a7fdd58039
Signed-off-by: Jouni Malinen <j@w1.fi>
855 lines
35 KiB
Python
855 lines
35 KiB
Python
# Suite B tests
|
|
# Copyright (c) 2014-2015, Jouni Malinen <j@w1.fi>
|
|
#
|
|
# This software may be distributed under the terms of the BSD license.
|
|
# See README for more details.
|
|
|
|
import time
|
|
import logging
|
|
logger = logging.getLogger()
|
|
|
|
import hostapd
|
|
from utils import HwsimSkip, fail_test
|
|
from test_ap_eap import check_tls13_support
|
|
|
|
def check_suite_b_capa(dev):
|
|
if "GCMP" not in dev[0].get_capability("pairwise"):
|
|
raise HwsimSkip("GCMP not supported")
|
|
if "BIP-GMAC-128" not in dev[0].get_capability("group_mgmt"):
|
|
raise HwsimSkip("BIP-GMAC-128 not supported")
|
|
if "WPA-EAP-SUITE-B" not in dev[0].get_capability("key_mgmt"):
|
|
raise HwsimSkip("WPA-EAP-SUITE-B not supported")
|
|
check_suite_b_tls_lib(dev, level128=True)
|
|
|
|
def check_suite_b_tls_lib(dev, dhe=False, level128=False):
|
|
tls = dev[0].request("GET tls_library")
|
|
if tls.startswith("GnuTLS"):
|
|
return
|
|
if tls.startswith("wolfSSL"):
|
|
return
|
|
if not tls.startswith("OpenSSL"):
|
|
raise HwsimSkip("TLS library not supported for Suite B: " + tls)
|
|
supported = False
|
|
for ver in ['1.0.2', '1.1.0', '1.1.1', '3.']:
|
|
if "build=OpenSSL " + ver in tls and "run=OpenSSL " + ver in tls:
|
|
supported = True
|
|
break
|
|
if not dhe and not level128 and "build=OpenSSL " + ver in tls and "run=BoringSSL" in tls:
|
|
supported = True
|
|
break
|
|
if not supported:
|
|
raise HwsimSkip("OpenSSL version not supported for Suite B: " + tls)
|
|
|
|
def suite_b_ap_params():
|
|
params = {"ssid": "test-suite-b",
|
|
"wpa": "2",
|
|
"wpa_key_mgmt": "WPA-EAP-SUITE-B",
|
|
"rsn_pairwise": "GCMP",
|
|
"group_mgmt_cipher": "BIP-GMAC-128",
|
|
"ieee80211w": "2",
|
|
"ieee8021x": "1",
|
|
"openssl_ciphers": "SUITEB128",
|
|
#"dh_file": "auth_serv/dh.conf",
|
|
"eap_server": "1",
|
|
"eap_user_file": "auth_serv/eap_user.conf",
|
|
"ca_cert": "auth_serv/ec-ca.pem",
|
|
"server_cert": "auth_serv/ec-server.pem",
|
|
"private_key": "auth_serv/ec-server.key"}
|
|
return params
|
|
|
|
def test_suite_b(dev, apdev):
|
|
"""WPA2/GCMP connection at Suite B 128-bit level"""
|
|
check_suite_b_capa(dev)
|
|
dev[0].flush_scan_cache()
|
|
params = suite_b_ap_params()
|
|
hapd = hostapd.add_ap(apdev[0], params)
|
|
|
|
dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B", ieee80211w="2",
|
|
openssl_ciphers="SUITEB128",
|
|
eap="TLS", identity="tls user",
|
|
ca_cert="auth_serv/ec-ca.pem",
|
|
client_cert="auth_serv/ec-user.pem",
|
|
private_key="auth_serv/ec-user.key",
|
|
pairwise="GCMP", group="GCMP", scan_freq="2412")
|
|
hapd.wait_sta()
|
|
tls_cipher = dev[0].get_status_field("EAP TLS cipher")
|
|
if tls_cipher != "ECDHE-ECDSA-AES128-GCM-SHA256" and \
|
|
tls_cipher != "ECDHE-ECDSA-AES-128-GCM-AEAD":
|
|
raise Exception("Unexpected TLS cipher: " + tls_cipher)
|
|
|
|
bss = dev[0].get_bss(apdev[0]['bssid'])
|
|
if 'flags' not in bss:
|
|
raise Exception("Could not get BSS flags from BSS table")
|
|
if "[WPA2-EAP-SUITE-B-GCMP]" not in bss['flags']:
|
|
raise Exception("Unexpected BSS flags: " + bss['flags'])
|
|
|
|
dev[0].request("DISCONNECT")
|
|
dev[0].wait_disconnected(timeout=20)
|
|
dev[0].dump_monitor()
|
|
dev[0].request("RECONNECT")
|
|
ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
|
|
"CTRL-EVENT-CONNECTED"], timeout=20)
|
|
if ev is None:
|
|
raise Exception("Roaming with the AP timed out")
|
|
if "CTRL-EVENT-EAP-STARTED" in ev:
|
|
raise Exception("Unexpected EAP exchange")
|
|
|
|
conf = hapd.get_config()
|
|
if conf['key_mgmt'] != 'WPA-EAP-SUITE-B':
|
|
raise Exception("Unexpected config key_mgmt: " + conf['key_mgmt'])
|
|
|
|
hapd.wait_sta()
|
|
dev[0].request("DISCONNECT")
|
|
dev[0].wait_disconnected(timeout=20)
|
|
dev[0].dump_monitor()
|
|
dev[0].request("RECONNECT")
|
|
ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
|
|
"CTRL-EVENT-CONNECTED"], timeout=20)
|
|
if ev is None:
|
|
raise Exception("Roaming with the AP timed out (2)")
|
|
if "CTRL-EVENT-EAP-STARTED" in ev:
|
|
raise Exception("Unexpected EAP exchange (2)")
|
|
|
|
def suite_b_as_params():
|
|
params = {}
|
|
params['ssid'] = 'as'
|
|
params['beacon_int'] = '2000'
|
|
params['radius_server_clients'] = 'auth_serv/radius_clients.conf'
|
|
params['radius_server_auth_port'] = '18129'
|
|
params['eap_server'] = '1'
|
|
params['eap_user_file'] = 'auth_serv/eap_user.conf'
|
|
params['ca_cert'] = 'auth_serv/ec-ca.pem'
|
|
params['server_cert'] = 'auth_serv/ec-server.pem'
|
|
params['private_key'] = 'auth_serv/ec-server.key'
|
|
params['openssl_ciphers'] = 'SUITEB128'
|
|
return params
|
|
|
|
def test_suite_b_radius(dev, apdev):
|
|
"""WPA2/GCMP (RADIUS) connection at Suite B 128-bit level"""
|
|
check_suite_b_capa(dev)
|
|
dev[0].flush_scan_cache()
|
|
params = suite_b_as_params()
|
|
hostapd.add_ap(apdev[1], params)
|
|
|
|
params = {"ssid": "test-suite-b",
|
|
"wpa": "2",
|
|
"wpa_key_mgmt": "WPA-EAP-SUITE-B",
|
|
"rsn_pairwise": "GCMP",
|
|
"group_mgmt_cipher": "BIP-GMAC-128",
|
|
"ieee80211w": "2",
|
|
"ieee8021x": "1",
|
|
'auth_server_addr': "127.0.0.1",
|
|
'auth_server_port': "18129",
|
|
'auth_server_shared_secret': "radius",
|
|
'nas_identifier': "nas.w1.fi"}
|
|
hapd = hostapd.add_ap(apdev[0], params)
|
|
|
|
dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B", ieee80211w="2",
|
|
openssl_ciphers="SUITEB128",
|
|
eap="TLS", identity="tls user",
|
|
ca_cert="auth_serv/ec-ca.pem",
|
|
client_cert="auth_serv/ec-user.pem",
|
|
private_key="auth_serv/ec-user.key",
|
|
pairwise="GCMP", group="GCMP", scan_freq="2412")
|
|
|
|
def check_suite_b_192_capa(dev, dhe=False):
|
|
if "GCMP-256" not in dev[0].get_capability("pairwise"):
|
|
raise HwsimSkip("GCMP-256 not supported")
|
|
if "BIP-GMAC-256" not in dev[0].get_capability("group_mgmt"):
|
|
raise HwsimSkip("BIP-GMAC-256 not supported")
|
|
if "WPA-EAP-SUITE-B-192" not in dev[0].get_capability("key_mgmt"):
|
|
raise HwsimSkip("WPA-EAP-SUITE-B-192 not supported")
|
|
check_suite_b_tls_lib(dev, dhe=dhe)
|
|
|
|
def suite_b_192_ap_params():
|
|
params = {"ssid": "test-suite-b",
|
|
"wpa": "2",
|
|
"wpa_key_mgmt": "WPA-EAP-SUITE-B-192",
|
|
"rsn_pairwise": "GCMP-256",
|
|
"group_mgmt_cipher": "BIP-GMAC-256",
|
|
"ieee80211w": "2",
|
|
"ieee8021x": "1",
|
|
"openssl_ciphers": "SUITEB192",
|
|
"eap_server": "1",
|
|
"eap_user_file": "auth_serv/eap_user.conf",
|
|
"ca_cert": "auth_serv/ec2-ca.pem",
|
|
"server_cert": "auth_serv/ec2-server.pem",
|
|
"private_key": "auth_serv/ec2-server.key"}
|
|
return params
|
|
|
|
def test_suite_b_192(dev, apdev):
|
|
"""WPA2/GCMP-256 connection at Suite B 192-bit level"""
|
|
check_suite_b_192_capa(dev)
|
|
dev[0].flush_scan_cache()
|
|
params = suite_b_192_ap_params()
|
|
hapd = hostapd.add_ap(apdev[0], params)
|
|
|
|
dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
|
|
ieee80211w="2",
|
|
openssl_ciphers="SUITEB192",
|
|
eap="TLS", identity="tls user",
|
|
ca_cert="auth_serv/ec2-ca.pem",
|
|
client_cert="auth_serv/ec2-user.pem",
|
|
private_key="auth_serv/ec2-user.key",
|
|
pairwise="GCMP-256", group="GCMP-256", scan_freq="2412")
|
|
tls_cipher = dev[0].get_status_field("EAP TLS cipher")
|
|
if tls_cipher != "ECDHE-ECDSA-AES256-GCM-SHA384" and \
|
|
tls_cipher != "ECDHE-ECDSA-AES-256-GCM-AEAD":
|
|
raise Exception("Unexpected TLS cipher: " + tls_cipher)
|
|
cipher = dev[0].get_status_field("mgmt_group_cipher")
|
|
if cipher != "BIP-GMAC-256":
|
|
raise Exception("Unexpected mgmt_group_cipher: " + cipher)
|
|
|
|
bss = dev[0].get_bss(apdev[0]['bssid'])
|
|
if 'flags' not in bss:
|
|
raise Exception("Could not get BSS flags from BSS table")
|
|
if "[WPA2-EAP-SUITE-B-192-GCMP-256]" not in bss['flags']:
|
|
raise Exception("Unexpected BSS flags: " + bss['flags'])
|
|
|
|
hapd.wait_sta()
|
|
dev[0].request("DISCONNECT")
|
|
dev[0].wait_disconnected(timeout=20)
|
|
dev[0].dump_monitor()
|
|
dev[0].request("RECONNECT")
|
|
ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
|
|
"CTRL-EVENT-CONNECTED"], timeout=20)
|
|
if ev is None:
|
|
raise Exception("Roaming with the AP timed out")
|
|
if "CTRL-EVENT-EAP-STARTED" in ev:
|
|
raise Exception("Unexpected EAP exchange")
|
|
|
|
conf = hapd.get_config()
|
|
if conf['key_mgmt'] != 'WPA-EAP-SUITE-B-192':
|
|
raise Exception("Unexpected config key_mgmt: " + conf['key_mgmt'])
|
|
|
|
hapd.wait_sta()
|
|
dev[0].request("DISCONNECT")
|
|
dev[0].wait_disconnected(timeout=20)
|
|
dev[0].dump_monitor()
|
|
dev[0].request("RECONNECT")
|
|
ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
|
|
"CTRL-EVENT-CONNECTED"], timeout=20)
|
|
if ev is None:
|
|
raise Exception("Roaming with the AP timed out (2)")
|
|
if "CTRL-EVENT-EAP-STARTED" in ev:
|
|
raise Exception("Unexpected EAP exchange (2)")
|
|
|
|
def test_suite_b_192_radius(dev, apdev):
|
|
"""WPA2/GCMP-256 (RADIUS) connection at Suite B 192-bit level"""
|
|
check_suite_b_192_capa(dev)
|
|
dev[0].flush_scan_cache()
|
|
params = suite_b_as_params()
|
|
params['ca_cert'] = 'auth_serv/ec2-ca.pem'
|
|
params['server_cert'] = 'auth_serv/ec2-server.pem'
|
|
params['private_key'] = 'auth_serv/ec2-server.key'
|
|
params['openssl_ciphers'] = 'SUITEB192'
|
|
hostapd.add_ap(apdev[1], params)
|
|
|
|
params = {"ssid": "test-suite-b",
|
|
"wpa": "2",
|
|
"wpa_key_mgmt": "WPA-EAP-SUITE-B-192",
|
|
"rsn_pairwise": "GCMP-256",
|
|
"group_mgmt_cipher": "BIP-GMAC-256",
|
|
"ieee80211w": "2",
|
|
"ieee8021x": "1",
|
|
'auth_server_addr': "127.0.0.1",
|
|
'auth_server_port': "18129",
|
|
'auth_server_shared_secret': "radius",
|
|
'nas_identifier': "nas.w1.fi"}
|
|
hapd = hostapd.add_ap(apdev[0], params)
|
|
|
|
dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
|
|
ieee80211w="2",
|
|
openssl_ciphers="SUITEB192",
|
|
eap="TLS", identity="tls user",
|
|
ca_cert="auth_serv/ec2-ca.pem",
|
|
client_cert="auth_serv/ec2-user.pem",
|
|
private_key="auth_serv/ec2-user.key",
|
|
pairwise="GCMP-256", group="GCMP-256", scan_freq="2412")
|
|
|
|
def test_suite_b_192_radius_and_p256_cert(dev, apdev):
|
|
"""Suite B 192-bit level and p256 client cert"""
|
|
check_suite_b_192_capa(dev)
|
|
dev[0].flush_scan_cache()
|
|
params = suite_b_as_params()
|
|
params['ca_cert'] = 'auth_serv/ec2-ca.pem'
|
|
params['server_cert'] = 'auth_serv/ec2-server.pem'
|
|
params['private_key'] = 'auth_serv/ec2-server.key'
|
|
params['openssl_ciphers'] = 'SUITEB192'
|
|
hostapd.add_ap(apdev[1], params)
|
|
|
|
params = {"ssid": "test-suite-b",
|
|
"wpa": "2",
|
|
"wpa_key_mgmt": "WPA-EAP-SUITE-B-192",
|
|
"rsn_pairwise": "GCMP-256",
|
|
"group_mgmt_cipher": "BIP-GMAC-256",
|
|
"ieee80211w": "2",
|
|
"ieee8021x": "1",
|
|
'auth_server_addr': "127.0.0.1",
|
|
'auth_server_port': "18129",
|
|
'auth_server_shared_secret': "radius",
|
|
'nas_identifier': "nas.w1.fi"}
|
|
hapd = hostapd.add_ap(apdev[0], params)
|
|
|
|
dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
|
|
ieee80211w="2",
|
|
#openssl_ciphers="SUITEB192",
|
|
eap="TLS", identity="tls user",
|
|
ca_cert="auth_serv/ec2-ca.pem",
|
|
client_cert="auth_serv/ec2-user-p256.pem",
|
|
private_key="auth_serv/ec2-user-p256.key",
|
|
pairwise="GCMP-256", group="GCMP-256", scan_freq="2412",
|
|
wait_connect=False)
|
|
ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
|
|
if ev is None:
|
|
raise Exception("EAP-Failure not reported")
|
|
ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=5)
|
|
if ev is None:
|
|
raise Exception("Disconnection not reported")
|
|
if "reason=23" not in ev:
|
|
raise Exception("Unexpected disconnection reason: " + ev)
|
|
|
|
def test_suite_b_pmkid_failure(dev, apdev):
|
|
"""WPA2/GCMP connection at Suite B 128-bit level and PMKID derivation failure"""
|
|
check_suite_b_capa(dev)
|
|
dev[0].flush_scan_cache()
|
|
params = suite_b_ap_params()
|
|
hapd = hostapd.add_ap(apdev[0], params)
|
|
|
|
with fail_test(dev[0], 1, "rsn_pmkid_suite_b"):
|
|
dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B",
|
|
ieee80211w="2",
|
|
openssl_ciphers="SUITEB128",
|
|
eap="TLS", identity="tls user",
|
|
ca_cert="auth_serv/ec-ca.pem",
|
|
client_cert="auth_serv/ec-user.pem",
|
|
private_key="auth_serv/ec-user.key",
|
|
pairwise="GCMP", group="GCMP", scan_freq="2412")
|
|
|
|
def test_suite_b_192_pmkid_failure(dev, apdev):
|
|
"""WPA2/GCMP-256 connection at Suite B 192-bit level and PMKID derivation failure"""
|
|
check_suite_b_192_capa(dev)
|
|
dev[0].flush_scan_cache()
|
|
params = suite_b_192_ap_params()
|
|
hapd = hostapd.add_ap(apdev[0], params)
|
|
|
|
with fail_test(dev[0], 1, "rsn_pmkid_suite_b"):
|
|
dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
|
|
ieee80211w="2",
|
|
openssl_ciphers="SUITEB192",
|
|
eap="TLS", identity="tls user",
|
|
ca_cert="auth_serv/ec2-ca.pem",
|
|
client_cert="auth_serv/ec2-user.pem",
|
|
private_key="auth_serv/ec2-user.key",
|
|
pairwise="GCMP-256", group="GCMP-256", scan_freq="2412")
|
|
|
|
def test_suite_b_mic_failure(dev, apdev):
|
|
"""WPA2/GCMP connection at Suite B 128-bit level and MIC derivation failure"""
|
|
check_suite_b_capa(dev)
|
|
dev[0].flush_scan_cache()
|
|
params = suite_b_ap_params()
|
|
hapd = hostapd.add_ap(apdev[0], params)
|
|
|
|
with fail_test(dev[0], 1, "wpa_eapol_key_mic"):
|
|
dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B",
|
|
ieee80211w="2",
|
|
openssl_ciphers="SUITEB128",
|
|
eap="TLS", identity="tls user",
|
|
ca_cert="auth_serv/ec-ca.pem",
|
|
client_cert="auth_serv/ec-user.pem",
|
|
private_key="auth_serv/ec-user.key",
|
|
pairwise="GCMP", group="GCMP", scan_freq="2412",
|
|
wait_connect=False)
|
|
dev[0].wait_disconnected()
|
|
|
|
def test_suite_b_192_mic_failure(dev, apdev):
|
|
"""WPA2/GCMP connection at Suite B 192-bit level and MIC derivation failure"""
|
|
check_suite_b_192_capa(dev)
|
|
dev[0].flush_scan_cache()
|
|
params = suite_b_192_ap_params()
|
|
hapd = hostapd.add_ap(apdev[0], params)
|
|
|
|
with fail_test(dev[0], 1, "wpa_eapol_key_mic"):
|
|
dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
|
|
ieee80211w="2",
|
|
openssl_ciphers="SUITEB192",
|
|
eap="TLS", identity="tls user",
|
|
ca_cert="auth_serv/ec2-ca.pem",
|
|
client_cert="auth_serv/ec2-user.pem",
|
|
private_key="auth_serv/ec2-user.key",
|
|
pairwise="GCMP-256", group="GCMP-256", scan_freq="2412",
|
|
wait_connect=False)
|
|
dev[0].wait_disconnected()
|
|
|
|
def suite_b_192_rsa_ap_params():
|
|
params = {"ssid": "test-suite-b",
|
|
"wpa": "2",
|
|
"wpa_key_mgmt": "WPA-EAP-SUITE-B-192",
|
|
"rsn_pairwise": "GCMP-256",
|
|
"group_mgmt_cipher": "BIP-GMAC-256",
|
|
"ieee80211w": "2",
|
|
"ieee8021x": "1",
|
|
"tls_flags": "[SUITEB]",
|
|
"dh_file": "auth_serv/dh_param_3072.pem",
|
|
"eap_server": "1",
|
|
"eap_user_file": "auth_serv/eap_user.conf",
|
|
"ca_cert": "auth_serv/rsa3072-ca.pem",
|
|
"server_cert": "auth_serv/rsa3072-server.pem",
|
|
"private_key": "auth_serv/rsa3072-server.key"}
|
|
return params
|
|
|
|
def test_suite_b_192_rsa(dev, apdev):
|
|
"""WPA2/GCMP-256 connection at Suite B 192-bit level and RSA"""
|
|
run_suite_b_192_rsa(dev, apdev)
|
|
|
|
def test_suite_b_192_rsa_tls_13(dev, apdev):
|
|
"""WPA2/GCMP-256 connection at Suite B 192-bit level and RSA (TLS v1.3)"""
|
|
check_tls13_support(dev[0])
|
|
run_suite_b_192_rsa(dev, apdev, tls13=True)
|
|
|
|
def test_suite_b_192_rsa_ecdhe(dev, apdev):
|
|
"""WPA2/GCMP-256 connection at Suite B 192-bit level and RSA (ECDHE)"""
|
|
run_suite_b_192_rsa(dev, apdev, no_dhe=True)
|
|
|
|
def test_suite_b_192_rsa_dhe(dev, apdev):
|
|
"""WPA2/GCMP-256 connection at Suite B 192-bit level and RSA (DHE)"""
|
|
run_suite_b_192_rsa(dev, apdev, no_ecdh=True)
|
|
|
|
def run_suite_b_192_rsa(dev, apdev, no_ecdh=False, no_dhe=False, tls13=False):
|
|
check_suite_b_192_capa(dev, dhe=no_ecdh)
|
|
dev[0].flush_scan_cache()
|
|
params = suite_b_192_rsa_ap_params()
|
|
tls_flags = ""
|
|
if no_ecdh:
|
|
tls_flags += "[SUITEB-NO-ECDH]"
|
|
if no_dhe:
|
|
del params["dh_file"]
|
|
if tls13:
|
|
if not no_ecdh:
|
|
tls_flags += "[SUITEB]"
|
|
tls_flags += "[ENABLE-TLSv1.3]"
|
|
if len(tls_flags) > 0:
|
|
params["tls_flags"] = tls_flags
|
|
hapd = hostapd.add_ap(apdev[0], params)
|
|
|
|
phase1 = "tls_suiteb=1"
|
|
if tls13:
|
|
phase1 += " tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=0"
|
|
dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
|
|
ieee80211w="2",
|
|
phase1=phase1,
|
|
eap="TLS", identity="tls user",
|
|
ca_cert="auth_serv/rsa3072-ca.pem",
|
|
client_cert="auth_serv/rsa3072-user.pem",
|
|
private_key="auth_serv/rsa3072-user.key",
|
|
pairwise="GCMP-256", group="GCMP-256", scan_freq="2412")
|
|
ver = dev[0].get_status_field("eap_tls_version")
|
|
logger.info("TLS version: " + ver)
|
|
if tls13 and ver != "TLSv1.3":
|
|
raise Exception("Unexpected TLS version: " + ver)
|
|
tls_cipher = dev[0].get_status_field("EAP TLS cipher")
|
|
if tls_cipher != "ECDHE-RSA-AES256-GCM-SHA384" and \
|
|
tls_cipher != "DHE-RSA-AES256-GCM-SHA384" and \
|
|
tls_cipher != "ECDHE-RSA-AES-256-GCM-AEAD" and \
|
|
tls_cipher != "DHE-RSA-AES-256-GCM-AEAD" and \
|
|
tls_cipher != "TLS_AES_256_GCM_SHA384":
|
|
raise Exception("Unexpected TLS cipher: " + tls_cipher)
|
|
cipher = dev[0].get_status_field("mgmt_group_cipher")
|
|
if cipher != "BIP-GMAC-256":
|
|
raise Exception("Unexpected mgmt_group_cipher: " + cipher)
|
|
|
|
bss = dev[0].get_bss(apdev[0]['bssid'])
|
|
if 'flags' not in bss:
|
|
raise Exception("Could not get BSS flags from BSS table")
|
|
if "[WPA2-EAP-SUITE-B-192-GCMP-256]" not in bss['flags']:
|
|
raise Exception("Unexpected BSS flags: " + bss['flags'])
|
|
|
|
hapd.wait_sta()
|
|
dev[0].request("DISCONNECT")
|
|
dev[0].wait_disconnected(timeout=20)
|
|
dev[0].dump_monitor()
|
|
dev[0].request("RECONNECT")
|
|
ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
|
|
"CTRL-EVENT-CONNECTED"], timeout=20)
|
|
if ev is None:
|
|
raise Exception("Roaming with the AP timed out")
|
|
if "CTRL-EVENT-EAP-STARTED" in ev:
|
|
raise Exception("Unexpected EAP exchange")
|
|
|
|
conf = hapd.get_config()
|
|
if conf['key_mgmt'] != 'WPA-EAP-SUITE-B-192':
|
|
raise Exception("Unexpected config key_mgmt: " + conf['key_mgmt'])
|
|
|
|
def test_suite_b_192_rsa_insufficient_key(dev, apdev):
|
|
"""WPA2/GCMP-256 connection at Suite B 192-bit level and RSA with insufficient key length"""
|
|
check_suite_b_192_capa(dev)
|
|
dev[0].flush_scan_cache()
|
|
params = suite_b_192_rsa_ap_params()
|
|
params["ca_cert"] = "auth_serv/ca.pem"
|
|
params["server_cert"] = "auth_serv/server.pem"
|
|
params["private_key"] = "auth_serv/server.key"
|
|
hapd = hostapd.add_ap(apdev[0], params)
|
|
|
|
dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
|
|
ieee80211w="2",
|
|
phase1="tls_suiteb=1",
|
|
eap="TLS", identity="tls user",
|
|
ca_cert="auth_serv/ca.pem",
|
|
client_cert="auth_serv/user.pem",
|
|
private_key="auth_serv/user.key",
|
|
pairwise="GCMP-256", group="GCMP-256", scan_freq="2412",
|
|
wait_connect=False)
|
|
ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
|
|
dev[0].request("DISCONNECT")
|
|
if ev is None:
|
|
raise Exception("Certificate error not reported")
|
|
if "reason=11" in ev and "err='Insufficient RSA modulus size'" in ev:
|
|
return
|
|
if "reason=7" in ev and "err='certificate uses insecure algorithm'" in ev:
|
|
return
|
|
raise Exception("Unexpected error reason: " + ev)
|
|
|
|
def test_suite_b_192_rsa_insufficient_dh(dev, apdev):
|
|
"""WPA2/GCMP-256 connection at Suite B 192-bit level and RSA with insufficient DH key length"""
|
|
check_suite_b_192_capa(dev, dhe=True)
|
|
dev[0].flush_scan_cache()
|
|
params = suite_b_192_rsa_ap_params()
|
|
params["tls_flags"] = "[SUITEB-NO-ECDH]"
|
|
params["dh_file"] = "auth_serv/dh.conf"
|
|
hapd = hostapd.add_ap(apdev[0], params)
|
|
|
|
dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
|
|
ieee80211w="2",
|
|
phase1="tls_suiteb=1",
|
|
eap="TLS", identity="tls user",
|
|
ca_cert="auth_serv/rsa3072-ca.pem",
|
|
client_cert="auth_serv/rsa3072-user.pem",
|
|
private_key="auth_serv/rsa3072-user.key",
|
|
pairwise="GCMP-256", group="GCMP-256", scan_freq="2412",
|
|
wait_connect=False)
|
|
ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS status='local TLS alert'",
|
|
"CTRL-EVENT-CONNECTED"],
|
|
timeout=10)
|
|
dev[0].request("DISCONNECT")
|
|
if ev is None:
|
|
raise Exception("DH error not reported")
|
|
if "CTRL-EVENT-CONNECTED" in ev:
|
|
raise Exception("Unexpected connection")
|
|
if "insufficient security" not in ev and "internal error" not in ev:
|
|
raise Exception("Unexpected error reason: " + ev)
|
|
|
|
def test_suite_b_192_rsa_radius(dev, apdev):
|
|
"""WPA2/GCMP-256 (RADIUS) connection at Suite B 192-bit level and RSA (ECDHE)"""
|
|
check_suite_b_192_capa(dev)
|
|
dev[0].flush_scan_cache()
|
|
params = suite_b_as_params()
|
|
params['ca_cert'] = 'auth_serv/rsa3072-ca.pem'
|
|
params['server_cert'] = 'auth_serv/rsa3072-server.pem'
|
|
params['private_key'] = 'auth_serv/rsa3072-server.key'
|
|
del params['openssl_ciphers']
|
|
params["tls_flags"] = "[SUITEB]"
|
|
|
|
hostapd.add_ap(apdev[1], params)
|
|
|
|
params = {"ssid": "test-suite-b",
|
|
"wpa": "2",
|
|
"wpa_key_mgmt": "WPA-EAP-SUITE-B-192",
|
|
"rsn_pairwise": "GCMP-256",
|
|
"group_mgmt_cipher": "BIP-GMAC-256",
|
|
"ieee80211w": "2",
|
|
"ieee8021x": "1",
|
|
'auth_server_addr': "127.0.0.1",
|
|
'auth_server_port': "18129",
|
|
'auth_server_shared_secret': "radius",
|
|
'nas_identifier': "nas.w1.fi"}
|
|
hapd = hostapd.add_ap(apdev[0], params)
|
|
|
|
dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
|
|
ieee80211w="2",
|
|
openssl_ciphers="ECDHE-RSA-AES256-GCM-SHA384",
|
|
phase1="tls_suiteb=1",
|
|
eap="TLS", identity="tls user",
|
|
ca_cert="auth_serv/rsa3072-ca.pem",
|
|
client_cert="auth_serv/rsa3072-user.pem",
|
|
private_key="auth_serv/rsa3072-user.key",
|
|
pairwise="GCMP-256", group="GCMP-256",
|
|
group_mgmt="BIP-GMAC-256", scan_freq="2412")
|
|
tls_cipher = dev[0].get_status_field("EAP TLS cipher")
|
|
if tls_cipher != "ECDHE-RSA-AES256-GCM-SHA384" and \
|
|
tls_cipher != "ECDHE-RSA-AES-256-GCM-AEAD":
|
|
raise Exception("Unexpected TLS cipher: " + tls_cipher)
|
|
|
|
def test_suite_b_192_rsa_ecdhe_radius_rsa2048_client(dev, apdev):
|
|
"""Suite B 192-bit level and RSA (ECDHE) and RSA2048 client"""
|
|
run_suite_b_192_rsa_radius_rsa2048_client(dev, apdev, True)
|
|
|
|
def test_suite_b_192_rsa_dhe_radius_rsa2048_client(dev, apdev):
|
|
"""Suite B 192-bit level and RSA (DHE) and RSA2048 client"""
|
|
run_suite_b_192_rsa_radius_rsa2048_client(dev, apdev, False)
|
|
|
|
def run_suite_b_192_rsa_radius_rsa2048_client(dev, apdev, ecdhe):
|
|
check_suite_b_192_capa(dev, dhe=not ecdhe)
|
|
dev[0].flush_scan_cache()
|
|
params = suite_b_as_params()
|
|
params['ca_cert'] = 'auth_serv/rsa3072-ca.pem'
|
|
params['server_cert'] = 'auth_serv/rsa3072-server.pem'
|
|
params['private_key'] = 'auth_serv/rsa3072-server.key'
|
|
del params['openssl_ciphers']
|
|
if ecdhe:
|
|
params["tls_flags"] = "[SUITEB]"
|
|
ciphers = "ECDHE-RSA-AES256-GCM-SHA384"
|
|
else:
|
|
params["tls_flags"] = "[SUITEB-NO-ECDH]"
|
|
params["dh_file"] = "auth_serv/dh_param_3072.pem"
|
|
ciphers = "DHE-RSA-AES256-GCM-SHA384"
|
|
|
|
hostapd.add_ap(apdev[1], params)
|
|
|
|
params = {"ssid": "test-suite-b",
|
|
"wpa": "2",
|
|
"wpa_key_mgmt": "WPA-EAP-SUITE-B-192",
|
|
"rsn_pairwise": "GCMP-256",
|
|
"group_mgmt_cipher": "BIP-GMAC-256",
|
|
"ieee80211w": "2",
|
|
"ieee8021x": "1",
|
|
'auth_server_addr': "127.0.0.1",
|
|
'auth_server_port': "18129",
|
|
'auth_server_shared_secret': "radius",
|
|
'nas_identifier': "nas.w1.fi"}
|
|
hapd = hostapd.add_ap(apdev[0], params)
|
|
|
|
dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
|
|
ieee80211w="2",
|
|
openssl_ciphers=ciphers,
|
|
phase1="tls_suiteb=1",
|
|
eap="TLS", identity="tls user",
|
|
ca_cert="auth_serv/rsa3072-ca.pem",
|
|
client_cert="auth_serv/rsa3072-user-rsa2048.pem",
|
|
private_key="auth_serv/rsa3072-user-rsa2048.key",
|
|
pairwise="GCMP-256", group="GCMP-256",
|
|
group_mgmt="BIP-GMAC-256", scan_freq="2412",
|
|
wait_connect=False)
|
|
ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
|
|
if ev is None:
|
|
raise Exception("EAP-Failure not reported")
|
|
ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=5)
|
|
if ev is None:
|
|
raise Exception("Disconnection not reported")
|
|
if "reason=23" not in ev:
|
|
raise Exception("Unexpected disconnection reason: " + ev)
|
|
|
|
def test_openssl_ecdh_curves(dev, apdev):
|
|
"""OpenSSL ECDH curve configuration"""
|
|
check_suite_b_192_capa(dev)
|
|
dev[0].flush_scan_cache()
|
|
params = suite_b_192_ap_params()
|
|
params['wpa_key_mgmt'] = "WPA-EAP"
|
|
del params['openssl_ciphers']
|
|
hapd = hostapd.add_ap(apdev[0], params)
|
|
|
|
dev[0].connect("test-suite-b", key_mgmt="WPA-EAP",
|
|
ieee80211w="2",
|
|
openssl_ciphers="SUITEB192",
|
|
eap="TLS", identity="tls user",
|
|
ca_cert="auth_serv/ec2-ca.pem",
|
|
client_cert="auth_serv/ec2-user.pem",
|
|
private_key="auth_serv/ec2-user.key",
|
|
pairwise="GCMP-256", group="GCMP-256", scan_freq="2412")
|
|
dev[0].request("REMOVE_NETWORK all")
|
|
dev[0].wait_disconnected()
|
|
|
|
hapd.disable()
|
|
hapd.set('openssl_ecdh_curves', 'foo')
|
|
if "FAIL" not in hapd.request("ENABLE"):
|
|
raise Exception("Invalid openssl_ecdh_curves value accepted")
|
|
hapd.set('openssl_ecdh_curves', 'P-384')
|
|
hapd.enable()
|
|
|
|
dev[0].connect("test-suite-b", key_mgmt="WPA-EAP",
|
|
ieee80211w="2",
|
|
openssl_ciphers="SUITEB192",
|
|
eap="TLS", identity="tls user",
|
|
ca_cert="auth_serv/ec2-ca.pem",
|
|
client_cert="auth_serv/ec2-user.pem",
|
|
private_key="auth_serv/ec2-user.key",
|
|
pairwise="GCMP-256", group="GCMP-256", scan_freq="2412")
|
|
dev[0].request("REMOVE_NETWORK all")
|
|
dev[0].wait_disconnected()
|
|
|
|
# Check with server enforcing P-256 and client allowing only P-384
|
|
hapd.disable()
|
|
hapd.set('openssl_ecdh_curves', 'P-256')
|
|
hapd.enable()
|
|
|
|
dev[0].connect("test-suite-b", key_mgmt="WPA-EAP",
|
|
ieee80211w="2",
|
|
openssl_ciphers="SUITEB192",
|
|
eap="TLS", identity="tls user",
|
|
ca_cert="auth_serv/ec2-ca.pem",
|
|
client_cert="auth_serv/ec2-user.pem",
|
|
private_key="auth_serv/ec2-user.key",
|
|
pairwise="GCMP-256", group="GCMP-256", scan_freq="2412",
|
|
wait_connect=False)
|
|
ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
|
|
if ev is None:
|
|
raise Exception("EAP failure not reported")
|
|
dev[0].request("REMOVE_NETWORK all")
|
|
dev[0].wait_disconnected()
|
|
|
|
def test_suite_b_192_pmksa_caching_roam(dev, apdev):
|
|
"""WPA2/GCMP-256 connection at Suite B 192-bit level using PMKSA caching and roaming"""
|
|
check_suite_b_192_capa(dev)
|
|
dev[0].flush_scan_cache()
|
|
params = suite_b_192_ap_params()
|
|
hapd = hostapd.add_ap(apdev[0], params)
|
|
bssid = hapd.own_addr()
|
|
|
|
dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
|
|
ieee80211w="2",
|
|
openssl_ciphers="SUITEB192",
|
|
eap="TLS", identity="tls user",
|
|
ca_cert="auth_serv/ec2-ca.pem",
|
|
client_cert="auth_serv/ec2-user.pem",
|
|
private_key="auth_serv/ec2-user.key",
|
|
pairwise="GCMP-256", group="GCMP-256", scan_freq="2412")
|
|
ev = dev[0].wait_event(["PMKSA-CACHE-ADDED"], timeout=5)
|
|
if ev is None:
|
|
raise Exception("PMKSA cache entry not added for AP1")
|
|
hapd.wait_sta()
|
|
dev[0].dump_monitor()
|
|
|
|
hapd2 = hostapd.add_ap(apdev[1], params)
|
|
bssid2 = hapd2.own_addr()
|
|
dev[0].scan_for_bss(bssid2, freq=2412)
|
|
dev[0].request("ROAM " + bssid2)
|
|
ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
|
|
"CTRL-EVENT-CONNECTED"], timeout=20)
|
|
if ev is None:
|
|
raise Exception("Roaming with the AP timed out")
|
|
if "CTRL-EVENT-EAP-STARTED" not in ev:
|
|
raise Exception("EAP exchange not seen")
|
|
ev = dev[0].wait_connected()
|
|
if bssid2 not in ev:
|
|
raise Exception("Roam to AP2 connected back to AP1")
|
|
ev = dev[0].wait_event(["PMKSA-CACHE-ADDED"], timeout=5)
|
|
if ev is None:
|
|
raise Exception("PMKSA cache entry not added for AP2")
|
|
hapd2.wait_sta()
|
|
dev[0].dump_monitor()
|
|
|
|
dev[0].request("ROAM " + bssid)
|
|
ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
|
|
"CTRL-EVENT-CONNECTED"], timeout=20)
|
|
if ev is None:
|
|
raise Exception("Roaming with the AP timed out")
|
|
if "CTRL-EVENT-EAP-STARTED" in ev:
|
|
raise Exception("Unexpected EAP exchange")
|
|
if bssid not in ev:
|
|
raise Exception("Roam to AP1 connected back to AP2")
|
|
hapd.wait_sta()
|
|
dev[0].dump_monitor()
|
|
|
|
dev[0].request("ROAM " + bssid2)
|
|
ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
|
|
"CTRL-EVENT-CONNECTED"], timeout=20)
|
|
if ev is None:
|
|
raise Exception("Roaming with the AP timed out")
|
|
if "CTRL-EVENT-EAP-STARTED" in ev:
|
|
raise Exception("Unexpected EAP exchange")
|
|
if bssid2 not in ev:
|
|
raise Exception("Second roam to AP2 connected back to AP1")
|
|
hapd2.wait_sta()
|
|
dev[0].dump_monitor()
|
|
|
|
def test_suite_b_192_okc(dev, apdev):
|
|
"""WPA3/GCMP-256 connection at Suite B 192-bit level and OKC"""
|
|
check_suite_b_192_capa(dev)
|
|
dev[0].flush_scan_cache()
|
|
params = suite_b_192_ap_params()
|
|
params['okc'] = "1"
|
|
hapd = hostapd.add_ap(apdev[0], params)
|
|
bssid = hapd.own_addr()
|
|
|
|
dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
|
|
ieee80211w="2",
|
|
openssl_ciphers="SUITEB192",
|
|
eap="TLS", identity="tls user",
|
|
ca_cert="auth_serv/ec2-ca.pem",
|
|
client_cert="auth_serv/ec2-user.pem",
|
|
private_key="auth_serv/ec2-user.key",
|
|
pairwise="GCMP-256", group="GCMP-256", okc=True,
|
|
scan_freq="2412")
|
|
hapd.wait_sta()
|
|
|
|
pmksa = dev[0].get_pmksa(bssid)
|
|
if pmksa is None:
|
|
raise Exception("No PMKSA cache entry created")
|
|
if pmksa['opportunistic'] != '0':
|
|
raise Exception("Unexpected opportunistic PMKSA cache entry")
|
|
|
|
hapd2 = hostapd.add_ap(apdev[1], params)
|
|
bssid2 = hapd2.own_addr()
|
|
dev[0].scan_for_bss(bssid2, freq=2412)
|
|
dev[0].request("ROAM " + bssid2)
|
|
ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
|
|
"CTRL-EVENT-CONNECTED"], timeout=10)
|
|
if ev is None:
|
|
raise Exception("Roaming with the AP timed out")
|
|
if "CTRL-EVENT-EAP-STARTED" in ev:
|
|
raise Exception("Unexpected EAP exchange")
|
|
pmksa2 = dev[0].get_pmksa(bssid2)
|
|
if pmksa2 is None:
|
|
raise Exception("No PMKSA cache entry created")
|
|
|
|
dev[0].request("ROAM " + bssid)
|
|
ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
|
|
"CTRL-EVENT-CONNECTED"], timeout=10)
|
|
if ev is None:
|
|
raise Exception("Roaming with the AP timed out")
|
|
if "CTRL-EVENT-EAP-STARTED" in ev:
|
|
raise Exception("Unexpected EAP exchange")
|
|
|
|
pmksa1b = dev[0].get_pmksa(bssid)
|
|
if pmksa1b is None:
|
|
raise Exception("No PMKSA cache entry found")
|
|
if pmksa['pmkid'] != pmksa1b['pmkid']:
|
|
raise Exception("Unexpected PMKID change for AP1")
|
|
|
|
dev[0].request("ROAM " + bssid2)
|
|
ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
|
|
"CTRL-EVENT-CONNECTED"], timeout=10)
|
|
if ev is None:
|
|
raise Exception("Roaming with the AP timed out")
|
|
if "CTRL-EVENT-EAP-STARTED" in ev:
|
|
raise Exception("Unexpected EAP exchange")
|
|
pmksa2b = dev[0].get_pmksa(bssid2)
|
|
if pmksa2b is None:
|
|
raise Exception("No PMKSA cache entry created")
|
|
if pmksa2['pmkid'] != pmksa2b['pmkid']:
|
|
raise Exception("Unexpected PMKID change for AP2")
|
|
|
|
def test_suite_b_192_rsa_no_cs_match(dev, apdev):
|
|
"""Suite B 192-bit level RSA failing (no CS match)"""
|
|
check_suite_b_192_capa(dev)
|
|
dev[0].flush_scan_cache()
|
|
params = suite_b_192_rsa_ap_params()
|
|
params['openssl_ciphers'] = "DHE-RSA-AES256-SHA"
|
|
hapd = hostapd.add_ap(apdev[0], params)
|
|
|
|
dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
|
|
ieee80211w="2",
|
|
phase1="tls_suiteb=1",
|
|
eap="TLS", identity="tls user",
|
|
ca_cert="auth_serv/rsa3072-ca.pem",
|
|
client_cert="auth_serv/rsa3072-user.pem",
|
|
private_key="auth_serv/rsa3072-user.key",
|
|
pairwise="GCMP-256", group="GCMP-256", scan_freq="2412",
|
|
wait_connect=False)
|
|
ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
|
|
if ev is None:
|
|
raise Exception("EAP-Failure not reported")
|
|
ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=5)
|
|
if ev is None:
|
|
raise Exception("Disconnection not reported")
|
|
if "reason=23" not in ev:
|
|
raise Exception("Unexpected disconnection reason: " + ev)
|