* [PATCH 01/11] doc: Document UseDefaultEccGroup
@ 2024-02-27 18:33 James Prestwood
2024-02-27 18:33 ` [PATCH 02/11] knownnetworks: add option to force a default ECC group James Prestwood
` (10 more replies)
0 siblings, 11 replies; 12+ messages in thread
From: James Prestwood @ 2024-02-27 18:33 UTC (permalink / raw)
To: iwd; +Cc: James Prestwood
---
src/iwd.network.rst | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/iwd.network.rst b/src/iwd.network.rst
index 734dcfa1..b178c20c 100644
--- a/src/iwd.network.rst
+++ b/src/iwd.network.rst
@@ -174,6 +174,13 @@ The group ``[Settings]`` contains general settings.
Properly configured Access Points will typically update this setting
appropriately via Transition Disable indications. User customization
of this value is thus typically not required.
+ * - UseDefaultEccGroup
+ - Values: true, false
+
+ Forces the use of the default ECC group (19) for protocols using ECC
+ (WPA3 and OWE) if set true. If unset IWD will learn the capabilities of
+ the network based on its initial association and retain that setting for
+ the duration of its process lifetime.
Network Authentication Settings
-------------------------------
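Review bot: The new UseDefaultEccGroup entry lists `false` under Values, but the description only covers `true` and the unset case, so a reader cannot tell how `false` differs from leaving the key out. Per patch 02 the three states map to different enum values (true to KNOWN_NETWORK_ECC_GROUP_DEFAULT, false to KNOWN_NETWORK_ECC_GROUP_MOST_SECURE, unset to KNOWN_NETWORK_ECC_GROUP_AUTO), so please add a sentence for `false`. It is also worth stating that `true` gives up the first attempt with the higher-order group IWD would otherwise try.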
--
2.34.1
* [PATCH 02/11] knownnetworks: add option to force a default ECC group
2024-02-27 18:33 [PATCH 01/11] doc: Document UseDefaultEccGroup James Prestwood
@ 2024-02-27 18:33 ` James Prestwood
2024-02-27 18:33 ` [PATCH 03/11] network: retain default ECC group for OWE after setting James Prestwood
` (9 subsequent siblings)
10 siblings, 0 replies; 12+ messages in thread
From: James Prestwood @ 2024-02-27 18:33 UTC (permalink / raw)
To: iwd; +Cc: James Prestwood
This adds the option [Settings].UseDefaultEccGroup which allows a
network profile to specify the behavior when using an ECC-based
protocol. If unset (default) IWD will learn the behavior of the
network for the lifetime of its process.
Many APs do not support group 20 which IWD tries first by default.
This leads to an initial failure followed by a retry using group 19.
This option will allow the user to configure IWD to use group 19
first or learn the network capabilities, if the authentication fails
with group 20 IWD will always use group 19 for the process lifetime.
---
src/knownnetworks.c | 11 +++++++++++
src/knownnetworks.h | 8 ++++++++
2 files changed, 19 insertions(+)
diff --git a/src/knownnetworks.c b/src/knownnetworks.c
index fc810057..6f65d2b3 100644
--- a/src/knownnetworks.c
+++ b/src/knownnetworks.c
@@ -123,6 +123,17 @@ void __network_config_parse(const struct l_settings *settings,
l_strfreev(modes);
}
+
+ if (l_settings_has_key(settings, NET_USE_DEFAULT_ECC_GROUP)) {
+ if (l_settings_get_bool(settings,
+ NET_USE_DEFAULT_ECC_GROUP, &b)) {
+ config->ecc_group = b ? KNOWN_NETWORK_ECC_GROUP_DEFAULT
+ : KNOWN_NETWORK_ECC_GROUP_MOST_SECURE;
+ } else
+ l_warn("[%s].%s is not a boolean value",
+ NET_USE_DEFAULT_ECC_GROUP);
+ } else
+ config->ecc_group = KNOWN_NETWORK_ECC_GROUP_AUTO;
}
void __network_info_init(struct network_info *info,
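Review bot: In the branch where the key exists but l_settings_get_bool() fails, config->ecc_group is never assigned, so its value depends on how the caller initialised *config. Assign KNOWN_NETWORK_ECC_GROUP_AUTO in that path as well, or set it once before the outer `if` and override it only on a valid boolean. The `} else` followed by an unbraced l_warn() also mixes braced and unbraced arms; bracing both would read more clearly.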
diff --git a/src/knownnetworks.h b/src/knownnetworks.h
index 741d42ed..c81bd9aa 100644
--- a/src/knownnetworks.h
+++ b/src/knownnetworks.h
@@ -27,6 +27,7 @@
#define NET_ADDRESS_OVERRIDE SETTINGS, "AddressOverride"
#define NET_TRANSITION_DISABLE SETTINGS, "TransitionDisable"
#define NET_TRANSITION_DISABLE_MODES SETTINGS, "DisabledTransitionModes"
+#define NET_USE_DEFAULT_ECC_GROUP SETTINGS, "UseDefaultEccGroup"
enum security;
struct scan_freq_set;
@@ -38,6 +39,12 @@ enum known_networks_event {
KNOWN_NETWORKS_EVENT_UPDATED,
};
+enum known_network_ecc_group {
+ KNOWN_NETWORK_ECC_GROUP_AUTO = 0,
+ KNOWN_NETWORK_ECC_GROUP_DEFAULT,
+ KNOWN_NETWORK_ECC_GROUP_MOST_SECURE,
+};
+
struct network_info_ops {
struct l_settings *(*open)(struct network_info *info);
int (*touch)(struct network_info *info);
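Review bot: The three enumerators of known_network_ecc_group carry no comment, and KNOWN_NETWORK_ECC_GROUP_DEFAULT is easy to misread as "default behaviour" rather than "always use the default group". A one-line comment per value would help, matching the parser in knownnetworks.c: AUTO when the key is absent, DEFAULT for UseDefaultEccGroup=true, MOST_SECURE for UseDefaultEccGroup=false.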
@@ -72,6 +79,7 @@ struct network_config {
uint8_t sta_addr[6];
bool have_transition_disable : 1;
uint8_t transition_disable;
+ enum known_network_ecc_group ecc_group;
};
struct network_info {
--
2.34.1
* [PATCH 03/11] network: retain default ECC group for OWE after setting
2024-02-27 18:33 [PATCH 01/11] doc: Document UseDefaultEccGroup James Prestwood
2024-02-27 18:33 ` [PATCH 02/11] knownnetworks: add option to force a default ECC group James Prestwood
@ 2024-02-27 18:33 ` James Prestwood
2024-02-27 18:33 ` [PATCH 04/11] network: set use default ECC group in handshake setup James Prestwood
` (8 subsequent siblings)
10 siblings, 0 replies; 12+ messages in thread
From: James Prestwood @ 2024-02-27 18:33 UTC (permalink / raw)
To: iwd; +Cc: James Prestwood
There is special handling for buggy OWE APs which set a network flag
to use the default OWE group. Utilize the more persistent setting
within known-networks as well as the network object (in case there
is no profile).
This also renames the get/set APIs to be generic to ECC groups rather
than only OWE.
---
src/network.c | 38 +++++++++++++++++++++++++++++++-------
src/network.h | 4 ++--
src/station.c | 4 ++--
3 files changed, 35 insertions(+), 11 deletions(-)
diff --git a/src/network.c b/src/network.c
index 287e2be0..a0a89e63 100644
--- a/src/network.c
+++ b/src/network.c
@@ -89,7 +89,7 @@ struct network {
bool provisioning_hidden:1;
uint8_t transition_disable; /* Temporary cache until info is set */
bool have_transition_disable:1;
- bool force_default_owe_group:1;
+ bool force_default_ecc_group:1;
int rank;
/* Holds DBus Connect() message if it comes in before ANQP finishes */
struct l_dbus_message *connect_after_anqp;
@@ -271,8 +271,12 @@ struct network *network_create(struct station *station, const char *ssid,
network->security = security;
network->info = known_networks_find(ssid, security);
- if (network->info)
+ if (network->info) {
network->info->seen_count++;
+ if (network->info->config.ecc_group ==
+ KNOWN_NETWORK_ECC_GROUP_DEFAULT)
+ network->force_default_ecc_group = true;
+ }
network->bss_list = l_queue_new();
network->blacklist = l_queue_new();
@@ -553,7 +557,7 @@ int network_handshake_setup(struct network *network, struct scan_bss *bss,
}
if (hs->akm_suite == IE_RSN_AKM_SUITE_OWE)
- hs->force_default_owe_group = network->force_default_owe_group;
+ hs->force_default_owe_group = network->force_default_ecc_group;
/*
* The randomization options in the provisioning file are dependent on
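Review bot: network_handshake_setup() copies network->force_default_ecc_group directly, while network_get_force_default_ecc_group(), added further down in this patch, decides from network->info->config.ecc_group whenever a profile exists. The two can disagree, for example when the bit was set while network->info was NULL and a profile is attached afterwards, or when a profile with KNOWN_NETWORK_ECC_GROUP_DEFAULT is attached after network_create() ran. Calling the getter here would keep a single source of truth.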
@@ -818,14 +822,34 @@ void network_set_info(struct network *network, struct network_info *info)
IWD_NETWORK_INTERFACE, "KnownNetwork");
}
-void network_set_force_default_owe_group(struct network *network)
+void network_set_force_default_ecc_group(struct network *network)
{
- network->force_default_owe_group = true;
+ /* No network info, likely a failed OWE connection */
+ if (!network->info) {
+ network->force_default_ecc_group = true;
+ return;
+ }
+
+ /* Profile explicitly wants to try the most secure group */
+ if (network->info->config.ecc_group ==
+ KNOWN_NETWORK_ECC_GROUP_MOST_SECURE)
+ return;
+
+ l_debug("Forcing default group for %s", network->ssid);
+
+ network->force_default_ecc_group = true;
+ network->info->config.ecc_group = KNOWN_NETWORK_ECC_GROUP_DEFAULT;
}
-bool network_get_force_default_owe_group(struct network *network)
+bool network_get_force_default_ecc_group(struct network *network)
{
- return network->force_default_owe_group;
+ if (!network->info)
+ return network->force_default_ecc_group;
+
+ if (network->info->config.ecc_group == KNOWN_NETWORK_ECC_GROUP_DEFAULT)
+ return true;
+
+ return false;
}
int network_can_connect_bss(struct network *network, const struct scan_bss *bss)
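Review bot: network_set_force_default_ecc_group() returns silently when the profile says KNOWN_NETWORK_ECC_GROUP_MOST_SECURE, so the caller cannot tell that nothing was forced. station_retry_owe_default_group() still returns true after calling it, and its "already forced group 19" guard relies on the getter, which can never return true for such a profile. Please confirm the OWE retry path still terminates in that case, or have the setter return a bool the caller can act on. The getter's last two returns could also be a single `return network->info->config.ecc_group == KNOWN_NETWORK_ECC_GROUP_DEFAULT;`.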
diff --git a/src/network.h b/src/network.h
index ea619f3f..17dfcca8 100644
--- a/src/network.h
+++ b/src/network.h
@@ -58,8 +58,8 @@ void network_sync_settings(struct network *network);
const struct network_info *network_get_info(const struct network *network);
void network_set_info(struct network *network, struct network_info *info);
-void network_set_force_default_owe_group(struct network *network);
-bool network_get_force_default_owe_group(struct network *network);
+void network_set_force_default_ecc_group(struct network *network);
+bool network_get_force_default_ecc_group(struct network *network);
bool network_update_known_frequencies(struct network *network);
diff --git a/src/station.c b/src/station.c
index 8817637b..3712d5bb 100644
--- a/src/station.c
+++ b/src/station.c
@@ -3152,7 +3152,7 @@ static bool station_retry_owe_default_group(struct station *station)
return false;
/* If we already forced group 19, allow the BSS to be blacklisted */
- if (network_get_force_default_owe_group(station->connected_network))
+ if (network_get_force_default_ecc_group(station->connected_network))
return false;
l_warn("Failed to connect to OWE BSS "MAC" possibly because the AP is "
@@ -3160,7 +3160,7 @@ static bool station_retry_owe_default_group(struct station *station)
"Retrying with group 19 as a workaround",
MAC_STR(station->connected_bss->addr));
- network_set_force_default_owe_group(station->connected_network);
+ network_set_force_default_ecc_group(station->connected_network);
return true;
}
--
2.34.1
* [PATCH 04/11] network: set use default ECC group in handshake setup
2024-02-27 18:33 [PATCH 01/11] doc: Document UseDefaultEccGroup James Prestwood
2024-02-27 18:33 ` [PATCH 02/11] knownnetworks: add option to force a default ECC group James Prestwood
2024-02-27 18:33 ` [PATCH 03/11] network: retain default ECC group for OWE after setting James Prestwood
@ 2024-02-27 18:33 ` James Prestwood
2024-02-27 18:33 ` [PATCH 05/11] sae: remove sae_sm_set_force_group_19, use handshake James Prestwood
` (7 subsequent siblings)
10 siblings, 0 replies; 12+ messages in thread
From: James Prestwood @ 2024-02-27 18:33 UTC (permalink / raw)
To: iwd; +Cc: James Prestwood
If either the settings specify it, or the scan_bss is flagged, set
the use_default_ecc_group flag in the handshake.
This also renames the flag to cover both OWE and SAE.
---
src/handshake.h | 2 +-
src/network.c | 4 ++--
src/owe.c | 2 +-
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/handshake.h b/src/handshake.h
index 6c58e4d2..62118fe2 100644
--- a/src/handshake.h
+++ b/src/handshake.h
@@ -140,7 +140,7 @@ struct handshake_state {
bool authenticator_ocvc : 1;
bool supplicant_ocvc : 1;
bool ext_key_id_capable : 1;
- bool force_default_owe_group : 1;
+ bool force_default_ecc_group : 1;
uint8_t ssid[32];
size_t ssid_len;
char *passphrase;
diff --git a/src/network.c b/src/network.c
index a0a89e63..7b996f51 100644
--- a/src/network.c
+++ b/src/network.c
@@ -556,8 +556,8 @@ int network_handshake_setup(struct network *network, struct scan_bss *bss,
handshake_state_set_protocol_version(hs, eapol_proto_version);
}
- if (hs->akm_suite == IE_RSN_AKM_SUITE_OWE)
- hs->force_default_owe_group = network->force_default_ecc_group;
+ hs->force_default_ecc_group = network->force_default_ecc_group ||
+ bss->force_default_sae_group;
/*
* The randomization options in the provisioning file are dependent on
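Review bot: The new assignment ORs in bss->force_default_sae_group unconditionally, so a profile with UseDefaultEccGroup=false (KNOWN_NETWORK_ECC_GROUP_MOST_SECURE) is still forced to the default group when the BSS is flagged, and with the akm_suite check removed the SAE-specific BSS flag now applies to OWE as well. If both effects are intended, say so in the commit message and in iwd.network.rst; otherwise check network->info->config.ecc_group before applying the BSS flag.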
diff --git a/src/owe.c b/src/owe.c
index faa4e17d..da1d643b 100644
--- a/src/owe.c
+++ b/src/owe.c
@@ -45,7 +45,7 @@ struct owe_sm {
static bool owe_reset(struct owe_sm *owe)
{
- if (owe->hs->force_default_owe_group) {
+ if (owe->hs->force_default_ecc_group) {
if (owe->retry != 0) {
l_warn("Forced default OWE group but was rejected!");
return false;
--
2.34.1
* [PATCH 05/11] sae: remove sae_sm_set_force_group_19, use handshake
2024-02-27 18:33 [PATCH 01/11] doc: Document UseDefaultEccGroup James Prestwood
` (2 preceding siblings ...)
2024-02-27 18:33 ` [PATCH 04/11] network: set use default ECC group in handshake setup James Prestwood
@ 2024-02-27 18:33 ` James Prestwood
2024-02-27 18:34 ` [PATCH 06/11] netdev: add NETDEV_EVENT_ECC_GROUP_RETRY, handle in station James Prestwood
` (6 subsequent siblings)
10 siblings, 0 replies; 12+ messages in thread
From: James Prestwood @ 2024-02-27 18:33 UTC (permalink / raw)
To: iwd; +Cc: James Prestwood
Use the flag set into the handshake to force the default ECC group.
---
src/netdev.c | 3 ---
src/sae.c | 8 +-------
src/sae.h | 2 --
3 files changed, 1 insertion(+), 12 deletions(-)
diff --git a/src/netdev.c b/src/netdev.c
index 8a7ff092..d80ce10f 100644
--- a/src/netdev.c
+++ b/src/netdev.c
@@ -3834,9 +3834,6 @@ static void netdev_connect_common(struct netdev *netdev,
}
}
- if (bss->force_default_sae_group)
- sae_sm_set_force_group_19(netdev->ap);
-
break;
case IE_RSN_AKM_SUITE_OWE:
netdev->owe_sm = owe_sm_new(hs);
diff --git a/src/sae.c b/src/sae.c
index 9a10292e..bf9fb0ff 100644
--- a/src/sae.c
+++ b/src/sae.c
@@ -1459,13 +1459,6 @@ bool sae_sm_is_h2e(struct auth_proto *ap)
return sm->sae_type != CRYPTO_SAE_LOOPING;
}
-void sae_sm_set_force_group_19(struct auth_proto *ap)
-{
- struct sae_sm *sm = l_container_of(ap, struct sae_sm, ap);
-
- sm->force_default_group = true;
-}
-
static void sae_free(struct auth_proto *ap)
{
struct sae_sm *sm = l_container_of(ap, struct sae_sm, ap);
@@ -1501,6 +1494,7 @@ struct auth_proto *sae_sm_new(struct handshake_state *hs,
sm->user_data = user_data;
sm->handshake = hs;
sm->state = SAE_STATE_NOTHING;
+ sm->force_default_group = hs->force_default_ecc_group;
sm->ap.start = sae_start;
sm->ap.free = sae_free;
diff --git a/src/sae.h b/src/sae.h
index ec29e624..668d084f 100644
--- a/src/sae.h
+++ b/src/sae.h
@@ -30,8 +30,6 @@ typedef void (*sae_tx_associate_func_t)(void *user_data);
bool sae_sm_is_h2e(struct auth_proto *ap);
-void sae_sm_set_force_group_19(struct auth_proto *ap);
-
struct auth_proto *sae_sm_new(struct handshake_state *hs,
sae_tx_authenticate_func_t tx_auth,
sae_tx_associate_func_t tx_assoc,
--
2.34.1
* [PATCH 06/11] netdev: add NETDEV_EVENT_ECC_GROUP_RETRY, handle in station
2024-02-27 18:33 [PATCH 01/11] doc: Document UseDefaultEccGroup James Prestwood
` (3 preceding siblings ...)
2024-02-27 18:33 ` [PATCH 05/11] sae: remove sae_sm_set_force_group_19, use handshake James Prestwood
@ 2024-02-27 18:34 ` James Prestwood
2024-02-27 18:34 ` [PATCH 07/11] auto-t: add Device.event_ocurred James Prestwood
` (5 subsequent siblings)
10 siblings, 0 replies; 12+ messages in thread
From: James Prestwood @ 2024-02-27 18:34 UTC (permalink / raw)
To: iwd; +Cc: James Prestwood
In order to complete the learned default group behavior station needs
to be aware of when an SAE/OWE connection retried. This is all
handled within netdev/sae so add a new netdev event so station can
set the appropriate network flags to prevent trying the non-default
group again.
---
src/netdev.c | 15 +++++++++++++++
src/netdev.h | 1 +
src/station.c | 15 +++++++++++++++
3 files changed, 31 insertions(+)
diff --git a/src/netdev.c b/src/netdev.c
index d80ce10f..09fac959 100644
--- a/src/netdev.c
+++ b/src/netdev.c
@@ -2559,6 +2559,10 @@ static bool netdev_retry_owe(struct netdev *netdev)
if (!owe_next_group(netdev->owe_sm))
return false;
+ if (netdev->event_filter)
+ netdev->event_filter(netdev, NETDEV_EVENT_ECC_GROUP_RETRY,
+ NULL, netdev->user_data);
+
connect_cmd = netdev_build_cmd_connect(netdev, netdev->handshake, NULL);
netdev->connect_cmd_id = l_genl_family_send(nl80211, connect_cmd,
@@ -2966,6 +2970,17 @@ static void netdev_authenticate_event(struct l_genl_msg *msg,
ret = auth_proto_rx_authenticate(netdev->ap, frame, frame_len);
+ /*
+ * Allows station to persist settings so it does not retry
+ * the higher order ECC group again
+ */
+ if (status_code ==
+ MMPDU_STATUS_CODE_UNSUPP_FINITE_CYCLIC_GROUP &&
+ netdev->event_filter)
+ netdev->event_filter(netdev,
+ NETDEV_EVENT_ECC_GROUP_RETRY,
+ NULL, netdev->user_data);
+
/* We have sent another CMD_AUTHENTICATE / CMD_ASSOCIATE */
if (ret == 0 || ret == -EAGAIN)
return;
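Review bot: The NETDEV_EVENT_ECC_GROUP_RETRY notification in netdev_authenticate_event() is sent on the status code alone, before `ret` from auth_proto_rx_authenticate() is checked, so station is told about a retry even when the auth protocol did not send another frame. Moving the call inside the `ret == 0 || ret == -EAGAIN` branch would match the event name. If the intent is to report the rejection itself, which is what the "ecc-group-rejected" debug event in station.c suggests, naming the netdev event after the rejection would be clearer.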
diff --git a/src/netdev.h b/src/netdev.h
index d87f09f4..671d0d40 100644
--- a/src/netdev.h
+++ b/src/netdev.h
@@ -51,6 +51,7 @@ enum netdev_event {
NETDEV_EVENT_RSSI_LEVEL_NOTIFY,
NETDEV_EVENT_PACKET_LOSS_NOTIFY,
NETDEV_EVENT_BEACON_LOSS_NOTIFY,
+ NETDEV_EVENT_ECC_GROUP_RETRY,
};
enum netdev_watch_event {
diff --git a/src/station.c b/src/station.c
index 3712d5bb..77d4a547 100644
--- a/src/station.c
+++ b/src/station.c
@@ -3456,6 +3456,18 @@ static void station_event_roaming(struct station *station)
station_enter_state(station, STATION_STATE_FW_ROAMING);
}
+static void station_ecc_group_retry(struct station *station)
+{
+ struct network *network = station_get_connected_network(station);
+
+ if (L_WARN_ON(!network))
+ return;
+
+ station_debug_event(station, "ecc-group-rejected");
+
+ network_set_force_default_ecc_group(network);
+}
+
static void station_netdev_event(struct netdev *netdev, enum netdev_event event,
void *event_data, void *user_data)
{
@@ -3497,6 +3509,9 @@ static void station_netdev_event(struct netdev *netdev, enum netdev_event event,
case NETDEV_EVENT_BEACON_LOSS_NOTIFY:
station_beacon_lost(station);
break;
+ case NETDEV_EVENT_ECC_GROUP_RETRY:
+ station_ecc_group_retry(station);
+ break;
}
}
--
2.34.1
* [PATCH 07/11] auto-t: add Device.event_ocurred
2024-02-27 18:33 [PATCH 01/11] doc: Document UseDefaultEccGroup James Prestwood
` (4 preceding siblings ...)
2024-02-27 18:34 ` [PATCH 06/11] netdev: add NETDEV_EVENT_ECC_GROUP_RETRY, handle in station James Prestwood
@ 2024-02-27 18:34 ` James Prestwood
2024-02-27 18:34 ` [PATCH 08/11] auto-t: add HostapdCLI.sta_status James Prestwood
` (4 subsequent siblings)
10 siblings, 0 replies; 12+ messages in thread
From: James Prestwood @ 2024-02-27 18:34 UTC (permalink / raw)
To: iwd; +Cc: James Prestwood
Checks that an event happened previously, and consumes events. This
is useful for checking that an event did not happen after some
testing operations.
---
autotests/util/iwd.py | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/autotests/util/iwd.py b/autotests/util/iwd.py
index 52c35e3d..511fb3a5 100755
--- a/autotests/util/iwd.py
+++ b/autotests/util/iwd.py
@@ -303,6 +303,9 @@ class StationDebug(IWDDBusAbstract):
return ctx.non_block_wait(self._poll_event, timeout, event,
exception=TimeoutError("waiting for event"))
+ def event_ocurred(self, event):
+ return self._poll_event(event)
+
class DeviceProvisioning(IWDDBusAbstract):
'''
Class represents net.connman.iwd.DeviceProvisioning
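Review bot: The method name `event_ocurred` is misspelled (occurred), both in StationDebug here and in the Device wrapper in the next hunk; renaming it to `event_occurred` now avoids carrying the typo into every test that calls it. A short docstring stating that the call consumes queued events, as the commit message says, would also help, since that side effect is not obvious from the name.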
@@ -856,6 +859,9 @@ class Device(IWDDBusAbstract):
def wait_for_event(self, event, timeout=10):
self._station_debug.wait_for_event(event, timeout)
+ def event_ocurred(self, event):
+ return self._station_debug.event_ocurred(event)
+
def dpp_start_enrollee(self):
ret = self._device_provisioning.start_enrollee()
--
2.34.1
* [PATCH 08/11] auto-t: add HostapdCLI.sta_status
2024-02-27 18:33 [PATCH 01/11] doc: Document UseDefaultEccGroup James Prestwood
` (5 preceding siblings ...)
2024-02-27 18:34 ` [PATCH 07/11] auto-t: add Device.event_ocurred James Prestwood
@ 2024-02-27 18:34 ` James Prestwood
2024-02-27 18:34 ` [PATCH 09/11] auto-t: refactor/fix testSAE James Prestwood
` (3 subsequent siblings)
10 siblings, 0 replies; 12+ messages in thread
From: James Prestwood @ 2024-02-27 18:34 UTC (permalink / raw)
To: iwd; +Cc: James Prestwood
Gets information about a specific STA hostapd is tracking. This
object will contain detailed information such as the SAE group
number used.
---
autotests/util/hostapd.py | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/autotests/util/hostapd.py b/autotests/util/hostapd.py
index cee08092..2f92e330 100644
--- a/autotests/util/hostapd.py
+++ b/autotests/util/hostapd.py
@@ -306,6 +306,22 @@ class HostapdCLI(object):
return ret
+ def sta_status(self, address):
+ ret = {}
+
+ cmd = self.cmdline + ['sta', address]
+ proc = ctx.start_process(cmd)
+ proc.wait()
+ status = proc.out.strip().split('\n')
+
+ # Pop address
+ status.pop(0)
+ for kv in status:
+ k, v = kv.split('=', 1)
+ ret[k] = v
+
+ return ret
+
@property
def bssid(self):
return self._get_status()['bssid[0]']
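Review bot: The parsing loop in sta_status() runs `k, v = kv.split('=', 1)` on every remaining line, which raises ValueError for any line that has no '=', for example an empty line or a non key/value reply. Skip lines without '=' and raise a clear exception when the reply yields no pairs at all, so a test fails with a readable message instead of an unpacking error or a later KeyError on sta_status["sae_group"]. The process result is also not checked after proc.wait().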
--
2.34.1
* [PATCH 09/11] auto-t: refactor/fix testSAE
2024-02-27 18:33 [PATCH 01/11] doc: Document UseDefaultEccGroup James Prestwood
` (6 preceding siblings ...)
2024-02-27 18:34 ` [PATCH 08/11] auto-t: add HostapdCLI.sta_status James Prestwood
@ 2024-02-27 18:34 ` James Prestwood
2024-02-27 18:34 ` [PATCH 10/11] auto-t: Add test for new SAE default group behavior James Prestwood
` (2 subsequent siblings)
10 siblings, 0 replies; 12+ messages in thread
From: James Prestwood @ 2024-02-27 18:34 UTC (permalink / raw)
To: iwd; +Cc: James Prestwood
The SAE test made some assumptions on certain conditions due to
there being no way of checking if those conditions were met.
Mainly the use of H2E/hunt-and-peck.
We assumed that when we told hostapd to use H2E or hunt/peck it
would but in reality it was not. Hostapd is apparently not very
good at swapping between the two with a simple "reload" command.
Once H2E is enabled it appears that it cannot be undone.
Similarly the vendor elements seem to carry over from test to
test, and sometimes not which causes unintended behavior.
To fix this create separate APs for the specific scenario being
tested:
- Hunt and peck
- H2E
- Special vendor_element simulating buggy APs
Another issue found was that if password identifiers are used
hostapd automatically chooses H2E which was not intended, at
least based on the test names (in reality it wasn't causing any
problems).
The tests have also been improved to use hostapd's "sta_status"
command which contains the group number used when authenticating,
so now that at least can be verified.
---
autotests/testSAE/autoconnect_test.py | 32 +++++++-------
autotests/testSAE/connection_test.py | 42 +++++++++----------
autotests/testSAE/hw.conf | 3 +-
.../ssidSAE-H2E.psk.default} | 0
.../testSAE/profiles/ssidSAE.psk.default | 2 +
.../{ => profiles}/ssidSAE.psk.identifier | 0
autotests/testSAE/ssidSAE-H2E.conf | 12 ++++++
autotests/testSAE/ssidSAE.conf | 1 -
8 files changed, 52 insertions(+), 40 deletions(-)
rename autotests/testSAE/{ssidSAE.psk.default => profiles/ssidSAE-H2E.psk.default} (100%)
create mode 100644 autotests/testSAE/profiles/ssidSAE.psk.default
rename autotests/testSAE/{ => profiles}/ssidSAE.psk.identifier (100%)
create mode 100644 autotests/testSAE/ssidSAE-H2E.conf
diff --git a/autotests/testSAE/autoconnect_test.py b/autotests/testSAE/autoconnect_test.py
index 4ce3b845..605de14d 100644
--- a/autotests/testSAE/autoconnect_test.py
+++ b/autotests/testSAE/autoconnect_test.py
@@ -12,8 +12,7 @@ from hostapd import HostapdCLI
class Test(unittest.TestCase):
- def validate_connection(self, wd):
-
+ def validate_connection(self, wd, ssid):
devices = wd.list_devices(1)
self.assertIsNotNone(devices)
device = devices[0]
@@ -25,7 +24,7 @@ class Test(unittest.TestCase):
condition = 'obj.connected_network is not None'
wd.wait_for_object_condition(device, condition)
- ordered_network = device.get_ordered_network('ssidSAE')
+ ordered_network = device.get_ordered_network(ssid)
self.assertTrue(ordered_network.network_object.connected)
@@ -35,29 +34,27 @@ class Test(unittest.TestCase):
wd.wait_for_object_condition(ordered_network.network_object, condition)
def test_SAE(self):
- IWD.copy_to_storage("ssidSAE.psk.default", name="ssidSAE.psk")
+ IWD.copy_to_storage("profiles/ssidSAE.psk.default", name="ssidSAE.psk")
self.hostapd.wait_for_event("AP-ENABLED")
wd = IWD(True)
- self.validate_connection(wd)
+ self.validate_connection(wd, "ssidSAE")
def test_SAE_H2E(self):
- IWD.copy_to_storage("ssidSAE.psk.default", name="ssidSAE.psk")
- self.hostapd.set_value('sae_pwe', '1')
- self.hostapd.set_value('sae_groups', '20')
- self.hostapd.reload()
- self.hostapd.wait_for_event("AP-ENABLED")
+ IWD.copy_to_storage("profiles/ssidSAE.psk.default", name="ssidSAE-H2E.psk")
+ self.hostapd_h2e.set_value('sae_groups', '20')
+ self.hostapd_h2e.reload()
+ self.hostapd_h2e.wait_for_event("AP-ENABLED")
wd = IWD(True)
- self.validate_connection(wd)
+ self.validate_connection(wd, "ssidSAE-H2E")
def test_SAE_H2E_password_identifier(self):
- IWD.copy_to_storage("ssidSAE.psk.identifier", name="ssidSAE.psk")
- self.hostapd.set_value('sae_pwe', '1')
- self.hostapd.set_value('sae_groups', '20')
- self.hostapd.reload()
- self.hostapd.wait_for_event("AP-ENABLED")
+ IWD.copy_to_storage("profiles/ssidSAE.psk.identifier", name="ssidSAE-H2E.psk")
+ self.hostapd_h2e.set_value('sae_groups', '20')
+ self.hostapd_h2e.reload()
+ self.hostapd_h2e.wait_for_event("AP-ENABLED")
wd = IWD(True)
- self.validate_connection(wd)
+ self.validate_connection(wd, "ssidSAE-H2E")
def setUp(self):
self.hostapd.default()
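Review bot: test_SAE_H2E copies profiles/ssidSAE.psk.default to ssidSAE-H2E.psk, yet this patch also renames the old ssidSAE.psk.default to profiles/ssidSAE-H2E.psk.default, and none of the visible tests reference that renamed file. Either use the renamed profile here or drop the rename so no unused profile is left in the tree.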
@@ -68,6 +65,7 @@ class Test(unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.hostapd = HostapdCLI(config='ssidSAE.conf')
+ cls.hostapd_h2e = HostapdCLI(config='ssidSAE-H2E.conf')
if __name__ == '__main__':
unittest.main(exit=True)
diff --git a/autotests/testSAE/connection_test.py b/autotests/testSAE/connection_test.py
index ecb464e2..f7776385 100644
--- a/autotests/testSAE/connection_test.py
+++ b/autotests/testSAE/connection_test.py
@@ -13,7 +13,7 @@ import testutil
class Test(unittest.TestCase):
- def validate_connection(self, wd):
+ def validate_connection(self, wd, ssid, hostapd, expected_group):
psk_agent = PSKAgent("secret123")
wd.register_psk_agent(psk_agent)
@@ -23,11 +23,11 @@ class Test(unittest.TestCase):
device.disconnect()
- network = device.get_ordered_network('ssidSAE', full_scan=True)
+ network = device.get_ordered_network(ssid, full_scan=True)
self.assertEqual(network.type, NetworkType.psk)
- network.network_object.connect()
+ network.network_object.connect(wait=False)
condition = 'obj.state == DeviceState.connected'
wd.wait_for_object_condition(device, condition)
@@ -35,7 +35,11 @@ class Test(unittest.TestCase):
wd.wait(2)
testutil.test_iface_operstate(intf=device.name)
- testutil.test_ifaces_connected(if0=device.name, if1=self.hostapd.ifname)
+ testutil.test_ifaces_connected(if0=device.name, if1=hostapd.ifname)
+
+ sta_status = hostapd.sta_status(device.address)
+
+ self.assertEqual(int(sta_status["sae_group"]), expected_group)
device.disconnect()
@@ -46,37 +50,31 @@ class Test(unittest.TestCase):
def test_SAE(self):
self.hostapd.wait_for_event("AP-ENABLED")
- self.validate_connection(self.wd)
+ self.validate_connection(self.wd, "ssidSAE", self.hostapd, 19)
def test_SAE_force_group_19(self):
# Vendor data from APs which require group 19 be used first
- # TODO: (for all tests) verify the expected group was used
- self.hostapd.set_value('vendor_elements', 'dd0cf4f5e8050500000000000000')
self.hostapd.reload()
self.hostapd.wait_for_event("AP-ENABLED")
- self.validate_connection(self.wd)
+ self.validate_connection(self.wd, "ssidSAE-default-group", self.hostapd_defgroup, 19)
def test_SAE_Group20(self):
self.hostapd.set_value('sae_groups', '20')
- self.hostapd.set_value('vendor_elements', '')
self.hostapd.reload()
self.hostapd.wait_for_event("AP-ENABLED")
- self.validate_connection(self.wd)
+ self.validate_connection(self.wd, "ssidSAE", self.hostapd, 20)
def test_SAE_H2E(self):
- self.hostapd.set_value('sae_pwe', '1')
- self.hostapd.set_value('vendor_elements', '')
- self.hostapd.reload()
- self.hostapd.wait_for_event("AP-ENABLED")
- self.validate_connection(self.wd)
+ self.hostapd_h2e.set_value('sae_groups', '19')
+ self.hostapd_h2e.reload()
+ self.hostapd_h2e.wait_for_event("AP-ENABLED")
+ self.validate_connection(self.wd, "ssidSAE-H2E", self.hostapd_h2e, 19)
def test_SAE_H2E_Group20(self):
- self.hostapd.set_value('sae_pwe', '1')
- self.hostapd.set_value('sae_groups', '20')
- self.hostapd.set_value('vendor_elements', '')
- self.hostapd.reload()
- self.hostapd.wait_for_event("AP-ENABLED")
- self.validate_connection(self.wd)
+ self.hostapd_h2e.set_value('sae_groups', '20')
+ self.hostapd_h2e.reload()
+ self.hostapd_h2e.wait_for_event("AP-ENABLED")
+ self.validate_connection(self.wd, "ssidSAE-H2E", self.hostapd_h2e, 20)
def setUp(self):
self.hostapd.default()
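Review bot: test_SAE_force_group_19 now validates against self.hostapd_defgroup and SSID ssidSAE-default-group, but still calls reload() and wait_for_event("AP-ENABLED") on self.hostapd, which looks like a leftover from the old single-AP version. In addition, ssidSAE-default-group.conf is only created in patch 10/11 and hw.conf in this patch adds only rad1=ssidSAE-H2E.conf, so this patch on its own references an AP config that does not exist yet. Moving the default-group AP into this patch, or this test change into 10/11, keeps the series bisectable.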
@@ -89,6 +87,8 @@ class Test(unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.hostapd = HostapdCLI(config='ssidSAE.conf')
+ cls.hostapd_h2e = HostapdCLI(config='ssidSAE-H2E.conf')
+ cls.hostapd_defgroup = HostapdCLI(config='ssidSAE-default-group.conf')
@classmethod
def tearDownClass(cls):
diff --git a/autotests/testSAE/hw.conf b/autotests/testSAE/hw.conf
index 72b161b8..cc0836b7 100644
--- a/autotests/testSAE/hw.conf
+++ b/autotests/testSAE/hw.conf
@@ -1,7 +1,8 @@
[SETUP]
-num_radios=2
+num_radios=3
start_iwd=0
hwsim_medium=yes
[HOSTAPD]
rad0=ssidSAE.conf
+rad1=ssidSAE-H2E.conf
diff --git a/autotests/testSAE/ssidSAE.psk.default b/autotests/testSAE/profiles/ssidSAE-H2E.psk.default
similarity index 100%
rename from autotests/testSAE/ssidSAE.psk.default
rename to autotests/testSAE/profiles/ssidSAE-H2E.psk.default
diff --git a/autotests/testSAE/profiles/ssidSAE.psk.default b/autotests/testSAE/profiles/ssidSAE.psk.default
new file mode 100644
index 00000000..abafdb66
--- /dev/null
+++ b/autotests/testSAE/profiles/ssidSAE.psk.default
@@ -0,0 +1,2 @@
+[Security]
+Passphrase=secret123
diff --git a/autotests/testSAE/ssidSAE.psk.identifier b/autotests/testSAE/profiles/ssidSAE.psk.identifier
similarity index 100%
rename from autotests/testSAE/ssidSAE.psk.identifier
rename to autotests/testSAE/profiles/ssidSAE.psk.identifier
diff --git a/autotests/testSAE/ssidSAE-H2E.conf b/autotests/testSAE/ssidSAE-H2E.conf
new file mode 100644
index 00000000..ea963135
--- /dev/null
+++ b/autotests/testSAE/ssidSAE-H2E.conf
@@ -0,0 +1,12 @@
+hw_mode=g
+channel=1
+ssid=ssidSAE-H2E
+
+wpa=2
+wpa_key_mgmt=SAE
+wpa_pairwise=CCMP
+sae_password=secret123
+sae_password=withidentifier|id=myidentifier
+sae_groups=19
+ieee80211w=2
+sae_pwe=1
diff --git a/autotests/testSAE/ssidSAE.conf b/autotests/testSAE/ssidSAE.conf
index f5ce537d..4ec254aa 100644
--- a/autotests/testSAE/ssidSAE.conf
+++ b/autotests/testSAE/ssidSAE.conf
@@ -6,7 +6,6 @@ wpa=2
wpa_key_mgmt=SAE
wpa_pairwise=CCMP
sae_password=secret123
-sae_password=withidentifier|id=myidentifier
sae_groups=19
ieee80211w=2
sae_pwe=0
--
2.34.1
* [PATCH 10/11] auto-t: Add test for new SAE default group behavior
2024-02-27 18:33 [PATCH 01/11] doc: Document UseDefaultEccGroup James Prestwood
` (7 preceding siblings ...)
2024-02-27 18:34 ` [PATCH 09/11] auto-t: refactor/fix testSAE James Prestwood
@ 2024-02-27 18:34 ` James Prestwood
2024-02-27 18:34 ` [PATCH 11/11] auto-t: add OWE test for auto default group James Prestwood
2024-02-27 19:56 ` [PATCH 01/11] doc: Document UseDefaultEccGroup Denis Kenzior
10 siblings, 0 replies; 12+ messages in thread
From: James Prestwood @ 2024-02-27 18:34 UTC (permalink / raw)
To: iwd; +Cc: James Prestwood
Tests that the 3 possible options to UseDefaultEccGroup behave as
expected:
- When not provided use the "auto" behavior.
- When false, always use higher order groups
- When true, always use default group
---
autotests/testSAE/default_group_test.py | 96 +++++++++++++++++++
autotests/testSAE/hw.conf | 3 +-
.../profiles/ssidSAE.psk.default_group | 5 +
.../testSAE/profiles/ssidSAE.psk.most_secure | 5 +
autotests/testSAE/ssidSAE-default-group.conf | 12 +++
5 files changed, 120 insertions(+), 1 deletion(-)
create mode 100644 autotests/testSAE/default_group_test.py
create mode 100644 autotests/testSAE/profiles/ssidSAE.psk.default_group
create mode 100644 autotests/testSAE/profiles/ssidSAE.psk.most_secure
create mode 100644 autotests/testSAE/ssidSAE-default-group.conf
diff --git a/autotests/testSAE/default_group_test.py b/autotests/testSAE/default_group_test.py
new file mode 100644
index 00000000..d72c96ca
--- /dev/null
+++ b/autotests/testSAE/default_group_test.py
@@ -0,0 +1,96 @@
+#!/usr/bin/python3
+
+import unittest
+import sys
+import os
+sys.path.append('../util')
+import iwd
+from iwd import IWD
+from iwd import PSKAgent
+from iwd import NetworkType
+from hostapd import HostapdCLI
+import testutil
+
+class Test(unittest.TestCase):
+
+ def validate_connection(self, wd, rejected=False):
+ devices = wd.list_devices(1)
+ self.assertIsNotNone(devices)
+ device = devices[0]
+
+ device.autoconnect = True
+
+ if rejected:
+ device.wait_for_event("ecc-group-rejected", timeout=60)
+
+ condition = 'obj.state == DeviceState.connected'
+ wd.wait_for_object_condition(device, condition)
+
+ wd.wait(2)
+
+ testutil.test_iface_operstate(intf=device.name)
+ testutil.test_ifaces_connected(if0=device.name, if1=self.hostapd.ifname)
+
+ if not rejected:
+ self.assertEqual(device.event_ocurred("ecc-group-rejected"), False)
+
+ print(self.hostapd._get_status())
+
+ sta_status = self.hostapd.sta_status(device.address)
+
+ print(sta_status)
+
+ self.assertEqual(int(sta_status["sae_group"]), 19)
+
+ device.disconnect()
+
+ # IWD should:
+ # - Connect, fail with group 20
+ # - Retry, succeed with group 19
+ # - Disconnect
+ # - Connect, try only group 19
+ def test_auto_selection(self):
+ IWD.copy_to_storage("profiles/ssidSAE.psk.default", name="ssidSAE.psk")
+ self.validate_connection(self.wd, rejected=True)
+
+ self.validate_connection(self.wd, rejected=False)
+
+ # Try group 19 first
+ def test_default_group_enabled(self):
+ IWD.copy_to_storage("profiles/ssidSAE.psk.default_group", name="ssidSAE.psk")
+ self.validate_connection(self.wd)
+
+ # Same as auto-selection but won't retain the default group setting
+ def test_default_group_disabled(self):
+ IWD.copy_to_storage("profiles/ssidSAE.psk.most_secure", name="ssidSAE.psk")
+ self.validate_connection(self.wd, rejected=True)
+
+ # IWD should then retry but use only group 19
+ self.validate_connection(self.wd, rejected=True)
+
+ def setUp(self):
+ self.hostapd.default()
+ self.hostapd.set_value('sae_groups', '19')
+ self.hostapd.set_value('sae_pwe', '0')
+ self.hostapd.reload()
+ self.hostapd.wait_for_event("AP-ENABLED")
+ self.wd = IWD(True)
+
+ self.wd.clear_storage()
+ os.system("ls /tmp/iwd")
+
+ def tearDown(self):
+ self.wd.clear_storage()
+ self.wd = None
+
+ @classmethod
+ def setUpClass(cls):
+ cls.hostapd = HostapdCLI(config='ssidSAE.conf')
+ cls.hostapd.default()
+
+ @classmethod
+ def tearDownClass(cls):
+ pass
+
+if __name__ == '__main__':
+ unittest.main(exit=True)
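Review bot: In test_default_group_disabled the comment "# IWD should then retry but use only group 19" contradicts the call directly under it, validate_connection(self.wd, rejected=True), which waits for another "ecc-group-rejected" event, and it also contradicts the comment above the test ("won't retain the default group setting"). It reads as copied from the auto-selection case; reword it to say the second connection is expected to try the higher group again and be rejected again. Separately, os.system("ls /tmp/iwd") in setUp and the two print() calls in validate_connection look like debugging leftovers and can be dropped. test_auto_selection copies profiles/ssidSAE.psk.default, which is not among the files this patch creates, so please confirm it already exists in the tree at this point in the series.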
diff --git a/autotests/testSAE/hw.conf b/autotests/testSAE/hw.conf
index cc0836b7..127bbb31 100644
--- a/autotests/testSAE/hw.conf
+++ b/autotests/testSAE/hw.conf
@@ -1,8 +1,9 @@
[SETUP]
-num_radios=3
+num_radios=4
start_iwd=0
hwsim_medium=yes
[HOSTAPD]
rad0=ssidSAE.conf
rad1=ssidSAE-H2E.conf
+rad2=ssidSAE-default-group.conf
diff --git a/autotests/testSAE/profiles/ssidSAE.psk.default_group b/autotests/testSAE/profiles/ssidSAE.psk.default_group
new file mode 100644
index 00000000..2a016107
--- /dev/null
+++ b/autotests/testSAE/profiles/ssidSAE.psk.default_group
@@ -0,0 +1,5 @@
+[Security]
+Passphrase=secret123
+
+[Settings]
+UseDefaultEccGroup=true
diff --git a/autotests/testSAE/profiles/ssidSAE.psk.most_secure b/autotests/testSAE/profiles/ssidSAE.psk.most_secure
new file mode 100644
index 00000000..3a511991
--- /dev/null
+++ b/autotests/testSAE/profiles/ssidSAE.psk.most_secure
@@ -0,0 +1,5 @@
+[Security]
+Passphrase=secret123
+
+[Settings]
+UseDefaultEccGroup=false
\ No newline at end of file
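Review bot: ssidSAE.psk.most_secure ends without a trailing newline ("\ No newline at end of file"), unlike ssidSAE.psk.default_group added next to it; add the newline so the two profiles are consistent. The file name also does not say which setting it exercises, so a name that mirrors default_group would make the pairing with UseDefaultEccGroup=false obvious.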
diff --git a/autotests/testSAE/ssidSAE-default-group.conf b/autotests/testSAE/ssidSAE-default-group.conf
new file mode 100644
index 00000000..752e9c7b
--- /dev/null
+++ b/autotests/testSAE/ssidSAE-default-group.conf
@@ -0,0 +1,12 @@
+hw_mode=g
+channel=1
+ssid=ssidSAE-default-group
+
+wpa=2
+wpa_key_mgmt=SAE
+wpa_pairwise=CCMP
+sae_password=secret123
+sae_groups=19
+ieee80211w=2
+sae_pwe=0
+vendor_elements=dd0cf4f5e8050500000000000000
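Review bot: Nothing in this patch uses this AP config: default_group_test.py creates HostapdCLI(config='ssidSAE.conf') and stores its profiles as ssidSAE.psk, so the rad2 entry added to hw.conf and the ssid=ssidSAE-default-group network are never connected to by the new test. Either add a test case that targets this SSID or drop the file and the extra radio. The vendor_elements=dd0cf4f5e8050500000000000000 line also needs a comment, or a sentence in the commit message, saying what element it injects and why, since the hex is opaque to a reader.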
--
2.34.1
* [PATCH 11/11] auto-t: add OWE test for auto default group
From: James Prestwood @ 2024-02-27 18:34 UTC (permalink / raw)
To: iwd; +Cc: James Prestwood
---
autotests/testOWE/connection_test.py | 33 ++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
diff --git a/autotests/testOWE/connection_test.py b/autotests/testOWE/connection_test.py
index 1fdc990a..58e6560f 100644
--- a/autotests/testOWE/connection_test.py
+++ b/autotests/testOWE/connection_test.py
@@ -64,6 +64,39 @@ class Test(unittest.TestCase):
self.assertRaises(Exception, testutil.test_ifaces_connected,
(hapd0.ifname, device.name, True, True))
+ def test_auto_default_group(self):
+ wd = IWD()
+ hapd = HostapdCLI(config='ssidOWE-1.conf')
+
+ devices = wd.list_devices(1)
+ device = devices[0]
+
+ device.get_ordered_network('ssidOWE')
+
+ device.connect_bssid(hapd.bssid)
+
+ condition = 'obj.state == DeviceState.connected'
+ wd.wait_for_object_condition(device, condition)
+
+ # Should have rejected group 20, but still connected on 19
+ self.assertEqual(device.event_ocurred("ecc-group-rejected"), True)
+
+ testutil.test_iface_operstate()
+ testutil.test_ifaces_connected(device.name, hapd.ifname)
+
+ device.disconnect()
+
+ device.connect_bssid(hapd.bssid)
+
+ condition = 'obj.state == DeviceState.connected'
+ wd.wait_for_object_condition(device, condition)
+
+ # IWD should have used the default group, no rejection
+ self.assertEqual(device.event_ocurred("ecc-group-rejected"), False)
+
+ testutil.test_iface_operstate()
+ testutil.test_ifaces_connected(device.name, hapd.ifname)
+
@classmethod
def setUpClass(cls):
pass
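Review bot: The comment "Should have rejected group 20, but still connected on 19" is only half checked: the test asserts the "ecc-group-rejected" event but never asserts which group the association ended up using, whereas the SAE test in this series checks sta_status["sae_group"] against 19. If hostapd reports the OWE group for the station, assert it after both connections. The second assertEqual(..., False) also depends on the earlier rejection no longer being reported after device.disconnect(); nothing in this hunk resets it, so a short comment on how event_ocurred treats past events would help. The patch has no commit message body, which would be the natural place to describe the intended connect, reject, reconnect sequence.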
--
2.34.1
* Re: [PATCH 01/11] doc: Document UseDefaultEccGroup
From: Denis Kenzior @ 2024-02-27 19:56 UTC (permalink / raw)
To: James Prestwood, iwd
Hi James,
On 2/27/24 12:33, James Prestwood wrote:
> ---
> src/iwd.network.rst | 7 +++++++
> 1 file changed, 7 insertions(+)
All applied, thanks.
Regards,
-Denis