1# Suite B tests 2# Copyright (c) 2014-2015, Jouni Malinen <j@w1.fi> 3# 4# This software may be distributed under the terms of the BSD license. 5# See README for more details. 6 7import time 8import logging 9logger = logging.getLogger() 10 11import hostapd 12from utils import HwsimSkip, fail_test 13from test_ap_eap import check_tls13_support 14 15def check_suite_b_capa(dev): 16 if "GCMP" not in dev[0].get_capability("pairwise"): 17 raise HwsimSkip("GCMP not supported") 18 if "BIP-GMAC-128" not in dev[0].get_capability("group_mgmt"): 19 raise HwsimSkip("BIP-GMAC-128 not supported") 20 if "WPA-EAP-SUITE-B" not in dev[0].get_capability("key_mgmt"): 21 raise HwsimSkip("WPA-EAP-SUITE-B not supported") 22 check_suite_b_tls_lib(dev, level128=True) 23 24def check_suite_b_tls_lib(dev, dhe=False, level128=False): 25 tls = dev[0].request("GET tls_library") 26 if tls.startswith("GnuTLS"): 27 return 28 if tls.startswith("wolfSSL"): 29 return 30 if not tls.startswith("OpenSSL"): 31 raise HwsimSkip("TLS library not supported for Suite B: " + tls) 32 supported = False 33 for ver in ['1.0.2', '1.1.0', '1.1.1', '3.']: 34 if "build=OpenSSL " + ver in tls and "run=OpenSSL " + ver in tls: 35 supported = True 36 break 37 if not dhe and not level128 and "build=OpenSSL " + ver in tls and "run=BoringSSL" in tls: 38 supported = True 39 break 40 if not supported: 41 raise HwsimSkip("OpenSSL version not supported for Suite B: " + tls) 42 43def suite_b_ap_params(): 44 params = {"ssid": "test-suite-b", 45 "wpa": "2", 46 "wpa_key_mgmt": "WPA-EAP-SUITE-B", 47 "rsn_pairwise": "GCMP", 48 "group_mgmt_cipher": "BIP-GMAC-128", 49 "ieee80211w": "2", 50 "ieee8021x": "1", 51 "openssl_ciphers": "SUITEB128", 52 #"dh_file": "auth_serv/dh.conf", 53 "eap_server": "1", 54 "eap_user_file": "auth_serv/eap_user.conf", 55 "ca_cert": "auth_serv/ec-ca.pem", 56 "server_cert": "auth_serv/ec-server.pem", 57 "private_key": "auth_serv/ec-server.key"} 58 return params 59 60def test_suite_b(dev, apdev): 61 """WPA2/GCMP connection at Suite B 128-bit level""" 62 check_suite_b_capa(dev) 63 dev[0].flush_scan_cache() 64 params = suite_b_ap_params() 65 hapd = hostapd.add_ap(apdev[0], params) 66 67 dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B", ieee80211w="2", 68 openssl_ciphers="SUITEB128", 69 eap="TLS", identity="tls user", 70 ca_cert="auth_serv/ec-ca.pem", 71 client_cert="auth_serv/ec-user.pem", 72 private_key="auth_serv/ec-user.key", 73 pairwise="GCMP", group="GCMP", scan_freq="2412") 74 hapd.wait_sta() 75 tls_cipher = dev[0].get_status_field("EAP TLS cipher") 76 if tls_cipher != "ECDHE-ECDSA-AES128-GCM-SHA256" and \ 77 tls_cipher != "ECDHE-ECDSA-AES-128-GCM-AEAD": 78 raise Exception("Unexpected TLS cipher: " + tls_cipher) 79 80 bss = dev[0].get_bss(apdev[0]['bssid']) 81 if 'flags' not in bss: 82 raise Exception("Could not get BSS flags from BSS table") 83 if "[WPA2-EAP-SUITE-B-GCMP]" not in bss['flags']: 84 raise Exception("Unexpected BSS flags: " + bss['flags']) 85 86 dev[0].request("DISCONNECT") 87 dev[0].wait_disconnected(timeout=20) 88 dev[0].dump_monitor() 89 dev[0].request("RECONNECT") 90 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED", 91 "CTRL-EVENT-CONNECTED"], timeout=20) 92 if ev is None: 93 raise Exception("Roaming with the AP timed out") 94 if "CTRL-EVENT-EAP-STARTED" in ev: 95 raise Exception("Unexpected EAP exchange") 96 97 conf = hapd.get_config() 98 if conf['key_mgmt'] != 'WPA-EAP-SUITE-B': 99 raise Exception("Unexpected config key_mgmt: " + conf['key_mgmt']) 100 101 hapd.wait_sta() 102 dev[0].request("DISCONNECT") 103 dev[0].wait_disconnected(timeout=20) 104 dev[0].dump_monitor() 105 dev[0].request("RECONNECT") 106 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED", 107 "CTRL-EVENT-CONNECTED"], timeout=20) 108 if ev is None: 109 raise Exception("Roaming with the AP timed out (2)") 110 if "CTRL-EVENT-EAP-STARTED" in ev: 111 raise Exception("Unexpected EAP exchange (2)") 112 113def suite_b_as_params(): 114 params = {} 115 params['ssid'] = 'as' 116 params['beacon_int'] = '2000' 117 params['radius_server_clients'] = 'auth_serv/radius_clients.conf' 118 params['radius_server_auth_port'] = '18129' 119 params['eap_server'] = '1' 120 params['eap_user_file'] = 'auth_serv/eap_user.conf' 121 params['ca_cert'] = 'auth_serv/ec-ca.pem' 122 params['server_cert'] = 'auth_serv/ec-server.pem' 123 params['private_key'] = 'auth_serv/ec-server.key' 124 params['openssl_ciphers'] = 'SUITEB128' 125 return params 126 127def test_suite_b_radius(dev, apdev): 128 """WPA2/GCMP (RADIUS) connection at Suite B 128-bit level""" 129 check_suite_b_capa(dev) 130 dev[0].flush_scan_cache() 131 params = suite_b_as_params() 132 hostapd.add_ap(apdev[1], params) 133 134 params = {"ssid": "test-suite-b", 135 "wpa": "2", 136 "wpa_key_mgmt": "WPA-EAP-SUITE-B", 137 "rsn_pairwise": "GCMP", 138 "group_mgmt_cipher": "BIP-GMAC-128", 139 "ieee80211w": "2", 140 "ieee8021x": "1", 141 'auth_server_addr': "127.0.0.1", 142 'auth_server_port': "18129", 143 'auth_server_shared_secret': "radius", 144 'nas_identifier': "nas.w1.fi"} 145 hapd = hostapd.add_ap(apdev[0], params) 146 147 dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B", ieee80211w="2", 148 openssl_ciphers="SUITEB128", 149 eap="TLS", identity="tls user", 150 ca_cert="auth_serv/ec-ca.pem", 151 client_cert="auth_serv/ec-user.pem", 152 private_key="auth_serv/ec-user.key", 153 pairwise="GCMP", group="GCMP", scan_freq="2412") 154 155def check_suite_b_192_capa(dev, dhe=False): 156 if "GCMP-256" not in dev[0].get_capability("pairwise"): 157 raise HwsimSkip("GCMP-256 not supported") 158 if "BIP-GMAC-256" not in dev[0].get_capability("group_mgmt"): 159 raise HwsimSkip("BIP-GMAC-256 not supported") 160 if "WPA-EAP-SUITE-B-192" not in dev[0].get_capability("key_mgmt"): 161 raise HwsimSkip("WPA-EAP-SUITE-B-192 not supported") 162 check_suite_b_tls_lib(dev, dhe=dhe) 163 164def suite_b_192_ap_params(): 165 params = {"ssid": "test-suite-b", 166 "wpa": "2", 167 "wpa_key_mgmt": "WPA-EAP-SUITE-B-192", 168 "rsn_pairwise": "GCMP-256", 169 "group_mgmt_cipher": "BIP-GMAC-256", 170 "ieee80211w": "2", 171 "ieee8021x": "1", 172 "openssl_ciphers": "SUITEB192", 173 "eap_server": "1", 174 "eap_user_file": "auth_serv/eap_user.conf", 175 "ca_cert": "auth_serv/ec2-ca.pem", 176 "server_cert": "auth_serv/ec2-server.pem", 177 "private_key": "auth_serv/ec2-server.key"} 178 return params 179 180def test_suite_b_192(dev, apdev): 181 """WPA2/GCMP-256 connection at Suite B 192-bit level""" 182 check_suite_b_192_capa(dev) 183 dev[0].flush_scan_cache() 184 params = suite_b_192_ap_params() 185 hapd = hostapd.add_ap(apdev[0], params) 186 187 dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192", 188 ieee80211w="2", 189 openssl_ciphers="SUITEB192", 190 eap="TLS", identity="tls user", 191 ca_cert="auth_serv/ec2-ca.pem", 192 client_cert="auth_serv/ec2-user.pem", 193 private_key="auth_serv/ec2-user.key", 194 pairwise="GCMP-256", group="GCMP-256", scan_freq="2412") 195 tls_cipher = dev[0].get_status_field("EAP TLS cipher") 196 if tls_cipher != "ECDHE-ECDSA-AES256-GCM-SHA384" and \ 197 tls_cipher != "ECDHE-ECDSA-AES-256-GCM-AEAD": 198 raise Exception("Unexpected TLS cipher: " + tls_cipher) 199 cipher = dev[0].get_status_field("mgmt_group_cipher") 200 if cipher != "BIP-GMAC-256": 201 raise Exception("Unexpected mgmt_group_cipher: " + cipher) 202 203 bss = dev[0].get_bss(apdev[0]['bssid']) 204 if 'flags' not in bss: 205 raise Exception("Could not get BSS flags from BSS table") 206 if "[WPA2-EAP-SUITE-B-192-GCMP-256]" not in bss['flags']: 207 raise Exception("Unexpected BSS flags: " + bss['flags']) 208 209 hapd.wait_sta() 210 dev[0].request("DISCONNECT") 211 dev[0].wait_disconnected(timeout=20) 212 dev[0].dump_monitor() 213 dev[0].request("RECONNECT") 214 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED", 215 "CTRL-EVENT-CONNECTED"], timeout=20) 216 if ev is None: 217 raise Exception("Roaming with the AP timed out") 218 if "CTRL-EVENT-EAP-STARTED" in ev: 219 raise Exception("Unexpected EAP exchange") 220 221 conf = hapd.get_config() 222 if conf['key_mgmt'] != 'WPA-EAP-SUITE-B-192': 223 raise Exception("Unexpected config key_mgmt: " + conf['key_mgmt']) 224 225 hapd.wait_sta() 226 dev[0].request("DISCONNECT") 227 dev[0].wait_disconnected(timeout=20) 228 dev[0].dump_monitor() 229 dev[0].request("RECONNECT") 230 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED", 231 "CTRL-EVENT-CONNECTED"], timeout=20) 232 if ev is None: 233 raise Exception("Roaming with the AP timed out (2)") 234 if "CTRL-EVENT-EAP-STARTED" in ev: 235 raise Exception("Unexpected EAP exchange (2)") 236 237def test_suite_b_192_radius(dev, apdev): 238 """WPA2/GCMP-256 (RADIUS) connection at Suite B 192-bit level""" 239 check_suite_b_192_capa(dev) 240 dev[0].flush_scan_cache() 241 params = suite_b_as_params() 242 params['ca_cert'] = 'auth_serv/ec2-ca.pem' 243 params['server_cert'] = 'auth_serv/ec2-server.pem' 244 params['private_key'] = 'auth_serv/ec2-server.key' 245 params['openssl_ciphers'] = 'SUITEB192' 246 hostapd.add_ap(apdev[1], params) 247 248 params = {"ssid": "test-suite-b", 249 "wpa": "2", 250 "wpa_key_mgmt": "WPA-EAP-SUITE-B-192", 251 "rsn_pairwise": "GCMP-256", 252 "group_mgmt_cipher": "BIP-GMAC-256", 253 "ieee80211w": "2", 254 "ieee8021x": "1", 255 'auth_server_addr': "127.0.0.1", 256 'auth_server_port': "18129", 257 'auth_server_shared_secret': "radius", 258 'nas_identifier': "nas.w1.fi"} 259 hapd = hostapd.add_ap(apdev[0], params) 260 261 dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192", 262 ieee80211w="2", 263 openssl_ciphers="SUITEB192", 264 eap="TLS", identity="tls user", 265 ca_cert="auth_serv/ec2-ca.pem", 266 client_cert="auth_serv/ec2-user.pem", 267 private_key="auth_serv/ec2-user.key", 268 pairwise="GCMP-256", group="GCMP-256", scan_freq="2412") 269 270def test_suite_b_192_radius_and_p256_cert(dev, apdev): 271 """Suite B 192-bit level and p256 client cert""" 272 check_suite_b_192_capa(dev) 273 dev[0].flush_scan_cache() 274 params = suite_b_as_params() 275 params['ca_cert'] = 'auth_serv/ec2-ca.pem' 276 params['server_cert'] = 'auth_serv/ec2-server.pem' 277 params['private_key'] = 'auth_serv/ec2-server.key' 278 params['openssl_ciphers'] = 'SUITEB192' 279 hostapd.add_ap(apdev[1], params) 280 281 params = {"ssid": "test-suite-b", 282 "wpa": "2", 283 "wpa_key_mgmt": "WPA-EAP-SUITE-B-192", 284 "rsn_pairwise": "GCMP-256", 285 "group_mgmt_cipher": "BIP-GMAC-256", 286 "ieee80211w": "2", 287 "ieee8021x": "1", 288 'auth_server_addr': "127.0.0.1", 289 'auth_server_port': "18129", 290 'auth_server_shared_secret': "radius", 291 'nas_identifier': "nas.w1.fi"} 292 hapd = hostapd.add_ap(apdev[0], params) 293 294 dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192", 295 ieee80211w="2", 296 #openssl_ciphers="SUITEB192", 297 eap="TLS", identity="tls user", 298 ca_cert="auth_serv/ec2-ca.pem", 299 client_cert="auth_serv/ec2-user-p256.pem", 300 private_key="auth_serv/ec2-user-p256.key", 301 pairwise="GCMP-256", group="GCMP-256", scan_freq="2412", 302 wait_connect=False) 303 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) 304 if ev is None: 305 raise Exception("EAP-Failure not reported") 306 ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=5) 307 if ev is None: 308 raise Exception("Disconnection not reported") 309 if "reason=23" not in ev: 310 raise Exception("Unexpected disconnection reason: " + ev) 311 312def test_suite_b_pmkid_failure(dev, apdev): 313 """WPA2/GCMP connection at Suite B 128-bit level and PMKID derivation failure""" 314 check_suite_b_capa(dev) 315 dev[0].flush_scan_cache() 316 params = suite_b_ap_params() 317 hapd = hostapd.add_ap(apdev[0], params) 318 319 with fail_test(dev[0], 1, "rsn_pmkid_suite_b"): 320 dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B", 321 ieee80211w="2", 322 openssl_ciphers="SUITEB128", 323 eap="TLS", identity="tls user", 324 ca_cert="auth_serv/ec-ca.pem", 325 client_cert="auth_serv/ec-user.pem", 326 private_key="auth_serv/ec-user.key", 327 pairwise="GCMP", group="GCMP", scan_freq="2412") 328 329def test_suite_b_192_pmkid_failure(dev, apdev): 330 """WPA2/GCMP-256 connection at Suite B 192-bit level and PMKID derivation failure""" 331 check_suite_b_192_capa(dev) 332 dev[0].flush_scan_cache() 333 params = suite_b_192_ap_params() 334 hapd = hostapd.add_ap(apdev[0], params) 335 336 with fail_test(dev[0], 1, "rsn_pmkid_suite_b_192"): 337 dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192", 338 ieee80211w="2", 339 openssl_ciphers="SUITEB192", 340 eap="TLS", identity="tls user", 341 ca_cert="auth_serv/ec2-ca.pem", 342 client_cert="auth_serv/ec2-user.pem", 343 private_key="auth_serv/ec2-user.key", 344 pairwise="GCMP-256", group="GCMP-256", scan_freq="2412") 345 346def test_suite_b_mic_failure(dev, apdev): 347 """WPA2/GCMP connection at Suite B 128-bit level and MIC derivation failure""" 348 check_suite_b_capa(dev) 349 dev[0].flush_scan_cache() 350 params = suite_b_ap_params() 351 hapd = hostapd.add_ap(apdev[0], params) 352 353 with fail_test(dev[0], 1, "wpa_eapol_key_mic"): 354 dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B", 355 ieee80211w="2", 356 openssl_ciphers="SUITEB128", 357 eap="TLS", identity="tls user", 358 ca_cert="auth_serv/ec-ca.pem", 359 client_cert="auth_serv/ec-user.pem", 360 private_key="auth_serv/ec-user.key", 361 pairwise="GCMP", group="GCMP", scan_freq="2412", 362 wait_connect=False) 363 dev[0].wait_disconnected() 364 365def test_suite_b_192_mic_failure(dev, apdev): 366 """WPA2/GCMP connection at Suite B 192-bit level and MIC derivation failure""" 367 check_suite_b_192_capa(dev) 368 dev[0].flush_scan_cache() 369 params = suite_b_192_ap_params() 370 hapd = hostapd.add_ap(apdev[0], params) 371 372 with fail_test(dev[0], 1, "wpa_eapol_key_mic"): 373 dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192", 374 ieee80211w="2", 375 openssl_ciphers="SUITEB192", 376 eap="TLS", identity="tls user", 377 ca_cert="auth_serv/ec2-ca.pem", 378 client_cert="auth_serv/ec2-user.pem", 379 private_key="auth_serv/ec2-user.key", 380 pairwise="GCMP-256", group="GCMP-256", scan_freq="2412", 381 wait_connect=False) 382 dev[0].wait_disconnected() 383 384def suite_b_192_rsa_ap_params(): 385 params = {"ssid": "test-suite-b", 386 "wpa": "2", 387 "wpa_key_mgmt": "WPA-EAP-SUITE-B-192", 388 "rsn_pairwise": "GCMP-256", 389 "group_mgmt_cipher": "BIP-GMAC-256", 390 "ieee80211w": "2", 391 "ieee8021x": "1", 392 "tls_flags": "[SUITEB]", 393 "dh_file": "auth_serv/dh_param_3072.pem", 394 "eap_server": "1", 395 "eap_user_file": "auth_serv/eap_user.conf", 396 "ca_cert": "auth_serv/rsa3072-ca.pem", 397 "server_cert": "auth_serv/rsa3072-server.pem", 398 "private_key": "auth_serv/rsa3072-server.key"} 399 return params 400 401def test_suite_b_192_rsa(dev, apdev): 402 """WPA2/GCMP-256 connection at Suite B 192-bit level and RSA""" 403 run_suite_b_192_rsa(dev, apdev) 404 405def test_suite_b_192_rsa_tls_13(dev, apdev): 406 """WPA2/GCMP-256 connection at Suite B 192-bit level and RSA (TLS v1.3)""" 407 check_tls13_support(dev[0]) 408 run_suite_b_192_rsa(dev, apdev, tls13=True) 409 410def test_suite_b_192_rsa_ecdhe(dev, apdev): 411 """WPA2/GCMP-256 connection at Suite B 192-bit level and RSA (ECDHE)""" 412 run_suite_b_192_rsa(dev, apdev, no_dhe=True) 413 414def test_suite_b_192_rsa_dhe(dev, apdev): 415 """WPA2/GCMP-256 connection at Suite B 192-bit level and RSA (DHE)""" 416 run_suite_b_192_rsa(dev, apdev, no_ecdh=True) 417 418def run_suite_b_192_rsa(dev, apdev, no_ecdh=False, no_dhe=False, tls13=False): 419 check_suite_b_192_capa(dev, dhe=no_ecdh) 420 dev[0].flush_scan_cache() 421 params = suite_b_192_rsa_ap_params() 422 tls_flags = "" 423 if no_ecdh: 424 tls_flags += "[SUITEB-NO-ECDH]" 425 if no_dhe: 426 del params["dh_file"] 427 if tls13: 428 if not no_ecdh: 429 tls_flags += "[SUITEB]" 430 tls_flags += "[ENABLE-TLSv1.3]" 431 if len(tls_flags) > 0: 432 params["tls_flags"] = tls_flags 433 hapd = hostapd.add_ap(apdev[0], params) 434 435 phase1 = "tls_suiteb=1" 436 if tls13: 437 phase1 += " tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=0" 438 dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192", 439 ieee80211w="2", 440 phase1=phase1, 441 eap="TLS", identity="tls user", 442 ca_cert="auth_serv/rsa3072-ca.pem", 443 client_cert="auth_serv/rsa3072-user.pem", 444 private_key="auth_serv/rsa3072-user.key", 445 pairwise="GCMP-256", group="GCMP-256", scan_freq="2412") 446 ver = dev[0].get_status_field("eap_tls_version") 447 logger.info("TLS version: " + ver) 448 if tls13 and ver != "TLSv1.3": 449 raise Exception("Unexpected TLS version: " + ver) 450 tls_cipher = dev[0].get_status_field("EAP TLS cipher") 451 if tls_cipher != "ECDHE-RSA-AES256-GCM-SHA384" and \ 452 tls_cipher != "DHE-RSA-AES256-GCM-SHA384" and \ 453 tls_cipher != "ECDHE-RSA-AES-256-GCM-AEAD" and \ 454 tls_cipher != "DHE-RSA-AES-256-GCM-AEAD" and \ 455 tls_cipher != "TLS_AES_256_GCM_SHA384": 456 raise Exception("Unexpected TLS cipher: " + tls_cipher) 457 cipher = dev[0].get_status_field("mgmt_group_cipher") 458 if cipher != "BIP-GMAC-256": 459 raise Exception("Unexpected mgmt_group_cipher: " + cipher) 460 461 bss = dev[0].get_bss(apdev[0]['bssid']) 462 if 'flags' not in bss: 463 raise Exception("Could not get BSS flags from BSS table") 464 if "[WPA2-EAP-SUITE-B-192-GCMP-256]" not in bss['flags']: 465 raise Exception("Unexpected BSS flags: " + bss['flags']) 466 467 hapd.wait_sta() 468 dev[0].request("DISCONNECT") 469 dev[0].wait_disconnected(timeout=20) 470 dev[0].dump_monitor() 471 dev[0].request("RECONNECT") 472 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED", 473 "CTRL-EVENT-CONNECTED"], timeout=20) 474 if ev is None: 475 raise Exception("Roaming with the AP timed out") 476 if "CTRL-EVENT-EAP-STARTED" in ev: 477 raise Exception("Unexpected EAP exchange") 478 479 conf = hapd.get_config() 480 if conf['key_mgmt'] != 'WPA-EAP-SUITE-B-192': 481 raise Exception("Unexpected config key_mgmt: " + conf['key_mgmt']) 482 483def test_suite_b_192_rsa_insufficient_key(dev, apdev): 484 """WPA2/GCMP-256 connection at Suite B 192-bit level and RSA with insufficient key length""" 485 check_suite_b_192_capa(dev) 486 dev[0].flush_scan_cache() 487 params = suite_b_192_rsa_ap_params() 488 params["ca_cert"] = "auth_serv/ca.pem" 489 params["server_cert"] = "auth_serv/server.pem" 490 params["private_key"] = "auth_serv/server.key" 491 hapd = hostapd.add_ap(apdev[0], params) 492 493 dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192", 494 ieee80211w="2", 495 phase1="tls_suiteb=1", 496 eap="TLS", identity="tls user", 497 ca_cert="auth_serv/ca.pem", 498 client_cert="auth_serv/user.pem", 499 private_key="auth_serv/user.key", 500 pairwise="GCMP-256", group="GCMP-256", scan_freq="2412", 501 wait_connect=False) 502 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10) 503 dev[0].request("DISCONNECT") 504 if ev is None: 505 raise Exception("Certificate error not reported") 506 if "reason=11" in ev and "err='Insufficient RSA modulus size'" in ev: 507 return 508 if "reason=7" in ev and "err='certificate uses insecure algorithm'" in ev: 509 return 510 raise Exception("Unexpected error reason: " + ev) 511 512def test_suite_b_192_rsa_insufficient_dh(dev, apdev): 513 """WPA2/GCMP-256 connection at Suite B 192-bit level and RSA with insufficient DH key length""" 514 check_suite_b_192_capa(dev, dhe=True) 515 dev[0].flush_scan_cache() 516 params = suite_b_192_rsa_ap_params() 517 params["tls_flags"] = "[SUITEB-NO-ECDH]" 518 params["dh_file"] = "auth_serv/dh.conf" 519 hapd = hostapd.add_ap(apdev[0], params) 520 521 dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192", 522 ieee80211w="2", 523 phase1="tls_suiteb=1", 524 eap="TLS", identity="tls user", 525 ca_cert="auth_serv/rsa3072-ca.pem", 526 client_cert="auth_serv/rsa3072-user.pem", 527 private_key="auth_serv/rsa3072-user.key", 528 pairwise="GCMP-256", group="GCMP-256", scan_freq="2412", 529 wait_connect=False) 530 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS status='local TLS alert'", 531 "CTRL-EVENT-CONNECTED"], 532 timeout=10) 533 dev[0].request("DISCONNECT") 534 if ev is None: 535 raise Exception("DH error not reported") 536 if "CTRL-EVENT-CONNECTED" in ev: 537 raise Exception("Unexpected connection") 538 if "insufficient security" not in ev and "internal error" not in ev: 539 raise Exception("Unexpected error reason: " + ev) 540 541def test_suite_b_192_rsa_radius(dev, apdev): 542 """WPA2/GCMP-256 (RADIUS) connection at Suite B 192-bit level and RSA (ECDHE)""" 543 check_suite_b_192_capa(dev) 544 dev[0].flush_scan_cache() 545 params = suite_b_as_params() 546 params['ca_cert'] = 'auth_serv/rsa3072-ca.pem' 547 params['server_cert'] = 'auth_serv/rsa3072-server.pem' 548 params['private_key'] = 'auth_serv/rsa3072-server.key' 549 del params['openssl_ciphers'] 550 params["tls_flags"] = "[SUITEB]" 551 552 hostapd.add_ap(apdev[1], params) 553 554 params = {"ssid": "test-suite-b", 555 "wpa": "2", 556 "wpa_key_mgmt": "WPA-EAP-SUITE-B-192", 557 "rsn_pairwise": "GCMP-256", 558 "group_mgmt_cipher": "BIP-GMAC-256", 559 "ieee80211w": "2", 560 "ieee8021x": "1", 561 'auth_server_addr': "127.0.0.1", 562 'auth_server_port': "18129", 563 'auth_server_shared_secret': "radius", 564 'nas_identifier': "nas.w1.fi"} 565 hapd = hostapd.add_ap(apdev[0], params) 566 567 dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192", 568 ieee80211w="2", 569 openssl_ciphers="ECDHE-RSA-AES256-GCM-SHA384", 570 phase1="tls_suiteb=1", 571 eap="TLS", identity="tls user", 572 ca_cert="auth_serv/rsa3072-ca.pem", 573 client_cert="auth_serv/rsa3072-user.pem", 574 private_key="auth_serv/rsa3072-user.key", 575 pairwise="GCMP-256", group="GCMP-256", 576 group_mgmt="BIP-GMAC-256", scan_freq="2412") 577 tls_cipher = dev[0].get_status_field("EAP TLS cipher") 578 if tls_cipher != "ECDHE-RSA-AES256-GCM-SHA384" and \ 579 tls_cipher != "ECDHE-RSA-AES-256-GCM-AEAD": 580 raise Exception("Unexpected TLS cipher: " + tls_cipher) 581 582def test_suite_b_192_rsa_ecdhe_radius_rsa2048_client(dev, apdev): 583 """Suite B 192-bit level and RSA (ECDHE) and RSA2048 client""" 584 run_suite_b_192_rsa_radius_rsa2048_client(dev, apdev, True) 585 586def test_suite_b_192_rsa_dhe_radius_rsa2048_client(dev, apdev): 587 """Suite B 192-bit level and RSA (DHE) and RSA2048 client""" 588 run_suite_b_192_rsa_radius_rsa2048_client(dev, apdev, False) 589 590def run_suite_b_192_rsa_radius_rsa2048_client(dev, apdev, ecdhe): 591 check_suite_b_192_capa(dev, dhe=not ecdhe) 592 dev[0].flush_scan_cache() 593 params = suite_b_as_params() 594 params['ca_cert'] = 'auth_serv/rsa3072-ca.pem' 595 params['server_cert'] = 'auth_serv/rsa3072-server.pem' 596 params['private_key'] = 'auth_serv/rsa3072-server.key' 597 del params['openssl_ciphers'] 598 if ecdhe: 599 params["tls_flags"] = "[SUITEB]" 600 ciphers = "ECDHE-RSA-AES256-GCM-SHA384" 601 else: 602 params["tls_flags"] = "[SUITEB-NO-ECDH]" 603 params["dh_file"] = "auth_serv/dh_param_3072.pem" 604 ciphers = "DHE-RSA-AES256-GCM-SHA384" 605 606 hostapd.add_ap(apdev[1], params) 607 608 params = {"ssid": "test-suite-b", 609 "wpa": "2", 610 "wpa_key_mgmt": "WPA-EAP-SUITE-B-192", 611 "rsn_pairwise": "GCMP-256", 612 "group_mgmt_cipher": "BIP-GMAC-256", 613 "ieee80211w": "2", 614 "ieee8021x": "1", 615 'auth_server_addr': "127.0.0.1", 616 'auth_server_port': "18129", 617 'auth_server_shared_secret': "radius", 618 'nas_identifier': "nas.w1.fi"} 619 hapd = hostapd.add_ap(apdev[0], params) 620 621 dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192", 622 ieee80211w="2", 623 openssl_ciphers=ciphers, 624 phase1="tls_suiteb=1", 625 eap="TLS", identity="tls user", 626 ca_cert="auth_serv/rsa3072-ca.pem", 627 client_cert="auth_serv/rsa3072-user-rsa2048.pem", 628 private_key="auth_serv/rsa3072-user-rsa2048.key", 629 pairwise="GCMP-256", group="GCMP-256", 630 group_mgmt="BIP-GMAC-256", scan_freq="2412", 631 wait_connect=False) 632 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) 633 if ev is None: 634 raise Exception("EAP-Failure not reported") 635 ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=5) 636 if ev is None: 637 raise Exception("Disconnection not reported") 638 if "reason=23" not in ev: 639 raise Exception("Unexpected disconnection reason: " + ev) 640 641def test_openssl_ecdh_curves(dev, apdev): 642 """OpenSSL ECDH curve configuration""" 643 check_suite_b_192_capa(dev) 644 dev[0].flush_scan_cache() 645 params = suite_b_192_ap_params() 646 params['wpa_key_mgmt'] = "WPA-EAP" 647 del params['openssl_ciphers'] 648 hapd = hostapd.add_ap(apdev[0], params) 649 650 dev[0].connect("test-suite-b", key_mgmt="WPA-EAP", 651 ieee80211w="2", 652 openssl_ciphers="SUITEB192", 653 eap="TLS", identity="tls user", 654 ca_cert="auth_serv/ec2-ca.pem", 655 client_cert="auth_serv/ec2-user.pem", 656 private_key="auth_serv/ec2-user.key", 657 pairwise="GCMP-256", group="GCMP-256", scan_freq="2412") 658 dev[0].request("REMOVE_NETWORK all") 659 dev[0].wait_disconnected() 660 661 hapd.disable() 662 hapd.set('openssl_ecdh_curves', 'foo') 663 if "FAIL" not in hapd.request("ENABLE"): 664 raise Exception("Invalid openssl_ecdh_curves value accepted") 665 hapd.set('openssl_ecdh_curves', 'P-384') 666 hapd.enable() 667 668 dev[0].connect("test-suite-b", key_mgmt="WPA-EAP", 669 ieee80211w="2", 670 openssl_ciphers="SUITEB192", 671 eap="TLS", identity="tls user", 672 ca_cert="auth_serv/ec2-ca.pem", 673 client_cert="auth_serv/ec2-user.pem", 674 private_key="auth_serv/ec2-user.key", 675 pairwise="GCMP-256", group="GCMP-256", scan_freq="2412") 676 dev[0].request("REMOVE_NETWORK all") 677 dev[0].wait_disconnected() 678 679 # Check with server enforcing P-256 and client allowing only P-384 680 hapd.disable() 681 hapd.set('openssl_ecdh_curves', 'P-256') 682 hapd.enable() 683 684 dev[0].connect("test-suite-b", key_mgmt="WPA-EAP", 685 ieee80211w="2", 686 openssl_ciphers="SUITEB192", 687 eap="TLS", identity="tls user", 688 ca_cert="auth_serv/ec2-ca.pem", 689 client_cert="auth_serv/ec2-user.pem", 690 private_key="auth_serv/ec2-user.key", 691 pairwise="GCMP-256", group="GCMP-256", scan_freq="2412", 692 wait_connect=False) 693 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) 694 if ev is None: 695 raise Exception("EAP failure not reported") 696 dev[0].request("REMOVE_NETWORK all") 697 dev[0].wait_disconnected() 698 699def test_suite_b_192_pmksa_caching_roam(dev, apdev): 700 """WPA2/GCMP-256 connection at Suite B 192-bit level using PMKSA caching and roaming""" 701 check_suite_b_192_capa(dev) 702 dev[0].flush_scan_cache() 703 params = suite_b_192_ap_params() 704 hapd = hostapd.add_ap(apdev[0], params) 705 bssid = hapd.own_addr() 706 707 dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192", 708 ieee80211w="2", 709 openssl_ciphers="SUITEB192", 710 eap="TLS", identity="tls user", 711 ca_cert="auth_serv/ec2-ca.pem", 712 client_cert="auth_serv/ec2-user.pem", 713 private_key="auth_serv/ec2-user.key", 714 pairwise="GCMP-256", group="GCMP-256", scan_freq="2412") 715 ev = dev[0].wait_event(["PMKSA-CACHE-ADDED"], timeout=5) 716 if ev is None: 717 raise Exception("PMKSA cache entry not added for AP1") 718 hapd.wait_sta() 719 dev[0].dump_monitor() 720 721 hapd2 = hostapd.add_ap(apdev[1], params) 722 bssid2 = hapd2.own_addr() 723 dev[0].scan_for_bss(bssid2, freq=2412) 724 dev[0].request("ROAM " + bssid2) 725 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED", 726 "CTRL-EVENT-CONNECTED"], timeout=20) 727 if ev is None: 728 raise Exception("Roaming with the AP timed out") 729 if "CTRL-EVENT-EAP-STARTED" not in ev: 730 raise Exception("EAP exchange not seen") 731 ev = dev[0].wait_connected() 732 if bssid2 not in ev: 733 raise Exception("Roam to AP2 connected back to AP1") 734 ev = dev[0].wait_event(["PMKSA-CACHE-ADDED"], timeout=5) 735 if ev is None: 736 raise Exception("PMKSA cache entry not added for AP2") 737 hapd2.wait_sta() 738 dev[0].dump_monitor() 739 740 dev[0].request("ROAM " + bssid) 741 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED", 742 "CTRL-EVENT-CONNECTED"], timeout=20) 743 if ev is None: 744 raise Exception("Roaming with the AP timed out") 745 if "CTRL-EVENT-EAP-STARTED" in ev: 746 raise Exception("Unexpected EAP exchange") 747 if bssid not in ev: 748 raise Exception("Roam to AP1 connected back to AP2") 749 hapd.wait_sta() 750 dev[0].dump_monitor() 751 752 dev[0].request("ROAM " + bssid2) 753 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED", 754 "CTRL-EVENT-CONNECTED"], timeout=20) 755 if ev is None: 756 raise Exception("Roaming with the AP timed out") 757 if "CTRL-EVENT-EAP-STARTED" in ev: 758 raise Exception("Unexpected EAP exchange") 759 if bssid2 not in ev: 760 raise Exception("Second roam to AP2 connected back to AP1") 761 hapd2.wait_sta() 762 dev[0].dump_monitor() 763 764def test_suite_b_192_okc(dev, apdev): 765 """WPA3/GCMP-256 connection at Suite B 192-bit level and OKC""" 766 check_suite_b_192_capa(dev) 767 dev[0].flush_scan_cache() 768 params = suite_b_192_ap_params() 769 params['okc'] = "1" 770 hapd = hostapd.add_ap(apdev[0], params) 771 bssid = hapd.own_addr() 772 773 dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192", 774 ieee80211w="2", 775 openssl_ciphers="SUITEB192", 776 eap="TLS", identity="tls user", 777 ca_cert="auth_serv/ec2-ca.pem", 778 client_cert="auth_serv/ec2-user.pem", 779 private_key="auth_serv/ec2-user.key", 780 pairwise="GCMP-256", group="GCMP-256", okc=True, 781 scan_freq="2412") 782 hapd.wait_sta() 783 784 pmksa = dev[0].get_pmksa(bssid) 785 if pmksa is None: 786 raise Exception("No PMKSA cache entry created") 787 if pmksa['opportunistic'] != '0': 788 raise Exception("Unexpected opportunistic PMKSA cache entry") 789 790 hapd2 = hostapd.add_ap(apdev[1], params) 791 bssid2 = hapd2.own_addr() 792 dev[0].scan_for_bss(bssid2, freq=2412) 793 dev[0].request("ROAM " + bssid2) 794 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED", 795 "CTRL-EVENT-CONNECTED"], timeout=10) 796 if ev is None: 797 raise Exception("Roaming with the AP timed out") 798 if "CTRL-EVENT-EAP-STARTED" in ev: 799 raise Exception("Unexpected EAP exchange") 800 pmksa2 = dev[0].get_pmksa(bssid2) 801 if pmksa2 is None: 802 raise Exception("No PMKSA cache entry created") 803 804 dev[0].request("ROAM " + bssid) 805 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED", 806 "CTRL-EVENT-CONNECTED"], timeout=10) 807 if ev is None: 808 raise Exception("Roaming with the AP timed out") 809 if "CTRL-EVENT-EAP-STARTED" in ev: 810 raise Exception("Unexpected EAP exchange") 811 812 pmksa1b = dev[0].get_pmksa(bssid) 813 if pmksa1b is None: 814 raise Exception("No PMKSA cache entry found") 815 if pmksa['pmkid'] != pmksa1b['pmkid']: 816 raise Exception("Unexpected PMKID change for AP1") 817 818 dev[0].request("ROAM " + bssid2) 819 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED", 820 "CTRL-EVENT-CONNECTED"], timeout=10) 821 if ev is None: 822 raise Exception("Roaming with the AP timed out") 823 if "CTRL-EVENT-EAP-STARTED" in ev: 824 raise Exception("Unexpected EAP exchange") 825 pmksa2b = dev[0].get_pmksa(bssid2) 826 if pmksa2b is None: 827 raise Exception("No PMKSA cache entry created") 828 if pmksa2['pmkid'] != pmksa2b['pmkid']: 829 raise Exception("Unexpected PMKID change for AP2") 830 831def test_suite_b_192_rsa_no_cs_match(dev, apdev): 832 """Suite B 192-bit level RSA failing (no CS match)""" 833 check_suite_b_192_capa(dev) 834 dev[0].flush_scan_cache() 835 params = suite_b_192_rsa_ap_params() 836 params['openssl_ciphers'] = "DHE-RSA-AES256-SHA" 837 hapd = hostapd.add_ap(apdev[0], params) 838 839 dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192", 840 ieee80211w="2", 841 phase1="tls_suiteb=1", 842 eap="TLS", identity="tls user", 843 ca_cert="auth_serv/rsa3072-ca.pem", 844 client_cert="auth_serv/rsa3072-user.pem", 845 private_key="auth_serv/rsa3072-user.key", 846 pairwise="GCMP-256", group="GCMP-256", scan_freq="2412", 847 wait_connect=False) 848 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) 849 if ev is None: 850 raise Exception("EAP-Failure not reported") 851 ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=5) 852 if ev is None: 853 raise Exception("Disconnection not reported") 854 if "reason=23" not in ev: 855 raise Exception("Unexpected disconnection reason: " + ev) 856
