libeap/tests/hwsim/test_suite_b.py

   1 # Suite B tests
   2 # Copyright (c) 2014-2015, Jouni Malinen <j@w1.fi>
   3 #
   4 # This software may be distributed under the terms of the BSD license.
   5 # See README for more details.
   6
   7 import time
   8 import logging
   9 logger = logging.getLogger()
  10
  11 import hostapd
  12 from utils import HwsimSkip
  13
  14 def check_suite_b_capa(dev):
  15     if "GCMP" not in dev[0].get_capability("pairwise"):
  16         raise HwsimSkip("GCMP not supported")
  17     if "BIP-GMAC-128" not in dev[0].get_capability("group_mgmt"):
  18         raise HwsimSkip("BIP-GMAC-128 not supported")
  19     if "WPA-EAP-SUITE-B" not in dev[0].get_capability("key_mgmt"):
  20         raise HwsimSkip("WPA-EAP-SUITE-B not supported")
  21     check_suite_b_tls_lib(dev)
  22
  23 def check_suite_b_tls_lib(dev):
  24     tls = dev[0].request("GET tls_library")
  25     if not tls.startswith("OpenSSL"):
  26         raise HwsimSkip("TLS library not supported for Suite B: " + tls);
  27     supported = False
  28     for ver in [ '1.0.2', '1.1.0' ]:
  29         if "build=OpenSSL " + ver in tls and "run=OpenSSL " + ver in tls:
  30             supported = True
  31             break
  32     if not supported:
  33         raise HwsimSkip("OpenSSL version not supported for Suite B: " + tls)
  34
  35 def test_suite_b(dev, apdev):
  36     """WPA2/GCMP connection at Suite B 128-bit level"""
  37     check_suite_b_capa(dev)
  38     dev[0].flush_scan_cache()
  39     params = { "ssid": "test-suite-b",
  40                "wpa": "2",
  41                "wpa_key_mgmt": "WPA-EAP-SUITE-B",
  42                "rsn_pairwise": "GCMP",
  43                "group_mgmt_cipher": "BIP-GMAC-128",
  44                "ieee80211w": "2",
  45                "ieee8021x": "1",
  46                "openssl_ciphers": "SUITEB128",
  47                #"dh_file": "auth_serv/dh.conf",
  48                "eap_server": "1",
  49                "eap_user_file": "auth_serv/eap_user.conf",
  50                "ca_cert": "auth_serv/ec-ca.pem",
  51                "server_cert": "auth_serv/ec-server.pem",
  52                "private_key": "auth_serv/ec-server.key" }
  53     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
  54
  55     dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B", ieee80211w="2",
  56                    openssl_ciphers="SUITEB128",
  57                    eap="TLS", identity="tls user",
  58                    ca_cert="auth_serv/ec-ca.pem",
  59                    client_cert="auth_serv/ec-user.pem",
  60                    private_key="auth_serv/ec-user.key",
  61                    pairwise="GCMP", group="GCMP", scan_freq="2412")
  62     tls_cipher = dev[0].get_status_field("EAP TLS cipher")
  63     if tls_cipher != "ECDHE-ECDSA-AES128-GCM-SHA256":
  64         raise Exception("Unexpected TLS cipher: " + tls_cipher)
  65
  66     bss = dev[0].get_bss(apdev[0]['bssid'])
  67     if 'flags' not in bss:
  68         raise Exception("Could not get BSS flags from BSS table")
  69     if "[WPA2-EAP-SUITE-B-GCMP]" not in bss['flags']:
  70         raise Exception("Unexpected BSS flags: " + bss['flags'])
  71
  72     dev[0].request("DISCONNECT")
  73     dev[0].wait_disconnected(timeout=20)
  74     dev[0].dump_monitor()
  75     dev[0].request("RECONNECT")
  76     ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
  77                             "CTRL-EVENT-CONNECTED"], timeout=20)
  78     if ev is None:
  79         raise Exception("Roaming with the AP timed out")
  80     if "CTRL-EVENT-EAP-STARTED" in ev:
  81         raise Exception("Unexpected EAP exchange")
  82
  83 def suite_b_as_params():
  84     params = {}
  85     params['ssid'] = 'as'
  86     params['beacon_int'] = '2000'
  87     params['radius_server_clients'] = 'auth_serv/radius_clients.conf'
  88     params['radius_server_auth_port'] = '18129'
  89     params['eap_server'] = '1'
  90     params['eap_user_file'] = 'auth_serv/eap_user.conf'
  91     params['ca_cert'] = 'auth_serv/ec-ca.pem'
  92     params['server_cert'] = 'auth_serv/ec-server.pem'
  93     params['private_key'] = 'auth_serv/ec-server.key'
  94     params['openssl_ciphers'] = 'SUITEB128'
  95     return params
  96
  97 def test_suite_b_radius(dev, apdev):
  98     """WPA2/GCMP (RADIUS) connection at Suite B 128-bit level"""
  99     check_suite_b_capa(dev)
 100     dev[0].flush_scan_cache()
 101     params = suite_b_as_params()
 102     hostapd.add_ap(apdev[1]['ifname'], params)
 103
 104     params = { "ssid": "test-suite-b",
 105                "wpa": "2",
 106                "wpa_key_mgmt": "WPA-EAP-SUITE-B",
 107                "rsn_pairwise": "GCMP",
 108                "group_mgmt_cipher": "BIP-GMAC-128",
 109                "ieee80211w": "2",
 110                "ieee8021x": "1",
 111                'auth_server_addr': "127.0.0.1",
 112                'auth_server_port': "18129",
 113                'auth_server_shared_secret': "radius",
 114                'nas_identifier': "nas.w1.fi" }
 115     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
 116
 117     dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B", ieee80211w="2",
 118                    openssl_ciphers="SUITEB128",
 119                    eap="TLS", identity="tls user",
 120                    ca_cert="auth_serv/ec-ca.pem",
 121                    client_cert="auth_serv/ec-user.pem",
 122                    private_key="auth_serv/ec-user.key",
 123                    pairwise="GCMP", group="GCMP", scan_freq="2412")
 124
 125 def check_suite_b_192_capa(dev):
 126     if "GCMP-256" not in dev[0].get_capability("pairwise"):
 127         raise HwsimSkip("GCMP-256 not supported")
 128     if "BIP-GMAC-256" not in dev[0].get_capability("group_mgmt"):
 129         raise HwsimSkip("BIP-GMAC-256 not supported")
 130     if "WPA-EAP-SUITE-B-192" not in dev[0].get_capability("key_mgmt"):
 131         raise HwsimSkip("WPA-EAP-SUITE-B-192 not supported")
 132     check_suite_b_tls_lib(dev)
 133
 134 def test_suite_b_192(dev, apdev):
 135     """WPA2/GCMP-256 connection at Suite B 192-bit level"""
 136     check_suite_b_192_capa(dev)
 137     dev[0].flush_scan_cache()
 138     params = { "ssid": "test-suite-b",
 139                "wpa": "2",
 140                "wpa_key_mgmt": "WPA-EAP-SUITE-B-192",
 141                "rsn_pairwise": "GCMP-256",
 142                "group_mgmt_cipher": "BIP-GMAC-256",
 143                "ieee80211w": "2",
 144                "ieee8021x": "1",
 145                "openssl_ciphers": "SUITEB192",
 146                "eap_server": "1",
 147                "eap_user_file": "auth_serv/eap_user.conf",
 148                "ca_cert": "auth_serv/ec2-ca.pem",
 149                "server_cert": "auth_serv/ec2-server.pem",
 150                "private_key": "auth_serv/ec2-server.key" }
 151     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
 152
 153     dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
 154                    ieee80211w="2",
 155                    openssl_ciphers="SUITEB192",
 156                    eap="TLS", identity="tls user",
 157                    ca_cert="auth_serv/ec2-ca.pem",
 158                    client_cert="auth_serv/ec2-user.pem",
 159                    private_key="auth_serv/ec2-user.key",
 160                    pairwise="GCMP-256", group="GCMP-256", scan_freq="2412")
 161     tls_cipher = dev[0].get_status_field("EAP TLS cipher")
 162     if tls_cipher != "ECDHE-ECDSA-AES256-GCM-SHA384":
 163         raise Exception("Unexpected TLS cipher: " + tls_cipher)
 164
 165     bss = dev[0].get_bss(apdev[0]['bssid'])
 166     if 'flags' not in bss:
 167         raise Exception("Could not get BSS flags from BSS table")
 168     if "[WPA2-EAP-SUITE-B-192-GCMP-256]" not in bss['flags']:
 169         raise Exception("Unexpected BSS flags: " + bss['flags'])
 170
 171     dev[0].request("DISCONNECT")
 172     dev[0].wait_disconnected(timeout=20)
 173     dev[0].dump_monitor()
 174     dev[0].request("RECONNECT")
 175     ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED",
 176                             "CTRL-EVENT-CONNECTED"], timeout=20)
 177     if ev is None:
 178         raise Exception("Roaming with the AP timed out")
 179     if "CTRL-EVENT-EAP-STARTED" in ev:
 180         raise Exception("Unexpected EAP exchange")
 181
 182 def test_suite_b_192_radius(dev, apdev):
 183     """WPA2/GCMP-256 (RADIUS) connection at Suite B 192-bit level"""
 184     check_suite_b_192_capa(dev)
 185     dev[0].flush_scan_cache()
 186     params = suite_b_as_params()
 187     params['ca_cert'] = 'auth_serv/ec2-ca.pem'
 188     params['server_cert'] = 'auth_serv/ec2-server.pem'
 189     params['private_key'] = 'auth_serv/ec2-server.key'
 190     params['openssl_ciphers'] = 'SUITEB192'
 191     hostapd.add_ap(apdev[1]['ifname'], params)
 192
 193     params = { "ssid": "test-suite-b",
 194                "wpa": "2",
 195                "wpa_key_mgmt": "WPA-EAP-SUITE-B-192",
 196                "rsn_pairwise": "GCMP-256",
 197                "group_mgmt_cipher": "BIP-GMAC-256",
 198                "ieee80211w": "2",
 199                "ieee8021x": "1",
 200                'auth_server_addr': "127.0.0.1",
 201                'auth_server_port': "18129",
 202                'auth_server_shared_secret': "radius",
 203                'nas_identifier': "nas.w1.fi" }
 204     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
 205
 206     dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
 207                    ieee80211w="2",
 208                    openssl_ciphers="SUITEB192",
 209                    eap="TLS", identity="tls user",
 210                    ca_cert="auth_serv/ec2-ca.pem",
 211                    client_cert="auth_serv/ec2-user.pem",
 212                    private_key="auth_serv/ec2-user.key",
 213                    pairwise="GCMP-256", group="GCMP-256", scan_freq="2412")