tests: Update capability checks to include OpenSSL 3.0

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Jouni Malinen 2022-01-11 17:21:40 +02:00 committed by Jouni Malinen
parent 500813f9f3
commit f5fcac731f
5 changed files with 18 additions and 25 deletions


@ -97,6 +97,11 @@ def check_pkcs5_v15_support(dev):
if "BoringSSL" in tls or "GnuTLS" in tls:
raise HwsimSkip("PKCS#5 v1.5 not supported with this TLS library: " + tls)
def check_tls13_support(dev):
tls = dev.request("GET tls_library")
if "run=OpenSSL 1.1.1" not in tls and "run=OpenSSL 3.0" not in tls:
raise HwsimSkip("TLS v1.3 not supported")
def check_ocsp_multi_support(dev):
tls = dev.request("GET tls_library")
if not tls.startswith("internal"):
@ -3971,7 +3976,7 @@ def test_ap_wpa2_eap_fast_cipher_suites(dev, apdev):
if cipher == "RC4-SHA" and \
("Could not select EAP method" in str(e) or \
"EAP failed" in str(e)):
if "run=OpenSSL 1.1" in tls:
if "run=OpenSSL 1.1" in tls or "run=OpenSSL 3.0" in tls:
logger.info("Allow failure due to missing TLS library support")
dev[0].request("REMOVE_NETWORK all")
dev[0].wait_disconnected()
@ -5905,7 +5910,7 @@ def test_ap_wpa2_eap_tls_versions(dev, apdev):
"tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=1", "TLSv1.1")
check_tls_ver(dev[2], hapd,
"tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
if "run=OpenSSL 1.1.1" in tls:
if "run=OpenSSL 1.1.1" in tls or "run=OpenSSL 3.0" in tls:
check_tls_ver(dev[0], hapd,
"tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=0", "TLSv1.3")
@ -5937,9 +5942,7 @@ def test_ap_wpa2_eap_tls_13(dev, apdev):
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
hapd = hostapd.add_ap(apdev[0], params)
tls = dev[0].request("GET tls_library")
if "run=OpenSSL 1.1.1" not in tls:
raise HwsimSkip("TLS v1.3 not supported")
check_tls13_support(dev[0])
id = eap_connect(dev[0], hapd, "TLS", "tls user",
ca_cert="auth_serv/ca.pem",
client_cert="auth_serv/user.pem",
@ -5961,9 +5964,7 @@ def test_ap_wpa2_eap_ttls_13(dev, apdev):
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
hapd = hostapd.add_ap(apdev[0], params)
tls = dev[0].request("GET tls_library")
if "run=OpenSSL 1.1.1" not in tls:
raise HwsimSkip("TLS v1.3 not supported")
check_tls13_support(dev[0])
id = eap_connect(dev[0], hapd, "TTLS", "pap user",
anonymous_identity="ttls", password="password",
ca_cert="auth_serv/ca.pem",
@ -5986,9 +5987,7 @@ def test_ap_wpa2_eap_peap_13(dev, apdev):
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
hapd = hostapd.add_ap(apdev[0], params)
tls = dev[0].request("GET tls_library")
if "run=OpenSSL 1.1.1" not in tls:
raise HwsimSkip("TLS v1.3 not supported")
check_tls13_support(dev[0])
id = eap_connect(dev[0], hapd, "PEAP", "user",
anonymous_identity="peap", password="password",
ca_cert="auth_serv/ca.pem",
@ -6019,13 +6018,9 @@ def test_ap_wpa2_eap_tls_13_ec(dev, apdev):
"private_key": "auth_serv/ec-server.key",
"tls_flags": "[ENABLE-TLSv1.3]"}
hapd = hostapd.add_ap(apdev[0], params)
tls = hapd.request("GET tls_library")
if "run=OpenSSL 1.1.1" not in tls:
raise HwsimSkip("TLS v1.3 not supported")
check_tls13_support(hapd)
tls = dev[0].request("GET tls_library")
if "run=OpenSSL 1.1.1" not in tls:
raise HwsimSkip("TLS v1.3 not supported")
check_tls13_support(dev[0])
id = eap_connect(dev[0], hapd, "TLS", "tls user",
ca_cert="auth_serv/ec-ca.pem",
client_cert="auth_serv/ec-user.pem",
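Review bot: The new check_tls13_support() matches the literal `run=OpenSSL 3.0`, so a later 3.x runtime (assuming it reports e.g. `run=OpenSSL 3.1`) would raise HwsimSkip and every TLS v1.3 test that calls the helper would be skipped instead of run, silently dropping that coverage. The SAE Brainpool check in this same commit already uses the broader `"run=OpenSSL 3." in tls`; the helper could follow it with `if "run=OpenSSL 1.1.1" not in tls and "run=OpenSSL 3." not in tls:`. The same `3.0` literal appears in the RC4-SHA allowance in test_ap_wpa2_eap_fast_cipher_suites, the TLSv1.3 branch of test_ap_wpa2_eap_tls_versions, the FILS EC group checks and the `'3.0'` entry in check_suite_b_tls_lib. A one-line docstring such as `"""Skip the test unless the run-time TLS library is known to support TLS v1.3."""` would also document that only the `run=` version is inspected, not `build=`.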


@ -12,7 +12,7 @@ import time
import hostapd
from utils import *
from test_ap_eap import int_eap_server_params
from test_ap_eap import int_eap_server_params, check_tls13_support
from test_ap_psk import find_wpas_process, read_process_memory, verify_not_present, get_key_locations
def test_erp_initiate_reauth_start(dev, apdev):
@ -329,9 +329,7 @@ def test_erp_radius_eap_methods(dev, apdev):
def test_erp_radius_eap_tls_v13(dev, apdev):
"""ERP enabled on RADIUS server and peer using EAP-TLS v1.3"""
check_erp_capa(dev[0])
tls = dev[0].request("GET tls_library")
if "run=OpenSSL 1.1.1" not in tls:
raise HwsimSkip("No TLS v1.3 support in TLS library")
check_tls13_support(dev[0])
eap_methods = dev[0].get_capability("eap")
start_erp_as(tls13=True)


@ -1420,10 +1420,10 @@ def run_fils_sk_pfs(dev, apdev, group, params):
tls = dev[0].request("GET tls_library")
if int(group) in [25]:
if not (tls.startswith("OpenSSL") and ("build=OpenSSL 1.0.2" in tls or "build=OpenSSL 1.1" in tls) and ("run=OpenSSL 1.0.2" in tls or "run=OpenSSL 1.1" in tls)):
if not (tls.startswith("OpenSSL") and ("build=OpenSSL 1.0.2" in tls or "build=OpenSSL 1.1" in tls or "build=OpenSSL 3.0" in tls) and ("run=OpenSSL 1.0.2" in tls or "run=OpenSSL 1.1" in tls or "run=OpenSSL 3.0" in tls)):
raise HwsimSkip("EC group not supported")
if int(group) in [27, 28, 29, 30]:
if not (tls.startswith("OpenSSL") and ("build=OpenSSL 1.0.2" in tls or "build=OpenSSL 1.1" in tls) and ("run=OpenSSL 1.0.2" in tls or "run=OpenSSL 1.1" in tls)):
if not (tls.startswith("OpenSSL") and ("build=OpenSSL 1.0.2" in tls or "build=OpenSSL 1.1" in tls or "build=OpenSSL 3.0" in tls) and ("run=OpenSSL 1.0.2" in tls or "run=OpenSSL 1.1" in tls or "run=OpenSSL 3.0" in tls)):
raise HwsimSkip("Brainpool EC group not supported")
start_erp_as(msk_dump=os.path.join(params['logdir'], "msk.lst"))
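Review bot: The OpenSSL version condition in run_fils_sk_pfs is written out twice, identically, for group 25 and for the Brainpool groups, and this commit has to extend both copies in step; a future version bump that touches only one of them would make the two skip decisions diverge. Computing it once before the two `if int(group) in ...` tests keeps them aligned, for example `vers = ("1.0.2", "1.1", "3.0")` followed by `ec_ok = tls.startswith("OpenSSL") and any("build=OpenSSL " + v in tls for v in vers) and any("run=OpenSSL " + v in tls for v in vers)`, with each branch reduced to `if not ec_ok:`. The function body starts before and continues after this hunk.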


@ -2116,7 +2116,7 @@ def run_sae_pwe_group(dev, apdev, group):
check_sae_capab(dev[0])
tls = dev[0].request("GET tls_library")
if group in [27, 28, 29, 30]:
if tls.startswith("OpenSSL") and "run=OpenSSL 1." in tls:
if tls.startswith("OpenSSL") and ("run=OpenSSL 1." in tls or "run=OpenSSL 3." in tls):
logger.info("Add Brainpool EC groups since OpenSSL is new enough")
else:
raise HwsimSkip("Brainpool curve not supported")


@ -27,7 +27,7 @@ def check_suite_b_tls_lib(dev, dhe=False, level128=False):
if not tls.startswith("OpenSSL"):
raise HwsimSkip("TLS library not supported for Suite B: " + tls)
supported = False
for ver in ['1.0.2', '1.1.0', '1.1.1']:
for ver in ['1.0.2', '1.1.0', '1.1.1', '3.0']:
if "build=OpenSSL " + ver in tls and "run=OpenSSL " + ver in tls:
supported = True
break