diff --git a/tests/hwsim/auth_serv/ec-ca-openssl.cnf b/tests/hwsim/auth_serv/ec-ca-openssl.cnf new file mode 100644 index 000000000..c803dd35c --- /dev/null +++ b/tests/hwsim/auth_serv/ec-ca-openssl.cnf @@ -0,0 +1,111 @@ +# OpenSSL configuration file for Suite B + +HOME = . +RANDFILE = $ENV::HOME/.rnd +oid_section = new_oids + +[ new_oids ] + +[ ca ] +default_ca = CA_default + +[ CA_default ] + +dir = ./ec-ca +certs = $dir/certs +crl_dir = $dir/crl +database = $dir/index.txt +#unique_subject = no +new_certs_dir = $dir/newcerts +certificate = $dir/cacert.pem +serial = $dir/serial +crlnumber = $dir/crlnumber +crl = $dir/crl.pem +private_key = $dir/private/cakey.pem +RANDFILE = $dir/private/.rand + +x509_extensions = ext_client + +name_opt = ca_default +cert_opt = ca_default + +copy_extensions = copy + +default_days = 365 +default_crl_days= 30 +default_md = default +preserve = no + +policy = policy_match + +[ policy_match ] +countryName = match +stateOrProvinceName = optional +organizationName = match +organizationalUnitName = optional +commonName = supplied +#emailAddress = optional + +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +#emailAddress = optional + +[ req ] +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca + +string_mask = utf8only + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = FI +countryName_min = 2 +countryName_max = 2 + +localityName = Locality Name (eg, city) +localityName_default = Helsinki + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = w1.fi + +commonName = Common Name (e.g. server FQDN or YOUR name) +#@CN@ +commonName_max = 64 + +[ req_attributes ] + +[ v3_ca ] + +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer +basicConstraints = critical, CA:true, pathlen:0 +keyUsage = critical, cRLSign, keyCertSign + +[ crl_ext ] + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always + +[ ext_client ] + +basicConstraints=CA:FALSE +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer +#@ALTNAME@ +extendedKeyUsage = clientAuth +keyUsage = digitalSignature, keyEncipherment + +[ ext_server ] + +basicConstraints=critical, CA:FALSE +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer +#@ALTNAME@ +extendedKeyUsage = critical, serverAuth +keyUsage = digitalSignature, keyEncipherment diff --git a/tests/hwsim/auth_serv/ec-ca.pem b/tests/hwsim/auth_serv/ec-ca.pem new file mode 100644 index 000000000..a04b88667 --- /dev/null +++ b/tests/hwsim/auth_serv/ec-ca.pem @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIICAjCCAaegAwIBAgIJANry4MnEh6ybMAoGCCqGSM49BAMCMFIxCzAJBgNVBAYT +AkZJMREwDwYDVQQHDAhIZWxzaW5raTEOMAwGA1UECgwFdzEuZmkxIDAeBgNVBAMM +F1N1aXRlIEIgMTI4LWJpdCBSb290IENBMB4XDTE1MDEyNTExMjk1M1oXDTI1MDEy +MjExMjk1M1owUjELMAkGA1UEBhMCRkkxETAPBgNVBAcMCEhlbHNpbmtpMQ4wDAYD +VQQKDAV3MS5maTEgMB4GA1UEAwwXU3VpdGUgQiAxMjgtYml0IFJvb3QgQ0EwWTAT +BgcqhkjOPQIBBggqhkjOPQMBBwNCAASqUNEASvF83W/PA2xqq/2fhIgZeLdSnnLc +0yLcjku5WvpLHGy/pLhRsvghtjWjTsgqBqfeW8tq0ywsUdY0ylsNo2YwZDAdBgNV +HQ4EFgQU/IP6SzTrGV4cfeWF7Mf8IfXodWgwHwYDVR0jBBgwFoAU/IP6SzTrGV4c +feWF7Mf8IfXodWgwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYw +CgYIKoZIzj0EAwIDSQAwRgIhAIfEWvUO4+28moKfVL8RXbKKexTZk82UCRL2yi01 +c81AAiEAxBGPZU0vnwxjAaCOhRIH+5X9PDkdLSs25S4ua6BicT8= +-----END CERTIFICATE----- diff --git a/tests/hwsim/auth_serv/ec-generate.sh b/tests/hwsim/auth_serv/ec-generate.sh new file mode 100755 index 000000000..c9fdabc6b --- /dev/null +++ b/tests/hwsim/auth_serv/ec-generate.sh @@ -0,0 +1,53 @@ +#!/bin/sh + +OPENSSL=openssl + +CURVE=prime256v1 +DIGEST="-sha256" +DIGEST_CA="-md sha256" + +echo +echo "---[ Root CA ]----------------------------------------------------------" +echo + +cat ec-ca-openssl.cnf | + sed "s/#@CN@/commonName_default = Suite B 128-bit Root CA/" \ + > ec-ca-openssl.cnf.tmp +$OPENSSL ecparam -out ec-ca.key -name $CURVE -genkey +$OPENSSL req -config ec-ca-openssl.cnf.tmp -batch -x509 -new -key ec-ca.key -out ec-ca.pem -outform PEM -days 3650 $DIGEST +mkdir -p ec-ca/certs ec-ca/crl ec-ca/newcerts ec-ca/private +touch ec-ca/index.txt +rm ec-ca-openssl.cnf.tmp + +echo +echo "---[ Server ]-----------------------------------------------------------" +echo + +cat ec-ca-openssl.cnf | + sed "s/#@CN@/commonName_default = server.w1.fi/" | + sed "s/#@ALTNAME@/subjectAltName=critical,DNS:server.w1.fi/" \ + > ec-ca-openssl.cnf.tmp +$OPENSSL ecparam -out ec-server.key -name $CURVE -genkey +$OPENSSL req -config ec-ca-openssl.cnf.tmp -batch -new -nodes -key ec-server.key -out ec-server.req -outform PEM $DIGEST +$OPENSSL ca -config ec-ca-openssl.cnf.tmp -batch -keyfile ec-ca.key -cert ec-ca.pem -create_serial -in ec-server.req -out ec-server.pem -extensions ext_server $DIGEST_CA +rm ec-ca-openssl.cnf.tmp + +echo +echo "---[ User ]-------------------------------------------------------------" +echo + +cat ec-ca-openssl.cnf | + sed "s/#@CN@/commonName_default = user/" | + sed "s/#@ALTNAME@/subjectAltName=email:user@w1.fi/" \ + > ec-ca-openssl.cnf.tmp +$OPENSSL ecparam -out ec-user.key -name $CURVE -genkey +$OPENSSL req -config ec-ca-openssl.cnf.tmp -batch -new -nodes -key ec-user.key -out ec-user.req -outform PEM -extensions ext_client $DIGEST +$OPENSSL ca -config ec-ca-openssl.cnf.tmp -batch -keyfile ec-ca.key -cert ec-ca.pem -create_serial -in ec-user.req -out ec-user.pem -extensions ext_client $DIGEST_CA +rm ec-ca-openssl.cnf.tmp + +echo +echo "---[ Verify ]-----------------------------------------------------------" +echo + +$OPENSSL verify -CAfile ec-ca.pem ec-server.pem +$OPENSSL verify -CAfile ec-ca.pem ec-user.pem diff --git a/tests/hwsim/auth_serv/ec-server.key b/tests/hwsim/auth_serv/ec-server.key new file mode 100644 index 000000000..391e9ed96 --- /dev/null +++ b/tests/hwsim/auth_serv/ec-server.key @@ -0,0 +1,8 @@ +-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBBw== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIN/qNiKLsQDpQWumSiRRF6LM7TP7GTwdS8vG7xP8vKz/oAoGCCqGSM49 +AwEHoUQDQgAEvl8WCLIK1vIZbxQZ7yDyKzzgvoxlhl+VwbuQNuzcWTq6QJqdEXbH +gFohTPzAXxlSyHi45Uz6yWrR/uq2OldcmQ== +-----END EC PRIVATE KEY----- diff --git a/tests/hwsim/auth_serv/ec-server.pem b/tests/hwsim/auth_serv/ec-server.pem new file mode 100644 index 000000000..4222b1e59 --- /dev/null +++ b/tests/hwsim/auth_serv/ec-server.pem @@ -0,0 +1,53 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 9573410140069116734 (0x84db95ccdff13b3e) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: C=FI, L=Helsinki, O=w1.fi, CN=Suite B 128-bit Root CA + Validity + Not Before: Jan 25 11:29:53 2015 GMT + Not After : Jan 25 11:29:53 2016 GMT + Subject: C=FI, O=w1.fi, CN=server.w1.fi + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:be:5f:16:08:b2:0a:d6:f2:19:6f:14:19:ef:20: + f2:2b:3c:e0:be:8c:65:86:5f:95:c1:bb:90:36:ec: + dc:59:3a:ba:40:9a:9d:11:76:c7:80:5a:21:4c:fc: + c0:5f:19:52:c8:78:b8:e5:4c:fa:c9:6a:d1:fe:ea: + b6:3a:57:5c:99 + ASN1 OID: prime256v1 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Subject Key Identifier: + 6E:21:26:96:72:29:39:BF:8B:EF:EB:65:CD:E0:4E:97:6F:1A:2C:E5 + X509v3 Authority Key Identifier: + keyid:FC:83:FA:4B:34:EB:19:5E:1C:7D:E5:85:EC:C7:FC:21:F5:E8:75:68 + + X509v3 Subject Alternative Name: critical + DNS:server.w1.fi + X509v3 Extended Key Usage: critical + TLS Web Server Authentication + X509v3 Key Usage: + Digital Signature, Key Encipherment + Signature Algorithm: ecdsa-with-SHA256 + 30:44:02:20:47:b1:5e:57:ae:6c:0b:df:78:11:79:5c:b2:60: + fd:0c:9c:37:18:19:fe:c1:b6:ca:f6:4f:62:63:13:ff:ff:64: + 02:20:07:1f:3b:1d:c7:d8:fe:ff:26:0b:68:d0:85:bc:01:15: + 62:e4:7f:f4:c7:e4:ad:d5:da:40:44:5a:0b:f5:72:9e +-----BEGIN CERTIFICATE----- +MIICDzCCAbagAwIBAgIJAITblczf8Ts+MAoGCCqGSM49BAMCMFIxCzAJBgNVBAYT +AkZJMREwDwYDVQQHDAhIZWxzaW5raTEOMAwGA1UECgwFdzEuZmkxIDAeBgNVBAMM +F1N1aXRlIEIgMTI4LWJpdCBSb290IENBMB4XDTE1MDEyNTExMjk1M1oXDTE2MDEy +NTExMjk1M1owNDELMAkGA1UEBhMCRkkxDjAMBgNVBAoMBXcxLmZpMRUwEwYDVQQD +DAxzZXJ2ZXIudzEuZmkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS+XxYIsgrW +8hlvFBnvIPIrPOC+jGWGX5XBu5A27NxZOrpAmp0RdseAWiFM/MBfGVLIeLjlTPrJ +atH+6rY6V1yZo4GSMIGPMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFG4hJpZyKTm/ +i+/rZc3gTpdvGizlMB8GA1UdIwQYMBaAFPyD+ks06xleHH3lhezH/CH16HVoMBoG +A1UdEQEB/wQQMA6CDHNlcnZlci53MS5maTAWBgNVHSUBAf8EDDAKBggrBgEFBQcD +ATALBgNVHQ8EBAMCBaAwCgYIKoZIzj0EAwIDRwAwRAIgR7FeV65sC994EXlcsmD9 +DJw3GBn+wbbK9k9iYxP//2QCIAcfOx3H2P7/Jgto0IW8ARVi5H/0x+St1dpARFoL +9XKe +-----END CERTIFICATE----- diff --git a/tests/hwsim/auth_serv/ec-user.key b/tests/hwsim/auth_serv/ec-user.key new file mode 100644 index 000000000..e390c06e4 --- /dev/null +++ b/tests/hwsim/auth_serv/ec-user.key @@ -0,0 +1,8 @@ +-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBBw== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIL52ZfaYm8GAzhot94BCQriTmQEq2+JPkS+HCwUpLuwaoAoGCCqGSM49 +AwEHoUQDQgAEnE2sSN8ZOateUoi3Ao0VewSH+1ceTf+NkiJpoymO6U6q0CSlG2bp +dZyBk+6UIOD9WiCi2tN+QGbvPnPrlLfBOg== +-----END EC PRIVATE KEY----- diff --git a/tests/hwsim/auth_serv/ec-user.pem b/tests/hwsim/auth_serv/ec-user.pem new file mode 100644 index 000000000..9a6aba860 --- /dev/null +++ b/tests/hwsim/auth_serv/ec-user.pem @@ -0,0 +1,52 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 9573410140069116735 (0x84db95ccdff13b3f) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: C=FI, L=Helsinki, O=w1.fi, CN=Suite B 128-bit Root CA + Validity + Not Before: Jan 25 11:29:53 2015 GMT + Not After : Jan 25 11:29:53 2016 GMT + Subject: C=FI, O=w1.fi, CN=user + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:9c:4d:ac:48:df:19:39:ab:5e:52:88:b7:02:8d: + 15:7b:04:87:fb:57:1e:4d:ff:8d:92:22:69:a3:29: + 8e:e9:4e:aa:d0:24:a5:1b:66:e9:75:9c:81:93:ee: + 94:20:e0:fd:5a:20:a2:da:d3:7e:40:66:ef:3e:73: + eb:94:b7:c1:3a + ASN1 OID: prime256v1 + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 Subject Key Identifier: + 89:28:76:9A:42:DB:B6:F8:36:97:63:8F:7D:0A:EA:0B:FE:66:2B:CD + X509v3 Authority Key Identifier: + keyid:FC:83:FA:4B:34:EB:19:5E:1C:7D:E5:85:EC:C7:FC:21:F5:E8:75:68 + + X509v3 Subject Alternative Name: + email:user@w1.fi + X509v3 Extended Key Usage: + TLS Web Client Authentication + X509v3 Key Usage: + Digital Signature, Key Encipherment + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:20:26:84:14:f6:50:ac:ed:da:88:27:6d:18:d5:b3: + 2c:c8:59:ea:2a:c3:ae:69:03:79:0d:66:5e:5f:a5:52:27:92: + 02:21:00:db:8d:fd:58:e5:22:9b:17:32:57:34:e9:2e:30:da: + 1d:77:4c:15:18:9b:7d:e4:5d:bc:64:cd:21:ff:57:df:16 +-----BEGIN CERTIFICATE----- +MIIB/TCCAaOgAwIBAgIJAITblczf8Ts/MAoGCCqGSM49BAMCMFIxCzAJBgNVBAYT +AkZJMREwDwYDVQQHDAhIZWxzaW5raTEOMAwGA1UECgwFdzEuZmkxIDAeBgNVBAMM +F1N1aXRlIEIgMTI4LWJpdCBSb290IENBMB4XDTE1MDEyNTExMjk1M1oXDTE2MDEy +NTExMjk1M1owLDELMAkGA1UEBhMCRkkxDjAMBgNVBAoMBXcxLmZpMQ0wCwYDVQQD +DAR1c2VyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEnE2sSN8ZOateUoi3Ao0V +ewSH+1ceTf+NkiJpoymO6U6q0CSlG2bpdZyBk+6UIOD9WiCi2tN+QGbvPnPrlLfB +OqOBhzCBhDAJBgNVHRMEAjAAMB0GA1UdDgQWBBSJKHaaQtu2+DaXY499CuoL/mYr +zTAfBgNVHSMEGDAWgBT8g/pLNOsZXhx95YXsx/wh9eh1aDAVBgNVHREEDjAMgQp1 +c2VyQHcxLmZpMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAsGA1UdDwQEAwIFoDAKBggq +hkjOPQQDAgNIADBFAiAmhBT2UKzt2ognbRjVsyzIWeoqw65pA3kNZl5fpVInkgIh +ANuN/VjlIpsXMlc06S4w2h13TBUYm33kXbxkzSH/V98W +-----END CERTIFICATE----- diff --git a/tests/hwsim/test_suite_b.py b/tests/hwsim/test_suite_b.py index 2b2c9c2dc..fa17ed9f5 100644 --- a/tests/hwsim/test_suite_b.py +++ b/tests/hwsim/test_suite_b.py @@ -1,5 +1,5 @@ # Suite B tests -# Copyright (c) 2014, Jouni Malinen +# Copyright (c) 2014-2015, Jouni Malinen # # This software may be distributed under the terms of the BSD license. # See README for more details. @@ -12,19 +12,45 @@ import hostapd from utils import HwsimSkip def test_suite_b(dev, apdev): - """WPA2-PSK/GCMP connection""" + """WPA2-PSK/GCMP connection at Suite B 128-bit level""" if "GCMP" not in dev[0].get_capability("pairwise"): raise HwsimSkip("GCMP not supported") - params = hostapd.wpa2_eap_params(ssid="test-suite-b") - params["wpa_key_mgmt"] = "WPA-EAP-SUITE-B" - params['rsn_pairwise'] = "GCMP" + if "BIP-GMAC-128" not in dev[0].get_capability("group_mgmt"): + raise HwsimSkip("BIP-GMAC-128 not supported") + if "WPA-EAP-SUITE-B" not in dev[0].get_capability("key_mgmt"): + raise HwsimSkip("WPA-EAP-SUITE-B not supported") + tls = dev[0].request("GET tls_library") + if not tls.startswith("OpenSSL"): + raise HwsimSkip("TLS library not supported for Suite B: " + tls); + if "build=OpenSSL 1.0.2" not in tls or "run=OpenSSL 1.0.2" not in tls: + raise HwsimSkip("OpenSSL version not supported for Suite B: " + tls) + + params = { "ssid": "test-suite-b", + "wpa": "2", + "wpa_key_mgmt": "WPA-EAP-SUITE-B", + "rsn_pairwise": "GCMP", + "group_mgmt_cipher": "BIP-GMAC-128", + "ieee80211w": "2", + "ieee8021x": "1", + "openssl_ciphers": "SUITEB128", + #"dh_file": "auth_serv/dh.conf", + "eap_server": "1", + "eap_user_file": "auth_serv/eap_user.conf", + "ca_cert": "auth_serv/ec-ca.pem", + "server_cert": "auth_serv/ec-server.pem", + "private_key": "auth_serv/ec-server.key" } hapd = hostapd.add_ap(apdev[0]['ifname'], params) - # TODO: Force Suite B configuration for TLS - dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B", - eap="TLS", identity="tls user", ca_cert="auth_serv/ca.pem", - client_cert="auth_serv/user.pem", - private_key="auth_serv/user.key", + + dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B", ieee80211w="2", + openssl_ciphers="SUITEB128", + eap="TLS", identity="tls user", + ca_cert="auth_serv/ec-ca.pem", + client_cert="auth_serv/ec-user.pem", + private_key="auth_serv/ec-user.key", pairwise="GCMP", group="GCMP", scan_freq="2412") + tls_cipher = dev[0].get_status_field("EAP TLS cipher") + if tls_cipher != "ECDHE-ECDSA-AES128-GCM-SHA256": + raise Exception("Unexpected TLS cipher: " + tls_cipher) bss = dev[0].get_bss(apdev[0]['bssid']) if 'flags' not in bss: