This adds a Suite B test case for 192-bit level.
Signed-off-by: Jouni Malinen <j@w1.fi>
--- /dev/null
+-----BEGIN CERTIFICATE-----
+MIICPTCCAcSgAwIBAgIJAL63h7lu0KZpMAoGCCqGSM49BAMDMFIxCzAJBgNVBAYT
+AkZJMREwDwYDVQQHDAhIZWxzaW5raTEOMAwGA1UECgwFdzEuZmkxIDAeBgNVBAMM
+F1N1aXRlIEIgMTkyLWJpdCBSb290IENBMB4XDTE1MDEyNTExMzIwM1oXDTI1MDEy
+MjExMzIwM1owUjELMAkGA1UEBhMCRkkxETAPBgNVBAcMCEhlbHNpbmtpMQ4wDAYD
+VQQKDAV3MS5maTEgMB4GA1UEAwwXU3VpdGUgQiAxOTItYml0IFJvb3QgQ0EwdjAQ
+BgcqhkjOPQIBBgUrgQQAIgNiAAQjdOMC9bqcDR9/SaOhxNbmQLQTGZfhtmoxHkJL
+5GG3bwW5hYA2jYHWU84H+mR6om6fg78G+IxjLly2OWiByYUeWDcsYqLGj3UHHaVv
+rIitaRPyg3dExemnmK3zjgXnoaajZjBkMB0GA1UdDgQWBBSuBbynInvH0vn8IKZc
+MbtBTo9svTAfBgNVHSMEGDAWgBSuBbynInvH0vn8IKZcMbtBTo9svTASBgNVHRMB
+Af8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjAKBggqhkjOPQQDAwNnADBkAjBZ
+vEbGRDQNvzAY3nfYrsrE2Dd11smT6zv0mIvDeQCktbISGpStRBQjAaFjcCyjDEkC
+MH7ywcqJe+mpWDt5xFJvB52iZ7rX7rO0OX0qmjI38PC0IOo7euJdfcC1gHdSoAW3
+bA==
+-----END CERTIFICATE-----
--- /dev/null
+#!/bin/sh
+
+OPENSSL=openssl
+
+CURVE=secp384r1
+DIGEST="-sha384"
+DIGEST_CA="-md sha384"
+
+echo
+echo "---[ Root CA ]----------------------------------------------------------"
+echo
+
+cat ec-ca-openssl.cnf |
+ sed "s/#@CN@/commonName_default = Suite B 192-bit Root CA/" \
+ > ec-ca-openssl.cnf.tmp
+$OPENSSL ecparam -out ec2-ca.key -name $CURVE -genkey
+$OPENSSL req -config ec-ca-openssl.cnf.tmp -batch -x509 -new -key ec2-ca.key -out ec2-ca.pem -outform PEM -days 3650 $DIGEST
+mkdir -p ec-ca/certs ec-ca/crl ec-ca/newcerts ec-ca/private
+touch ec-ca/index.txt
+rm ec-ca-openssl.cnf.tmp
+
+echo
+echo "---[ Server ]-----------------------------------------------------------"
+echo
+
+cat ec-ca-openssl.cnf |
+ sed "s/#@CN@/commonName_default = server.w1.fi/" |
+ sed "s/#@ALTNAME@/subjectAltName=critical,DNS:server.w1.fi/" \
+ > ec-ca-openssl.cnf.tmp
+$OPENSSL ecparam -out ec2-server.key -name $CURVE -genkey
+$OPENSSL req -config ec-ca-openssl.cnf.tmp -batch -new -nodes -key ec2-server.key -out ec2-server.req -outform PEM $DIGEST
+$OPENSSL ca -config ec-ca-openssl.cnf.tmp -batch -keyfile ec2-ca.key -cert ec2-ca.pem -create_serial -in ec2-server.req -out ec2-server.pem -extensions ext_server $DIGEST_CA
+rm ec-ca-openssl.cnf.tmp
+
+echo
+echo "---[ User ]-------------------------------------------------------------"
+echo
+
+cat ec-ca-openssl.cnf |
+ sed "s/#@CN@/commonName_default = user/" |
+ sed "s/#@ALTNAME@/subjectAltName=email:user@w1.fi/" \
+ > ec-ca-openssl.cnf.tmp
+$OPENSSL ecparam -out ec2-user.key -name $CURVE -genkey
+$OPENSSL req -config ec-ca-openssl.cnf.tmp -batch -new -nodes -key ec2-user.key -out ec2-user.req -outform PEM -extensions ext_client $DIGEST
+$OPENSSL ca -config ec-ca-openssl.cnf.tmp -batch -keyfile ec2-ca.key -cert ec2-ca.pem -create_serial -in ec2-user.req -out ec2-user.pem -extensions ext_client $DIGEST_CA
+rm ec-ca-openssl.cnf.tmp
+
+echo
+echo "---[ Verify ]-----------------------------------------------------------"
+echo
+
+$OPENSSL verify -CAfile ec2-ca.pem ec2-server.pem
+$OPENSSL verify -CAfile ec2-ca.pem ec2-user.pem
--- /dev/null
+-----BEGIN EC PARAMETERS-----
+BgUrgQQAIg==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDCjaz/zVDXqNO/XprtliomKOC6QjbBFgsF2YwUAtKB5ukL4miVGNyCu
+jIlq9eUD1x6gBwYFK4EEACKhZANiAARWq1ut1b6ctOFBkEOjULL3VjJFP15g0gk+
+sBTMBogU5WRN7Qod/jfem5k4O7FKYZNAarDFMh2yDMXZvRooiNyL0AH2wk0qzN5u
+n02JOt9Q76TVYflE91C5DTxjgLOgxBw=
+-----END EC PRIVATE KEY-----
--- /dev/null
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 9347590364512421238 (0x81b94fe92ea08576)
+ Signature Algorithm: ecdsa-with-SHA384
+ Issuer: C=FI, L=Helsinki, O=w1.fi, CN=Suite B 192-bit Root CA
+ Validity
+ Not Before: Jan 25 11:32:03 2015 GMT
+ Not After : Jan 25 11:32:03 2016 GMT
+ Subject: C=FI, O=w1.fi, CN=server.w1.fi
+ Subject Public Key Info:
+ Public Key Algorithm: id-ecPublicKey
+ Public-Key: (384 bit)
+ pub:
+ 04:56:ab:5b:ad:d5:be:9c:b4:e1:41:90:43:a3:50:
+ b2:f7:56:32:45:3f:5e:60:d2:09:3e:b0:14:cc:06:
+ 88:14:e5:64:4d:ed:0a:1d:fe:37:de:9b:99:38:3b:
+ b1:4a:61:93:40:6a:b0:c5:32:1d:b2:0c:c5:d9:bd:
+ 1a:28:88:dc:8b:d0:01:f6:c2:4d:2a:cc:de:6e:9f:
+ 4d:89:3a:df:50:ef:a4:d5:61:f9:44:f7:50:b9:0d:
+ 3c:63:80:b3:a0:c4:1c
+ ASN1 OID: secp384r1
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:FALSE
+ X509v3 Subject Key Identifier:
+ 19:D7:57:D0:3B:91:84:A4:AF:93:03:32:3C:AB:C4:F9:A7:B0:27:19
+ X509v3 Authority Key Identifier:
+ keyid:AE:05:BC:A7:22:7B:C7:D2:F9:FC:20:A6:5C:31:BB:41:4E:8F:6C:BD
+
+ X509v3 Subject Alternative Name: critical
+ DNS:server.w1.fi
+ X509v3 Extended Key Usage: critical
+ TLS Web Server Authentication
+ X509v3 Key Usage:
+ Digital Signature, Key Encipherment
+ Signature Algorithm: ecdsa-with-SHA384
+ 30:65:02:30:79:68:37:af:eb:46:e8:77:35:13:77:d5:db:eb:
+ f9:75:40:cd:d4:3d:0a:03:ec:67:a0:22:fe:65:f5:d7:ca:53:
+ 4a:85:f5:14:4b:41:f9:b9:98:a6:85:8b:ac:e0:c8:6c:02:31:
+ 00:83:12:02:be:93:2b:c2:00:74:ec:cb:fc:5a:8c:a6:5e:52:
+ ee:20:76:3d:73:2b:fb:fe:60:4c:52:f3:bc:1e:4c:e8:f9:ea:
+ f6:e2:f6:ca:c6:a8:3b:2d:9a:17:eb:4d:0a
+-----BEGIN CERTIFICATE-----
+MIICTTCCAdOgAwIBAgIJAIG5T+kuoIV2MAoGCCqGSM49BAMDMFIxCzAJBgNVBAYT
+AkZJMREwDwYDVQQHDAhIZWxzaW5raTEOMAwGA1UECgwFdzEuZmkxIDAeBgNVBAMM
+F1N1aXRlIEIgMTkyLWJpdCBSb290IENBMB4XDTE1MDEyNTExMzIwM1oXDTE2MDEy
+NTExMzIwM1owNDELMAkGA1UEBhMCRkkxDjAMBgNVBAoMBXcxLmZpMRUwEwYDVQQD
+DAxzZXJ2ZXIudzEuZmkwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARWq1ut1b6ctOFB
+kEOjULL3VjJFP15g0gk+sBTMBogU5WRN7Qod/jfem5k4O7FKYZNAarDFMh2yDMXZ
+vRooiNyL0AH2wk0qzN5un02JOt9Q76TVYflE91C5DTxjgLOgxByjgZIwgY8wDAYD
+VR0TAQH/BAIwADAdBgNVHQ4EFgQUGddX0DuRhKSvkwMyPKvE+aewJxkwHwYDVR0j
+BBgwFoAUrgW8pyJ7x9L5/CCmXDG7QU6PbL0wGgYDVR0RAQH/BBAwDoIMc2VydmVy
+LncxLmZpMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIFoDAKBggq
+hkjOPQQDAwNoADBlAjB5aDev60bodzUTd9Xb6/l1QM3UPQoD7GegIv5l9dfKU0qF
+9RRLQfm5mKaFi6zgyGwCMQCDEgK+kyvCAHTsy/xajKZeUu4gdj1zK/v+YExS87we
+TOj56vbi9srGqDstmhfrTQo=
+-----END CERTIFICATE-----
--- /dev/null
+-----BEGIN EC PARAMETERS-----
+BgUrgQQAIg==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDB7tpaHBuZZG+MVYjRVpZvZvZxxFOu/reH2Ms3DiBH5DHW7dLP7T4Gs
+X+yw8bQZwCqgBwYFK4EEACKhZANiAATJYVk5woo/LAFd+znRAoMOClGXtfO2yZlp
+3n6jYUsG48W03XOlYd2/aCJVtGp6SwRVxumfYT4TejEj/Ky44vOlmQ9pasNfMYYN
+kpHcAWJ8sV7mP7LM9YVksksfhon91+E=
+-----END EC PRIVATE KEY-----
--- /dev/null
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 9347590364512421239 (0x81b94fe92ea08577)
+ Signature Algorithm: ecdsa-with-SHA384
+ Issuer: C=FI, L=Helsinki, O=w1.fi, CN=Suite B 192-bit Root CA
+ Validity
+ Not Before: Jan 25 11:32:03 2015 GMT
+ Not After : Jan 25 11:32:03 2016 GMT
+ Subject: C=FI, O=w1.fi, CN=user
+ Subject Public Key Info:
+ Public Key Algorithm: id-ecPublicKey
+ Public-Key: (384 bit)
+ pub:
+ 04:c9:61:59:39:c2:8a:3f:2c:01:5d:fb:39:d1:02:
+ 83:0e:0a:51:97:b5:f3:b6:c9:99:69:de:7e:a3:61:
+ 4b:06:e3:c5:b4:dd:73:a5:61:dd:bf:68:22:55:b4:
+ 6a:7a:4b:04:55:c6:e9:9f:61:3e:13:7a:31:23:fc:
+ ac:b8:e2:f3:a5:99:0f:69:6a:c3:5f:31:86:0d:92:
+ 91:dc:01:62:7c:b1:5e:e6:3f:b2:cc:f5:85:64:b2:
+ 4b:1f:86:89:fd:d7:e1
+ ASN1 OID: secp384r1
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 Subject Key Identifier:
+ 75:EA:7B:CE:8A:99:D2:E7:77:B4:3B:80:68:59:E9:B6:88:B2:FA:F6
+ X509v3 Authority Key Identifier:
+ keyid:AE:05:BC:A7:22:7B:C7:D2:F9:FC:20:A6:5C:31:BB:41:4E:8F:6C:BD
+
+ X509v3 Subject Alternative Name:
+ email:user@w1.fi
+ X509v3 Extended Key Usage:
+ TLS Web Client Authentication
+ X509v3 Key Usage:
+ Digital Signature, Key Encipherment
+ Signature Algorithm: ecdsa-with-SHA384
+ 30:65:02:31:00:c2:b7:35:4e:5e:d1:da:7f:35:a0:ac:54:92:
+ 18:08:0d:9c:86:e9:4e:cf:3a:09:48:23:eb:4d:56:77:e5:d0:
+ e7:b0:55:b3:0e:91:2d:f8:3e:1c:4e:0d:b7:32:dc:11:1b:02:
+ 30:49:c2:6b:63:39:3c:4b:d9:e9:8d:b9:ce:6e:8e:9f:88:43:
+ 03:e0:5f:7e:75:44:12:66:f8:c6:ae:8e:f1:da:10:02:36:8c:
+ 7b:a2:89:a0:05:3b:c6:39:d6:e1:7a:b7:85
+-----BEGIN CERTIFICATE-----
+MIICOjCCAcCgAwIBAgIJAIG5T+kuoIV3MAoGCCqGSM49BAMDMFIxCzAJBgNVBAYT
+AkZJMREwDwYDVQQHDAhIZWxzaW5raTEOMAwGA1UECgwFdzEuZmkxIDAeBgNVBAMM
+F1N1aXRlIEIgMTkyLWJpdCBSb290IENBMB4XDTE1MDEyNTExMzIwM1oXDTE2MDEy
+NTExMzIwM1owLDELMAkGA1UEBhMCRkkxDjAMBgNVBAoMBXcxLmZpMQ0wCwYDVQQD
+DAR1c2VyMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEyWFZOcKKPywBXfs50QKDDgpR
+l7XztsmZad5+o2FLBuPFtN1zpWHdv2giVbRqeksEVcbpn2E+E3oxI/ysuOLzpZkP
+aWrDXzGGDZKR3AFifLFe5j+yzPWFZLJLH4aJ/dfho4GHMIGEMAkGA1UdEwQCMAAw
+HQYDVR0OBBYEFHXqe86KmdLnd7Q7gGhZ6baIsvr2MB8GA1UdIwQYMBaAFK4FvKci
+e8fS+fwgplwxu0FOj2y9MBUGA1UdEQQOMAyBCnVzZXJAdzEuZmkwEwYDVR0lBAww
+CgYIKwYBBQUHAwIwCwYDVR0PBAQDAgWgMAoGCCqGSM49BAMDA2gAMGUCMQDCtzVO
+XtHafzWgrFSSGAgNnIbpTs86CUgj601Wd+XQ57BVsw6RLfg+HE4NtzLcERsCMEnC
+a2M5PEvZ6Y25zm6On4hDA+BffnVEEmb4xq6O8doQAjaMe6KJoAU7xjnW4Xq3hQ==
+-----END CERTIFICATE-----
raise Exception("Roaming with the AP timed out")
if "CTRL-EVENT-EAP-STARTED" in ev:
raise Exception("Unexpected EAP exchange")
+
+def test_suite_b_192(dev, apdev):
+ """WPA2-PSK/GCMP-256 connection at Suite B 192-bit level"""
+ if "GCMP-256" not in dev[0].get_capability("pairwise"):
+ raise HwsimSkip("GCMP-256 not supported")
+ if "BIP-GMAC-256" not in dev[0].get_capability("group_mgmt"):
+ raise HwsimSkip("BIP-GMAC-256 not supported")
+ if "WPA-EAP-SUITE-B-192" not in dev[0].get_capability("key_mgmt"):
+ raise HwsimSkip("WPA-EAP-SUITE-B-192 not supported")
+ tls = dev[0].request("GET tls_library")
+ if not tls.startswith("OpenSSL"):
+ raise HwsimSkip("TLS library not supported for Suite B: " + tls);
+ if "build=OpenSSL 1.0.2" not in tls or "run=OpenSSL 1.0.2" not in tls:
+ raise HwsimSkip("OpenSSL version not supported for Suite B: " + tls)
+
+ params = { "ssid": "test-suite-b",
+ "wpa": "2",
+ "wpa_key_mgmt": "WPA-EAP-SUITE-B-192",
+ "rsn_pairwise": "GCMP-256",
+ "group_mgmt_cipher": "BIP-GMAC-256",
+ "ieee80211w": "2",
+ "ieee8021x": "1",
+ "openssl_ciphers": "SUITEB192",
+ "eap_server": "1",
+ "eap_user_file": "auth_serv/eap_user.conf",
+ "ca_cert": "auth_serv/ec2-ca.pem",
+ "server_cert": "auth_serv/ec2-server.pem",
+ "private_key": "auth_serv/ec2-server.key" }
+ hapd = hostapd.add_ap(apdev[0]['ifname'], params)
+
+ dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
+ ieee80211w="2",
+ openssl_ciphers="SUITEB192",
+ eap="TLS", identity="tls user",
+ ca_cert="auth_serv/ec2-ca.pem",
+ client_cert="auth_serv/ec2-user.pem",
+ private_key="auth_serv/ec2-user.key",
+ pairwise="GCMP-256", group="GCMP-256", scan_freq="2412")
+ tls_cipher = dev[0].get_status_field("EAP TLS cipher")
+ if tls_cipher != "ECDHE-ECDSA-AES256-GCM-SHA384":
+ raise Exception("Unexpected TLS cipher: " + tls_cipher)
+
+ bss = dev[0].get_bss(apdev[0]['bssid'])
+ if 'flags' not in bss:
+ raise Exception("Could not get BSS flags from BSS table")
+ if "[WPA2-EAP-SUITE-B-192-GCMP-256]" not in bss['flags']:
+ raise Exception("Unexpected BSS flags: " + bss['flags'])
+
+ dev[0].request("DISCONNECT")
+ dev[0].wait_disconnected(timeout=20)
+ dev[0].dump_monitor()
+ dev[0].request("RECONNECT")
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
+ "CTRL-EVENT-CONNECTED"], timeout=20)
+ if ev is None:
+ raise Exception("Roaming with the AP timed out")
+ if "CTRL-EVENT-EAP-STARTED" in ev:
+ raise Exception("Unexpected EAP exchange")
projects / thirdparty / hostap.git / commitdiff
