b652daca | 1 | # Suite B tests |
4113a96b | 2 | # Copyright (c) 2014-2015, Jouni Malinen <j@w1.fi> |
3 | # |
4 | # This software may be distributed under the terms of the BSD license. | |
5 | # See README for more details. | |
6 | ||
7 | import time | |
8 | import logging | |
9 | logger = logging.getLogger() | |
10 | ||
11 | import hostapd | |
fe6e56a2 | 12 | from utils import HwsimSkip, fail_test |
b652daca | 13 | |
def check_suite_b_capa(dev):
    """Skip the test unless dev[0] supports the Suite B 128-bit profile.

    Checks, in order, the GCMP pairwise cipher, the BIP-GMAC-128 management
    group cipher and the WPA-EAP-SUITE-B AKM, then defers to
    check_suite_b_tls_lib() (128-bit level) for the TLS library check.

    Raises HwsimSkip naming the first missing capability.
    """
    required = (("pairwise", "GCMP"),
                ("group_mgmt", "BIP-GMAC-128"),
                ("key_mgmt", "WPA-EAP-SUITE-B"))
    for capa, value in required:
        if value not in dev[0].get_capability(capa):
            raise HwsimSkip(value + " not supported")
    check_suite_b_tls_lib(dev, level128=True)
a2bc326e | 22 | |
def check_suite_b_tls_lib(dev, dhe=False, level128=False):
    """Skip the test unless the TLS library can be expected to do Suite B.

    GnuTLS is accepted as-is. OpenSSL is accepted only when both the
    build-time and run-time versions reported by "GET tls_library" are one
    of the known releases (1.0.2, 1.1.0, 1.1.1). A BoringSSL run-time on an
    OpenSSL-built binary is accepted only when neither dhe nor level128 is
    set, i.e. for the 192-bit ECDHE cases.

    Raises HwsimSkip for any other library or version combination.
    """
    tls = dev[0].request("GET tls_library")
    if tls.startswith("GnuTLS"):
        return
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("TLS library not supported for Suite B: " + tls)

    boringssl_ok = not dhe and not level128 and "run=BoringSSL" in tls
    for ver in ('1.0.2', '1.1.0', '1.1.1'):
        if "build=OpenSSL " + ver not in tls:
            continue
        if "run=OpenSSL " + ver in tls or boringssl_ok:
            return
    raise HwsimSkip("OpenSSL version not supported for Suite B: " + tls)
39 | ||
def suite_b_ap_params():
    """Return hostapd parameters for a Suite B 128-bit AP with a local EAP server.

    The AP terminates EAP-TLS itself (eap_server=1) with the EC test
    credentials under auth_serv/, restricts TLS to OpenSSL's SUITEB128
    profile, uses GCMP for pairwise data and BIP-GMAC-128 for protected
    management frames, and requires PMF (ieee80211w=2).
    """
    params = {}
    params["ssid"] = "test-suite-b"
    params["wpa"] = "2"
    params["wpa_key_mgmt"] = "WPA-EAP-SUITE-B"
    params["rsn_pairwise"] = "GCMP"
    params["group_mgmt_cipher"] = "BIP-GMAC-128"
    params["ieee80211w"] = "2"
    params["ieee8021x"] = "1"
    params["openssl_ciphers"] = "SUITEB128"
    # No dh_file here: the suite expected by test_suite_b() is ECDHE-ECDSA,
    # which needs no finite-field DH parameters.
    params["eap_server"] = "1"
    params["eap_user_file"] = "auth_serv/eap_user.conf"
    params["ca_cert"] = "auth_serv/ec-ca.pem"
    params["server_cert"] = "auth_serv/ec-server.pem"
    params["private_key"] = "auth_serv/ec-server.key"
    return params
56 | ||
def test_suite_b(dev, apdev):
    """WPA2/GCMP connection at Suite B 128-bit level"""
    check_suite_b_capa(dev)
    dev[0].flush_scan_cache()
    ap = hostapd.add_ap(apdev[0], suite_b_ap_params())

    dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B", ieee80211w="2",
                   openssl_ciphers="SUITEB128",
                   eap="TLS", identity="tls user",
                   ca_cert="auth_serv/ec-ca.pem",
                   client_cert="auth_serv/ec-user.pem",
                   private_key="auth_serv/ec-user.key",
                   pairwise="GCMP", group="GCMP", scan_freq="2412")

    # Suite B 128-bit must end up with ECDHE-ECDSA and AES-128-GCM; the
    # second spelling is the alternative name some TLS libraries report.
    negotiated = dev[0].get_status_field("EAP TLS cipher")
    if negotiated not in ("ECDHE-ECDSA-AES128-GCM-SHA256",
                          "ECDHE-ECDSA-AES-128-GCM-AEAD"):
        raise Exception("Unexpected TLS cipher: " + negotiated)

    bss = dev[0].get_bss(apdev[0]['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    if "[WPA2-EAP-SUITE-B-GCMP]" not in bss['flags']:
        raise Exception("Unexpected BSS flags: " + bss['flags'])

    def reconnect_without_eap(suffix):
        # Drop the association and come back to the same AP; the station is
        # expected to get connected without a fresh EAP exchange (PMKSA
        # reuse), so CTRL-EVENT-EAP-STARTED counts as a failure.
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected(timeout=20)
        dev[0].dump_monitor()
        dev[0].request("RECONNECT")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
                                "CTRL-EVENT-CONNECTED"], timeout=20)
        if ev is None:
            raise Exception("Roaming with the AP timed out" + suffix)
        if "CTRL-EVENT-EAP-STARTED" in ev:
            raise Exception("Unexpected EAP exchange" + suffix)

    reconnect_without_eap("")

    conf = ap.get_config()
    if conf['key_mgmt'] != 'WPA-EAP-SUITE-B':
        raise Exception("Unexpected config key_mgmt: " + conf['key_mgmt'])

    reconnect_without_eap(" (2)")
107 | ||
def suite_b_as_params():
    """Return hostapd parameters for a standalone RADIUS authentication server.

    The resulting "AP" (ssid 'as', long beacon interval) only exists to host
    hostapd's integrated RADIUS/EAP server on port 18129 with the clients
    from auth_serv/radius_clients.conf. It serves EAP-TLS with the Suite B
    128-bit EC credentials and the SUITEB128 cipher profile; the 192-bit
    tests override the certificate and cipher entries.
    """
    return { 'ssid': 'as',
             'beacon_int': '2000',
             'radius_server_clients': 'auth_serv/radius_clients.conf',
             'radius_server_auth_port': '18129',
             'eap_server': '1',
             'eap_user_file': 'auth_serv/eap_user.conf',
             'ca_cert': 'auth_serv/ec-ca.pem',
             'server_cert': 'auth_serv/ec-server.pem',
             'private_key': 'auth_serv/ec-server.key',
             'openssl_ciphers': 'SUITEB128' }
121 | ||
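def test_suite_b_radius(dev, apdev):
    """WPA2/GCMP (RADIUS) connection at Suite B 128-bit level"""
    check_suite_b_capa(dev)
    dev[0].flush_scan_cache()
    # apdev[1] hosts the RADIUS authentication server that terminates
    # EAP-TLS; apdev[0] below is the AP that proxies EAP to it over loopback.
    params = suite_b_as_params()
    hostapd.add_ap(apdev[1], params)

    params = { "ssid": "test-suite-b",
               "wpa": "2",
               "wpa_key_mgmt": "WPA-EAP-SUITE-B",
               "rsn_pairwise": "GCMP",
               "group_mgmt_cipher": "BIP-GMAC-128",
               "ieee80211w": "2",
               "ieee8021x": "1",
               'auth_server_addr': "127.0.0.1",
               'auth_server_port': "18129",
               'auth_server_shared_secret': "radius",
               'nas_identifier': "nas.w1.fi" }
    hapd = hostapd.add_ap(apdev[0], params)

    dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B", ieee80211w="2",
                   openssl_ciphers="SUITEB128",
                   eap="TLS", identity="tls user",
                   ca_cert="auth_serv/ec-ca.pem",
                   client_cert="auth_serv/ec-user.pem",
                   private_key="auth_serv/ec-user.key",
                   pairwise="GCMP", group="GCMP", scan_freq="2412")

    # Same verification as test_suite_b(): RADIUS only transports the EAP
    # exchange, so the negotiated TLS cipher must still be the Suite B
    # 128-bit one (second spelling is the alternative library naming).
    tls_cipher = dev[0].get_status_field("EAP TLS cipher")
    if tls_cipher != "ECDHE-ECDSA-AES128-GCM-SHA256" and \
       tls_cipher != "ECDHE-ECDSA-AES-128-GCM-AEAD":
        raise Exception("Unexpected TLS cipher: " + tls_cipher)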
149 | ||
def check_suite_b_192_capa(dev, dhe=False):
    """Skip the test unless dev[0] supports the Suite B 192-bit profile.

    Checks, in order, the GCMP-256 pairwise cipher, the BIP-GMAC-256
    management group cipher and the WPA-EAP-SUITE-B-192 AKM, then defers
    to check_suite_b_tls_lib() with the given dhe flag (set by the DHE-RSA
    variants, which exclude the BoringSSL run-time).

    Raises HwsimSkip naming the first missing capability.
    """
    required = (("pairwise", "GCMP-256"),
                ("group_mgmt", "BIP-GMAC-256"),
                ("key_mgmt", "WPA-EAP-SUITE-B-192"))
    for capa, value in required:
        if value not in dev[0].get_capability(capa):
            raise HwsimSkip(value + " not supported")
    check_suite_b_tls_lib(dev, dhe=dhe)
37551fe3 | 158 | |
def suite_b_192_ap_params():
    """Return hostapd parameters for a Suite B 192-bit AP with a local EAP server.

    Mirrors suite_b_ap_params() one level up: WPA-EAP-SUITE-B-192 AKM,
    GCMP-256 pairwise, BIP-GMAC-256 for protected management frames, the
    SUITEB192 TLS cipher profile and the ec2-* test credentials.
    """
    params = {}
    params["ssid"] = "test-suite-b"
    params["wpa"] = "2"
    params["wpa_key_mgmt"] = "WPA-EAP-SUITE-B-192"
    params["rsn_pairwise"] = "GCMP-256"
    params["group_mgmt_cipher"] = "BIP-GMAC-256"
    params["ieee80211w"] = "2"
    params["ieee8021x"] = "1"
    params["openssl_ciphers"] = "SUITEB192"
    params["eap_server"] = "1"
    params["eap_user_file"] = "auth_serv/eap_user.conf"
    params["ca_cert"] = "auth_serv/ec2-ca.pem"
    params["server_cert"] = "auth_serv/ec2-server.pem"
    params["private_key"] = "auth_serv/ec2-server.key"
    return params
174 | ||
def test_suite_b_192(dev, apdev):
    """WPA2/GCMP-256 connection at Suite B 192-bit level"""
    check_suite_b_192_capa(dev)
    dev[0].flush_scan_cache()
    ap = hostapd.add_ap(apdev[0], suite_b_192_ap_params())

    dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
                   ieee80211w="2",
                   openssl_ciphers="SUITEB192",
                   eap="TLS", identity="tls user",
                   ca_cert="auth_serv/ec2-ca.pem",
                   client_cert="auth_serv/ec2-user.pem",
                   private_key="auth_serv/ec2-user.key",
                   pairwise="GCMP-256", group="GCMP-256", scan_freq="2412")

    # The 192-bit level must negotiate ECDHE-ECDSA with AES-256-GCM (the
    # AEAD spelling is the alternative name some TLS libraries report) and
    # BIP-GMAC-256 for protected management frames.
    negotiated = dev[0].get_status_field("EAP TLS cipher")
    if negotiated not in ("ECDHE-ECDSA-AES256-GCM-SHA384",
                          "ECDHE-ECDSA-AES-256-GCM-AEAD"):
        raise Exception("Unexpected TLS cipher: " + negotiated)
    mgmt_cipher = dev[0].get_status_field("mgmt_group_cipher")
    if mgmt_cipher != "BIP-GMAC-256":
        raise Exception("Unexpected mgmt_group_cipher: " + mgmt_cipher)

    bss = dev[0].get_bss(apdev[0]['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    if "[WPA2-EAP-SUITE-B-192-GCMP-256]" not in bss['flags']:
        raise Exception("Unexpected BSS flags: " + bss['flags'])

    def reconnect_without_eap(suffix):
        # Drop the association and come back to the same AP; the station is
        # expected to get connected without a fresh EAP exchange (PMKSA
        # reuse), so CTRL-EVENT-EAP-STARTED counts as a failure.
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected(timeout=20)
        dev[0].dump_monitor()
        dev[0].request("RECONNECT")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
                                "CTRL-EVENT-CONNECTED"], timeout=20)
        if ev is None:
            raise Exception("Roaming with the AP timed out" + suffix)
        if "CTRL-EVENT-EAP-STARTED" in ev:
            raise Exception("Unexpected EAP exchange" + suffix)

    reconnect_without_eap("")

    conf = ap.get_config()
    if conf['key_mgmt'] != 'WPA-EAP-SUITE-B-192':
        raise Exception("Unexpected config key_mgmt: " + conf['key_mgmt'])

    reconnect_without_eap(" (2)")
229 | ||
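def test_suite_b_192_radius(dev, apdev):
    """WPA2/GCMP-256 (RADIUS) connection at Suite B 192-bit level"""
    check_suite_b_192_capa(dev)
    dev[0].flush_scan_cache()
    # RADIUS authentication server on apdev[1]: the 128-bit AS parameters
    # with the 192-bit EC credentials and the SUITEB192 cipher profile.
    params = suite_b_as_params()
    params['ca_cert'] = 'auth_serv/ec2-ca.pem'
    params['server_cert'] = 'auth_serv/ec2-server.pem'
    params['private_key'] = 'auth_serv/ec2-server.key'
    params['openssl_ciphers'] = 'SUITEB192'
    hostapd.add_ap(apdev[1], params)

    # The AP proxies EAP to that server over loopback.
    params = { "ssid": "test-suite-b",
               "wpa": "2",
               "wpa_key_mgmt": "WPA-EAP-SUITE-B-192",
               "rsn_pairwise": "GCMP-256",
               "group_mgmt_cipher": "BIP-GMAC-256",
               "ieee80211w": "2",
               "ieee8021x": "1",
               'auth_server_addr': "127.0.0.1",
               'auth_server_port': "18129",
               'auth_server_shared_secret': "radius",
               'nas_identifier': "nas.w1.fi" }
    hapd = hostapd.add_ap(apdev[0], params)

    dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
                   ieee80211w="2",
                   openssl_ciphers="SUITEB192",
                   eap="TLS", identity="tls user",
                   ca_cert="auth_serv/ec2-ca.pem",
                   client_cert="auth_serv/ec2-user.pem",
                   private_key="auth_serv/ec2-user.key",
                   pairwise="GCMP-256", group="GCMP-256", scan_freq="2412")

    # Same verification as test_suite_b_192(): RADIUS only transports the
    # EAP exchange, so the negotiated TLS cipher and the management group
    # cipher must still be the Suite B 192-bit ones.
    tls_cipher = dev[0].get_status_field("EAP TLS cipher")
    if tls_cipher != "ECDHE-ECDSA-AES256-GCM-SHA384" and \
       tls_cipher != "ECDHE-ECDSA-AES-256-GCM-AEAD":
        raise Exception("Unexpected TLS cipher: " + tls_cipher)
    cipher = dev[0].get_status_field("mgmt_group_cipher")
    if cipher != "BIP-GMAC-256":
        raise Exception("Unexpected mgmt_group_cipher: " + cipher)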
fe6e56a2 | 262 | |
def test_suite_b_192_radius_and_p256_cert(dev, apdev):
    """Suite B 192-bit level and p256 client cert"""
    check_suite_b_192_capa(dev)
    dev[0].flush_scan_cache()

    # RADIUS server on apdev[1] with the 192-bit EC server credentials and
    # the SUITEB192 cipher profile; this is the side that has to reject the
    # client certificate.
    as_params = suite_b_as_params()
    as_params.update({ 'ca_cert': 'auth_serv/ec2-ca.pem',
                       'server_cert': 'auth_serv/ec2-server.pem',
                       'private_key': 'auth_serv/ec2-server.key',
                       'openssl_ciphers': 'SUITEB192' })
    hostapd.add_ap(apdev[1], as_params)

    ap_params = { "ssid": "test-suite-b",
                  "wpa": "2",
                  "wpa_key_mgmt": "WPA-EAP-SUITE-B-192",
                  "rsn_pairwise": "GCMP-256",
                  "group_mgmt_cipher": "BIP-GMAC-256",
                  "ieee80211w": "2",
                  "ieee8021x": "1",
                  'auth_server_addr': "127.0.0.1",
                  'auth_server_port': "18129",
                  'auth_server_shared_secret': "radius",
                  'nas_identifier': "nas.w1.fi" }
    hapd = hostapd.add_ap(apdev[0], ap_params)

    # Negative case: the station presents a P-256 client certificate, which
    # does not meet the 192-bit level. No openssl_ciphers filter is set on
    # the client, so any rejection has to come from the server's Suite B
    # policy. Expected outcome: EAP-Failure, then a deauthentication with
    # reason 23 (IEEE 802.1X authentication failed).
    dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
                   ieee80211w="2",
                   eap="TLS", identity="tls user",
                   ca_cert="auth_serv/ec2-ca.pem",
                   client_cert="auth_serv/ec2-user-p256.pem",
                   private_key="auth_serv/ec2-user-p256.key",
                   pairwise="GCMP-256", group="GCMP-256", scan_freq="2412",
                   wait_connect=False)
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP-Failure not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=5)
    if ev is None:
        raise Exception("Disconnection not reported")
    if "reason=23" not in ev:
        raise Exception("Unexpected disconnection reason: " + ev)
9ec824b9 | 304 | |
def test_suite_b_pmkid_failure(dev, apdev):
    """WPA2/GCMP connection at Suite B 128-bit level and PMKID derivation failure"""
    check_suite_b_capa(dev)
    dev[0].flush_scan_cache()
    hapd = hostapd.add_ap(apdev[0], suite_b_ap_params())

    sta = dict(key_mgmt="WPA-EAP-SUITE-B", ieee80211w="2",
               openssl_ciphers="SUITEB128",
               eap="TLS", identity="tls user",
               ca_cert="auth_serv/ec-ca.pem",
               client_cert="auth_serv/ec-user.pem",
               private_key="auth_serv/ec-user.key",
               pairwise="GCMP", group="GCMP", scan_freq="2412")
    # fail_test() injects a failure into rsn_pmkid_suite_b() — the Suite B
    # PMKID derivation — while the station associates; connect() still
    # waits for the connection to complete.
    with fail_test(dev[0], 1, "rsn_pmkid_suite_b"):
        dev[0].connect("test-suite-b", **sta)
321 | ||
def test_suite_b_192_pmkid_failure(dev, apdev):
    """WPA2/GCMP-256 connection at Suite B 192-bit level and PMKID derivation failure"""
    check_suite_b_192_capa(dev)
    dev[0].flush_scan_cache()
    hapd = hostapd.add_ap(apdev[0], suite_b_192_ap_params())

    sta = dict(key_mgmt="WPA-EAP-SUITE-B-192",
               ieee80211w="2",
               openssl_ciphers="SUITEB192",
               eap="TLS", identity="tls user",
               ca_cert="auth_serv/ec2-ca.pem",
               client_cert="auth_serv/ec2-user.pem",
               private_key="auth_serv/ec2-user.key",
               pairwise="GCMP-256", group="GCMP-256", scan_freq="2412")
    # fail_test() injects a failure into rsn_pmkid_suite_b() — the Suite B
    # PMKID derivation — while the station associates; connect() still
    # waits for the connection to complete.
    with fail_test(dev[0], 1, "rsn_pmkid_suite_b"):
        dev[0].connect("test-suite-b", **sta)
338 | ||
def test_suite_b_mic_failure(dev, apdev):
    """WPA2/GCMP connection at Suite B 128-bit level and MIC derivation failure"""
    check_suite_b_capa(dev)
    dev[0].flush_scan_cache()
    hapd = hostapd.add_ap(apdev[0], suite_b_ap_params())

    sta = dict(key_mgmt="WPA-EAP-SUITE-B",
               ieee80211w="2",
               openssl_ciphers="SUITEB128",
               eap="TLS", identity="tls user",
               ca_cert="auth_serv/ec-ca.pem",
               client_cert="auth_serv/ec-user.pem",
               private_key="auth_serv/ec-user.key",
               pairwise="GCMP", group="GCMP", scan_freq="2412")
    # fail_test() injects a failure into wpa_eapol_key_mic() (EAPOL-Key MIC
    # computation). The handshake is expected to fail, so do not wait for
    # a connection; wait for the resulting disconnection instead.
    with fail_test(dev[0], 1, "wpa_eapol_key_mic"):
        dev[0].connect("test-suite-b", wait_connect=False, **sta)
        dev[0].wait_disconnected()
357 | ||
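def test_suite_b_192_mic_failure(dev, apdev):
    """WPA2/GCMP-256 connection at Suite B 192-bit level and MIC derivation failure"""
    check_suite_b_192_capa(dev)
    dev[0].flush_scan_cache()
    hapd = hostapd.add_ap(apdev[0], suite_b_192_ap_params())

    sta = dict(key_mgmt="WPA-EAP-SUITE-B-192",
               ieee80211w="2",
               openssl_ciphers="SUITEB192",
               eap="TLS", identity="tls user",
               ca_cert="auth_serv/ec2-ca.pem",
               client_cert="auth_serv/ec2-user.pem",
               private_key="auth_serv/ec2-user.key",
               pairwise="GCMP-256", group="GCMP-256", scan_freq="2412")
    # fail_test() injects a failure into wpa_eapol_key_mic() (EAPOL-Key MIC
    # computation). The handshake is expected to fail, so do not wait for
    # a connection; wait for the resulting disconnection instead.
    with fail_test(dev[0], 1, "wpa_eapol_key_mic"):
        dev[0].connect("test-suite-b", wait_connect=False, **sta)
        dev[0].wait_disconnected()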
376 | |
def suite_b_192_rsa_ap_params():
    """Return hostapd parameters for a Suite B 192-bit AP using RSA credentials.

    Differs from suite_b_192_ap_params() in the TLS side only: instead of
    an openssl_ciphers profile the server is put into Suite B mode with
    tls_flags=[SUITEB] (both ECDHE and DHE allowed), given 3072-bit DH
    parameters for the DHE case, and the rsa3072-* test credentials.
    """
    params = {}
    params["ssid"] = "test-suite-b"
    params["wpa"] = "2"
    params["wpa_key_mgmt"] = "WPA-EAP-SUITE-B-192"
    params["rsn_pairwise"] = "GCMP-256"
    params["group_mgmt_cipher"] = "BIP-GMAC-256"
    params["ieee80211w"] = "2"
    params["ieee8021x"] = "1"
    params["tls_flags"] = "[SUITEB]"
    params["dh_file"] = "auth_serv/dh_param_3072.pem"
    params["eap_server"] = "1"
    params["eap_user_file"] = "auth_serv/eap_user.conf"
    params["ca_cert"] = "auth_serv/rsa3072-ca.pem"
    params["server_cert"] = "auth_serv/rsa3072-server.pem"
    params["private_key"] = "auth_serv/rsa3072-server.key"
    return params
393 | ||
def test_suite_b_192_rsa(dev, apdev):
    """WPA2/GCMP-256 connection at Suite B 192-bit level and RSA"""
    # Neither key exchange disabled: the AP may negotiate ECDHE or DHE.
    run_suite_b_192_rsa(dev, apdev, no_ecdh=False, no_dhe=False)
397 | ||
def test_suite_b_192_rsa_ecdhe(dev, apdev):
    """WPA2/GCMP-256 connection at Suite B 192-bit level and RSA (ECDHE)"""
    # Without dh_file the AP cannot offer DHE, leaving ECDHE-RSA.
    run_suite_b_192_rsa(dev, apdev, no_ecdh=False, no_dhe=True)
401 | ||
def test_suite_b_192_rsa_dhe(dev, apdev):
    """WPA2/GCMP-256 connection at Suite B 192-bit level and RSA (DHE)"""
    # [SUITEB-NO-ECDH] on the AP disables ECDH, leaving DHE-RSA.
    run_suite_b_192_rsa(dev, apdev, no_ecdh=True, no_dhe=False)
405 | ||
def run_suite_b_192_rsa(dev, apdev, no_ecdh=False, no_dhe=False):
    # Shared body of the RSA-based Suite B 192-bit tests. no_ecdh switches
    # the AP to tls_flags=[SUITEB-NO-ECDH] (DHE only); no_dhe removes the
    # DH parameters so only ECDHE can be negotiated. With neither set the
    # AP accepts either exchange.
    check_suite_b_192_capa(dev, dhe=no_ecdh)
    dev[0].flush_scan_cache()
    params = suite_b_192_rsa_ap_params()
    if no_ecdh:
        params["tls_flags"] = "[SUITEB-NO-ECDH]"
    if no_dhe:
        del params["dh_file"]
    ap = hostapd.add_ap(apdev[0], params)

    # phase1 tls_suiteb=1 turns on the supplicant's Suite B 192-bit TLS
    # checks for RSA credentials (the insufficient key/DH tests below rely
    # on these rejecting weak server parameters).
    dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
                   ieee80211w="2",
                   phase1="tls_suiteb=1",
                   eap="TLS", identity="tls user",
                   ca_cert="auth_serv/rsa3072-ca.pem",
                   client_cert="auth_serv/rsa3072-user.pem",
                   private_key="auth_serv/rsa3072-user.key",
                   pairwise="GCMP-256", group="GCMP-256", scan_freq="2412")

    # NOTE(review): any of the four RSA Suite B suites is accepted here
    # regardless of no_ecdh/no_dhe, so this does not by itself prove which
    # key exchange the ECDHE/DHE variants actually negotiated.
    accepted = ("ECDHE-RSA-AES256-GCM-SHA384",
                "DHE-RSA-AES256-GCM-SHA384",
                "ECDHE-RSA-AES-256-GCM-AEAD",
                "DHE-RSA-AES-256-GCM-AEAD")
    negotiated = dev[0].get_status_field("EAP TLS cipher")
    if negotiated not in accepted:
        raise Exception("Unexpected TLS cipher: " + negotiated)
    mgmt_cipher = dev[0].get_status_field("mgmt_group_cipher")
    if mgmt_cipher != "BIP-GMAC-256":
        raise Exception("Unexpected mgmt_group_cipher: " + mgmt_cipher)

    bss = dev[0].get_bss(apdev[0]['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    if "[WPA2-EAP-SUITE-B-192-GCMP-256]" not in bss['flags']:
        raise Exception("Unexpected BSS flags: " + bss['flags'])

    # Reconnect to the same AP; the station is expected to get connected
    # without a fresh EAP exchange (PMKSA reuse).
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected(timeout=20)
    dev[0].dump_monitor()
    dev[0].request("RECONNECT")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
                            "CTRL-EVENT-CONNECTED"], timeout=20)
    if ev is None:
        raise Exception("Roaming with the AP timed out")
    if "CTRL-EVENT-EAP-STARTED" in ev:
        raise Exception("Unexpected EAP exchange")

    conf = ap.get_config()
    if conf['key_mgmt'] != 'WPA-EAP-SUITE-B-192':
        raise Exception("Unexpected config key_mgmt: " + conf['key_mgmt'])
454 | ||
def test_suite_b_192_rsa_insufficient_key(dev, apdev):
    """WPA2/GCMP-256 connection at Suite B 192-bit level and RSA with insufficient key length"""
    check_suite_b_192_capa(dev)
    dev[0].flush_scan_cache()
    # Swap in the default (non-Suite-B) RSA test credentials in place of the
    # rsa3072-* ones; with tls_suiteb=1 the client is expected to refuse the
    # server certificate for its modulus size.
    params = suite_b_192_rsa_ap_params()
    params.update({ "ca_cert": "auth_serv/ca.pem",
                    "server_cert": "auth_serv/server.pem",
                    "private_key": "auth_serv/server.key" })
    hapd = hostapd.add_ap(apdev[0], params)

    dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
                   ieee80211w="2",
                   phase1="tls_suiteb=1",
                   eap="TLS", identity="tls user",
                   ca_cert="auth_serv/ca.pem",
                   client_cert="auth_serv/user.pem",
                   private_key="auth_serv/user.key",
                   pairwise="GCMP-256", group="GCMP-256", scan_freq="2412",
                   wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    dev[0].request("DISCONNECT")
    if ev is None:
        raise Exception("Certificate error not reported")
    # Two acceptable reports: the explicit modulus-size check (reason 11)
    # or a generic insecure-algorithm verdict (reason 7) — presumably
    # depending on the TLS library in use.
    accepted = (("reason=11", "err='Insufficient RSA modulus size'"),
                ("reason=7", "err='certificate uses insecure algorithm'"))
    for reason, err in accepted:
        if reason in ev and err in ev:
            return
    raise Exception("Unexpected error reason: " + ev)
483 | |
def test_suite_b_192_rsa_insufficient_dh(dev, apdev):
    """WPA2/GCMP-256 connection at Suite B 192-bit level and RSA with insufficient DH key length"""
    check_suite_b_192_capa(dev, dhe=True)
    dev[0].flush_scan_cache()
    # Force DHE (no ECDH) and replace dh_param_3072.pem with dh.conf, which
    # presumably carries a group below the 192-bit requirement; the client
    # is expected to abort with a TLS alert instead of connecting.
    params = suite_b_192_rsa_ap_params()
    params["tls_flags"] = "[SUITEB-NO-ECDH]"
    params["dh_file"] = "auth_serv/dh.conf"
    hapd = hostapd.add_ap(apdev[0], params)

    dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
                   ieee80211w="2",
                   phase1="tls_suiteb=1",
                   eap="TLS", identity="tls user",
                   ca_cert="auth_serv/rsa3072-ca.pem",
                   client_cert="auth_serv/rsa3072-user.pem",
                   private_key="auth_serv/rsa3072-user.key",
                   pairwise="GCMP-256", group="GCMP-256", scan_freq="2412",
                   wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS status='local TLS alert'",
                            "CTRL-EVENT-CONNECTED"],
                           timeout=10)
    dev[0].request("DISCONNECT")
    if ev is None:
        raise Exception("DH error not reported")
    if "CTRL-EVENT-CONNECTED" in ev:
        raise Exception("Unexpected connection")
    # Either alert description is accepted for the weak DH group.
    if not ("insufficient security" in ev or "internal error" in ev):
        raise Exception("Unexpected error reason: " + ev)
512 | |
def test_suite_b_192_rsa_radius(dev, apdev):
    """WPA2/GCMP-256 (RADIUS) connection at Suite B 192-bit level and RSA (ECDHE)"""
    check_suite_b_192_capa(dev)
    dev[0].flush_scan_cache()

    # RADIUS server on apdev[1]: rsa3072-* credentials and the [SUITEB] TLS
    # policy in place of the SUITEB128 openssl_ciphers entry.
    as_params = suite_b_as_params()
    del as_params['openssl_ciphers']
    as_params.update({ 'ca_cert': 'auth_serv/rsa3072-ca.pem',
                       'server_cert': 'auth_serv/rsa3072-server.pem',
                       'private_key': 'auth_serv/rsa3072-server.key',
                       'tls_flags': "[SUITEB]" })
    hostapd.add_ap(apdev[1], as_params)

    ap_params = { "ssid": "test-suite-b",
                  "wpa": "2",
                  "wpa_key_mgmt": "WPA-EAP-SUITE-B-192",
                  "rsn_pairwise": "GCMP-256",
                  "group_mgmt_cipher": "BIP-GMAC-256",
                  "ieee80211w": "2",
                  "ieee8021x": "1",
                  'auth_server_addr': "127.0.0.1",
                  'auth_server_port': "18129",
                  'auth_server_shared_secret': "radius",
                  'nas_identifier': "nas.w1.fi" }
    hapd = hostapd.add_ap(apdev[0], ap_params)

    # The client pins the ECDHE-RSA suite explicitly and enables the Suite B
    # 192-bit TLS checks with tls_suiteb=1.
    dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
                   ieee80211w="2",
                   openssl_ciphers="ECDHE-RSA-AES256-GCM-SHA384",
                   phase1="tls_suiteb=1",
                   eap="TLS", identity="tls user",
                   ca_cert="auth_serv/rsa3072-ca.pem",
                   client_cert="auth_serv/rsa3072-user.pem",
                   private_key="auth_serv/rsa3072-user.key",
                   pairwise="GCMP-256", group="GCMP-256",
                   group_mgmt="BIP-GMAC-256", scan_freq="2412")
    negotiated = dev[0].get_status_field("EAP TLS cipher")
    if negotiated not in ("ECDHE-RSA-AES256-GCM-SHA384",
                          "ECDHE-RSA-AES-256-GCM-AEAD"):
        raise Exception("Unexpected TLS cipher: " + negotiated)
553 | |
def test_suite_b_192_rsa_ecdhe_radius_rsa2048_client(dev, apdev):
    """Suite B 192-bit level and RSA (ECDHE) and RSA2048 client"""
    run_suite_b_192_rsa_radius_rsa2048_client(dev, apdev, ecdhe=True)
557 | ||
def test_suite_b_192_rsa_dhe_radius_rsa2048_client(dev, apdev):
    """Suite B 192-bit level and RSA (DHE) and RSA2048 client"""
    run_suite_b_192_rsa_radius_rsa2048_client(dev, apdev, ecdhe=False)
561 | ||
def run_suite_b_192_rsa_radius_rsa2048_client(dev, apdev, ecdhe):
    # Negative test shared by the ECDHE and DHE variants: a client holding
    # an RSA-2048 certificate must be rejected by a Suite B 192-bit RADIUS
    # server that itself uses rsa3072-* credentials.
    check_suite_b_192_capa(dev, dhe=not ecdhe)
    dev[0].flush_scan_cache()

    as_params = suite_b_as_params()
    del as_params['openssl_ciphers']
    as_params['ca_cert'] = 'auth_serv/rsa3072-ca.pem'
    as_params['server_cert'] = 'auth_serv/rsa3072-server.pem'
    as_params['private_key'] = 'auth_serv/rsa3072-server.key'
    if ecdhe:
        as_params["tls_flags"] = "[SUITEB]"
        ciphers = "ECDHE-RSA-AES256-GCM-SHA384"
    else:
        # DHE only: disable ECDH on the server and provide 3072-bit DH
        # parameters for the exchange.
        as_params["tls_flags"] = "[SUITEB-NO-ECDH]"
        as_params["dh_file"] = "auth_serv/dh_param_3072.pem"
        ciphers = "DHE-RSA-AES256-GCM-SHA384"
    hostapd.add_ap(apdev[1], as_params)

    ap_params = { "ssid": "test-suite-b",
                  "wpa": "2",
                  "wpa_key_mgmt": "WPA-EAP-SUITE-B-192",
                  "rsn_pairwise": "GCMP-256",
                  "group_mgmt_cipher": "BIP-GMAC-256",
                  "ieee80211w": "2",
                  "ieee8021x": "1",
                  'auth_server_addr': "127.0.0.1",
                  'auth_server_port': "18129",
                  'auth_server_shared_secret': "radius",
                  'nas_identifier': "nas.w1.fi" }
    hapd = hostapd.add_ap(apdev[0], ap_params)

    dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
                   ieee80211w="2",
                   openssl_ciphers=ciphers,
                   phase1="tls_suiteb=1",
                   eap="TLS", identity="tls user",
                   ca_cert="auth_serv/rsa3072-ca.pem",
                   client_cert="auth_serv/rsa3072-user-rsa2048.pem",
                   private_key="auth_serv/rsa3072-user-rsa2048.key",
                   pairwise="GCMP-256", group="GCMP-256",
                   group_mgmt="BIP-GMAC-256", scan_freq="2412",
                   wait_connect=False)
    # Expected outcome: EAP-Failure followed by a deauthentication with
    # reason 23 (IEEE 802.1X authentication failed).
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP-Failure not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=5)
    if ev is None:
        raise Exception("Disconnection not reported")
    if "reason=23" not in ev:
        raise Exception("Unexpected disconnection reason: " + ev)