Commit graph

124 commits

Author SHA1 Message Date
Michael Braun
57af507ea7 tests: Untagged VLAN ID with EGRESS_VLANID RADIUS attribute
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-02-17 11:46:13 +02:00
Michael Braun
629d369674 tests: Verify tagged-only connectivity
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-02-17 11:46:13 +02:00
Jouni Malinen
31dd315382 tests: PKCS#12 with extra certs on the server
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-06 01:14:43 +02:00
Jouni Malinen
504108dbdf tests: Generate new certificates for Suite B test cases
The previous version expired in January. The new ones are from running
ec-generate.sh and ec2-generate.sh again.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-02 00:09:20 +02:00
Jouni Malinen
d8e5a55f1e tests: WPS and EAP-WSC in network profile
This goes through some error paths that do not really show up in real
WPS use cases.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-13 22:08:04 +02:00
Jouni Malinen
992007c515 tests: Fix ERP anonymous_identity test cases
These need to be run without realm in the identity value to allow the
realm from the anonymous_identity to be used.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-13 22:03:23 +02:00
Jouni Malinen
4e34f56f3c tests: Renew the expired OCSP responder certificate
This certificate expired and that makes couple of test cases fail.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-13 00:38:29 +02:00
Jouni Malinen
40c654cc1d tests: EAP-SIM with external GSM auth and replacing SIM
These test cases verify that EAP-SIM with external GSM auth supports the
use case of replacing the SIM. The first test case does this incorrectly
by not clearing the pseudonym identity (anonymous_identity in the
network profile) while the second one clears that and shows successful
connection.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-08 18:03:11 +02:00
Jouni Malinen
52811b8c90 tests: EAP-TLS with intermediate CAs and OCSP multi
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-24 00:54:30 +02:00
Jouni Malinen
98d125cafa tests: Minimal testing of OCSP stapling with ocsp_multi
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-23 00:32:52 +02:00
Jouni Malinen
09a4404a33 tests: EAP-PEAP version forcing
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-19 20:59:14 +02:00
Jouni Malinen
96bf8fe104 tests: PKCS #8 private key with PKCS #5 v1.5 and v2.0 format
This verifies client private key use in encrypted PKCS #8 format with
PKCS #5 v1.5 format using pbeWithMD5AndDES-CBC and PKCS #5 v2.0 format
using PBES2 with des-ede3-cbc.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-05 20:27:27 +02:00
Jouni Malinen
d6ba709aa3 tests: EAP-TLS with SHA512/SHA384 signature
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-30 00:39:38 +02:00
Jouni Malinen
7c0d66cf7a tests: EAP-MSCHAPv2 error cases
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-12 01:55:00 +03:00
Jouni Malinen
d79ce4a6ce tests: Additional OCSP coverage
Verify OCSP stapling response that is signed by the CA rather than a
separate OCSP responder. In addition, verify that invalid signer
certificate (missing OCSP delegation) gets rejected.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-10 17:32:53 +03:00
Jouni Malinen
aeba66b28e tests: Fix OCSP response for ap_wpa2_eap_ttls_ocsp_revoked
Due to a serial number mismatch, the correct "revoked" status was not
used; instead "unknown" was used. While the test case would not fail for
this, incorrect code path was checked.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-10-02 19:16:04 +03:00
Jouni Malinen
403610d386 tests: Update server and user certificates (2015)
The previous versions expired, so need to re-sign these to fix number of
the EAP test cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-01 01:37:47 +03:00
Jouni Malinen
6da3b745f1 tests: Try users2.pkcs12 twice to add coverage
This allows manual verification of extra PKCS#12 certificate processing.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-11 01:10:15 +03:00
Jouni Malinen
d35b0227c1 tests: Use openssl pkcs12 -descert workaround to allow FIPS mode
The PKCS12 file with default openssl options cannot be used with OpenSSL
1.0.1 in FIPS mode. Replace this with -descert version as a workaround.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-02 16:52:56 +03:00
Jouni Malinen
405c621cdb tests: WPA2-Enterprise connection using MAC ACL
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-01 00:34:27 +03:00
Jouni Malinen
b3ff3decf6 tests: DH parameter file DSA conversion and error cases
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-06-29 23:23:56 +03:00
Jouni Malinen
0c83ae0469 tests: EAP-TLS with PKCS12 that includes additional certificates
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-06-29 23:23:56 +03:00
Jouni Malinen
b197a8194b tests: EAP-TLS and server checking CRL
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-06-29 23:23:56 +03:00
Jouni Malinen
5748d1e5f8 tests: EAP-TTLS with server certificate valid beyond UNIX time 2^31
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-24 11:24:35 +03:00
Jouni Malinen
768ea0bc32 tests: DH params with 2048-bit key
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-24 11:03:42 +03:00
Jouni Malinen
0d33f5040f tests: EAP-PEAP/MSCHAPv2 with domain name
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-29 22:06:06 +03:00
Jouni Malinen
b898a6ee72 tests: WPA2-Enterprise connection using EAP-pwd and NTHash
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-28 09:45:25 +02:00
Jouni Malinen
4bcedaa400 tests: Re-sign expired test certificates
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-19 14:18:57 +02:00
Jouni Malinen
3a4bace428 tests: RADIUS server changing VLAN ID assignment
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-30 01:11:56 +02:00
Jouni Malinen
4a4cd04cad tests: RADIUS MAC ACL and accounting enabled
This ends up using the special User-Name = STA MAC address case for
Accounting-Request. In addition, add Chargeable-User-Identity for one of
the STAs.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-29 15:55:48 +02:00
Jouni Malinen
95a15d793e tests: EAP-GTC server error cases
In addition, no-password-configured coverage extended to EAP-MD5 and
EAP-MSCHAPv2 as well.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-28 15:59:36 +02:00
Jouni Malinen
37551fe374 tests: Suite B 192-bit profile
This adds a Suite B test case for 192-bit level.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-27 01:43:55 +02:00
Jouni Malinen
4113a96bba tests: Complete Suite B 128-bit coverage
Enable BIP-GMAC-128 and enforce Suite B profile for TLS.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-27 01:43:55 +02:00
Jouni Malinen
37b4a66ce6 tests: Valid OCSP response with revoked and unknown cert status
This increases testing coverage for OCSP processing by confirming that
valid OCSP response showing revoked certificate status prevents
successful handshake completion. In addition, unknown certificate status
is verified to prevent connection if OCSP is required and allow
connection if OCSP is optional.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
279a0afffb tests: Generate a fresh OCSP response for each test run
GnuTLS has a hardcoded three day limit on OCSP response age regardless
of the next update value in the response. To make this work in the test
scripts, try to generate a new response when starting the authentication
server. The old mechanism of a response without next update value is
used as a backup option if openssl is not available or fails to generate
the response for some reason.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
62750c3e80 tests: Use RSA key format in ap_wpa2_eap_tls_blob
This format as a DER encoded blob is supported by both OpenSSL and
GnuTLS while the previous OpenSSL specific format did not get accepted
by GnuTLS.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
5b3c40a65b tests: Verify that wpa_supplicant clears keys from memory
Check that PMK and PTK and not left in memory (heap or stack)
unnecessarily after they are not needed anymore.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-30 10:37:02 +02:00
Jouni Malinen
f41f670ea5 tests: ERP with EAP-IKEv2
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-20 23:48:53 +02:00
Jouni Malinen
acc9a635c8 tests: EAP Re-authentication Protocol (ERP)
This tests RP EAP-Initiate/Re-auth-Start transmission, ERP key
derivation, and EAP-Initiate/Re-auth + EAP-Finish/Re-auth exchange and
rMSK derivation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-04 12:16:29 +02:00
Jouni Malinen
2cde175a93 tests: PMKSA cache entry timeout based on Session-Timeout
This verifies that hostapd uses Session-Timeout value from Access-Accept
as the lifetime for the PMKSA cache entries and expires entries both
while the station is disconnected and during an association.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-10-04 23:01:08 +03:00
Jouni Malinen
c1d1b6998d tests: Update server and user certificates
The previous versions expired, so need to re-sign these to fix number of
the EAP test cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-09-30 00:40:23 +03:00
Jouni Malinen
8583d66478 tests: EAP-AKA' and EAP-AKA both enabled (bidding mechanism)
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-18 00:04:18 +03:00
Jouni Malinen
95fb531ccc tests: EAP-TTLS/EAP-AKA, EAP-PEAP/EAP-AKA, EAP-FAST/EAP-AKA
These add some more EAP-TTLS/PEAP/FAST coverage to test pending Phase 2
response re-processing.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-17 23:43:50 +03:00
Jouni Malinen
5a0c15174b tests: UNAUTH-TLS
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-11 22:47:25 +03:00
Jouni Malinen
5b1aaf6cfb tests: EAP-SIM/AKA/AKA' with SQLite
Extend EAP-SIM/AKA/AKA' test coverage by setting up another
authentication server instance to store dynamic SIM/AKA/AKA' information
into an SQLite database. This allows the stored reauth/pseudonym data to
be modified on the server side and by doing so, allows testing fallback
from reauth to pseudonym/permanent identity.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-11 17:57:28 +03:00
Jouni Malinen
0403fa0a93 tests: Increas EAP-pwd fragmentation coverage
Verify fragmentation of additional message types.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-06 00:52:13 +03:00
Jouni Malinen
a0f350fd79 tests: EAP-SIM server using GSM triplets
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-30 16:28:48 +03:00
Jouni Malinen
19d64886ef tests: RADIUS MAC ACL
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-29 19:32:45 +02:00
Jouni Malinen
c37b02fcc4 tests: Authentication server using PKCS#12 file
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-20 00:16:00 +02:00
Jouni Malinen
8fc1f204df tests: HS 2.0 session information URL
Verify that session information is stored from Access-Accept and sent to
the station at the requested timeout. Verify that station processes this
notification.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-10 11:34:31 +02:00
Jouni Malinen
4056b0c747 tests: RADIUS Class attribute
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-10 11:16:29 +02:00
Jouni Malinen
76a30196ad tests: PMKSA cache and Chargeable-User-Identity
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-10 00:51:14 +02:00
Jouni Malinen
5cf8801181 tests: HS 2.0 subscription remediation notification
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-08 11:49:23 +02:00
Jouni Malinen
fac1722787 tests: VLAN tests using RADIUS tunnel attributes
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-08 11:35:08 +02:00
Jouni Malinen
48ef12e75f tests: Verify HS 2.0 deauth request from RADIUS Access-Accept
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-08 11:35:08 +02:00
Jouni Malinen
14bef66d66 tests: Server certificate with both client and server EKU
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-02 10:35:33 +02:00
Jouni Malinen
9d756af73e tests: Verify RADIUS functionality over IPv6
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-02 10:35:33 +02:00
Jouni Malinen
9e709315d9 tests: Verify HS 2.0 OSEN connection
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-26 18:10:08 +02:00
Jouni Malinen
4fcee244b9 tests: Verify RADIUS server MIB values
Enable hostapd control interface for the RADIUS server instance and
verify that the RADIUS server MIB counters are incremented.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-02-15 21:39:31 +02:00
Jouni Malinen
4287bb76bf tests: Verify RADIUS accounting functionality
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-02-15 17:08:38 +02:00
Jouni Malinen
eac674402f tests: Verify NtPasswordHash with different UTF-8 cases
This adds a password that uses one, two, and three octet encoding
for UTF-8 characters. The value is tested against a pre-configured
hash to verify that utf8_to_ucs2() function works correctly.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-02-15 12:08:50 +02:00
Jouni Malinen
6ab4a7aa5a tests: EAP-TTLS and server certificate with client EKU
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-02-15 10:33:55 +02:00
Jouni Malinen
6a4d0dbe1c tests: Expired server certificate
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-02-15 10:28:22 +02:00
Jouni Malinen
64e05f9644 tests: Domain name suffix match against CN
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-02-15 10:19:16 +02:00
Jouni Malinen
d4c7a2b9e6 tests: EAP-TLS with OCSP
Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-08 17:45:56 +02:00
Jouni Malinen
2d10eb0efd tests: PKCS#12 use for EAP-TLS
Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-08 17:18:22 +02:00
Jouni Malinen
9f8994c623 tests: CA certificate in DER format
Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-08 17:06:36 +02:00
Jouni Malinen
e745c811ef tests: Verify EAP vendor test
Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-07 10:45:11 +02:00
Jouni Malinen
d0ce105068 tests: Verify EAP-PEAP/EAP-TLS
Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-07 10:45:11 +02:00
Jouni Malinen
e114c49cfc tests: Add an EAP-TLS test case
This fixes the user.key file (incorrect key was copied previously) and
adds a test case for EAP-TLS with WPA2-Enterprise.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-11-03 19:51:06 +02:00
Jouni Malinen
22b99086ce tests: Add more EAP test cases
This increases EAP method coverage for WPA2-Enterprise to include
EAP-pwd, EAP-GPSK, EAP-SAKE, EAP-EKE, EAP-IKEv2, EAP-PAX, and EAP-PSK.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-11-03 19:51:06 +02:00
Jouni Malinen
8fba2e5d42 tests: Add Hotspot 2.0 test cases for connecting with username
The test_ap_hs20_username* test cases verify that a username/password
credential can be used for Hotspot 2.0 connection and that the network
type is reported correctly.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-10-29 14:38:31 +02:00
Jouni Malinen
c7afc0789c tests: Add negative TLS test case to verify trust root validation
Signed-hostap: Jouni Malinen <j@w1.fi>
2013-10-20 21:38:02 +03:00
Jouni Malinen
479cbb3892 tests: Start RADIUS authentication server
This can be used to run WPA2-Enterprise test cases.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 19:14:16 +03:00