Verify that unexpected p256 client certificate gets rejected if the
server is configured to use Suite B at 192-bit level.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
PMF is supposed to be enabled automatically in sigma_dut, so remove
the explicit argument to do so from the commands.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
All SAE and OWE associations are expected to require PMF to be
negotiated, so enable or require PMF in AP and STA configurations
accordingly to match the new sigma_dut behavior.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
GnuTLS seems to require the intermediate CA certificate to be included
both in the ca_cert and client_cert file for the cases of server and
client certificates using different intermediate CA certificates. Use
the user_and_ica.pem file with GnuTLS builds and reorder the
certificates in that file to make this work with GnuTLS.
Signed-off-by: Jouni Malinen <j@w1.fi>
Check for unexpected connection to avoid timeout on TLS alert event if
the implementation does not check DH key size at all.
Signed-off-by: Jouni Malinen <j@w1.fi>
Need to ignore missing RX-ANQP event for the FILS Realm Info if
wpa_supplicant build does not include FILS support.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit b488a12948 ('Clear PMK length and
check for this when deriving PTK') started rejecting PTK derivation
based on PMK length. This reduced coverage from the eapol-fuzzer, so set
the default length when initializing the state machine in the fuzzer to
reach the previously used code paths.
Signed-off-by: Jouni Malinen <j@w1.fi>
Wait for test/allocation failure for longer than the wait_fail_trigger()
default two seconds to allow DPP (in particular, PKEX) retransmission to
occur. This removes some issues where the previous wait was more or less
exactly the same duration as the retransmission interval and the first
Listen operation not always starting quickly enough to receive the first
frame.
Signed-off-by: Jouni Malinen <j@w1.fi>
When executing ./start.sh with OpenSSL 1.1.0f, an OCSP operation fails.
Put "-sha256" ahead of "-serial" to fix this.
~# openssl version
OpenSSL 1.1.0f 25 May 2017
~# openssl ocsp -reqout /lkp/benchmarks/hwsim/tests/hwsim/logs/current/ocsp-req.der -issuer /lkp/benchmarks/hwsim/tests/hwsim/auth_serv/ca.pem -serial 0xD8D3E3A6CBE3CD12 -no_nonce -sha256
ocsp: Digest must be before -cert or -serial
ocsp: Use -help for summary.
~# openssl ocsp -reqout /lkp/benchmarks/hwsim/tests/hwsim/logs/current/ocsp-req.der -issuer /lkp/benchmarks/hwsim/tests/hwsim/auth_serv/ca.pem -sha256 -serial 0xD8D3E3A6CBE3CD12 -no_nonce
Signed-off-by: leishaoting <leist.fnst@cn.fujitsu.com>
src/crypto/libcrypto.a and src/tls/libtls.a have circular references
and will need special handling with the linker at least for the time
being. This could be cleaned up eventually, but for now, provide a
mechanism to get the program linked.
This was already done in tests/Makefile, but tests/eapol-fuzzer/Makefile
needs the same.
Signed-off-by: Jouni Malinen <j@w1.fi>
Do not include this argument in normal case, but add a test case to
cover the special extra check case.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This test case is not really realistic and the second connection attempt
would fail if additional AES-based ciphers get provisioned. Work this
around by dropping to CCMP only if other ciphers are present.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is needed to avoid false errors with GCMP-256 and CCMP-256 to be
added in the implementation.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The kernel started enforcing attribute lengths, and nl80211.py had been
doing it all wrong - the padding must be present, but not part of the
length.
Fix it to do it the right way.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
These test cases were failing when run immediately after
dpp_pkex_test_fail. It looks like timing of the TX status and the short
eloop wait were getting reordered in this cases. This ended up with some
of the DPP-TX-STATUS event messages missing. Instead of explicitly
checking for those message, simply count the number of DPP-TX messages
to verify that the correct number of retries are being sent.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Fix problem when running ap_ft test cases with real HW using remote
tests and hwsim wrapper by using the newer hostapd.app_ap() API.
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
These VHT160 with DFS cases were in a single test case to optimize test
execution time with parallel wait for the 60 second CAC. However, this
design has become difficult to support with the kernel changes that
allow radar events to be shared between interfaces. To avoid need for
more workarounds here just for testing purposes, split this into two
test cases so that conflicting events from another interface do not
cause the test case to fail.
Signed-off-by: Jouni Malinen <j@w1.fi>
These DFS radar detection cases were in a single test case to optimize
test execution time with parallel wait for the 60 second CAC. However,
this design has become difficult to support with the kernel changes that
allow radar events to be shared between interfaces. To avoid need for
more workarounds here just for testing purposes, split this into two
test cases so that conflicting events from another interface do not
cause the test case to fail.
Signed-off-by: Jouni Malinen <j@w1.fi>
mac80211_hwsim module typically dumps a lot of details into the kernel
message buffer. While it's probably okay in a dedicated VM, it's way too
chatty in other setups.
The kernel allows fine-tuning logging via the dynamic debugging
facility. Let's enable all logging locations in the mac80211_hwsim
module so that we don't loose debugging output when the kernel adopts
the dynamic debug mechanism for the driver.
Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
hostapd implementation was changed to use a valid Status Code when
rejecting the connection. This test case was forgotten at the time, but
it needs a matching change to allow the new value (1 instead of 14).
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows mesh_sae_groups_invalid and
wpas_mesh_secure_sae_group_negotiation to be run with BoringSSL (group
25 not available anymore).
Signed-off-by: Jouni Malinen <j@w1.fi>
Use absolute path name for configuration file to ensure the file can be
succesfully reloaded and read on SIGHUP signal. This is needed when
running the test case on host (i.e., not using a VM).
Signed-off-by: Sriram R <srirrama@qti.qualcomm.com>
Change the test condition from "is OpenSSL 1.0.2" to "is not OpenSSL
1.0.1", so that the TLSv1.2 test step gets executed with OpenSSL 1.0.2
and 1.1 (and newer).
Signed-off-by: Jouni Malinen <j@w1.fi>
Recent versions of tshark/wireshark renamed these fields, deal
with that in the tshark wrapper code.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Beacon more frequently since Probe Request frames are practically ignored
in this test setup (ext_mgmt_frame_handled=1 on hostapd side) and
wpa_supplicant scans may end up getting ignored if no new results are
available due to the missing Probe Response frames.
Signed-off-by: Jouni Malinen <j@w1.fi>
I find myself writing a version of this script every now and
then, but there's little point in that - just add one to the
tree so we can use it again.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
The extra sanity check for replay protection in these procedures ended
up breaking the tests. RESET_PN cannot be used before RESEND_* commands
since that would prevent the DUT from accepting the retransmitted
EAPOL-Key frames.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This describes how various wpa_supplicant/hostapd extensions can be used
to test IEEE 802.11 functionality in other devices.
Signed-off-by: Jouni Malinen <j@w1.fi>
These test cases do not really verify any specific DUT behavior
automatically, i.e., these are here to generate sniffer captures for
manual analysis.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The previous designed worked since wpa_supplicant did not track pending
request state. With such tracking added, this test case needs to make
sure there is a pending operation when injecting the invalid response.
Signed-off-by: Jouni Malinen <j@w1.fi>
The previous versions expired, so need to re-sign these to fix number of
the EAP test cases. In addition, add a shell script (update.sh) and the
needed CA files to automate this full update process.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new wpa_supplicant network parameter group_mgmt can be used to
specify which group management ciphers (AES-128-CMAC, BIP-GMAC-128,
BIP-GMAC-256, BIP-CMAC-256) are allowed for the network. If not
specified, the current behavior is maintained (i.e., follow what the AP
advertises). The parameter can list multiple space separate ciphers.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
There was a race condition on the sequence where iface.AbortScan() is
immediately followed by iface.Scan(). If the driver event
(NL80211_CMD_SCAN_ABORTED) arrived after the following new scan request,
the D-Bus operation failed. This is not what this test case is trying to
check, so wait for an indication of the previous scan having terminated
properly before issuing the next scan.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The STA can get disconnected event before the AP processed the
deauthentication frame, resulting in GET_FAIL command being sent too
early. Fix this by waiting for AP-STA-DISCONNECTED on AP side, too.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Import vht_supported from test_ap_vht to fix the following issue:
rrm_beacon_req_table_vht run failed: global name 'vht_supported' is not defined
Signed-off-by: Li Zhijian <lizhijian@cn.fujitsu.com>
This makes it easier to post-process frame capture files if frames need
to be decrypted in test cases that do not configure wlantest with the
PMK directly (i.e., mainly the cases when a RADIUS server is used).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Wait for the configuration step to complete before forcefully
terminating DPP listen. Previous version was causing failures for this
test case sequence:
dpp_qr_code_auth_initiator_enrollee dpp_pkex_config2
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
On slow machines or inside VM it may take some time for "DISCONNECTED"
event to arrive. Since the retry delay counter is started already, it
may result in less than 5 seconds time between "DISCONNECTED" and
"CONNECTED" events.
Fix the test by taking more accurate timestamps between the events.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Previously p2p_channel_drv_pref_* tests would fail
if dedicated P2P device is used, since the SET commands
were sent to incorrect interface.
Fix this by using a global control interface instead.
Signed-off-by: Adiel Aloni <adiel.aloni@intel.com>
We capture the dmesg that contains everything, but if a test
causes a kernel crash we will miss all logging at higher levels
like debug. Change the printk level to catch all of that too.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Lockdep no longer prints "INFO:" but now prints "WARNING:".
Also add the "*** DEADLOCK ***" string it usually prints so
if it changes again we can keep finding that string.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>