2 # Copyright (c) 2014-2015, Jouni Malinen <j@w1.fi>
4 # This software may be distributed under the terms of the BSD license.
5 # See README for more details.
9 logger = logging.getLogger()
12 from utils import HwsimSkip
14 def check_suite_b_capa(dev):
15 if "GCMP" not in dev[0].get_capability("pairwise"):
16 raise HwsimSkip("GCMP not supported")
17 if "BIP-GMAC-128" not in dev[0].get_capability("group_mgmt"):
18 raise HwsimSkip("BIP-GMAC-128 not supported")
19 if "WPA-EAP-SUITE-B" not in dev[0].get_capability("key_mgmt"):
20 raise HwsimSkip("WPA-EAP-SUITE-B not supported")
21 check_suite_b_tls_lib(dev)
23 def check_suite_b_tls_lib(dev):
24 tls = dev[0].request("GET tls_library")
25 if not tls.startswith("OpenSSL"):
26 raise HwsimSkip("TLS library not supported for Suite B: " + tls);
28 for ver in [ '1.0.2', '1.1.0' ]:
29 if "build=OpenSSL " + ver in tls and "run=OpenSSL " + ver in tls:
33 raise HwsimSkip("OpenSSL version not supported for Suite B: " + tls)
35 def test_suite_b(dev, apdev):
36 """WPA2/GCMP connection at Suite B 128-bit level"""
37 check_suite_b_capa(dev)
38 dev[0].flush_scan_cache()
39 params = { "ssid": "test-suite-b",
41 "wpa_key_mgmt": "WPA-EAP-SUITE-B",
42 "rsn_pairwise": "GCMP",
43 "group_mgmt_cipher": "BIP-GMAC-128",
46 "openssl_ciphers": "SUITEB128",
47 #"dh_file": "auth_serv/dh.conf",
49 "eap_user_file": "auth_serv/eap_user.conf",
50 "ca_cert": "auth_serv/ec-ca.pem",
51 "server_cert": "auth_serv/ec-server.pem",
52 "private_key": "auth_serv/ec-server.key" }
53 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
55 dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B", ieee80211w="2",
56 openssl_ciphers="SUITEB128",
57 eap="TLS", identity="tls user",
58 ca_cert="auth_serv/ec-ca.pem",
59 client_cert="auth_serv/ec-user.pem",
60 private_key="auth_serv/ec-user.key",
61 pairwise="GCMP", group="GCMP", scan_freq="2412")
62 tls_cipher = dev[0].get_status_field("EAP TLS cipher")
63 if tls_cipher != "ECDHE-ECDSA-AES128-GCM-SHA256":
64 raise Exception("Unexpected TLS cipher: " + tls_cipher)
66 bss = dev[0].get_bss(apdev[0]['bssid'])
67 if 'flags' not in bss:
68 raise Exception("Could not get BSS flags from BSS table")
69 if "[WPA2-EAP-SUITE-B-GCMP]" not in bss['flags']:
70 raise Exception("Unexpected BSS flags: " + bss['flags'])
72 dev[0].request("DISCONNECT")
73 dev[0].wait_disconnected(timeout=20)
75 dev[0].request("RECONNECT")
76 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
77 "CTRL-EVENT-CONNECTED"], timeout=20)
79 raise Exception("Roaming with the AP timed out")
80 if "CTRL-EVENT-EAP-STARTED" in ev:
81 raise Exception("Unexpected EAP exchange")
83 def suite_b_as_params():
86 params['beacon_int'] = '2000'
87 params['radius_server_clients'] = 'auth_serv/radius_clients.conf'
88 params['radius_server_auth_port'] = '18129'
89 params['eap_server'] = '1'
90 params['eap_user_file'] = 'auth_serv/eap_user.conf'
91 params['ca_cert'] = 'auth_serv/ec-ca.pem'
92 params['server_cert'] = 'auth_serv/ec-server.pem'
93 params['private_key'] = 'auth_serv/ec-server.key'
94 params['openssl_ciphers'] = 'SUITEB128'
97 def test_suite_b_radius(dev, apdev):
98 """WPA2/GCMP (RADIUS) connection at Suite B 128-bit level"""
99 check_suite_b_capa(dev)
100 dev[0].flush_scan_cache()
101 params = suite_b_as_params()
102 hostapd.add_ap(apdev[1]['ifname'], params)
104 params = { "ssid": "test-suite-b",
106 "wpa_key_mgmt": "WPA-EAP-SUITE-B",
107 "rsn_pairwise": "GCMP",
108 "group_mgmt_cipher": "BIP-GMAC-128",
111 'auth_server_addr': "127.0.0.1",
112 'auth_server_port': "18129",
113 'auth_server_shared_secret': "radius",
114 'nas_identifier': "nas.w1.fi" }
115 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
117 dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B", ieee80211w="2",
118 openssl_ciphers="SUITEB128",
119 eap="TLS", identity="tls user",
120 ca_cert="auth_serv/ec-ca.pem",
121 client_cert="auth_serv/ec-user.pem",
122 private_key="auth_serv/ec-user.key",
123 pairwise="GCMP", group="GCMP", scan_freq="2412")
125 def check_suite_b_192_capa(dev):
126 if "GCMP-256" not in dev[0].get_capability("pairwise"):
127 raise HwsimSkip("GCMP-256 not supported")
128 if "BIP-GMAC-256" not in dev[0].get_capability("group_mgmt"):
129 raise HwsimSkip("BIP-GMAC-256 not supported")
130 if "WPA-EAP-SUITE-B-192" not in dev[0].get_capability("key_mgmt"):
131 raise HwsimSkip("WPA-EAP-SUITE-B-192 not supported")
132 check_suite_b_tls_lib(dev)
134 def test_suite_b_192(dev, apdev):
135 """WPA2/GCMP-256 connection at Suite B 192-bit level"""
136 check_suite_b_192_capa(dev)
137 dev[0].flush_scan_cache()
138 params = { "ssid": "test-suite-b",
140 "wpa_key_mgmt": "WPA-EAP-SUITE-B-192",
141 "rsn_pairwise": "GCMP-256",
142 "group_mgmt_cipher": "BIP-GMAC-256",
145 "openssl_ciphers": "SUITEB192",
147 "eap_user_file": "auth_serv/eap_user.conf",
148 "ca_cert": "auth_serv/ec2-ca.pem",
149 "server_cert": "auth_serv/ec2-server.pem",
150 "private_key": "auth_serv/ec2-server.key" }
151 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
153 dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
155 openssl_ciphers="SUITEB192",
156 eap="TLS", identity="tls user",
157 ca_cert="auth_serv/ec2-ca.pem",
158 client_cert="auth_serv/ec2-user.pem",
159 private_key="auth_serv/ec2-user.key",
160 pairwise="GCMP-256", group="GCMP-256", scan_freq="2412")
161 tls_cipher = dev[0].get_status_field("EAP TLS cipher")
162 if tls_cipher != "ECDHE-ECDSA-AES256-GCM-SHA384":
163 raise Exception("Unexpected TLS cipher: " + tls_cipher)
165 bss = dev[0].get_bss(apdev[0]['bssid'])
166 if 'flags' not in bss:
167 raise Exception("Could not get BSS flags from BSS table")
168 if "[WPA2-EAP-SUITE-B-192-GCMP-256]" not in bss['flags']:
169 raise Exception("Unexpected BSS flags: " + bss['flags'])
171 dev[0].request("DISCONNECT")
172 dev[0].wait_disconnected(timeout=20)
173 dev[0].dump_monitor()
174 dev[0].request("RECONNECT")
175 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
176 "CTRL-EVENT-CONNECTED"], timeout=20)
178 raise Exception("Roaming with the AP timed out")
179 if "CTRL-EVENT-EAP-STARTED" in ev:
180 raise Exception("Unexpected EAP exchange")
182 def test_suite_b_192_radius(dev, apdev):
183 """WPA2/GCMP-256 (RADIUS) connection at Suite B 192-bit level"""
184 check_suite_b_192_capa(dev)
185 dev[0].flush_scan_cache()
186 params = suite_b_as_params()
187 params['ca_cert'] = 'auth_serv/ec2-ca.pem'
188 params['server_cert'] = 'auth_serv/ec2-server.pem'
189 params['private_key'] = 'auth_serv/ec2-server.key'
190 params['openssl_ciphers'] = 'SUITEB192'
191 hostapd.add_ap(apdev[1]['ifname'], params)
193 params = { "ssid": "test-suite-b",
195 "wpa_key_mgmt": "WPA-EAP-SUITE-B-192",
196 "rsn_pairwise": "GCMP-256",
197 "group_mgmt_cipher": "BIP-GMAC-256",
200 'auth_server_addr': "127.0.0.1",
201 'auth_server_port': "18129",
202 'auth_server_shared_secret': "radius",
203 'nas_identifier': "nas.w1.fi" }
204 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
206 dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
208 openssl_ciphers="SUITEB192",
209 eap="TLS", identity="tls user",
210 ca_cert="auth_serv/ec2-ca.pem",
211 client_cert="auth_serv/ec2-user.pem",
212 private_key="auth_serv/ec2-user.key",
213 pairwise="GCMP-256", group="GCMP-256", scan_freq="2412")