From 924fa4c5d9992aa71eb95ef0b9ab90ac3bafc664 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 1 May 2022 13:01:46 +0300
Subject: [PATCH] tests: IMSI privacy with imsi_privacy_key on peer
Signed-off-by: Jouni Malinen
---
 tests/hwsim/test_ap_eap.py | 54 ++++++++++++++++++++++++++++++++++++
 tests/hwsim/test_ap_hs20.py | 27 ++++++++++++++++--
 tests/hwsim/wpasupplicant.py | 4 +--
 3 files changed, 80 insertions(+), 5 deletions(-)
diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py
index afdeb5541..e31770e5e 100644
--- a/tests/hwsim/test_ap_eap.py
+++ b/tests/hwsim/test_ap_eap.py
@@ -345,6 +345,24 @@ def test_ap_wpa2_eap_sim_imsi_identity(dev, apdev, params):
 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
 eap_reauth(dev[0], "SIM")
+def test_ap_wpa2_eap_sim_imsi_privacy_key(dev, apdev):
+ """WPA2-Enterprise connection using EAP-SIM and imsi_privacy_key"""
+ tls = dev[0].request("GET tls_library")
+ if not tls.startswith("OpenSSL"):
+ raise HwsimSkip("IMSI privacy not supported with this TLS library: " + tls)
+ check_hlr_auc_gw_support()
+ params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+ hapd = hostapd.add_ap(apdev[0], params)
+ tls = hapd.request("GET tls_library")
+ if not tls.startswith("OpenSSL"):
+ raise HwsimSkip("IMSI privacy not supported with this TLS library: " + tls)
+
+ eap_connect(dev[0], hapd, "SIM",
+ "1232010000000000@wlan.mnc232.mcc02.3gppnetwork.org",
+ imsi_privacy_key="auth_serv/imsi-privacy-cert.pem",
+ password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
+ eap_reauth(dev[0], "SIM")
+
 def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
 check_hlr_auc_gw_support()
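Review bot: `test_ap_wpa2_eap_sim_imsi_privacy_key` only shows that the connection and the reauthentication succeed once `imsi_privacy_key` is set; nothing in the hunk checks that the permanent identity left the peer in encrypted form. If the supplicant ignored the key or fell back to the cleartext IMSI, and the server still accepts the plain identity (not visible in this patch), the test would pass anyway. For a privacy feature the test should also assert on the identity the authentication server received, and fail when it equals the configured permanent identity string. The same gap applies to the EAP-AKA and EAP-AKA' tests added in the next two hunks.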
@@ -1112,6 +1130,24 @@ def test_ap_wpa2_eap_aka_imsi_identity(dev, apdev, params):
 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
 eap_reauth(dev[0], "AKA")
+def test_ap_wpa2_eap_aka_imsi_privacy_key(dev, apdev):
+ """WPA2-Enterprise connection using EAP-AKA and imsi_privacy_key"""
+ tls = dev[0].request("GET tls_library")
+ if not tls.startswith("OpenSSL"):
+ raise HwsimSkip("IMSI privacy not supported with this TLS library: " + tls)
+ check_hlr_auc_gw_support()
+ params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+ hapd = hostapd.add_ap(apdev[0], params)
+ tls = hapd.request("GET tls_library")
+ if not tls.startswith("OpenSSL"):
+ raise HwsimSkip("IMSI privacy not supported with this TLS library: " + tls)
+
+ eap_connect(dev[0], hapd, "AKA",
+ "0232010000000000@wlan.mnc232.mcc02.3gppnetwork.org",
+ imsi_privacy_key="auth_serv/imsi-privacy-cert.pem",
+ password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
+ eap_reauth(dev[0], "AKA")
+
 def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
 """WPA2-Enterprise connection using EAP-AKA (SQL)"""
 check_hlr_auc_gw_support()
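Review bot: The `GET tls_library` / `startswith("OpenSSL")` skip check is written out twice in this test, twice each in the EAP-SIM and EAP-AKA' tests of the same file, and once more in `hs20_simulated_sim`. Moving it into one helper that takes the control-interface object and raises `HwsimSkip` would keep the supported-library condition in a single place when another TLS backend gains IMSI privacy support. The calls would then read `check_imsi_privacy_support(dev[0])` and `check_imsi_privacy_support(hapd)`; the helper name is only a suggestion, no such function appears in this patch.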
@@ -1367,6 +1403,24 @@ def test_ap_wpa2_eap_aka_prime_imsi_identity(dev, apdev, params):
 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
 eap_reauth(dev[0], "AKA'")
+def test_ap_wpa2_eap_aka_prime_imsi_privacy_key(dev, apdev):
+ """WPA2-Enterprise connection using EAP-AKA' and imsi_privacy_key"""
+ tls = dev[0].request("GET tls_library")
+ if not tls.startswith("OpenSSL"):
+ raise HwsimSkip("IMSI privacy not supported with this TLS library: " + tls)
+ check_hlr_auc_gw_support()
+ params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+ hapd = hostapd.add_ap(apdev[0], params)
+ tls = hapd.request("GET tls_library")
+ if not tls.startswith("OpenSSL"):
+ raise HwsimSkip("IMSI privacy not supported with this TLS library: " + tls)
+
+ eap_connect(dev[0], hapd, "AKA'",
+ "6555444333222111@wlan.mnc555.mcc44.3gppnetwork.org",
+ imsi_privacy_key="auth_serv/imsi-privacy-cert.pem",
+ password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
+ eap_reauth(dev[0], "AKA'")
+
 def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
 """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
 check_hlr_auc_gw_support()
diff --git a/tests/hwsim/test_ap_hs20.py b/tests/hwsim/test_ap_hs20.py
index c5317d1c6..ad2d05f16 100644
--- a/tests/hwsim/test_ap_hs20.py
+++ b/tests/hwsim/test_ap_hs20.py
@@ -530,7 +530,7 @@ def test_ap_hs20_select(dev, apdev):
 'domain': "example.org"})
 interworking_select(dev[0], bssid2, "home", freq="2412")
-def hs20_simulated_sim(dev, ap, method):
+def hs20_simulated_sim(dev, ap, method, imsi_privacy=False):
 bssid = ap['bssid']
 params = hs20_ap_params()
 params['hessid'] = bssid
@@ -539,8 +539,14 @@ def hs20_simulated_sim(dev, ap, method):
 hostapd.add_ap(ap, params)
 dev.hs20_enable()
- dev.add_cred_values({'imsi': "555444-333222111", 'eap': method,
- 'milenage': "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"})
+ params = {'imsi': "555444-333222111", 'eap': method,
+ 'milenage': "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"}
+ if imsi_privacy:
+ tls = dev.request("GET tls_library")
+ if not tls.startswith("OpenSSL"):
+ raise HwsimSkip("IMSI privacy not supported with this TLS library: " + tls)
+ params['imsi_privacy_key'] = "auth_serv/imsi-privacy-cert.pem"
+ dev.add_cred_values(params)
 interworking_select(dev, bssid, "home", freq="2412")
 interworking_connect(dev, bssid, method)
 check_sp_type(dev, "home")
@@ -554,6 +560,11 @@ def test_ap_hs20_sim(dev, apdev):
 if ev is None:
 raise Exception("Timeout on already-connected event")
+def test_ap_hs20_sim_imsi_privacy(dev, apdev):
+ """Hotspot 2.0 with simulated SIM and EAP-SIM with IMSI privacy"""
+ hlr_auc_gw_available()
+ hs20_simulated_sim(dev[0], apdev[0], "SIM", imsi_privacy=True)
+
 def test_ap_hs20_sim_invalid(dev, apdev):
 """Hotspot 2.0 with simulated SIM and EAP-SIM - invalid IMSI"""
 hlr_auc_gw_available()
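Review bot: With `imsi_privacy=True` the skip check in `hs20_simulated_sim` covers only the station (`dev.request("GET tls_library")`), whereas the new tests in test_ap_eap.py also query the AP side before connecting. The return value of `hostapd.add_ap(ap, params)` in the context line above is discarded, so a hostapd built against another TLS library would presumably make the Hotspot 2.0 variants fail rather than skip; keeping the handle with `hapd = hostapd.add_ap(ap, params)` and applying the same check to it would align the two files. Rebinding `params` to the credential dict also hides the AP parameters of the same name, so `cred = {...}` followed by `dev.add_cred_values(cred)` would read more clearly. The function starts before this hunk.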
@@ -599,11 +610,21 @@ def test_ap_hs20_aka(dev, apdev): hlr_auc_gw_available() hs20_simulated_sim(dev[0], apdev[0], "AKA") +def test_ap_hs20_aka_imsi_privacy(dev, apdev): + """Hotspot 2.0 with simulated USIM and EAP-AKA with IMSI privacy""" + hlr_auc_gw_available() + hs20_simulated_sim(dev[0], apdev[0], "AKA", imsi_privacy=True) + def test_ap_hs20_aka_prime(dev, apdev): """Hotspot 2.0 with simulated USIM and EAP-AKA'""" hlr_auc_gw_available() hs20_simulated_sim(dev[0], apdev[0], "AKA'") +def test_ap_hs20_aka_prime_imsi_privacy(dev, apdev): + """Hotspot 2.0 with simulated USIM and EAP-AKA with IMSI privacy'""" + hlr_auc_gw_available() + hs20_simulated_sim(dev[0], apdev[0], "AKA'", imsi_privacy=True) + def test_ap_hs20_ext_sim(dev, apdev): """Hotspot 2.0 with external SIM processing""" hlr_auc_gw_available() diff --git a/tests/hwsim/wpasupplicant.py b/tests/hwsim/wpasupplicant.py index 08bf1f649..2f9a64653 100644 --- a/tests/hwsim/wpasupplicant.py +++ b/tests/hwsim/wpasupplicant.py @@ -454,7 +454,7 @@ class WpaSupplicant: "excluded_ssid", "milenage", "ca_cert", "client_cert", "private_key", "domain_suffix_match", "provisioning_sp", "roaming_partner", "phase1", "phase2", "private_key_passwd", - "roaming_consortiums"] + "roaming_consortiums", "imsi_privacy_key"] for field in quoted: if field in params: self.set_cred_quoted(id, field, params[field]) @@ -1083,7 +1083,7 @@ class WpaSupplicant: "sae_password_id", "check_cert_subject", "machine_ca_cert", "machine_client_cert", "machine_private_key", "machine_phase2", - "imsi_identity"] + "imsi_identity", "imsi_privacy_key"] for field in quoted: if field in kwargs and kwargs[field]: self.set_network_quoted(id, field, kwargs[field])
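Review bot: The docstring of `test_ap_hs20_aka_prime_imsi_privacy` has the prime mark in the wrong place: it reads `EAP-AKA with IMSI privacy'`, so test listings show the wrong method name for this case. It should be `"""Hotspot 2.0 with simulated USIM and EAP-AKA' with IMSI privacy"""`, matching the existing `test_ap_hs20_aka_prime` docstring in the context lines.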