]>
git.ipfire.org Git - thirdparty/hostap.git/blob - tests/hwsim/test_suite_b.py
2 # Copyright (c) 2014-2015, Jouni Malinen <j@w1.fi>
4 # This software may be distributed under the terms of the BSD license.
5 # See README for more details.
9 logger
= logging
.getLogger()
12 from utils
import HwsimSkip
, fail_test
14 def check_suite_b_capa(dev
):
15 if "GCMP" not in dev
[0].get_capability("pairwise"):
16 raise HwsimSkip("GCMP not supported")
17 if "BIP-GMAC-128" not in dev
[0].get_capability("group_mgmt"):
18 raise HwsimSkip("BIP-GMAC-128 not supported")
19 if "WPA-EAP-SUITE-B" not in dev
[0].get_capability("key_mgmt"):
20 raise HwsimSkip("WPA-EAP-SUITE-B not supported")
21 check_suite_b_tls_lib(dev
)
23 def check_suite_b_tls_lib(dev
):
24 tls
= dev
[0].request("GET tls_library")
25 if not tls
.startswith("OpenSSL"):
26 raise HwsimSkip("TLS library not supported for Suite B: " + tls
);
28 for ver
in [ '1.0.2', '1.1.0' ]:
29 if "build=OpenSSL " + ver
in tls
and "run=OpenSSL " + ver
in tls
:
33 raise HwsimSkip("OpenSSL version not supported for Suite B: " + tls
)
35 def suite_b_ap_params():
36 params
= { "ssid": "test-suite-b",
38 "wpa_key_mgmt": "WPA-EAP-SUITE-B",
39 "rsn_pairwise": "GCMP",
40 "group_mgmt_cipher": "BIP-GMAC-128",
43 "openssl_ciphers": "SUITEB128",
44 #"dh_file": "auth_serv/dh.conf",
46 "eap_user_file": "auth_serv/eap_user.conf",
47 "ca_cert": "auth_serv/ec-ca.pem",
48 "server_cert": "auth_serv/ec-server.pem",
49 "private_key": "auth_serv/ec-server.key" }
52 def test_suite_b(dev
, apdev
):
53 """WPA2/GCMP connection at Suite B 128-bit level"""
54 check_suite_b_capa(dev
)
55 dev
[0].flush_scan_cache()
56 params
= suite_b_ap_params()
57 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
59 dev
[0].connect("test-suite-b", key_mgmt
="WPA-EAP-SUITE-B", ieee80211w
="2",
60 openssl_ciphers
="SUITEB128",
61 eap
="TLS", identity
="tls user",
62 ca_cert
="auth_serv/ec-ca.pem",
63 client_cert
="auth_serv/ec-user.pem",
64 private_key
="auth_serv/ec-user.key",
65 pairwise
="GCMP", group
="GCMP", scan_freq
="2412")
66 tls_cipher
= dev
[0].get_status_field("EAP TLS cipher")
67 if tls_cipher
!= "ECDHE-ECDSA-AES128-GCM-SHA256":
68 raise Exception("Unexpected TLS cipher: " + tls_cipher
)
70 bss
= dev
[0].get_bss(apdev
[0]['bssid'])
71 if 'flags' not in bss
:
72 raise Exception("Could not get BSS flags from BSS table")
73 if "[WPA2-EAP-SUITE-B-GCMP]" not in bss
['flags']:
74 raise Exception("Unexpected BSS flags: " + bss
['flags'])
76 dev
[0].request("DISCONNECT")
77 dev
[0].wait_disconnected(timeout
=20)
79 dev
[0].request("RECONNECT")
80 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED",
81 "CTRL-EVENT-CONNECTED"], timeout
=20)
83 raise Exception("Roaming with the AP timed out")
84 if "CTRL-EVENT-EAP-STARTED" in ev
:
85 raise Exception("Unexpected EAP exchange")
87 def suite_b_as_params():
90 params
['beacon_int'] = '2000'
91 params
['radius_server_clients'] = 'auth_serv/radius_clients.conf'
92 params
['radius_server_auth_port'] = '18129'
93 params
['eap_server'] = '1'
94 params
['eap_user_file'] = 'auth_serv/eap_user.conf'
95 params
['ca_cert'] = 'auth_serv/ec-ca.pem'
96 params
['server_cert'] = 'auth_serv/ec-server.pem'
97 params
['private_key'] = 'auth_serv/ec-server.key'
98 params
['openssl_ciphers'] = 'SUITEB128'
101 def test_suite_b_radius(dev
, apdev
):
102 """WPA2/GCMP (RADIUS) connection at Suite B 128-bit level"""
103 check_suite_b_capa(dev
)
104 dev
[0].flush_scan_cache()
105 params
= suite_b_as_params()
106 hostapd
.add_ap(apdev
[1]['ifname'], params
)
108 params
= { "ssid": "test-suite-b",
110 "wpa_key_mgmt": "WPA-EAP-SUITE-B",
111 "rsn_pairwise": "GCMP",
112 "group_mgmt_cipher": "BIP-GMAC-128",
115 'auth_server_addr': "127.0.0.1",
116 'auth_server_port': "18129",
117 'auth_server_shared_secret': "radius",
118 'nas_identifier': "nas.w1.fi" }
119 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
121 dev
[0].connect("test-suite-b", key_mgmt
="WPA-EAP-SUITE-B", ieee80211w
="2",
122 openssl_ciphers
="SUITEB128",
123 eap
="TLS", identity
="tls user",
124 ca_cert
="auth_serv/ec-ca.pem",
125 client_cert
="auth_serv/ec-user.pem",
126 private_key
="auth_serv/ec-user.key",
127 pairwise
="GCMP", group
="GCMP", scan_freq
="2412")
129 def check_suite_b_192_capa(dev
):
130 if "GCMP-256" not in dev
[0].get_capability("pairwise"):
131 raise HwsimSkip("GCMP-256 not supported")
132 if "BIP-GMAC-256" not in dev
[0].get_capability("group_mgmt"):
133 raise HwsimSkip("BIP-GMAC-256 not supported")
134 if "WPA-EAP-SUITE-B-192" not in dev
[0].get_capability("key_mgmt"):
135 raise HwsimSkip("WPA-EAP-SUITE-B-192 not supported")
136 check_suite_b_tls_lib(dev
)
138 def suite_b_192_ap_params():
139 params
= { "ssid": "test-suite-b",
141 "wpa_key_mgmt": "WPA-EAP-SUITE-B-192",
142 "rsn_pairwise": "GCMP-256",
143 "group_mgmt_cipher": "BIP-GMAC-256",
146 "openssl_ciphers": "SUITEB192",
148 "eap_user_file": "auth_serv/eap_user.conf",
149 "ca_cert": "auth_serv/ec2-ca.pem",
150 "server_cert": "auth_serv/ec2-server.pem",
151 "private_key": "auth_serv/ec2-server.key" }
154 def test_suite_b_192(dev
, apdev
):
155 """WPA2/GCMP-256 connection at Suite B 192-bit level"""
156 check_suite_b_192_capa(dev
)
157 dev
[0].flush_scan_cache()
158 params
= suite_b_192_ap_params()
159 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
161 dev
[0].connect("test-suite-b", key_mgmt
="WPA-EAP-SUITE-B-192",
163 openssl_ciphers
="SUITEB192",
164 eap
="TLS", identity
="tls user",
165 ca_cert
="auth_serv/ec2-ca.pem",
166 client_cert
="auth_serv/ec2-user.pem",
167 private_key
="auth_serv/ec2-user.key",
168 pairwise
="GCMP-256", group
="GCMP-256", scan_freq
="2412")
169 tls_cipher
= dev
[0].get_status_field("EAP TLS cipher")
170 if tls_cipher
!= "ECDHE-ECDSA-AES256-GCM-SHA384":
171 raise Exception("Unexpected TLS cipher: " + tls_cipher
)
173 bss
= dev
[0].get_bss(apdev
[0]['bssid'])
174 if 'flags' not in bss
:
175 raise Exception("Could not get BSS flags from BSS table")
176 if "[WPA2-EAP-SUITE-B-192-GCMP-256]" not in bss
['flags']:
177 raise Exception("Unexpected BSS flags: " + bss
['flags'])
179 dev
[0].request("DISCONNECT")
180 dev
[0].wait_disconnected(timeout
=20)
181 dev
[0].dump_monitor()
182 dev
[0].request("RECONNECT")
183 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED",
184 "CTRL-EVENT-CONNECTED"], timeout
=20)
186 raise Exception("Roaming with the AP timed out")
187 if "CTRL-EVENT-EAP-STARTED" in ev
:
188 raise Exception("Unexpected EAP exchange")
190 def test_suite_b_192_radius(dev
, apdev
):
191 """WPA2/GCMP-256 (RADIUS) connection at Suite B 192-bit level"""
192 check_suite_b_192_capa(dev
)
193 dev
[0].flush_scan_cache()
194 params
= suite_b_as_params()
195 params
['ca_cert'] = 'auth_serv/ec2-ca.pem'
196 params
['server_cert'] = 'auth_serv/ec2-server.pem'
197 params
['private_key'] = 'auth_serv/ec2-server.key'
198 params
['openssl_ciphers'] = 'SUITEB192'
199 hostapd
.add_ap(apdev
[1]['ifname'], params
)
201 params
= { "ssid": "test-suite-b",
203 "wpa_key_mgmt": "WPA-EAP-SUITE-B-192",
204 "rsn_pairwise": "GCMP-256",
205 "group_mgmt_cipher": "BIP-GMAC-256",
208 'auth_server_addr': "127.0.0.1",
209 'auth_server_port': "18129",
210 'auth_server_shared_secret': "radius",
211 'nas_identifier': "nas.w1.fi" }
212 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
214 dev
[0].connect("test-suite-b", key_mgmt
="WPA-EAP-SUITE-B-192",
216 openssl_ciphers
="SUITEB192",
217 eap
="TLS", identity
="tls user",
218 ca_cert
="auth_serv/ec2-ca.pem",
219 client_cert
="auth_serv/ec2-user.pem",
220 private_key
="auth_serv/ec2-user.key",
221 pairwise
="GCMP-256", group
="GCMP-256", scan_freq
="2412")
223 def test_suite_b_pmkid_failure(dev
, apdev
):
224 """WPA2/GCMP connection at Suite B 128-bit level and PMKID derivation failure"""
225 check_suite_b_capa(dev
)
226 dev
[0].flush_scan_cache()
227 params
= suite_b_ap_params()
228 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
230 with
fail_test(dev
[0], 1, "rsn_pmkid_suite_b"):
231 dev
[0].connect("test-suite-b", key_mgmt
="WPA-EAP-SUITE-B",
233 openssl_ciphers
="SUITEB128",
234 eap
="TLS", identity
="tls user",
235 ca_cert
="auth_serv/ec-ca.pem",
236 client_cert
="auth_serv/ec-user.pem",
237 private_key
="auth_serv/ec-user.key",
238 pairwise
="GCMP", group
="GCMP", scan_freq
="2412")
240 def test_suite_b_192_pmkid_failure(dev
, apdev
):
241 """WPA2/GCMP-256 connection at Suite B 192-bit level and PMKID derivation failure"""
242 check_suite_b_192_capa(dev
)
243 dev
[0].flush_scan_cache()
244 params
= suite_b_192_ap_params()
245 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
247 with
fail_test(dev
[0], 1, "rsn_pmkid_suite_b"):
248 dev
[0].connect("test-suite-b", key_mgmt
="WPA-EAP-SUITE-B-192",
250 openssl_ciphers
="SUITEB192",
251 eap
="TLS", identity
="tls user",
252 ca_cert
="auth_serv/ec2-ca.pem",
253 client_cert
="auth_serv/ec2-user.pem",
254 private_key
="auth_serv/ec2-user.key",
255 pairwise
="GCMP-256", group
="GCMP-256", scan_freq
="2412")
257 def test_suite_b_mic_failure(dev
, apdev
):
258 """WPA2/GCMP connection at Suite B 128-bit level and MIC derivation failure"""
259 check_suite_b_capa(dev
)
260 dev
[0].flush_scan_cache()
261 params
= suite_b_ap_params()
262 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
264 with
fail_test(dev
[0], 1, "wpa_eapol_key_mic"):
265 dev
[0].connect("test-suite-b", key_mgmt
="WPA-EAP-SUITE-B",
267 openssl_ciphers
="SUITEB128",
268 eap
="TLS", identity
="tls user",
269 ca_cert
="auth_serv/ec-ca.pem",
270 client_cert
="auth_serv/ec-user.pem",
271 private_key
="auth_serv/ec-user.key",
272 pairwise
="GCMP", group
="GCMP", scan_freq
="2412",
274 dev
[0].wait_disconnected()
276 def test_suite_b_192_mic_failure(dev
, apdev
):
277 """WPA2/GCMP connection at Suite B 192-bit level and MIC derivation failure"""
278 check_suite_b_capa(dev
)
279 dev
[0].flush_scan_cache()
280 params
= suite_b_192_ap_params()
281 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
283 with
fail_test(dev
[0], 1, "wpa_eapol_key_mic"):
284 dev
[0].connect("test-suite-b", key_mgmt
="WPA-EAP-SUITE-B-192",
286 openssl_ciphers
="SUITEB192",
287 eap
="TLS", identity
="tls user",
288 ca_cert
="auth_serv/ec2-ca.pem",
289 client_cert
="auth_serv/ec2-user.pem",
290 private_key
="auth_serv/ec2-user.key",
291 pairwise
="GCMP-256", group
="GCMP-256", scan_freq
="2412",
293 dev
[0].wait_disconnected()