tests: Update capability checks to include OpenSSL 3.0

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Jouni Malinen 2022-01-11 17:21:40 +02:00 committed by Jouni Malinen
parent 500813f9f3
commit f5fcac731f
5 changed files with 18 additions and 25 deletions


@ -97,6 +97,11 @@ def check_pkcs5_v15_support(dev):
if "BoringSSL" in tls or "GnuTLS" in tls: if "BoringSSL" in tls or "GnuTLS" in tls:
raise HwsimSkip("PKCS#5 v1.5 not supported with this TLS library: " + tls) raise HwsimSkip("PKCS#5 v1.5 not supported with this TLS library: " + tls)
def check_tls13_support(dev):
tls = dev.request("GET tls_library")
if "run=OpenSSL 1.1.1" not in tls and "run=OpenSSL 3.0" not in tls:
raise HwsimSkip("TLS v1.3 not supported")
def check_ocsp_multi_support(dev): def check_ocsp_multi_support(dev):
tls = dev.request("GET tls_library") tls = dev.request("GET tls_library")
if not tls.startswith("internal"): if not tls.startswith("internal"):
@ -3971,7 +3976,7 @@ def test_ap_wpa2_eap_fast_cipher_suites(dev, apdev):
if cipher == "RC4-SHA" and \ if cipher == "RC4-SHA" and \
("Could not select EAP method" in str(e) or \ ("Could not select EAP method" in str(e) or \
"EAP failed" in str(e)): "EAP failed" in str(e)):
if "run=OpenSSL 1.1" in tls: if "run=OpenSSL 1.1" in tls or "run=OpenSSL 3.0" in tls:
logger.info("Allow failure due to missing TLS library support") logger.info("Allow failure due to missing TLS library support")
dev[0].request("REMOVE_NETWORK all") dev[0].request("REMOVE_NETWORK all")
dev[0].wait_disconnected() dev[0].wait_disconnected()
@ -5905,7 +5910,7 @@ def test_ap_wpa2_eap_tls_versions(dev, apdev):
"tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=1", "TLSv1.1") "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=1", "TLSv1.1")
check_tls_ver(dev[2], hapd, check_tls_ver(dev[2], hapd,
"tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1") "tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
if "run=OpenSSL 1.1.1" in tls: if "run=OpenSSL 1.1.1" in tls or "run=OpenSSL 3.0" in tls:
check_tls_ver(dev[0], hapd, check_tls_ver(dev[0], hapd,
"tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=0", "TLSv1.3") "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=0", "TLSv1.3")
@ -5937,9 +5942,7 @@ def test_ap_wpa2_eap_tls_13(dev, apdev):
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
hapd = hostapd.add_ap(apdev[0], params) hapd = hostapd.add_ap(apdev[0], params)
tls = dev[0].request("GET tls_library") check_tls13_support(dev[0])
if "run=OpenSSL 1.1.1" not in tls:
raise HwsimSkip("TLS v1.3 not supported")
id = eap_connect(dev[0], hapd, "TLS", "tls user", id = eap_connect(dev[0], hapd, "TLS", "tls user",
ca_cert="auth_serv/ca.pem", ca_cert="auth_serv/ca.pem",
client_cert="auth_serv/user.pem", client_cert="auth_serv/user.pem",
@ -5961,9 +5964,7 @@ def test_ap_wpa2_eap_ttls_13(dev, apdev):
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
hapd = hostapd.add_ap(apdev[0], params) hapd = hostapd.add_ap(apdev[0], params)
tls = dev[0].request("GET tls_library") check_tls13_support(dev[0])
if "run=OpenSSL 1.1.1" not in tls:
raise HwsimSkip("TLS v1.3 not supported")
id = eap_connect(dev[0], hapd, "TTLS", "pap user", id = eap_connect(dev[0], hapd, "TTLS", "pap user",
anonymous_identity="ttls", password="password", anonymous_identity="ttls", password="password",
ca_cert="auth_serv/ca.pem", ca_cert="auth_serv/ca.pem",
@ -5986,9 +5987,7 @@ def test_ap_wpa2_eap_peap_13(dev, apdev):
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
hapd = hostapd.add_ap(apdev[0], params) hapd = hostapd.add_ap(apdev[0], params)
tls = dev[0].request("GET tls_library") check_tls13_support(dev[0])
if "run=OpenSSL 1.1.1" not in tls:
raise HwsimSkip("TLS v1.3 not supported")
id = eap_connect(dev[0], hapd, "PEAP", "user", id = eap_connect(dev[0], hapd, "PEAP", "user",
anonymous_identity="peap", password="password", anonymous_identity="peap", password="password",
ca_cert="auth_serv/ca.pem", ca_cert="auth_serv/ca.pem",
@ -6019,13 +6018,9 @@ def test_ap_wpa2_eap_tls_13_ec(dev, apdev):
"private_key": "auth_serv/ec-server.key", "private_key": "auth_serv/ec-server.key",
"tls_flags": "[ENABLE-TLSv1.3]"} "tls_flags": "[ENABLE-TLSv1.3]"}
hapd = hostapd.add_ap(apdev[0], params) hapd = hostapd.add_ap(apdev[0], params)
tls = hapd.request("GET tls_library") check_tls13_support(hapd)
if "run=OpenSSL 1.1.1" not in tls:
raise HwsimSkip("TLS v1.3 not supported")
tls = dev[0].request("GET tls_library") check_tls13_support(dev[0])
if "run=OpenSSL 1.1.1" not in tls:
raise HwsimSkip("TLS v1.3 not supported")
id = eap_connect(dev[0], hapd, "TLS", "tls user", id = eap_connect(dev[0], hapd, "TLS", "tls user",
ca_cert="auth_serv/ec-ca.pem", ca_cert="auth_serv/ec-ca.pem",
client_cert="auth_serv/ec-user.pem", client_cert="auth_serv/ec-user.pem",
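Review bot: check_tls13_support() in the first hunk accepts only the literal prefixes `run=OpenSSL 1.1.1` and `run=OpenSSL 3.0`, so a device reporting a later 3.x runtime would raise HwsimSkip and the TLS v1.3 EAP-TLS, EAP-TTLS and EAP-PEAP cases would silently stop running there. The run_sae_pwe_group change in this same commit matches `run=OpenSSL 3.` instead; using that prefix here, `if "run=OpenSSL 1.1.1" not in tls and "run=OpenSSL 3." not in tls:`, would keep the two consistent. The same `3.0` literal appears in the test_ap_wpa2_eap_fast_cipher_suites and test_ap_wpa2_eap_tls_versions hunks, in run_fils_sk_pfs and in the version list of check_suite_b_tls_lib. The new helper also has no docstring; `"""Skip the test unless dev reports an OpenSSL runtime with TLS v1.3 support."""` would do, and it could note that the tls_13_ec hunk passes both hapd and dev[0] to it.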


@ -12,7 +12,7 @@ import time
import hostapd import hostapd
from utils import * from utils import *
from test_ap_eap import int_eap_server_params from test_ap_eap import int_eap_server_params, check_tls13_support
from test_ap_psk import find_wpas_process, read_process_memory, verify_not_present, get_key_locations from test_ap_psk import find_wpas_process, read_process_memory, verify_not_present, get_key_locations
def test_erp_initiate_reauth_start(dev, apdev): def test_erp_initiate_reauth_start(dev, apdev):
@ -329,9 +329,7 @@ def test_erp_radius_eap_methods(dev, apdev):
def test_erp_radius_eap_tls_v13(dev, apdev): def test_erp_radius_eap_tls_v13(dev, apdev):
"""ERP enabled on RADIUS server and peer using EAP-TLS v1.3""" """ERP enabled on RADIUS server and peer using EAP-TLS v1.3"""
check_erp_capa(dev[0]) check_erp_capa(dev[0])
tls = dev[0].request("GET tls_library") check_tls13_support(dev[0])
if "run=OpenSSL 1.1.1" not in tls:
raise HwsimSkip("No TLS v1.3 support in TLS library")
eap_methods = dev[0].get_capability("eap") eap_methods = dev[0].get_capability("eap")
start_erp_as(tls13=True) start_erp_as(tls13=True)


@ -1420,10 +1420,10 @@ def run_fils_sk_pfs(dev, apdev, group, params):
tls = dev[0].request("GET tls_library") tls = dev[0].request("GET tls_library")
if int(group) in [25]: if int(group) in [25]:
if not (tls.startswith("OpenSSL") and ("build=OpenSSL 1.0.2" in tls or "build=OpenSSL 1.1" in tls) and ("run=OpenSSL 1.0.2" in tls or "run=OpenSSL 1.1" in tls)): if not (tls.startswith("OpenSSL") and ("build=OpenSSL 1.0.2" in tls or "build=OpenSSL 1.1" in tls or "build=OpenSSL 3.0" in tls) and ("run=OpenSSL 1.0.2" in tls or "run=OpenSSL 1.1" in tls or "run=OpenSSL 3.0" in tls)):
raise HwsimSkip("EC group not supported") raise HwsimSkip("EC group not supported")
if int(group) in [27, 28, 29, 30]: if int(group) in [27, 28, 29, 30]:
if not (tls.startswith("OpenSSL") and ("build=OpenSSL 1.0.2" in tls or "build=OpenSSL 1.1" in tls) and ("run=OpenSSL 1.0.2" in tls or "run=OpenSSL 1.1" in tls)): if not (tls.startswith("OpenSSL") and ("build=OpenSSL 1.0.2" in tls or "build=OpenSSL 1.1" in tls or "build=OpenSSL 3.0" in tls) and ("run=OpenSSL 1.0.2" in tls or "run=OpenSSL 1.1" in tls or "run=OpenSSL 3.0" in tls)):
raise HwsimSkip("Brainpool EC group not supported") raise HwsimSkip("Brainpool EC group not supported")
start_erp_as(msk_dump=os.path.join(params['logdir'], "msk.lst")) start_erp_as(msk_dump=os.path.join(params['logdir'], "msk.lst"))
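Review bot: The two `if not (...)` conditions in run_fils_sk_pfs are the same long expression repeated for group 25 and for groups 27-30, and this change had to edit both copies identically. Computing it once before the branches would make the next version addition a single edit: `vers = ["1.0.2", "1.1", "3.0"]`, then `ec_ok = tls.startswith("OpenSSL") and any("build=OpenSSL " + v in tls for v in vers) and any("run=OpenSSL " + v in tls for v in vers)`, with each branch testing `if not ec_ok:`. The function starts before the hunk and continues after it.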


@ -2116,7 +2116,7 @@ def run_sae_pwe_group(dev, apdev, group):
check_sae_capab(dev[0]) check_sae_capab(dev[0])
tls = dev[0].request("GET tls_library") tls = dev[0].request("GET tls_library")
if group in [27, 28, 29, 30]: if group in [27, 28, 29, 30]:
if tls.startswith("OpenSSL") and "run=OpenSSL 1." in tls: if tls.startswith("OpenSSL") and ("run=OpenSSL 1." in tls or "run=OpenSSL 3." in tls):
logger.info("Add Brainpool EC groups since OpenSSL is new enough") logger.info("Add Brainpool EC groups since OpenSSL is new enough")
else: else:
raise HwsimSkip("Brainpool curve not supported") raise HwsimSkip("Brainpool curve not supported")


@ -27,7 +27,7 @@ def check_suite_b_tls_lib(dev, dhe=False, level128=False):
if not tls.startswith("OpenSSL"): if not tls.startswith("OpenSSL"):
raise HwsimSkip("TLS library not supported for Suite B: " + tls) raise HwsimSkip("TLS library not supported for Suite B: " + tls)
supported = False supported = False
for ver in ['1.0.2', '1.1.0', '1.1.1']: for ver in ['1.0.2', '1.1.0', '1.1.1', '3.0']:
if "build=OpenSSL " + ver in tls and "run=OpenSSL " + ver in tls: if "build=OpenSSL " + ver in tls and "run=OpenSSL " + ver in tls:
supported = True supported = True
break break