Update the SAE-PK implementation to match the changes in the protocol
design:
- allow only Sec values 3 and 5 and encode this as a single bit field
with multiple copies
- add a checksum character
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Instead of overriding the subject field with something arbitrary, use
the value that is included in the CSR now that there is something there.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The parsed 'length' field might pointsbeyond the end of the frame, for
some malformed frames. I haven't figured the source of said packets (I'm
using kernel 4.14.177, FWIW), but we can at least be safer about our
handling of them here.
Signed-off-by: Brian Norris <briannorris@chromium.org>
Instead of checking if the kernel allows modules (via the presence of
/proc/modules), check if mac80211_hwsim is already there and load it
only if not. This gets rid of some ugly prints from modprobe in case
code isn't even a module and cannot be found, etc.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
With python3 bytes are returned for stdout, so need to use b''
strings instead of normal strings. These are just a few places
I ran into, almost certainly more places need it.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
If we want the test to actually use 160/80+80 we need to explicitly
advertise that we support it ourselves, since the kernel is going to be
a bit more strict about this.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Clear scan results explicitly in test cases that check BSS entry flags
to avoid incorrect failures based on results from earlier test cases.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Lambda >= 12 is needed with Sec = 2, so drop the shorter password
lengths in the sae_pk and module_wpa_supplicant test cases.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Now that there is a pending mac80211 patch ("mac80211: allow SA-QUERY
processing in userspace") to allow wpa_supplicant to take care of SA
Query Request processing, start enforcing correct behavior for this in
ocv_sa_query and wpa2_ocv_sta_override_sa_query_resp.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
If the current country code cannot be fetched, do not try to report the
current value in the log since that will result in TypeError exception.
Signed-off-by: Jouni Malinen <j@w1.fi>
Couple of VHT test cases missed explicit setting of hapd to None before
trying to start hostapd. Add those to avoid unexpected exceptions in
case hostapd start fails.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add a decorator that clears ignore_old_scan_res parameter value instead
of doing this with try/finally in large number of test cases.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add a decorator that disables IPv6 and requires running
under a VM, rather than open-coding that many times.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
The freqlist parameter uses comma, not space, separated values. Add
another test case for checking freqlist values that do not use the
preferred channel numbers to make sure the frequency list is actually
used as a constraint for selecting the channel.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add a test for delayed group rekey retransmission that checks that
the IGTK is protected against it by not resetting the IPN replay
counter when reinstalling such a key.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
While adding support for IGTK and BIGTK here, I tested this without
protections (i.e., with protections removed from both wpa_supplicant and
the driver), and while I got some bad resets on the debugfs values, it
should have failed with "unexpected connectivity".
Fix this to be correct - we need to reset the GTK PN, not the PTK PN in
this test.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Replace the gtk boolean by a keytype value indicating
GTK or PTK, to be able to extend to other types later.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
When run after other tests, It was likely that the target
bss was already present in scan_fail, so the
scan_for_bss() wouldn't trip the allocation failure in
wpa_bss_add(). Flush the scan results before the scan to
ensure wpa_bss_add() is called and consistently pass
scan_fail.
Signed-off-by: Thomas Pedersen <thomas@adapt-ip.com>
If sigma_dut is not installed, start_sigma_dut() will
throw an exception. Call start_sigma_dut() inside the
try/except to correctly reset the regulatory domain.
This fixes several seemingly random failures due to
regulatory domain not being reset.
Signed-off-by: Thomas Pedersen <thomas@adapt-ip.com>
The memory allocation in dpp_peer_intro() was moved into a helper
function dpp_check_signed_connector(), so update the test case to match.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This test case seems to be failing every now and then due to the AP not
getting out the Deauthentication frame after PMKSA expiration if the STA
is in power save mode.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
It looks like this test case was supposed to set power_save off at the
end instead of repeating the same setting twice.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
These test cases are using externally generated PMKSA cache entry which
does not support use of PFS. This will start failing if the station
claims to support PFS in such cases, so explicitly disable PFS
functionality in these test cases for now.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Otherwise the test will continue on and fail later due to unexpected
foreign ARP request. The try/except design here did not work properly to
detect this.
Signed-off-by: Thomas Pedersen <thomas@adapt-ip.com>
Crypto libraries are starting to refuse to accept the old shorter keys,
so move all test certificates and DH to use 2048 bit (or longer) keys.
Signed-off-by: Jouni Malinen <j@w1.fi>
Python 3.8 removed the previously used default of MD5 algorithm, so
provide the explicit digestmod=hashlib.md5 parameter to the couple of
places that were missing it.
Signed-off-by: Jouni Malinen <j@w1.fi>
The ap_beacon_rate_* test cases could end up terminating before the very
first Beacon frame is captured, so wait a bit after the connection to
make sure at least one Beacon frame is going to be in the capture file.
Signed-off-by: Jouni Malinen <j@w1.fi>
This test case was using sigma_dut to set sae_pwe=2, but that value was
not cleared in the end. This could result in following SAE test cases
failing due to unexpected behavior.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The eloop_register_read_sock() call in i802_init() will be skipped if
the driver supports control port for EAPOL RX, so need to skip this part
of the test case conditionally.
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes it more convenient to run tests with builds that disable
TKIP/WPA(v1) support completely.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This is in preparation for a hostapd implementation change on how to
address the unexpected RSNXE Used field value in FTE during FT
reassociation.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Verify hostapd behavior during FT protocol processing when a STA entry
is still present in the AP and that association has PMF negotiated.
Signed-off-by: Jouni Malinen <j@w1.fi>
Include support for MACsec testing in the (vm) kernel by default.
Don't include support in the example hostapd or wpa_supplicant configs
yet since that would potentially break the build on older distributions
like Ubuntu 16.04, which is supported until April 2021.
Signed-off-by: Thomas Pedersen <thomas@adapt-ip.com>
Specify the secondary channel offset and correct center_freq1 value to
make the parameters complete for a 40 MHz channel.
Signed-off-by: Jouni Malinen <j@w1.fi>
Include a defconfig for building kernel as UML. Also update the README
with a few notes related to UML.
Signed-off-by: Thomas Pedersen <thomas@adapt-ip.com>
Make the included kernel-config a little more minimal by checking in the
defconfig instead.
Generate the defconfig by checking out a linux at tag wt-2020-03-17,
copy kernel-config to .config, run
'yes "" | make oldconfig && make savedefconfig',
and copy resulting defconfig to kernel-config.
Signed-off-by: Thomas Pedersen <thomas@adapt-ip.com>
If we use user-mode-linux, we have time-travel, and then the --long
argument doesn't really make a difference, so just assume that's the
case.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
bgscan_learn_beacon_loss was failing quite frequently and it looks like
the background scans were related to those failures. Since those scans
are not really relevant to testing beacon loss, get rid of them in these
test cases to avoid incorrect failures.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The previously used normal data TX depends on undefined driver behavior
after all keys have been removed. That may not be available, so do this
more properly with frame injection through a monitor interface.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Stopping the AP from beaconing will also stop it from acknowledging
frames and that resulted in bgscan_learn_beacon_loss failing when
mac80211_hwsim is registering REPORTS_TX_ACK_STATUS. Work around this by
moving to using PMF so that the station ignores the unprotected
deauthentiation frames from the AP and also disabling SA Query. This
allows the AP to be stopped and restarted with large enough Beacon
interval to allow the station to detect beacon loss.
This is identical to the earlier design change for
bgscan_simple_beacon_loss (somehow this bgscan_learn_beacon_loss test
case managed to pass at that time).
Signed-off-by: Jouni Malinen <j@w1.fi>
It looks ike the authentication timeouts may continue a bit longer after
some kernel changes and that could result in temporarily disabling the
network profile. Give this test case more time to complete the
connection to avoid reporting failures unnecessarily.
Signed-off-by: Jouni Malinen <j@w1.fi>