Home Explore Help
Register Sign In
wareck
/
krackattacks
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

tests: Suite B 192-bit profile

This adds a Suite B test case for 192-bit level.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen 10 years ago
parent
4113a96bba
commit
37551fe374
7 changed files with 259 additions and 0 deletions
Split View Show Diff Stats
  1. 15 0
      tests/hwsim/auth_serv/ec2-ca.pem
  2. 53 0
      tests/hwsim/auth_serv/ec2-generate.sh
  3. 9 0
      tests/hwsim/auth_serv/ec2-server.key
  4. 58 0
      tests/hwsim/auth_serv/ec2-server.pem
  5. 9 0
      tests/hwsim/auth_serv/ec2-user.key
  6. 57 0
      tests/hwsim/auth_serv/ec2-user.pem
  7. 58 0
      tests/hwsim/test_suite_b.py

+ 15 - 0
tests/hwsim/auth_serv/ec2-ca.pem
View File 

@@ -0,0 +1,15 @@
 
+-----BEGIN CERTIFICATE-----
 
+MIICPTCCAcSgAwIBAgIJAL63h7lu0KZpMAoGCCqGSM49BAMDMFIxCzAJBgNVBAYT
 
+AkZJMREwDwYDVQQHDAhIZWxzaW5raTEOMAwGA1UECgwFdzEuZmkxIDAeBgNVBAMM
 
+F1N1aXRlIEIgMTkyLWJpdCBSb290IENBMB4XDTE1MDEyNTExMzIwM1oXDTI1MDEy
 
+MjExMzIwM1owUjELMAkGA1UEBhMCRkkxETAPBgNVBAcMCEhlbHNpbmtpMQ4wDAYD
 
+VQQKDAV3MS5maTEgMB4GA1UEAwwXU3VpdGUgQiAxOTItYml0IFJvb3QgQ0EwdjAQ
 
+BgcqhkjOPQIBBgUrgQQAIgNiAAQjdOMC9bqcDR9/SaOhxNbmQLQTGZfhtmoxHkJL
 
+5GG3bwW5hYA2jYHWU84H+mR6om6fg78G+IxjLly2OWiByYUeWDcsYqLGj3UHHaVv
 
+rIitaRPyg3dExemnmK3zjgXnoaajZjBkMB0GA1UdDgQWBBSuBbynInvH0vn8IKZc
 
+MbtBTo9svTAfBgNVHSMEGDAWgBSuBbynInvH0vn8IKZcMbtBTo9svTASBgNVHRMB
 
+Af8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjAKBggqhkjOPQQDAwNnADBkAjBZ
 
+vEbGRDQNvzAY3nfYrsrE2Dd11smT6zv0mIvDeQCktbISGpStRBQjAaFjcCyjDEkC
 
+MH7ywcqJe+mpWDt5xFJvB52iZ7rX7rO0OX0qmjI38PC0IOo7euJdfcC1gHdSoAW3
 
+bA==
 
+-----END CERTIFICATE-----

+ 53 - 0
tests/hwsim/auth_serv/ec2-generate.sh
View File 

@@ -0,0 +1,53 @@
 
+#!/bin/sh
 
+
 
+OPENSSL=openssl
 
+
 
+CURVE=secp384r1
 
+DIGEST="-sha384"
 
+DIGEST_CA="-md sha384"
 
+
 
+echo
 
+echo "---[ Root CA ]----------------------------------------------------------"
 
+echo
 
+
 
+cat ec-ca-openssl.cnf |
 
+	sed "s/#@CN@/commonName_default = Suite B 192-bit Root CA/" \
 
+	> ec-ca-openssl.cnf.tmp
 
+$OPENSSL ecparam -out ec2-ca.key -name $CURVE -genkey
 
+$OPENSSL req -config ec-ca-openssl.cnf.tmp -batch -x509 -new -key ec2-ca.key -out ec2-ca.pem -outform PEM -days 3650 $DIGEST
 
+mkdir -p ec-ca/certs ec-ca/crl ec-ca/newcerts ec-ca/private
 
+touch ec-ca/index.txt
 
+rm ec-ca-openssl.cnf.tmp
 
+
 
+echo
 
+echo "---[ Server ]-----------------------------------------------------------"
 
+echo
 
+
 
+cat ec-ca-openssl.cnf |
 
+	sed "s/#@CN@/commonName_default = server.w1.fi/" |
 
+	sed "s/#@ALTNAME@/subjectAltName=critical,DNS:server.w1.fi/" \
 
+	> ec-ca-openssl.cnf.tmp
 
+$OPENSSL ecparam -out ec2-server.key -name $CURVE -genkey
 
+$OPENSSL req -config ec-ca-openssl.cnf.tmp -batch -new -nodes -key ec2-server.key -out ec2-server.req -outform PEM $DIGEST
 
+$OPENSSL ca -config ec-ca-openssl.cnf.tmp -batch -keyfile ec2-ca.key -cert ec2-ca.pem -create_serial -in ec2-server.req -out ec2-server.pem -extensions ext_server $DIGEST_CA
 
+rm ec-ca-openssl.cnf.tmp
 
+
 
+echo
 
+echo "---[ User ]-------------------------------------------------------------"
 
+echo
 
+
 
+cat ec-ca-openssl.cnf |
 
+	sed "s/#@CN@/commonName_default = user/" |
 
+	sed "s/#@ALTNAME@/subjectAltName=email:user@w1.fi/" \
 
+	> ec-ca-openssl.cnf.tmp
 
+$OPENSSL ecparam -out ec2-user.key -name $CURVE -genkey
 
+$OPENSSL req -config ec-ca-openssl.cnf.tmp -batch -new -nodes -key ec2-user.key -out ec2-user.req -outform PEM -extensions ext_client $DIGEST
 
+$OPENSSL ca -config ec-ca-openssl.cnf.tmp -batch -keyfile ec2-ca.key -cert ec2-ca.pem -create_serial -in ec2-user.req -out ec2-user.pem -extensions ext_client $DIGEST_CA
 
+rm ec-ca-openssl.cnf.tmp
 
+
 
+echo
 
+echo "---[ Verify ]-----------------------------------------------------------"
 
+echo
 
+
 
+$OPENSSL verify -CAfile ec2-ca.pem ec2-server.pem
 
+$OPENSSL verify -CAfile ec2-ca.pem ec2-user.pem

+ 9 - 0
tests/hwsim/auth_serv/ec2-server.key
View File 

@@ -0,0 +1,9 @@
 
+-----BEGIN EC PARAMETERS-----
 
+BgUrgQQAIg==
 
+-----END EC PARAMETERS-----
 
+-----BEGIN EC PRIVATE KEY-----
 
+MIGkAgEBBDCjaz/zVDXqNO/XprtliomKOC6QjbBFgsF2YwUAtKB5ukL4miVGNyCu
 
+jIlq9eUD1x6gBwYFK4EEACKhZANiAARWq1ut1b6ctOFBkEOjULL3VjJFP15g0gk+
 
+sBTMBogU5WRN7Qod/jfem5k4O7FKYZNAarDFMh2yDMXZvRooiNyL0AH2wk0qzN5u
 
+n02JOt9Q76TVYflE91C5DTxjgLOgxBw=
 
+-----END EC PRIVATE KEY-----

+ 58 - 0
tests/hwsim/auth_serv/ec2-server.pem
View File 

@@ -0,0 +1,58 @@
 
+Certificate:
 
+    Data:
 
+        Version: 3 (0x2)
 
+        Serial Number: 9347590364512421238 (0x81b94fe92ea08576)
 
+    Signature Algorithm: ecdsa-with-SHA384
 
+        Issuer: C=FI, L=Helsinki, O=w1.fi, CN=Suite B 192-bit Root CA
 
+        Validity
 
+            Not Before: Jan 25 11:32:03 2015 GMT
 
+            Not After : Jan 25 11:32:03 2016 GMT
 
+        Subject: C=FI, O=w1.fi, CN=server.w1.fi
 
+        Subject Public Key Info:
 
+            Public Key Algorithm: id-ecPublicKey
 
+                Public-Key: (384 bit)
 
+                pub: 
+                    04:56:ab:5b:ad:d5:be:9c:b4:e1:41:90:43:a3:50:
 
+                    b2:f7:56:32:45:3f:5e:60:d2:09:3e:b0:14:cc:06:
 
+                    88:14:e5:64:4d:ed:0a:1d:fe:37:de:9b:99:38:3b:
 
+                    b1:4a:61:93:40:6a:b0:c5:32:1d:b2:0c:c5:d9:bd:
 
+                    1a:28:88:dc:8b:d0:01:f6:c2:4d:2a:cc:de:6e:9f:
 
+                    4d:89:3a:df:50:ef:a4:d5:61:f9:44:f7:50:b9:0d:
 
+                    3c:63:80:b3:a0:c4:1c
 
+                ASN1 OID: secp384r1
 
+        X509v3 extensions:
 
+            X509v3 Basic Constraints: critical
 
+                CA:FALSE
 
+            X509v3 Subject Key Identifier: 
+                19:D7:57:D0:3B:91:84:A4:AF:93:03:32:3C:AB:C4:F9:A7:B0:27:19
 
+            X509v3 Authority Key Identifier: 
+                keyid:AE:05:BC:A7:22:7B:C7:D2:F9:FC:20:A6:5C:31:BB:41:4E:8F:6C:BD
 
+
 
+            X509v3 Subject Alternative Name: critical
 
+                DNS:server.w1.fi
 
+            X509v3 Extended Key Usage: critical
 
+                TLS Web Server Authentication
 
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
 
+    Signature Algorithm: ecdsa-with-SHA384
 
+         30:65:02:30:79:68:37:af:eb:46:e8:77:35:13:77:d5:db:eb:
 
+         f9:75:40:cd:d4:3d:0a:03:ec:67:a0:22:fe:65:f5:d7:ca:53:
 
+         4a:85:f5:14:4b:41:f9:b9:98:a6:85:8b:ac:e0:c8:6c:02:31:
 
+         00:83:12:02:be:93:2b:c2:00:74:ec:cb:fc:5a:8c:a6:5e:52:
 
+         ee:20:76:3d:73:2b:fb:fe:60:4c:52:f3:bc:1e:4c:e8:f9:ea:
 
+         f6:e2:f6:ca:c6:a8:3b:2d:9a:17:eb:4d:0a
 
+-----BEGIN CERTIFICATE-----
 
+MIICTTCCAdOgAwIBAgIJAIG5T+kuoIV2MAoGCCqGSM49BAMDMFIxCzAJBgNVBAYT
 
+AkZJMREwDwYDVQQHDAhIZWxzaW5raTEOMAwGA1UECgwFdzEuZmkxIDAeBgNVBAMM
 
+F1N1aXRlIEIgMTkyLWJpdCBSb290IENBMB4XDTE1MDEyNTExMzIwM1oXDTE2MDEy
 
+NTExMzIwM1owNDELMAkGA1UEBhMCRkkxDjAMBgNVBAoMBXcxLmZpMRUwEwYDVQQD
 
+DAxzZXJ2ZXIudzEuZmkwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARWq1ut1b6ctOFB
 
+kEOjULL3VjJFP15g0gk+sBTMBogU5WRN7Qod/jfem5k4O7FKYZNAarDFMh2yDMXZ
 
+vRooiNyL0AH2wk0qzN5un02JOt9Q76TVYflE91C5DTxjgLOgxByjgZIwgY8wDAYD
 
+VR0TAQH/BAIwADAdBgNVHQ4EFgQUGddX0DuRhKSvkwMyPKvE+aewJxkwHwYDVR0j
 
+BBgwFoAUrgW8pyJ7x9L5/CCmXDG7QU6PbL0wGgYDVR0RAQH/BBAwDoIMc2VydmVy
 
+LncxLmZpMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIFoDAKBggq
 
+hkjOPQQDAwNoADBlAjB5aDev60bodzUTd9Xb6/l1QM3UPQoD7GegIv5l9dfKU0qF
 
+9RRLQfm5mKaFi6zgyGwCMQCDEgK+kyvCAHTsy/xajKZeUu4gdj1zK/v+YExS87we
 
+TOj56vbi9srGqDstmhfrTQo=
 
+-----END CERTIFICATE-----

+ 9 - 0
tests/hwsim/auth_serv/ec2-user.key
View File 

@@ -0,0 +1,9 @@
 
+-----BEGIN EC PARAMETERS-----
 
+BgUrgQQAIg==
 
+-----END EC PARAMETERS-----
 
+-----BEGIN EC PRIVATE KEY-----
 
+MIGkAgEBBDB7tpaHBuZZG+MVYjRVpZvZvZxxFOu/reH2Ms3DiBH5DHW7dLP7T4Gs
 
+X+yw8bQZwCqgBwYFK4EEACKhZANiAATJYVk5woo/LAFd+znRAoMOClGXtfO2yZlp
 
+3n6jYUsG48W03XOlYd2/aCJVtGp6SwRVxumfYT4TejEj/Ky44vOlmQ9pasNfMYYN
 
+kpHcAWJ8sV7mP7LM9YVksksfhon91+E=
 
+-----END EC PRIVATE KEY-----

+ 57 - 0
tests/hwsim/auth_serv/ec2-user.pem
View File 

@@ -0,0 +1,57 @@
 
+Certificate:
 
+    Data:
 
+        Version: 3 (0x2)
 
+        Serial Number: 9347590364512421239 (0x81b94fe92ea08577)
 
+    Signature Algorithm: ecdsa-with-SHA384
 
+        Issuer: C=FI, L=Helsinki, O=w1.fi, CN=Suite B 192-bit Root CA
 
+        Validity
 
+            Not Before: Jan 25 11:32:03 2015 GMT
 
+            Not After : Jan 25 11:32:03 2016 GMT
 
+        Subject: C=FI, O=w1.fi, CN=user
 
+        Subject Public Key Info:
 
+            Public Key Algorithm: id-ecPublicKey
 
+                Public-Key: (384 bit)
 
+                pub: 
+                    04:c9:61:59:39:c2:8a:3f:2c:01:5d:fb:39:d1:02:
 
+                    83:0e:0a:51:97:b5:f3:b6:c9:99:69:de:7e:a3:61:
 
+                    4b:06:e3:c5:b4:dd:73:a5:61:dd:bf:68:22:55:b4:
 
+                    6a:7a:4b:04:55:c6:e9:9f:61:3e:13:7a:31:23:fc:
 
+                    ac:b8:e2:f3:a5:99:0f:69:6a:c3:5f:31:86:0d:92:
 
+                    91:dc:01:62:7c:b1:5e:e6:3f:b2:cc:f5:85:64:b2:
 
+                    4b:1f:86:89:fd:d7:e1
 
+                ASN1 OID: secp384r1
 
+        X509v3 extensions:
 
+            X509v3 Basic Constraints: 
+                CA:FALSE
 
+            X509v3 Subject Key Identifier: 
+                75:EA:7B:CE:8A:99:D2:E7:77:B4:3B:80:68:59:E9:B6:88:B2:FA:F6
 
+            X509v3 Authority Key Identifier: 
+                keyid:AE:05:BC:A7:22:7B:C7:D2:F9:FC:20:A6:5C:31:BB:41:4E:8F:6C:BD
 
+
 
+            X509v3 Subject Alternative Name: 
+                email:user@w1.fi
 
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
 
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
 
+    Signature Algorithm: ecdsa-with-SHA384
 
+         30:65:02:31:00:c2:b7:35:4e:5e:d1:da:7f:35:a0:ac:54:92:
 
+         18:08:0d:9c:86:e9:4e:cf:3a:09:48:23:eb:4d:56:77:e5:d0:
 
+         e7:b0:55:b3:0e:91:2d:f8:3e:1c:4e:0d:b7:32:dc:11:1b:02:
 
+         30:49:c2:6b:63:39:3c:4b:d9:e9:8d:b9:ce:6e:8e:9f:88:43:
 
+         03:e0:5f:7e:75:44:12:66:f8:c6:ae:8e:f1:da:10:02:36:8c:
 
+         7b:a2:89:a0:05:3b:c6:39:d6:e1:7a:b7:85
 
+-----BEGIN CERTIFICATE-----
 
+MIICOjCCAcCgAwIBAgIJAIG5T+kuoIV3MAoGCCqGSM49BAMDMFIxCzAJBgNVBAYT
 
+AkZJMREwDwYDVQQHDAhIZWxzaW5raTEOMAwGA1UECgwFdzEuZmkxIDAeBgNVBAMM
 
+F1N1aXRlIEIgMTkyLWJpdCBSb290IENBMB4XDTE1MDEyNTExMzIwM1oXDTE2MDEy
 
+NTExMzIwM1owLDELMAkGA1UEBhMCRkkxDjAMBgNVBAoMBXcxLmZpMQ0wCwYDVQQD
 
+DAR1c2VyMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEyWFZOcKKPywBXfs50QKDDgpR
 
+l7XztsmZad5+o2FLBuPFtN1zpWHdv2giVbRqeksEVcbpn2E+E3oxI/ysuOLzpZkP
 
+aWrDXzGGDZKR3AFifLFe5j+yzPWFZLJLH4aJ/dfho4GHMIGEMAkGA1UdEwQCMAAw
 
+HQYDVR0OBBYEFHXqe86KmdLnd7Q7gGhZ6baIsvr2MB8GA1UdIwQYMBaAFK4FvKci
 
+e8fS+fwgplwxu0FOj2y9MBUGA1UdEQQOMAyBCnVzZXJAdzEuZmkwEwYDVR0lBAww
 
+CgYIKwYBBQUHAwIwCwYDVR0PBAQDAgWgMAoGCCqGSM49BAMDA2gAMGUCMQDCtzVO
 
+XtHafzWgrFSSGAgNnIbpTs86CUgj601Wd+XQ57BVsw6RLfg+HE4NtzLcERsCMEnC
 
+a2M5PEvZ6Y25zm6On4hDA+BffnVEEmb4xq6O8doQAjaMe6KJoAU7xjnW4Xq3hQ==
 
+-----END CERTIFICATE-----

+ 58 - 0
tests/hwsim/test_suite_b.py
View File 

@@ -68,3 +68,61 @@ def test_suite_b(dev, apdev):
 
         raise Exception("Roaming with the AP timed out")
 
     if "CTRL-EVENT-EAP-STARTED" in ev:
 
         raise Exception("Unexpected EAP exchange")
 
+
 
+def test_suite_b_192(dev, apdev):
 
+    """WPA2-PSK/GCMP-256 connection at Suite B 192-bit level"""
 
+    if "GCMP-256" not in dev[0].get_capability("pairwise"):
 
+        raise HwsimSkip("GCMP-256 not supported")
 
+    if "BIP-GMAC-256" not in dev[0].get_capability("group_mgmt"):
 
+        raise HwsimSkip("BIP-GMAC-256 not supported")
 
+    if "WPA-EAP-SUITE-B-192" not in dev[0].get_capability("key_mgmt"):
 
+        raise HwsimSkip("WPA-EAP-SUITE-B-192 not supported")
 
+    tls = dev[0].request("GET tls_library")
 
+    if not tls.startswith("OpenSSL"):
 
+        raise HwsimSkip("TLS library not supported for Suite B: " + tls);
 
+    if "build=OpenSSL 1.0.2" not in tls or "run=OpenSSL 1.0.2" not in tls:
 
+        raise HwsimSkip("OpenSSL version not supported for Suite B: " + tls)
 
+
 
+    params = { "ssid": "test-suite-b",
 
+               "wpa": "2",
 
+               "wpa_key_mgmt": "WPA-EAP-SUITE-B-192",
 
+               "rsn_pairwise": "GCMP-256",
 
+               "group_mgmt_cipher": "BIP-GMAC-256",
 
+               "ieee80211w": "2",
 
+               "ieee8021x": "1",
 
+               "openssl_ciphers": "SUITEB192",
 
+               "eap_server": "1",
 
+               "eap_user_file": "auth_serv/eap_user.conf",
 
+               "ca_cert": "auth_serv/ec2-ca.pem",
 
+               "server_cert": "auth_serv/ec2-server.pem",
 
+               "private_key": "auth_serv/ec2-server.key" }
 
+    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
 
+
 
+    dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
 
+                   ieee80211w="2",
 
+                   openssl_ciphers="SUITEB192",
 
+                   eap="TLS", identity="tls user",
 
+                   ca_cert="auth_serv/ec2-ca.pem",
 
+                   client_cert="auth_serv/ec2-user.pem",
 
+                   private_key="auth_serv/ec2-user.key",
 
+                   pairwise="GCMP-256", group="GCMP-256", scan_freq="2412")
 
+    tls_cipher = dev[0].get_status_field("EAP TLS cipher")
 
+    if tls_cipher != "ECDHE-ECDSA-AES256-GCM-SHA384":
 
+        raise Exception("Unexpected TLS cipher: " + tls_cipher)
 
+
 
+    bss = dev[0].get_bss(apdev[0]['bssid'])
 
+    if 'flags' not in bss:
 
+        raise Exception("Could not get BSS flags from BSS table")
 
+    if "[WPA2-EAP-SUITE-B-192-GCMP-256]" not in bss['flags']:
 
+        raise Exception("Unexpected BSS flags: " + bss['flags'])
 
+
 
+    dev[0].request("DISCONNECT")
 
+    dev[0].wait_disconnected(timeout=20)
 
+    dev[0].dump_monitor()
 
+    dev[0].request("RECONNECT")
 
+    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
 
+                            "CTRL-EVENT-CONNECTED"], timeout=20)
 
+    if ev is None:
 
+        raise Exception("Roaming with the AP timed out")
 
+    if "CTRL-EVENT-EAP-STARTED" in ev:
 
+        raise Exception("Unexpected EAP exchange")