tests: Remove trailing semicolons from python code
# Suite B tests
# Copyright (c) 2014-2015, Jouni Malinen <j@w1.fi>
#
# This software may be distributed under the terms of the BSD license.
# See README for more details.
import time
import logging
# logging.getLogger() without a name returns the root logger.
logger = logging.getLogger()

import hostapd
from utils import HwsimSkip, fail_test
def check_suite_b_capa(dev):
    """Skip the test unless dev[0] can run the Suite B 128-bit level.

    Raises HwsimSkip when GCMP, BIP-GMAC-128 or the WPA-EAP-SUITE-B key
    management suite is missing from the capabilities reported by dev[0],
    then delegates the TLS library check to check_suite_b_tls_lib().
    """
    # (capability field, required value) pairs, checked in this order.
    required = (("pairwise", "GCMP"),
                ("group_mgmt", "BIP-GMAC-128"),
                ("key_mgmt", "WPA-EAP-SUITE-B"))
    for capa_field, name in required:
        if name not in dev[0].get_capability(capa_field):
            raise HwsimSkip(name + " not supported")
    check_suite_b_tls_lib(dev, level128=True)
def check_suite_b_tls_lib(dev, dhe=False, level128=False):
    """Skip the test unless the TLS library of dev[0] is accepted for Suite B.

    The decision is made from the string returned by "GET tls_library":
    - a string starting with "GnuTLS" is accepted as is;
    - anything not starting with "OpenSSL" raises HwsimSkip;
    - for OpenSSL, the build and run-time versions must both be one of the
      listed releases, or the run-time library may be BoringSSL when neither
      dhe nor level128 is requested.

    Raises:
        HwsimSkip: the library or its version is not in the accepted set.
    """
    tls_info = dev[0].request("GET tls_library")
    if tls_info.startswith("GnuTLS"):
        return
    if not tls_info.startswith("OpenSSL"):
        raise HwsimSkip("TLS library not supported for Suite B: " + tls_info)

    # BoringSSL at run time is only tolerated for the cases that need neither
    # DHE nor the 128-bit level.
    boringssl_ok = not dhe and not level128 and "run=BoringSSL" in tls_info

    # NOTE(review): this is a fixed allow-list matched by substring; a library
    # reporting any other release string ends up in the skip below, so the
    # Suite B tests are silently skipped there rather than run.
    for ver in ('1.0.2', '1.1.0', '1.1.1'):
        if "build=OpenSSL " + ver not in tls_info:
            continue
        if "run=OpenSSL " + ver in tls_info or boringssl_ok:
            return
    raise HwsimSkip("OpenSSL version not supported for Suite B: " + tls_info)
def suite_b_ap_params():
    """Return hostapd parameters for the Suite B 128-bit level test AP.

    The AP uses WPA-EAP-SUITE-B with GCMP, BIP-GMAC-128 and ieee80211w=2,
    and runs the integrated EAP server with the EC server certificate.
    A new dict is returned on every call so callers may modify it.
    """
    return {
        # RSN / management frame protection settings
        "ssid": "test-suite-b",
        "wpa": "2",
        "wpa_key_mgmt": "WPA-EAP-SUITE-B",
        "rsn_pairwise": "GCMP",
        "group_mgmt_cipher": "BIP-GMAC-128",
        "ieee80211w": "2",
        "ieee8021x": "1",
        # TLS cipher restriction for the EAP-TLS server side
        "openssl_ciphers": "SUITEB128",
        #"dh_file": "auth_serv/dh.conf",
        # Integrated EAP server and its test credentials
        "eap_server": "1",
        "eap_user_file": "auth_serv/eap_user.conf",
        "ca_cert": "auth_serv/ec-ca.pem",
        "server_cert": "auth_serv/ec-server.pem",
        "private_key": "auth_serv/ec-server.key",
    }
def test_suite_b(dev, apdev):
    """WPA2/GCMP connection at Suite B 128-bit level"""
    check_suite_b_capa(dev)
    sta = dev[0]
    sta.flush_scan_cache()
    ap_params = suite_b_ap_params()
    hapd = hostapd.add_ap(apdev[0], ap_params)

    sta.connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B", ieee80211w="2",
                openssl_ciphers="SUITEB128",
                eap="TLS", identity="tls user",
                ca_cert="auth_serv/ec-ca.pem",
                client_cert="auth_serv/ec-user.pem",
                private_key="auth_serv/ec-user.key",
                pairwise="GCMP", group="GCMP", scan_freq="2412")

    # Only the ECDHE-ECDSA AES-128-GCM suite is acceptable. The second
    # spelling is presumably the name another TLS library reports for the
    # same suite (GnuTLS is accepted by check_suite_b_tls_lib) - confirm.
    tls_cipher = sta.get_status_field("EAP TLS cipher")
    if tls_cipher not in ("ECDHE-ECDSA-AES128-GCM-SHA256",
                          "ECDHE-ECDSA-AES-128-GCM-AEAD"):
        raise Exception("Unexpected TLS cipher: " + tls_cipher)

    # The scan result for the AP has to advertise the Suite B AKM with GCMP.
    bss_entry = sta.get_bss(apdev[0]['bssid'])
    if 'flags' not in bss_entry:
        raise Exception("Could not get BSS flags from BSS table")
    if "[WPA2-EAP-SUITE-B-GCMP]" not in bss_entry['flags']:
        raise Exception("Unexpected BSS flags: " + bss_entry['flags'])

    # First reconnect: a new EAP exchange counts as a failure, i.e. the
    # association is expected to complete without full authentication
    # (presumably from the cached PMKSA - confirm).
    sta.request("DISCONNECT")
    sta.wait_disconnected(timeout=20)
    sta.dump_monitor()
    sta.request("RECONNECT")
    event = sta.wait_event(["CTRL-EVENT-EAP-STARTED",
                            "CTRL-EVENT-CONNECTED"], timeout=20)
    if event is None:
        raise Exception("Roaming with the AP timed out")
    if "CTRL-EVENT-EAP-STARTED" in event:
        raise Exception("Unexpected EAP exchange")

    # The AP must report the Suite B AKM in its running configuration.
    ap_conf = hapd.get_config()
    if ap_conf['key_mgmt'] != 'WPA-EAP-SUITE-B':
        raise Exception("Unexpected config key_mgmt: " + ap_conf['key_mgmt'])

    # Second reconnect with the same expectation as the first one.
    sta.request("DISCONNECT")
    sta.wait_disconnected(timeout=20)
    sta.dump_monitor()
    sta.request("RECONNECT")
    event = sta.wait_event(["CTRL-EVENT-EAP-STARTED",
                            "CTRL-EVENT-CONNECTED"], timeout=20)
    if event is None:
        raise Exception("Roaming with the AP timed out (2)")
    if "CTRL-EVENT-EAP-STARTED" in event:
        raise Exception("Unexpected EAP exchange (2)")
def suite_b_as_params():
    """Return hostapd parameters for the RADIUS authentication server.

    The instance serves RADIUS authentication on port 18129 with the EC
    server certificate and the SUITEB128 cipher restriction; callers
    override the certificate and cipher entries for other levels.
    A new dict is returned on every call.
    """
    return {
        'ssid': 'as',
        'beacon_int': '2000',
        # RADIUS server side: client list and listening port
        'radius_server_clients': 'auth_serv/radius_clients.conf',
        'radius_server_auth_port': '18129',
        # EAP server and TLS credentials
        'eap_server': '1',
        'eap_user_file': 'auth_serv/eap_user.conf',
        'ca_cert': 'auth_serv/ec-ca.pem',
        'server_cert': 'auth_serv/ec-server.pem',
        'private_key': 'auth_serv/ec-server.key',
        'openssl_ciphers': 'SUITEB128',
    }
def test_suite_b_radius(dev, apdev):
    """WPA2/GCMP (RADIUS) connection at Suite B 128-bit level"""
    check_suite_b_capa(dev)
    sta = dev[0]
    sta.flush_scan_cache()

    # apdev[1] acts as the RADIUS authentication server.
    as_params = suite_b_as_params()
    hostapd.add_ap(apdev[1], as_params)

    # apdev[0] is the AP under test and forwards EAP to that server over
    # loopback. "radius" is the shared secret used by this test setup.
    ap_params = {
        "ssid": "test-suite-b",
        "wpa": "2",
        "wpa_key_mgmt": "WPA-EAP-SUITE-B",
        "rsn_pairwise": "GCMP",
        "group_mgmt_cipher": "BIP-GMAC-128",
        "ieee80211w": "2",
        "ieee8021x": "1",
        "auth_server_addr": "127.0.0.1",
        "auth_server_port": "18129",
        "auth_server_shared_secret": "radius",
        "nas_identifier": "nas.w1.fi",
    }
    hapd = hostapd.add_ap(apdev[0], ap_params)

    # NOTE(review): unlike test_suite_b, the negotiated TLS cipher is not
    # checked after the connection here.
    sta.connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B", ieee80211w="2",
                openssl_ciphers="SUITEB128",
                eap="TLS", identity="tls user",
                ca_cert="auth_serv/ec-ca.pem",
                client_cert="auth_serv/ec-user.pem",
                private_key="auth_serv/ec-user.key",
                pairwise="GCMP", group="GCMP", scan_freq="2412")
def check_suite_b_192_capa(dev, dhe=False):
    """Skip the test unless dev[0] can run the Suite B 192-bit level.

    Raises HwsimSkip when GCMP-256, BIP-GMAC-256 or the WPA-EAP-SUITE-B-192
    key management suite is missing from the capabilities reported by
    dev[0]. The dhe flag is passed through to check_suite_b_tls_lib().
    """
    # (capability field, required value) pairs, checked in this order.
    required = (("pairwise", "GCMP-256"),
                ("group_mgmt", "BIP-GMAC-256"),
                ("key_mgmt", "WPA-EAP-SUITE-B-192"))
    for capa_field, name in required:
        if name not in dev[0].get_capability(capa_field):
            raise HwsimSkip(name + " not supported")
    check_suite_b_tls_lib(dev, dhe=dhe)
def suite_b_192_ap_params():
    """Return hostapd parameters for the Suite B 192-bit level test AP.

    The AP uses WPA-EAP-SUITE-B-192 with GCMP-256, BIP-GMAC-256 and
    ieee80211w=2, and runs the integrated EAP server with the ec2 server
    certificate. A new dict is returned on every call.
    """
    return {
        # RSN / management frame protection settings
        "ssid": "test-suite-b",
        "wpa": "2",
        "wpa_key_mgmt": "WPA-EAP-SUITE-B-192",
        "rsn_pairwise": "GCMP-256",
        "group_mgmt_cipher": "BIP-GMAC-256",
        "ieee80211w": "2",
        "ieee8021x": "1",
        # TLS cipher restriction for the EAP-TLS server side
        "openssl_ciphers": "SUITEB192",
        # Integrated EAP server and its test credentials
        "eap_server": "1",
        "eap_user_file": "auth_serv/eap_user.conf",
        "ca_cert": "auth_serv/ec2-ca.pem",
        "server_cert": "auth_serv/ec2-server.pem",
        "private_key": "auth_serv/ec2-server.key",
    }
def test_suite_b_192(dev, apdev):
    """WPA2/GCMP-256 connection at Suite B 192-bit level"""
    check_suite_b_192_capa(dev)
    sta = dev[0]
    sta.flush_scan_cache()
    ap_params = suite_b_192_ap_params()
    hapd = hostapd.add_ap(apdev[0], ap_params)

    sta.connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
                ieee80211w="2",
                openssl_ciphers="SUITEB192",
                eap="TLS", identity="tls user",
                ca_cert="auth_serv/ec2-ca.pem",
                client_cert="auth_serv/ec2-user.pem",
                private_key="auth_serv/ec2-user.key",
                pairwise="GCMP-256", group="GCMP-256", scan_freq="2412")

    # Only the ECDHE-ECDSA AES-256-GCM suite is acceptable. The second
    # spelling is presumably the name another TLS library reports for the
    # same suite (GnuTLS is accepted by check_suite_b_tls_lib) - confirm.
    tls_cipher = sta.get_status_field("EAP TLS cipher")
    if tls_cipher not in ("ECDHE-ECDSA-AES256-GCM-SHA384",
                          "ECDHE-ECDSA-AES-256-GCM-AEAD"):
        raise Exception("Unexpected TLS cipher: " + tls_cipher)

    # Management frame protection must have negotiated BIP-GMAC-256.
    mgmt_cipher = sta.get_status_field("mgmt_group_cipher")
    if mgmt_cipher != "BIP-GMAC-256":
        raise Exception("Unexpected mgmt_group_cipher: " + mgmt_cipher)

    # The scan result for the AP has to advertise the 192-bit AKM.
    bss_entry = sta.get_bss(apdev[0]['bssid'])
    if 'flags' not in bss_entry:
        raise Exception("Could not get BSS flags from BSS table")
    if "[WPA2-EAP-SUITE-B-192-GCMP-256]" not in bss_entry['flags']:
        raise Exception("Unexpected BSS flags: " + bss_entry['flags'])

    # First reconnect: a new EAP exchange counts as a failure, i.e. the
    # association is expected to complete without full authentication
    # (presumably from the cached PMKSA - confirm).
    sta.request("DISCONNECT")
    sta.wait_disconnected(timeout=20)
    sta.dump_monitor()
    sta.request("RECONNECT")
    event = sta.wait_event(["CTRL-EVENT-EAP-STARTED",
                            "CTRL-EVENT-CONNECTED"], timeout=20)
    if event is None:
        raise Exception("Roaming with the AP timed out")
    if "CTRL-EVENT-EAP-STARTED" in event:
        raise Exception("Unexpected EAP exchange")

    # The AP must report the 192-bit AKM in its running configuration.
    ap_conf = hapd.get_config()
    if ap_conf['key_mgmt'] != 'WPA-EAP-SUITE-B-192':
        raise Exception("Unexpected config key_mgmt: " + ap_conf['key_mgmt'])

    # Second reconnect with the same expectation as the first one.
    sta.request("DISCONNECT")
    sta.wait_disconnected(timeout=20)
    sta.dump_monitor()
    sta.request("RECONNECT")
    event = sta.wait_event(["CTRL-EVENT-EAP-STARTED",
                            "CTRL-EVENT-CONNECTED"], timeout=20)
    if event is None:
        raise Exception("Roaming with the AP timed out (2)")
    if "CTRL-EVENT-EAP-STARTED" in event:
        raise Exception("Unexpected EAP exchange (2)")
def test_suite_b_192_radius(dev, apdev):
    """WPA2/GCMP-256 (RADIUS) connection at Suite B 192-bit level"""
    check_suite_b_192_capa(dev)
    sta = dev[0]
    sta.flush_scan_cache()

    # apdev[1] acts as the RADIUS authentication server, switched to the
    # ec2 credentials and the SUITEB192 cipher restriction.
    as_params = suite_b_as_params()
    as_params['ca_cert'] = 'auth_serv/ec2-ca.pem'
    as_params['server_cert'] = 'auth_serv/ec2-server.pem'
    as_params['private_key'] = 'auth_serv/ec2-server.key'
    as_params['openssl_ciphers'] = 'SUITEB192'
    hostapd.add_ap(apdev[1], as_params)

    # apdev[0] is the AP under test and forwards EAP to that server over
    # loopback. "radius" is the shared secret used by this test setup.
    ap_params = {
        "ssid": "test-suite-b",
        "wpa": "2",
        "wpa_key_mgmt": "WPA-EAP-SUITE-B-192",
        "rsn_pairwise": "GCMP-256",
        "group_mgmt_cipher": "BIP-GMAC-256",
        "ieee80211w": "2",
        "ieee8021x": "1",
        "auth_server_addr": "127.0.0.1",
        "auth_server_port": "18129",
        "auth_server_shared_secret": "radius",
        "nas_identifier": "nas.w1.fi",
    }
    hapd = hostapd.add_ap(apdev[0], ap_params)

    # NOTE(review): unlike test_suite_b_192, the negotiated TLS cipher is
    # not checked after the connection here.
    sta.connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
                ieee80211w="2",
                openssl_ciphers="SUITEB192",
                eap="TLS", identity="tls user",
                ca_cert="auth_serv/ec2-ca.pem",
                client_cert="auth_serv/ec2-user.pem",
                private_key="auth_serv/ec2-user.key",
                pairwise="GCMP-256", group="GCMP-256", scan_freq="2412")
def test_suite_b_192_radius_and_p256_cert(dev, apdev):
    """Suite B 192-bit level and p256 client cert"""
    check_suite_b_192_capa(dev)
    sta = dev[0]
    sta.flush_scan_cache()

    # apdev[1] acts as the RADIUS authentication server, switched to the
    # ec2 credentials and the SUITEB192 cipher restriction.
    as_params = suite_b_as_params()
    as_params['ca_cert'] = 'auth_serv/ec2-ca.pem'
    as_params['server_cert'] = 'auth_serv/ec2-server.pem'
    as_params['private_key'] = 'auth_serv/ec2-server.key'
    as_params['openssl_ciphers'] = 'SUITEB192'
    hostapd.add_ap(apdev[1], as_params)

    # apdev[0] is the AP under test and forwards EAP to that server over
    # loopback. "radius" is the shared secret used by this test setup.
    ap_params = {
        "ssid": "test-suite-b",
        "wpa": "2",
        "wpa_key_mgmt": "WPA-EAP-SUITE-B-192",
        "rsn_pairwise": "GCMP-256",
        "group_mgmt_cipher": "BIP-GMAC-256",
        "ieee80211w": "2",
        "ieee8021x": "1",
        "auth_server_addr": "127.0.0.1",
        "auth_server_port": "18129",
        "auth_server_shared_secret": "radius",
        "nas_identifier": "nas.w1.fi",
    }
    hapd = hostapd.add_ap(apdev[0], ap_params)

    # Negative test: the station presents the ec2-user-p256 certificate and
    # does not restrict its own cipher list, so the rejection has to come
    # from the server side (presumably because the key is below the
    # 192-bit level - confirm against the auth_serv credentials).
    sta.connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
                ieee80211w="2",
                #openssl_ciphers="SUITEB192",
                eap="TLS", identity="tls user",
                ca_cert="auth_serv/ec2-ca.pem",
                client_cert="auth_serv/ec2-user-p256.pem",
                private_key="auth_serv/ec2-user-p256.key",
                pairwise="GCMP-256", group="GCMP-256", scan_freq="2412",
                wait_connect=False)

    failure = sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if failure is None:
        raise Exception("EAP-Failure not reported")

    # Reason code 23 is the IEEE 802.11 code for a failed IEEE 802.1X
    # authentication; any other reason is treated as a test failure.
    disconnect = sta.wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=5)
    if disconnect is None:
        raise Exception("Disconnection not reported")
    if "reason=23" not in disconnect:
        raise Exception("Unexpected disconnection reason: " + disconnect)
def test_suite_b_pmkid_failure(dev, apdev):
    """WPA2/GCMP connection at Suite B 128-bit level and PMKID derivation failure"""
    check_suite_b_capa(dev)
    sta = dev[0]
    sta.flush_scan_cache()
    ap_params = suite_b_ap_params()
    hapd = hostapd.add_ap(apdev[0], ap_params)

    # fail_test presumably injects a failure into rsn_pmkid_suite_b on the
    # station - confirm against utils.fail_test. connect() is called without
    # wait_connect=False, so the connection is still expected to complete.
    with fail_test(sta, 1, "rsn_pmkid_suite_b"):
        sta.connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B",
                    ieee80211w="2",
                    openssl_ciphers="SUITEB128",
                    eap="TLS", identity="tls user",
                    ca_cert="auth_serv/ec-ca.pem",
                    client_cert="auth_serv/ec-user.pem",
                    private_key="auth_serv/ec-user.key",
                    pairwise="GCMP", group="GCMP", scan_freq="2412")
def test_suite_b_192_pmkid_failure(dev, apdev):
    """WPA2/GCMP-256 connection at Suite B 192-bit level and PMKID derivation failure"""
    check_suite_b_192_capa(dev)
    sta = dev[0]
    sta.flush_scan_cache()
    ap_params = suite_b_192_ap_params()
    hapd = hostapd.add_ap(apdev[0], ap_params)

    # fail_test presumably injects a failure into rsn_pmkid_suite_b on the
    # station - confirm against utils.fail_test. connect() is called without
    # wait_connect=False, so the connection is still expected to complete.
    with fail_test(sta, 1, "rsn_pmkid_suite_b"):
        sta.connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
                    ieee80211w="2",
                    openssl_ciphers="SUITEB192",
                    eap="TLS", identity="tls user",
                    ca_cert="auth_serv/ec2-ca.pem",
                    client_cert="auth_serv/ec2-user.pem",
                    private_key="auth_serv/ec2-user.key",
                    pairwise="GCMP-256", group="GCMP-256", scan_freq="2412")
def test_suite_b_mic_failure(dev, apdev):
    """WPA2/GCMP connection at Suite B 128-bit level and MIC derivation failure"""
    check_suite_b_capa(dev)
    sta = dev[0]
    sta.flush_scan_cache()
    ap_params = suite_b_ap_params()
    hapd = hostapd.add_ap(apdev[0], ap_params)

    # fail_test presumably injects a failure into wpa_eapol_key_mic on the
    # station - confirm against utils.fail_test. The connection attempt is
    # started without waiting and a disconnection is the expected outcome.
    # NOTE(review): the page lost its indentation; the wait is kept inside
    # the with block on the assumption that fail_test verifies on exit that
    # the injected failure was hit - confirm against the repository file.
    with fail_test(sta, 1, "wpa_eapol_key_mic"):
        sta.connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B",
                    ieee80211w="2",
                    openssl_ciphers="SUITEB128",
                    eap="TLS", identity="tls user",
                    ca_cert="auth_serv/ec-ca.pem",
                    client_cert="auth_serv/ec-user.pem",
                    private_key="auth_serv/ec-user.key",
                    pairwise="GCMP", group="GCMP", scan_freq="2412",
                    wait_connect=False)
        sta.wait_disconnected()
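def test_suite_b_192_mic_failure(dev, apdev):
    """WPA2/GCMP-256 connection at Suite B 192-bit level and MIC derivation failure"""
    # The description names GCMP-256 because that is the pairwise and group
    # cipher this test configures on both the AP and the station.
    check_suite_b_192_capa(dev)
    dev[0].flush_scan_cache()
    params = suite_b_192_ap_params()
    hapd = hostapd.add_ap(apdev[0], params)

    # fail_test presumably injects a failure into wpa_eapol_key_mic on the
    # station - confirm against utils.fail_test. The connection attempt is
    # started without waiting and a disconnection is the expected outcome.
    # NOTE(review): the page lost its indentation; the wait is kept inside
    # the with block on the assumption that fail_test verifies on exit that
    # the injected failure was hit - confirm against the repository file.
    with fail_test(dev[0], 1, "wpa_eapol_key_mic"):
        dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
                       ieee80211w="2",
                       openssl_ciphers="SUITEB192",
                       eap="TLS", identity="tls user",
                       ca_cert="auth_serv/ec2-ca.pem",
                       client_cert="auth_serv/ec2-user.pem",
                       private_key="auth_serv/ec2-user.key",
                       pairwise="GCMP-256", group="GCMP-256", scan_freq="2412",
                       wait_connect=False)
        dev[0].wait_disconnected()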
def suite_b_192_rsa_ap_params():
    """Return hostapd parameters for the Suite B 192-bit level AP with RSA.

    Instead of an openssl_ciphers restriction this variant sets
    tls_flags=[SUITEB] and a 3072-bit DH parameter file, and uses the
    rsa3072 server credentials. A new dict is returned on every call so
    callers may replace or delete entries.
    """
    return {
        # RSN / management frame protection settings
        "ssid": "test-suite-b",
        "wpa": "2",
        "wpa_key_mgmt": "WPA-EAP-SUITE-B-192",
        "rsn_pairwise": "GCMP-256",
        "group_mgmt_cipher": "BIP-GMAC-256",
        "ieee80211w": "2",
        "ieee8021x": "1",
        # TLS policy for the EAP-TLS server side
        "tls_flags": "[SUITEB]",
        "dh_file": "auth_serv/dh_param_3072.pem",
        # Integrated EAP server and its test credentials
        "eap_server": "1",
        "eap_user_file": "auth_serv/eap_user.conf",
        "ca_cert": "auth_serv/rsa3072-ca.pem",
        "server_cert": "auth_serv/rsa3072-server.pem",
        "private_key": "auth_serv/rsa3072-server.key",
    }
def test_suite_b_192_rsa(dev, apdev):
    """WPA2/GCMP-256 connection at Suite B 192-bit level and RSA"""
    # Default case: neither key exchange family is disabled on the AP.
    run_suite_b_192_rsa(dev, apdev, no_ecdh=False, no_dhe=False)
def test_suite_b_192_rsa_ecdhe(dev, apdev):
    """WPA2/GCMP-256 connection at Suite B 192-bit level and RSA (ECDHE)"""
    # no_dhe makes the runner drop dh_file from the AP configuration.
    run_suite_b_192_rsa(dev, apdev, no_ecdh=False, no_dhe=True)
def test_suite_b_192_rsa_dhe(dev, apdev):
    """WPA2/GCMP-256 connection at Suite B 192-bit level and RSA (DHE)"""
    # no_ecdh makes the runner set tls_flags=[SUITEB-NO-ECDH] on the AP.
    run_suite_b_192_rsa(dev, apdev, no_ecdh=True, no_dhe=False)
def run_suite_b_192_rsa(dev, apdev, no_ecdh=False, no_dhe=False):
    """Run the Suite B 192-bit level connection test with RSA credentials.

    no_ecdh switches the AP to tls_flags=[SUITEB-NO-ECDH] and requests the
    DHE-capable TLS library check; no_dhe removes dh_file from the AP
    configuration. The test fails with Exception when the negotiated TLS
    cipher, management group cipher, BSS flags or AP key_mgmt are not the
    expected ones, or when the reconnect starts a new EAP exchange.
    """
    check_suite_b_192_capa(dev, dhe=no_ecdh)
    sta = dev[0]
    sta.flush_scan_cache()

    ap_params = suite_b_192_rsa_ap_params()
    if no_ecdh:
        ap_params["tls_flags"] = "[SUITEB-NO-ECDH]"
    if no_dhe:
        ap_params.pop("dh_file")
    hapd = hostapd.add_ap(apdev[0], ap_params)

    # The station opts in to the Suite B TLS policy with tls_suiteb=1
    # instead of an explicit cipher list.
    sta.connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
                ieee80211w="2",
                phase1="tls_suiteb=1",
                eap="TLS", identity="tls user",
                ca_cert="auth_serv/rsa3072-ca.pem",
                client_cert="auth_serv/rsa3072-user.pem",
                private_key="auth_serv/rsa3072-user.key",
                pairwise="GCMP-256", group="GCMP-256", scan_freq="2412")

    # Either key exchange is accepted here regardless of no_ecdh/no_dhe;
    # the -AEAD spellings are presumably another TLS library's names for
    # the same suites - confirm.
    tls_cipher = sta.get_status_field("EAP TLS cipher")
    if tls_cipher not in ("ECDHE-RSA-AES256-GCM-SHA384",
                          "DHE-RSA-AES256-GCM-SHA384",
                          "ECDHE-RSA-AES-256-GCM-AEAD",
                          "DHE-RSA-AES-256-GCM-AEAD"):
        raise Exception("Unexpected TLS cipher: " + tls_cipher)

    # Management frame protection must have negotiated BIP-GMAC-256.
    mgmt_cipher = sta.get_status_field("mgmt_group_cipher")
    if mgmt_cipher != "BIP-GMAC-256":
        raise Exception("Unexpected mgmt_group_cipher: " + mgmt_cipher)

    # The scan result for the AP has to advertise the 192-bit AKM.
    bss_entry = sta.get_bss(apdev[0]['bssid'])
    if 'flags' not in bss_entry:
        raise Exception("Could not get BSS flags from BSS table")
    if "[WPA2-EAP-SUITE-B-192-GCMP-256]" not in bss_entry['flags']:
        raise Exception("Unexpected BSS flags: " + bss_entry['flags'])

    # Reconnect: a new EAP exchange counts as a failure, i.e. the
    # association is expected to complete without full authentication
    # (presumably from the cached PMKSA - confirm).
    sta.request("DISCONNECT")
    sta.wait_disconnected(timeout=20)
    sta.dump_monitor()
    sta.request("RECONNECT")
    event = sta.wait_event(["CTRL-EVENT-EAP-STARTED",
                            "CTRL-EVENT-CONNECTED"], timeout=20)
    if event is None:
        raise Exception("Roaming with the AP timed out")
    if "CTRL-EVENT-EAP-STARTED" in event:
        raise Exception("Unexpected EAP exchange")

    # The AP must report the 192-bit AKM in its running configuration.
    ap_conf = hapd.get_config()
    if ap_conf['key_mgmt'] != 'WPA-EAP-SUITE-B-192':
        raise Exception("Unexpected config key_mgmt: " + ap_conf['key_mgmt'])
def test_suite_b_192_rsa_insufficient_key(dev, apdev):
    """WPA2/GCMP-256 connection at Suite B 192-bit level and RSA with insufficient key length"""
    check_suite_b_192_capa(dev)
    sta = dev[0]
    sta.flush_scan_cache()

    # Negative test: the Suite B RSA AP is given the generic ca/server
    # credentials in place of the rsa3072 set (presumably shorter RSA keys,
    # per the test description - confirm against auth_serv).
    ap_params = suite_b_192_rsa_ap_params()
    ap_params["ca_cert"] = "auth_serv/ca.pem"
    ap_params["server_cert"] = "auth_serv/server.pem"
    ap_params["private_key"] = "auth_serv/server.key"
    hapd = hostapd.add_ap(apdev[0], ap_params)

    sta.connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
                ieee80211w="2",
                phase1="tls_suiteb=1",
                eap="TLS", identity="tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key",
                pairwise="GCMP-256", group="GCMP-256", scan_freq="2412",
                wait_connect=False)

    # The station itself has to reject the server certificate; the
    # disconnect request is sent before the event is evaluated.
    cert_error = sta.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    sta.request("DISCONNECT")
    if cert_error is None:
        raise Exception("Certificate error not reported")

    # Two (reason, error text) pairs are accepted; both must appear in the
    # same event. The two wordings presumably come from different TLS
    # libraries - confirm.
    accepted = (("reason=11", "err='Insufficient RSA modulus size'"),
                ("reason=7", "err='certificate uses insecure algorithm'"))
    for reason, err_text in accepted:
        if reason in cert_error and err_text in cert_error:
            return
    raise Exception("Unexpected error reason: " + cert_error)
def test_suite_b_192_rsa_insufficient_dh(dev, apdev):
    """WPA2/GCMP-256 connection at Suite B 192-bit level and RSA with insufficient DH key length"""
    check_suite_b_192_capa(dev, dhe=True)
    sta = dev[0]
    sta.flush_scan_cache()

    # Negative test: ECDH is disabled on the AP and the 3072-bit DH
    # parameter file is replaced with auth_serv/dh.conf (presumably a
    # smaller group, per the test description - confirm).
    ap_params = suite_b_192_rsa_ap_params()
    ap_params["tls_flags"] = "[SUITEB-NO-ECDH]"
    ap_params["dh_file"] = "auth_serv/dh.conf"
    hapd = hostapd.add_ap(apdev[0], ap_params)

    sta.connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
                ieee80211w="2",
                phase1="tls_suiteb=1",
                eap="TLS", identity="tls user",
                ca_cert="auth_serv/rsa3072-ca.pem",
                client_cert="auth_serv/rsa3072-user.pem",
                private_key="auth_serv/rsa3072-user.key",
                pairwise="GCMP-256", group="GCMP-256", scan_freq="2412",
                wait_connect=False)

    # Wait for either a locally generated TLS alert (expected) or a
    # completed connection (failure); the disconnect request is sent before
    # the event is evaluated.
    event = sta.wait_event(["CTRL-EVENT-EAP-STATUS status='local TLS alert'",
                            "CTRL-EVENT-CONNECTED"],
                           timeout=10)
    sta.request("DISCONNECT")
    if event is None:
        raise Exception("DH error not reported")
    if "CTRL-EVENT-CONNECTED" in event:
        raise Exception("Unexpected connection")
    # Either alert description is accepted as the rejection of the DH group.
    if not ("insufficient security" in event or "internal error" in event):
        raise Exception("Unexpected error reason: " + event)
def test_suite_b_192_rsa_radius(dev, apdev):
    """WPA2/GCMP-256 (RADIUS) connection at Suite B 192-bit level and RSA (ECDHE)"""
    check_suite_b_192_capa(dev)
    sta = dev[0]
    sta.flush_scan_cache()

    # apdev[1] acts as the RADIUS authentication server with the rsa3072
    # credentials; the cipher list restriction is replaced by the [SUITEB]
    # TLS flag.
    as_params = suite_b_as_params()
    as_params['ca_cert'] = 'auth_serv/rsa3072-ca.pem'
    as_params['server_cert'] = 'auth_serv/rsa3072-server.pem'
    as_params['private_key'] = 'auth_serv/rsa3072-server.key'
    as_params.pop('openssl_ciphers')
    as_params["tls_flags"] = "[SUITEB]"

    hostapd.add_ap(apdev[1], as_params)

    # apdev[0] is the AP under test and forwards EAP to that server over
    # loopback. "radius" is the shared secret used by this test setup.
    ap_params = {
        "ssid": "test-suite-b",
        "wpa": "2",
        "wpa_key_mgmt": "WPA-EAP-SUITE-B-192",
        "rsn_pairwise": "GCMP-256",
        "group_mgmt_cipher": "BIP-GMAC-256",
        "ieee80211w": "2",
        "ieee8021x": "1",
        "auth_server_addr": "127.0.0.1",
        "auth_server_port": "18129",
        "auth_server_shared_secret": "radius",
        "nas_identifier": "nas.w1.fi",
    }
    hapd = hostapd.add_ap(apdev[0], ap_params)

    # The station pins the single ECDHE-RSA suite in addition to
    # tls_suiteb=1.
    sta.connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
                ieee80211w="2",
                openssl_ciphers="ECDHE-RSA-AES256-GCM-SHA384",
                phase1="tls_suiteb=1",
                eap="TLS", identity="tls user",
                ca_cert="auth_serv/rsa3072-ca.pem",
                client_cert="auth_serv/rsa3072-user.pem",
                private_key="auth_serv/rsa3072-user.key",
                pairwise="GCMP-256", group="GCMP-256",
                group_mgmt="BIP-GMAC-256", scan_freq="2412")

    # The -AEAD spelling is presumably another TLS library's name for the
    # same suite - confirm.
    tls_cipher = sta.get_status_field("EAP TLS cipher")
    if tls_cipher not in ("ECDHE-RSA-AES256-GCM-SHA384",
                          "ECDHE-RSA-AES-256-GCM-AEAD"):
        raise Exception("Unexpected TLS cipher: " + tls_cipher)
def test_suite_b_192_rsa_ecdhe_radius_rsa2048_client(dev, apdev):
    """Suite B 192-bit level and RSA (ECDHE) and RSA2048 client"""
    # ECDHE variant of the shared negative test for the RSA2048 client.
    run_suite_b_192_rsa_radius_rsa2048_client(dev, apdev, ecdhe=True)
def test_suite_b_192_rsa_dhe_radius_rsa2048_client(dev, apdev):
    """Suite B 192-bit level and RSA (DHE) and RSA2048 client"""
    # DHE variant of the shared negative test for the RSA2048 client.
    run_suite_b_192_rsa_radius_rsa2048_client(dev, apdev, ecdhe=False)
def run_suite_b_192_rsa_radius_rsa2048_client(dev, apdev, ecdhe):
    """Check that an RSA2048 client certificate is rejected at the 192-bit level.

    ecdhe selects the key exchange: True uses tls_flags=[SUITEB] with the
    ECDHE-RSA suite, False uses [SUITEB-NO-ECDH], the 3072-bit DH parameter
    file and the DHE-RSA suite. The test fails with Exception unless an
    EAP failure is followed by a disconnection with reason code 23.
    """
    check_suite_b_192_capa(dev, dhe=not ecdhe)
    sta = dev[0]
    sta.flush_scan_cache()

    # apdev[1] acts as the RADIUS authentication server with the rsa3072
    # credentials; the cipher list restriction is replaced by TLS flags.
    as_params = suite_b_as_params()
    as_params['ca_cert'] = 'auth_serv/rsa3072-ca.pem'
    as_params['server_cert'] = 'auth_serv/rsa3072-server.pem'
    as_params['private_key'] = 'auth_serv/rsa3072-server.key'
    as_params.pop('openssl_ciphers')
    if not ecdhe:
        as_params["tls_flags"] = "[SUITEB-NO-ECDH]"
        as_params["dh_file"] = "auth_serv/dh_param_3072.pem"
        sta_ciphers = "DHE-RSA-AES256-GCM-SHA384"
    else:
        as_params["tls_flags"] = "[SUITEB]"
        sta_ciphers = "ECDHE-RSA-AES256-GCM-SHA384"

    hostapd.add_ap(apdev[1], as_params)

    # apdev[0] is the AP under test and forwards EAP to that server over
    # loopback. "radius" is the shared secret used by this test setup.
    ap_params = {
        "ssid": "test-suite-b",
        "wpa": "2",
        "wpa_key_mgmt": "WPA-EAP-SUITE-B-192",
        "rsn_pairwise": "GCMP-256",
        "group_mgmt_cipher": "BIP-GMAC-256",
        "ieee80211w": "2",
        "ieee8021x": "1",
        "auth_server_addr": "127.0.0.1",
        "auth_server_port": "18129",
        "auth_server_shared_secret": "radius",
        "nas_identifier": "nas.w1.fi",
    }
    hapd = hostapd.add_ap(apdev[0], ap_params)

    # Negative test: the station presents the rsa3072-user-rsa2048
    # certificate, which the server is expected to refuse.
    sta.connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
                ieee80211w="2",
                openssl_ciphers=sta_ciphers,
                phase1="tls_suiteb=1",
                eap="TLS", identity="tls user",
                ca_cert="auth_serv/rsa3072-ca.pem",
                client_cert="auth_serv/rsa3072-user-rsa2048.pem",
                private_key="auth_serv/rsa3072-user-rsa2048.key",
                pairwise="GCMP-256", group="GCMP-256",
                group_mgmt="BIP-GMAC-256", scan_freq="2412",
                wait_connect=False)

    failure = sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if failure is None:
        raise Exception("EAP-Failure not reported")

    # Reason code 23 is the IEEE 802.11 code for a failed IEEE 802.1X
    # authentication; any other reason is treated as a test failure.
    disconnect = sta.wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=5)
    if disconnect is None:
        raise Exception("Disconnection not reported")
    if "reason=23" not in disconnect:
        raise Exception("Unexpected disconnection reason: " + disconnect)