Use imsi_privacy_cert as the name of the configuration parameter for the
X.509v3 certificate that contains the RSA public key needed for IMSI
privacy. The only allowed format for this information is a PEM-encoded
X.509 certificate, so the previous name was somewhat confusing.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Unfortunately, some objects (WlantestCapture, WpaSupplicant
and wpaspy.Ctrl) use __del__ and actually have some logic
there. This is more or less wrong, and we should be using
context managers for it. However, cleaning that up is a
pretty large task.
Unfortunately, __del__ can cause reentrant logging which is
wrong too, because it might be invoked while in the middle
of a logging call, and the __del__ of these objects closes
connections and logs while doing that.
Since we're (likely) using cpython, we can work around this
by explicitly calling gc.collect() in a context where the
logging and close is fine, not only ensuring that all the
connections are closed properly before the next test, but
also fixing the issue with reentrant logging.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Instead of printing a very long line of the failed tests, print the test
case names on separate lines up to the number of available lines at the
bottom of the screen. This avoids some issues with curses and overlong
lines. Furthermore, display the last failed test cases instead of
somewhat confusing sequence of test case names from the VMs.
Signed-off-by: Jouni Malinen <j@w1.fi>
This test case could fail if there was an old BSS entry from a previous
test case in the scan results.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This test case was checking the exact key info bits in EAPOL-Key frames
during PTK rekeying as such, needs to be updated to match the
implementation change on the Secure bit setting.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
There was a possible race condition here between the hostapd request
transmission and wpa_supplicant response command. Wait for the
wpa_supplicant event that indicates reception of the request before
issuing the DSCP_RESP command to avoid failures.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This information was already available from the nl80211 control port RX
path, but it was not provided to upper layers within wpa_supplicant and
hostapd. It can be helpful, so parse the information from the driver
event.
Signed-off-by: Jouni Malinen <j@w1.fi>
The wpa_supplicant implementation for this functionality is going to be
changed to not require disconnection, so prepare the test case to not
fail.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add RSA public key (in an X.509v3 certificate) and private key for IMSI
privacy. These were generated with
openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes -days 7500 \
-keyout imsi-privacy-key.pem -out imsi-privacy-cert.pem
Test the case where wpa_supplicant side RSA-OAEP operation for IMSI
privacy is done in an external component while the hostapd (EAP server)
processing of the encrypted identity is internal.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
These were testing only of SAE, not SAE-PK capability, and needs to be
skipped in SAE-PK is not included in the build.
Signed-off-by: Jouni Malinen <j@w1.fi>
We don't particularly care about the quality of random numbers
during the test. So far, there hasn't been an issue with the
RNG not being initialized completely, we only get a few prints
about uninitialized reads from urandom. However, if some tool
were to actually use /dev/random, it might get stuck. Call the
RNDADDTOENTCNT ioctl to unblock this.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
The previous versions are going to be expiring soon, so need to re-sign
these to avoid EAP test case failures. This contains updates from
running tests/hwsim/auth_server/update.sh.
Signed-off-by: Jouni Malinen <j@w1.fi>
This parameter has no impact to TLS client functionality, so these is
not really any point to maintain these test cases.
Signed-off-by: Jouni Malinen <j@w1.fi>
BoringSSL does not support group 25, so replace these cases with a
supported group 20 to meet the real testing need here.
Signed-off-by: Jouni Malinen <j@w1.fi>
BoringSSL is known not to support this option, so skip it to allow rest
of the test case to be performed without known failures.
Signed-off-by: Jouni Malinen <j@w1.fi>
git has started rejecting repositories owned by other users and refusing
to run the "git rev-parse HEAD" command in this type of cases. That
resulted in issues with the VM testing model where the VM is practically
running everything as root while the host is a normal development
environment and likely a non-root user owned files.
Fix this by fetching the commitid on the host and pass it to the VM so
that no git operations need to be run within the VM itself.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Do not add the --commit argument if the current git commitid cannot be
determined. This prevents complete failure to run the tests if the git
command cannot be used for some reason (like a recent change that
stopped allowing root user within the VM from running the git operation
for the case where the host system uses non-root account).
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Flush scan results to avoid failure caused by incorrect channel
selection based on an old result for the same BSSID. This was found with
the following test sequence:
ap_track_sta_no_auth dpp_network_intro_version_missing_req dpp_controller_relay_pkex
Signed-off-by: Jouni Malinen <j@w1.fi>
The first sock.recv() may return both the status,RUNNING and the
following status line if the sigma_dut process ends up being faster in
writing the result than the test script is in reading the result. This
resulted in unexpected behavior and odd error messages when parsing the
result in the test cases. Fix this by dropping the status,RUNNING line
from the result in case the buffer includes multiple lines.
Signed-off-by: Jouni Malinen <j@w1.fi>
This test case was assuming the Configurator would change the
netAccessKey curve every time based on the protocol keys, but that is
not the case anymore, so force that change here for a negative test.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This test case was assuming the Configurator would change the
netAccessKey curve every time based on the protocol keys, but that is
not the case anymore, so force that change here for a negative test.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Do not leave a large number of network added/removed events remaining
for the following test case to handle. This removes some possible
failure test case sequences like the following one:
wpas_ctrl_many_networks dbus_ap_scan_2_ap_mode_scan
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This test cases can fail if previously executed tests leave older scan
results in cfg80211 scan table. Clear that scan table explicitly to
avoid such issues.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This is needed to avoid pri/sec channel switching based on potential
scan results from the previous test cases.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
min-seq.py can be used to find a minimal test sequence that can be used
to reproduce test failures. This is meant for being able to process the
recently added "Failure sequence:" entries from parallel-vm.log to
reduce manual work needed to debug commonly failing test case sequences.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This is needed to avoid test failures when a previous test case might
have restricted the set of allowed SAE groups.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Flush scan results to avoid unexpected behavior due to scan results
remaining available from previous test cases.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Flush scan results to avoid unexpected behavior due to scan results
remaining available from previous test cases.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The test case name ap_ft_pmf_over_ds was used for two different test
cases which resulted in only one of those being used. Fix this by using
unique test case names.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Clear scan cache to avoid issues with old scan results from earlier test
cases. This caused issues like the following test case sequence failing:
rrm_beacon_req_active_ap_channels ap_ft_eap_dis_over_ds
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Clear scan results to avoid issues with get_bss() finding an entry from
an earlier test case when checking for mesh information.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Clear the scan cache on the AP before running this test since the HT40
operation on the 2.4 GHz band might get disallowed based on scan results
from earlier test cases. This was found with the following hwsim test
case sequence failing:
ap_acs_with_fallback_to_20 wpa2_ocv_ap_ht_mismatch
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Flush the scan table explicitly to avoid issues with the ROAM command if
the new AP is not found and an entry from a previous test case is used
instead. This was happening in a number of cases where a SAE test case
was run after sigma_dut_ap_cipher_gcmp_256 which used the second AP
instance and allowed that to show up in the scan results in the next
text case.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
These can fail if the scan results from the previous test case remain,
e.g., when run immediately after scan_bss_limit.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add a couple of more channel configuration cases and log the channel
parameters with more details in the test log.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
A number of test cases using 40 MHz or wider channels with the primary
channel 36 were failing when executed after dpp_chirp_ap_5g since that
test case was running an AP on the channel 40 and resulting in need to
swap the primary and the secondary channels in the following test case.
Fix this by clearing the AP scan cache explicitly for such cases.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Flush the scan cache for all test cases that used get_bss() to check for
particular ANQP information. This was already done for one such case
based on commit dd900637b2 ("tests: Make gas_anqp_extra_elements more
robust"), but other test cases need this as well.
This was showing with frequent errors in test cases sequences like this
one:
dfs_radar_no_ht gas_fragment_with_comeback_delay gas_unknown_adv_proto gas_anqp_venue_url
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This is needed to avoid leaving behind a BSS entry with WPS enabled for
the next text case in some cases. In particular, this was causing issues
in the following sequence of test cases:
ap_wps_conf_chan14 ap_wps_cancel ap_wps_pin_request_file
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Now that wpa_supplicant does this internally as a part of the FLUSH
command, there is no need for the test scripts to try to clear the
parameter between test cases.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This test case could fail in some sequences like "sigma_dut_sae
scan_parsing" due to the ignore_old_scan_res parameter accidentally
being left to 1 by the former test case and the simulated scan result
being older than the previous scan trigger. Reduce the age of that scan
entry to make this less likely to happen.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The DPP Enrollee might wait for up to 60 seconds for the configuration,
so use a longer timeout value to be able to cover this negative test
case where the Configurator never sends the response.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
