tests: IMSI privacy with imsi_privacy_key on peer

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-01 13:01:46 +03:00 · 2022-05-01 13:01:46 +03:00 · 924fa4c5d9
commit 924fa4c5d9
parent 42871a5d25
3 changed files with 80 additions and 5 deletions
--- a/tests/hwsim/test_ap_eap.py
+++ b/tests/hwsim/test_ap_eap.py
@ -345,6 +345,24 @@ def test_ap_wpa2_eap_sim_imsi_identity(dev, apdev, params):
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    eap_reauth(dev[0], "SIM")

+def test_ap_wpa2_eap_sim_imsi_privacy_key(dev, apdev):
+    """WPA2-Enterprise connection using EAP-SIM and imsi_privacy_key"""
+    tls = dev[0].request("GET tls_library")
+    if not tls.startswith("OpenSSL"):
+        raise HwsimSkip("IMSI privacy not supported with this TLS library: " + tls)
+    check_hlr_auc_gw_support()
+    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+    hapd = hostapd.add_ap(apdev[0], params)
+    tls = hapd.request("GET tls_library")
+    if not tls.startswith("OpenSSL"):
+        raise HwsimSkip("IMSI privacy not supported with this TLS library: " + tls)
+
+    eap_connect(dev[0], hapd, "SIM",
+                "1232010000000000@wlan.mnc232.mcc02.3gppnetwork.org",
+                imsi_privacy_key="auth_serv/imsi-privacy-cert.pem",
+                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
+    eap_reauth(dev[0], "SIM")
+
 def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-SIM (SQL)"""
    check_hlr_auc_gw_support()
@ -1112,6 +1130,24 @@ def test_ap_wpa2_eap_aka_imsi_identity(dev, apdev, params):
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    eap_reauth(dev[0], "AKA")

+def test_ap_wpa2_eap_aka_imsi_privacy_key(dev, apdev):
+    """WPA2-Enterprise connection using EAP-AKA and imsi_privacy_key"""
+    tls = dev[0].request("GET tls_library")
+    if not tls.startswith("OpenSSL"):
+        raise HwsimSkip("IMSI privacy not supported with this TLS library: " + tls)
+    check_hlr_auc_gw_support()
+    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+    hapd = hostapd.add_ap(apdev[0], params)
+    tls = hapd.request("GET tls_library")
+    if not tls.startswith("OpenSSL"):
+        raise HwsimSkip("IMSI privacy not supported with this TLS library: " + tls)
+
+    eap_connect(dev[0], hapd, "AKA",
+                "0232010000000000@wlan.mnc232.mcc02.3gppnetwork.org",
+                imsi_privacy_key="auth_serv/imsi-privacy-cert.pem",
+                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
+    eap_reauth(dev[0], "AKA")
+
 def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA (SQL)"""
    check_hlr_auc_gw_support()
@ -1367,6 +1403,24 @@ def test_ap_wpa2_eap_aka_prime_imsi_identity(dev, apdev, params):
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
    eap_reauth(dev[0], "AKA'")

+def test_ap_wpa2_eap_aka_prime_imsi_privacy_key(dev, apdev):
+    """WPA2-Enterprise connection using EAP-AKA' and imsi_privacy_key"""
+    tls = dev[0].request("GET tls_library")
+    if not tls.startswith("OpenSSL"):
+        raise HwsimSkip("IMSI privacy not supported with this TLS library: " + tls)
+    check_hlr_auc_gw_support()
+    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+    hapd = hostapd.add_ap(apdev[0], params)
+    tls = hapd.request("GET tls_library")
+    if not tls.startswith("OpenSSL"):
+        raise HwsimSkip("IMSI privacy not supported with this TLS library: " + tls)
+
+    eap_connect(dev[0], hapd, "AKA'",
+                "6555444333222111@wlan.mnc555.mcc44.3gppnetwork.org",
+                imsi_privacy_key="auth_serv/imsi-privacy-cert.pem",
+                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
+    eap_reauth(dev[0], "AKA'")
+
 def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
    check_hlr_auc_gw_support()
--- a/tests/hwsim/test_ap_hs20.py
+++ b/tests/hwsim/test_ap_hs20.py
@ -530,7 +530,7 @@ def test_ap_hs20_select(dev, apdev):
                                 'domain': "example.org"})
    interworking_select(dev[0], bssid2, "home", freq="2412")

-def hs20_simulated_sim(dev, ap, method):
+def hs20_simulated_sim(dev, ap, method, imsi_privacy=False):
    bssid = ap['bssid']
    params = hs20_ap_params()
    params['hessid'] = bssid
@ -539,8 +539,14 @@ def hs20_simulated_sim(dev, ap, method):
    hostapd.add_ap(ap, params)

    dev.hs20_enable()
-    dev.add_cred_values({'imsi': "555444-333222111", 'eap': method,
-                         'milenage': "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"})
+    params = {'imsi': "555444-333222111", 'eap': method,
+              'milenage': "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"}
+    if imsi_privacy:
+        tls = dev.request("GET tls_library")
+        if not tls.startswith("OpenSSL"):
+            raise HwsimSkip("IMSI privacy not supported with this TLS library: " + tls)
+        params['imsi_privacy_key'] = "auth_serv/imsi-privacy-cert.pem"
+    dev.add_cred_values(params)
    interworking_select(dev, bssid, "home", freq="2412")
    interworking_connect(dev, bssid, method)
    check_sp_type(dev, "home")
@ -554,6 +560,11 @@ def test_ap_hs20_sim(dev, apdev):
    if ev is None:
        raise Exception("Timeout on already-connected event")

+def test_ap_hs20_sim_imsi_privacy(dev, apdev):
+    """Hotspot 2.0 with simulated SIM and EAP-SIM with IMSI privacy"""
+    hlr_auc_gw_available()
+    hs20_simulated_sim(dev[0], apdev[0], "SIM", imsi_privacy=True)
+
 def test_ap_hs20_sim_invalid(dev, apdev):
    """Hotspot 2.0 with simulated SIM and EAP-SIM - invalid IMSI"""
    hlr_auc_gw_available()
@ -599,11 +610,21 @@ def test_ap_hs20_aka(dev, apdev):
    hlr_auc_gw_available()
    hs20_simulated_sim(dev[0], apdev[0], "AKA")

+def test_ap_hs20_aka_imsi_privacy(dev, apdev):
+    """Hotspot 2.0 with simulated USIM and EAP-AKA with IMSI privacy"""
+    hlr_auc_gw_available()
+    hs20_simulated_sim(dev[0], apdev[0], "AKA", imsi_privacy=True)
+
 def test_ap_hs20_aka_prime(dev, apdev):
    """Hotspot 2.0 with simulated USIM and EAP-AKA'"""
    hlr_auc_gw_available()
    hs20_simulated_sim(dev[0], apdev[0], "AKA'")

+def test_ap_hs20_aka_prime_imsi_privacy(dev, apdev):
+    """Hotspot 2.0 with simulated USIM and EAP-AKA with IMSI privacy'"""
+    hlr_auc_gw_available()
+    hs20_simulated_sim(dev[0], apdev[0], "AKA'", imsi_privacy=True)
+
 def test_ap_hs20_ext_sim(dev, apdev):
    """Hotspot 2.0 with external SIM processing"""
    hlr_auc_gw_available()
--- a/tests/hwsim/wpasupplicant.py
+++ b/tests/hwsim/wpasupplicant.py
@ -454,7 +454,7 @@ class WpaSupplicant:
                  "excluded_ssid", "milenage", "ca_cert", "client_cert",
                  "private_key", "domain_suffix_match", "provisioning_sp",
                  "roaming_partner", "phase1", "phase2", "private_key_passwd",
-                  "roaming_consortiums"]
+                  "roaming_consortiums", "imsi_privacy_key"]
        for field in quoted:
            if field in params:
                self.set_cred_quoted(id, field, params[field])
@ -1083,7 +1083,7 @@ class WpaSupplicant:
                  "sae_password_id", "check_cert_subject",
                  "machine_ca_cert", "machine_client_cert",
                  "machine_private_key", "machine_phase2",
-                  "imsi_identity"]
+                  "imsi_identity", "imsi_privacy_key"]
        for field in quoted:
            if field in kwargs and kwargs[field]:
                self.set_network_quoted(id, field, kwargs[field])