If the server/client certificate includes the extKeyUsage extension,
verify that the listed key purposes include either the
anyExtendedKeyUsage wildcard or id-kp-serverAuth/id-kp-clientAuth,
respectively.
Signed-off-by: Jouni Malinen <j@w1.fi>
md4_vector(), md5_vector(), sha1_vector(), and sha256_vector() already
supported TEST_FAIL() with the OpenSSL crypto implementation, but the
same test functionality is needed for the internal crypto implementation
as well.
Signed-off-by: Jouni Malinen <j@w1.fi>
This test case fails with the current internal TLS client implementation
since the needed altsubject_match parameter is not yet supported.
Signed-off-by: Jouni Malinen <j@w1.fi>
It was possible for some NFC DH generation error paths to leak memory
since the old private/public key was not freed if an allocation failed.
Signed-off-by: Jouni Malinen <j@w1.fi>
The internal TLS implementation in wpa_supplicant supports TLS v1.2, so
verify that this version can be disabled.
Signed-off-by: Jouni Malinen <j@w1.fi>
The internal TLS client implementation in wpa_supplicant can now be used
with the phase2 parameters tls_disable_tlsv1_0=1, tls_disable_tlsv1_1=1,
and tls_disable_tlsv1_2=1 to disable the specified TLS version(s).
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes it simpler to add support for new TLS_CONN_* flags without
having to add a new configuration function for each flag.
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows wpa_supplicant to return eap_tls_version STATUS information
when using the internal TLS client implementation.
Signed-off-by: Jouni Malinen <j@w1.fi>
Since the internal TLS client implementation in wpa_supplicant now has
sufficient support for this functionality, allow the test case to be
executed.
Signed-off-by: Jouni Malinen <j@w1.fi>
The internal TLS client implementation can now be used with
ca_cert="probe://" to probe the server certificate chain. This is also
adding the related CTRL-EVENT-EAP-TLS-CERT-ERROR and
CTRL-EVENT-EAP-PEER-CERT events.
Signed-off-by: Jouni Malinen <j@w1.fi>
This extends the internal TLS client implementation to support signature
algorithms SHA384 and SHA512 in addition to the previously supported
SHA256.
Signed-off-by: Jouni Malinen <j@w1.fi>
Since we support only SHA256 (and not the default SHA1) with TLS v1.2,
the signature_algorithms extensions needs to be added into ClientHello.
This fixes interop issues with the current version of OpenSSL that uses
the default SHA1 hash if ClientHello does not specify allowed signature
algorithms.
Signed-off-by: Jouni Malinen <j@w1.fi>
This commit adds support for validating certificates with SHA384 and
SHA512 hashes. Those certificates are now very common so wpa_supplicant
needs support for them.
SHA384 and SHA512 hash functions are included in the previous commit.
Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
These will be used with the internal TLS implementation to extend hash
algorithm support for new certificates and TLS v1.2.
Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
This commit adds support for "hash://server/sha256/cert_hash_in_hex"
scheme in ca_cert property for the internal TLS implementation.
Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
In documentation is written: "If ca_cert and ca_path are not included,
server certificate will not be verified". This is the case when
wpa_supplicant is compiled with OpenSSL library, but when using the
internal TLS implementation and some certificates in CA chain are in
unsupported format (e.g., use SHA384 or SHA512 hash functions) then
verification fails even if ca_cert property is not specified.
This commit changes behavior so that certificate verification in
internal TLS implementation is really skipped when ca_cert is not
specified.
Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
gcc 4.8 vs 5.2 seem to compile eloop_register_sock() differently. With
5.2, that function name does not show up in the backtrace since
eloop_sock_table_add_sock() is used without a separate function call.
This broke the memory allocation failure checking in this test case. Fix
this by matching against the eloop_sock_table_add_sock() function which
shows up in the backtrace for both gcc versions.
Signed-off-by: Jouni Malinen <j@w1.fi>
If init_for_reauth fails, the EAP-SIM peer state was not freed properly.
Use eap_sim_deinit() to make sure all allocations get freed. This could
be hit only if no random data could be derived for NONCE_MT.
Signed-off-by: Jouni Malinen <j@w1.fi>
If hostapd AP started unexpectedly, this test case would fail with
NameError due to incorrect variable name being used to construct the
exception text.
Signed-off-by: Jouni Malinen <j@w1.fi>
This is needed for proper test execution. The recently added VHT 80+80
test cases started verifying channel bandwidth on the station side and
those checks fail if wpa_supplicant is built without
CONFIG_IEEE80211AC=y.
Signed-off-by: Jouni Malinen <j@w1.fi>
If /tmp has a relatively small size limit, or multiple people run the
tests on the same machine, using the same output directory can easily
cause problems.
Make the test framework honor the new HWSIM_TEST_LOG_DIR environment
variable to make it easier to avoid those problems.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
If wmediumd is available on the path, test that it can forward
packets between two virtual nodes and that stopping it makes
the regular in-kernel datapath do the needed work again.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
There is no need to wait for the initial client timeout in this type of
test sequence since that wait can be cleared by connecting and
disconnecting a client to the group. This allows the test case to be
executed much more quickly and the dependency on --long can be removed.
Signed-off-by: Jouni Malinen <j@w1.fi>
There is no need to wait for the initial client timeout in this type of
test sequence since that wait can be cleared by connecting and
disconnecting a client to the group. This allows the test case to be
executed much more quickly and the dependency on --long can be removed.
Signed-off-by: Jouni Malinen <j@w1.fi>
There is no need to wait for the initial client timeout in this type of
test sequence since that wait can be cleared by connecting and
disconnecting a client to the group. This allows the test case to be
executed much more quickly and the dependency on --long can be removed.
Signed-off-by: Jouni Malinen <j@w1.fi>
Use a dynamically added HWSimRadio to allow the MCC case to be covered
with a single test run with the mac80211_hwsim default radios disabling
MCC.
Signed-off-by: Jouni Malinen <j@w1.fi>
Use a dynamically added HWSimRadio to allow the MCC case to be covered
with a single test run with the mac80211_hwsim default radios disabling
MCC.
In addition, remove dependency on --long since this test case does not
really take that long.
Signed-off-by: Jouni Malinen <j@w1.fi>
Use a dynamically added HWSimRadio to allow the MCC case to be covered
with a single test run with the mac80211_hwsim default radios disabling
MCC.
In addition, remove dependency on --long since this test case does not
really take that long (just couple of seconds).
Signed-off-by: Jouni Malinen <j@w1.fi>
There is no need to wait for the initial client timeout in this type of
test sequence since that wait can be cleared by connecting and
disconnecting a client to the group. This allows the test case to be
executed much more quickly and the dependency on --long can be removed.
Signed-off-by: Jouni Malinen <j@w1.fi>
Use a dynamically added HWSimRadio to allow the MCC case to be covered
with a single test run with the mac80211_hwsim default radios disabling
MCC.
Signed-off-by: Jouni Malinen <j@w1.fi>
Use a dynamically added HWSimRadio to allow the MCC case to be covered
with a single test run with the mac80211_hwsim default radios disabling
MCC.
Signed-off-by: Jouni Malinen <j@w1.fi>
Convert p2ps_channel_active_go_and_station_different_mcc to use a
dynamically added HWSimRadio to allow the MCC case to be covered with a
single test run with the mac80211_hwsim default radios disabling MCC.
Signed-off-by: Jouni Malinen <j@w1.fi>
This may speed up some hwsim test case sequencies by avoiding a wait for
a scan at the end of a test case to complete.
Signed-off-by: Jouni Malinen <j@w1.fi>