac2, pt);
assert(p1);
assert(l_ecc_points_are_equal(p1, pwe));
l_ecc_point_free(p1);
l_ecc_point_free(pwe);
l_ecc_point_free(pt);
}
int main(int argc, char *argv[])
{
l_test_init(&argc, &argv);
if (!l_getrandom_is_supported()) {
l_info("l_getrandom not supported, skipping...");
goto done;
}
if (!l_checksum_is_supported(L_CHECKSUM_SHA256, true)) {
l_info("SHA256/HMAC_SHA256 not supported, skipping...");
goto done;
}
l_test_add("SAE anti-clogging", test_clogging, NULL);
l_test_add("SAE early confirm", test_early_confirm, NULL);
l_test_add("SAE reflection", test_reflection, NULL);
l_test_add("SAE malformed commit", test_malformed_commit, NULL);
l_test_add("SAE malformed confirm", test_malformed_confirm, NULL);
l_test_add("SAE bad group", test_bad_group, NULL);
l_test_add("SAE bad confirm", test_bad_confirm, NULL);
l_test_add("SAE confirm after accept", test_confirm_after_accept, NULL);
l_test_add("SAE end-to-end", test_end_to_end, NULL);
l_test_add("SAE pt-pwe", test_pt_pwe, NULL);
done:
return l_test_run();
}