| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209 |
- # Suite B tests
- # Copyright (c) 2014-2015, Jouni Malinen <j@w1.fi>
- #
- # This software may be distributed under the terms of the BSD license.
- # See README for more details.
- import time
- import logging
- logger = logging.getLogger()
- import hostapd
- from utils import HwsimSkip
- def check_suite_b_capa(dev):
- if "GCMP" not in dev[0].get_capability("pairwise"):
- raise HwsimSkip("GCMP not supported")
- if "BIP-GMAC-128" not in dev[0].get_capability("group_mgmt"):
- raise HwsimSkip("BIP-GMAC-128 not supported")
- if "WPA-EAP-SUITE-B" not in dev[0].get_capability("key_mgmt"):
- raise HwsimSkip("WPA-EAP-SUITE-B not supported")
- tls = dev[0].request("GET tls_library")
- if not tls.startswith("OpenSSL"):
- raise HwsimSkip("TLS library not supported for Suite B: " + tls);
- if "build=OpenSSL 1.0.2" not in tls or "run=OpenSSL 1.0.2" not in tls:
- raise HwsimSkip("OpenSSL version not supported for Suite B: " + tls)
- def test_suite_b(dev, apdev):
- """WPA2/GCMP connection at Suite B 128-bit level"""
- check_suite_b_capa(dev)
- dev[0].flush_scan_cache()
- params = { "ssid": "test-suite-b",
- "wpa": "2",
- "wpa_key_mgmt": "WPA-EAP-SUITE-B",
- "rsn_pairwise": "GCMP",
- "group_mgmt_cipher": "BIP-GMAC-128",
- "ieee80211w": "2",
- "ieee8021x": "1",
- "openssl_ciphers": "SUITEB128",
- #"dh_file": "auth_serv/dh.conf",
- "eap_server": "1",
- "eap_user_file": "auth_serv/eap_user.conf",
- "ca_cert": "auth_serv/ec-ca.pem",
- "server_cert": "auth_serv/ec-server.pem",
- "private_key": "auth_serv/ec-server.key" }
- hapd = hostapd.add_ap(apdev[0]['ifname'], params)
- dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B", ieee80211w="2",
- openssl_ciphers="SUITEB128",
- eap="TLS", identity="tls user",
- ca_cert="auth_serv/ec-ca.pem",
- client_cert="auth_serv/ec-user.pem",
- private_key="auth_serv/ec-user.key",
- pairwise="GCMP", group="GCMP", scan_freq="2412")
- tls_cipher = dev[0].get_status_field("EAP TLS cipher")
- if tls_cipher != "ECDHE-ECDSA-AES128-GCM-SHA256":
- raise Exception("Unexpected TLS cipher: " + tls_cipher)
- bss = dev[0].get_bss(apdev[0]['bssid'])
- if 'flags' not in bss:
- raise Exception("Could not get BSS flags from BSS table")
- if "[WPA2-EAP-SUITE-B-GCMP]" not in bss['flags']:
- raise Exception("Unexpected BSS flags: " + bss['flags'])
- dev[0].request("DISCONNECT")
- dev[0].wait_disconnected(timeout=20)
- dev[0].dump_monitor()
- dev[0].request("RECONNECT")
- ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
- "CTRL-EVENT-CONNECTED"], timeout=20)
- if ev is None:
- raise Exception("Roaming with the AP timed out")
- if "CTRL-EVENT-EAP-STARTED" in ev:
- raise Exception("Unexpected EAP exchange")
- def suite_b_as_params():
- params = {}
- params['ssid'] = 'as'
- params['beacon_int'] = '2000'
- params['radius_server_clients'] = 'auth_serv/radius_clients.conf'
- params['radius_server_auth_port'] = '18129'
- params['eap_server'] = '1'
- params['eap_user_file'] = 'auth_serv/eap_user.conf'
- params['ca_cert'] = 'auth_serv/ec-ca.pem'
- params['server_cert'] = 'auth_serv/ec-server.pem'
- params['private_key'] = 'auth_serv/ec-server.key'
- params['openssl_ciphers'] = 'SUITEB128'
- return params
- def test_suite_b_radius(dev, apdev):
- """WPA2/GCMP (RADIUS) connection at Suite B 128-bit level"""
- check_suite_b_capa(dev)
- dev[0].flush_scan_cache()
- params = suite_b_as_params()
- hostapd.add_ap(apdev[1]['ifname'], params)
- params = { "ssid": "test-suite-b",
- "wpa": "2",
- "wpa_key_mgmt": "WPA-EAP-SUITE-B",
- "rsn_pairwise": "GCMP",
- "group_mgmt_cipher": "BIP-GMAC-128",
- "ieee80211w": "2",
- "ieee8021x": "1",
- 'auth_server_addr': "127.0.0.1",
- 'auth_server_port': "18129",
- 'auth_server_shared_secret': "radius",
- 'nas_identifier': "nas.w1.fi" }
- hapd = hostapd.add_ap(apdev[0]['ifname'], params)
- dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B", ieee80211w="2",
- openssl_ciphers="SUITEB128",
- eap="TLS", identity="tls user",
- ca_cert="auth_serv/ec-ca.pem",
- client_cert="auth_serv/ec-user.pem",
- private_key="auth_serv/ec-user.key",
- pairwise="GCMP", group="GCMP", scan_freq="2412")
- def check_suite_b_192_capa(dev):
- if "GCMP-256" not in dev[0].get_capability("pairwise"):
- raise HwsimSkip("GCMP-256 not supported")
- if "BIP-GMAC-256" not in dev[0].get_capability("group_mgmt"):
- raise HwsimSkip("BIP-GMAC-256 not supported")
- if "WPA-EAP-SUITE-B-192" not in dev[0].get_capability("key_mgmt"):
- raise HwsimSkip("WPA-EAP-SUITE-B-192 not supported")
- tls = dev[0].request("GET tls_library")
- if not tls.startswith("OpenSSL"):
- raise HwsimSkip("TLS library not supported for Suite B: " + tls);
- if "build=OpenSSL 1.0.2" not in tls or "run=OpenSSL 1.0.2" not in tls:
- raise HwsimSkip("OpenSSL version not supported for Suite B: " + tls)
- def test_suite_b_192(dev, apdev):
- """WPA2/GCMP-256 connection at Suite B 192-bit level"""
- check_suite_b_192_capa(dev)
- dev[0].flush_scan_cache()
- params = { "ssid": "test-suite-b",
- "wpa": "2",
- "wpa_key_mgmt": "WPA-EAP-SUITE-B-192",
- "rsn_pairwise": "GCMP-256",
- "group_mgmt_cipher": "BIP-GMAC-256",
- "ieee80211w": "2",
- "ieee8021x": "1",
- "openssl_ciphers": "SUITEB192",
- "eap_server": "1",
- "eap_user_file": "auth_serv/eap_user.conf",
- "ca_cert": "auth_serv/ec2-ca.pem",
- "server_cert": "auth_serv/ec2-server.pem",
- "private_key": "auth_serv/ec2-server.key" }
- hapd = hostapd.add_ap(apdev[0]['ifname'], params)
- dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
- ieee80211w="2",
- openssl_ciphers="SUITEB192",
- eap="TLS", identity="tls user",
- ca_cert="auth_serv/ec2-ca.pem",
- client_cert="auth_serv/ec2-user.pem",
- private_key="auth_serv/ec2-user.key",
- pairwise="GCMP-256", group="GCMP-256", scan_freq="2412")
- tls_cipher = dev[0].get_status_field("EAP TLS cipher")
- if tls_cipher != "ECDHE-ECDSA-AES256-GCM-SHA384":
- raise Exception("Unexpected TLS cipher: " + tls_cipher)
- bss = dev[0].get_bss(apdev[0]['bssid'])
- if 'flags' not in bss:
- raise Exception("Could not get BSS flags from BSS table")
- if "[WPA2-EAP-SUITE-B-192-GCMP-256]" not in bss['flags']:
- raise Exception("Unexpected BSS flags: " + bss['flags'])
- dev[0].request("DISCONNECT")
- dev[0].wait_disconnected(timeout=20)
- dev[0].dump_monitor()
- dev[0].request("RECONNECT")
- ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
- "CTRL-EVENT-CONNECTED"], timeout=20)
- if ev is None:
- raise Exception("Roaming with the AP timed out")
- if "CTRL-EVENT-EAP-STARTED" in ev:
- raise Exception("Unexpected EAP exchange")
- def test_suite_b_192_radius(dev, apdev):
- """WPA2/GCMP-256 (RADIUS) connection at Suite B 192-bit level"""
- check_suite_b_192_capa(dev)
- dev[0].flush_scan_cache()
- params = suite_b_as_params()
- params['ca_cert'] = 'auth_serv/ec2-ca.pem'
- params['server_cert'] = 'auth_serv/ec2-server.pem'
- params['private_key'] = 'auth_serv/ec2-server.key'
- params['openssl_ciphers'] = 'SUITEB192'
- hostapd.add_ap(apdev[1]['ifname'], params)
- params = { "ssid": "test-suite-b",
- "wpa": "2",
- "wpa_key_mgmt": "WPA-EAP-SUITE-B-192",
- "rsn_pairwise": "GCMP-256",
- "group_mgmt_cipher": "BIP-GMAC-256",
- "ieee80211w": "2",
- "ieee8021x": "1",
- 'auth_server_addr': "127.0.0.1",
- 'auth_server_port': "18129",
- 'auth_server_shared_secret': "radius",
- 'nas_identifier': "nas.w1.fi" }
- hapd = hostapd.add_ap(apdev[0]['ifname'], params)
- dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
- ieee80211w="2",
- openssl_ciphers="SUITEB192",
- eap="TLS", identity="tls user",
- ca_cert="auth_serv/ec2-ca.pem",
- client_cert="auth_serv/ec2-user.pem",
- private_key="auth_serv/ec2-user.key",
- pairwise="GCMP-256", group="GCMP-256", scan_freq="2412")
|
