Commit graph

8504 commits

Author SHA1 Message Date
Jouni Malinen
296186c006 tests: Make ap_mixed_security more robust
This test case uses get_bss() with a BSSID to find a BSS entry. That can
result in failures if there are multiple BSS entries in wpa_supplicant
BSS table for the same BSSID, e.g., due to an earlier hidden SSID test
case. Explicitly clear the cfg80211 and wpa_supplicant scan caches at
the beginning of this test case to make it less likely for earlier test
cases to trigger a failure here.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-18 12:50:20 +02:00
Jouni Malinen
092ac7bb0e tests: Hotspot 2.0 ANQP fetch with hidden SSID BSS entry
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-18 12:50:20 +02:00
Jouni Malinen
8266e6c6b4 HS 2.0: Try to use same BSS entry for storing GAS results
Commit 17b8995cf5 ('Interworking: Try to
use same BSS entry for storing GAS results') added a mechanism to try to
pair GAS request and response to a single BSS entry to cover cases where
multiple BSS entries may exists for the same BSSID. However, that commit
did not cover the Hotspot 2.0 ANQP elements. Extend this mechanism to
all ANQP elements. This can help in cases where information in the
Hotspot 2.0 specific ANQP elements got lost if a hidden SSID or some
other reason of duplicated BSS entries was present while doing ANQP
fetches.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-17 17:47:32 +02:00
Jouni Malinen
3dacd58b0d tests: Write BSS table to debug log in ap_mixed_security
This makes it easier to debug test failures in BSS entry flags field.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-17 17:22:38 +02:00
Jouni Malinen
7e3a6c9e21 tests: Mark proxyarp_open as skip if traffic test fails
This step requires kernel changes that are not yet in upstream Linux
tree, so mark this as skip rather than failure for now.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-17 17:15:42 +02:00
Jouni Malinen
0258cf1006 tests: Clean up ap_wpa2_eap_aka_ext
Use a loop over set of test values instead of duplicated functionality
implemented separately for each case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-17 17:09:46 +02:00
Jouni Malinen
584e4197bd tests: Make ap_wpa2_eap_aka_ext faster and more robust
Use SELECT_NETWORK instead of REASSOCIATE for the first reconnection to
avoid unnecessary long wait for temporary network disabling to be
cleared. In addition, wait for the disconnect event after issuing the
DISCONNECT commands to avoid issues due to any pending events during the
immediately following reconnection attempt.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-17 16:59:40 +02:00
Jouni Malinen
27f527e0e2 tests: ap_hs20_fetch_osu: Print osu-providers.txt in debug log
This makes it easier to figure out what happened if the test case fails
due to not finding all the needed OSU-PROVIDER information.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-17 16:03:43 +02:00
Jouni Malinen
6c69991382 Make wpa_supplicant FLUSH command more likely to clear all BSS entries
Move the wpa_bss_flush() call to the end of the function to allow any
pending user of a BSS entry to be cleared before removing the unused
entries. There were number of cases where BSS entries could have been
left in the list and this resulted in some hwsim test failures.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-17 15:39:48 +02:00
Jouni Malinen
2dbe63ad53 Write reason for scan only_new_results into debug log
This can be helpful in figuring out why the driver was requested to
flush its scan results prior to starting a new scan.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-17 13:54:16 +02:00
Jouni Malinen
a4a15cf1f9 tests: Skip some scan tests if iw does not support scan flush
The external cfg80211 scan flushing operation requires a relatively
recent iw version and not all distributions include that. Avoid false
failure reports by marking these test cases skipped if the iw command
fails.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-17 13:05:34 +02:00
Jouni Malinen
e246d7d5b3 tests: Fix test skipping for some DFS/VHT cases
Due to a typo and missing hapd variable initialization, some of the DFS
and VHT test cases were marked as failures even though they were
supposed to be marked as skipped in case the kernel and wireless-regdb
did not have sufficient support for these modes.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-17 13:04:11 +02:00
Jouni Malinen
fb9adae466 tests: Fix dbus_probe_req_reporting_oom if already registered
If dbus_probe_req_reporting was run before dbus_probe_req_reporting_oom,
the SubscribeProbeReq() method succeeded since the memory allocation
that was supposed to fail in the OOM test case was not even tried.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-17 12:39:00 +02:00
Jouni Malinen
90b10d4edd tests: EAP-TNC fragmentation
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-17 12:12:33 +02:00
Jouni Malinen
ee9533eb0e tests: EAP-MD5 server error cases
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-17 12:02:11 +02:00
Jouni Malinen
802bf82482 tests: Add optional -1 argument to parallel-vm.py
This can be used to skip rerunning of failed test cases
(e.g., with "./parallel-vm.py 1 -1 <test case>").

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-17 11:28:46 +02:00
Jouni Malinen
242b83a380 eapol_test: Fix cert_cb() function arguments
altsubject[] was added here, but the callback implementation in
eapol_test.c was forgotten from the commit.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-17 02:24:00 +02:00
Jouni Malinen
e912e4bc92 tests: Interworking auto_interworking=1 with mismatching BSS
This is a regression test case to detect a failure that resulted in an
up to five second busy loop through wpa_supplicant_fast_associate() when
interworking_find_network_match() and wpa_supplicant_select_bss() get
different matching results.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-17 01:53:44 +02:00
Jouni Malinen
a8826b1848 Interworking: Avoid busy loop in scan result mismatch corner cases
It was possible for interworking_find_network_match() to find a possible
BSS match in a case where more thorough checks in
wpa_supplicant_select_bss() reject network. This itself is fine, in
general, but when combined with wpa_supplicant_fast_associate()
optimization and auto_interworking=1, this resulted in a busy loop of up
to five seconds and a possible stack overflow due to recursion in that
loop.

Fix this by limiting the Interworking wpa_supplicant_fast_associate()
call to be used only once per scan iteration, so that new scan
operations can be completed before going through the scan results again.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-17 01:52:07 +02:00
Jouni Malinen
edd5939a26 Interworking: Start ANQP fetch from eloop callback
Reduce maximum stack use by starting next ANQP fetch operation from an
eloop callback rather than calling interworking_next_anqp_fetch()
directly from interworking_start_fetch_anqp(). This avoids issues that
could potentially make the process run out of stack if long loops of
ANQP operations are executed in cases where automatic Interworking
network selection is used and scan results do not have a full match for
a network.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-17 01:51:47 +02:00
Jouni Malinen
6ace81ea77 tests: Disconnect-Request with no session identification attributes
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-16 16:16:28 +02:00
Jouni Malinen
9921689759 tests: Use a helper function to send and check RADIUS DAS messages
No need to have this same sequence of steps duplicated in multiple
places.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-16 16:14:54 +02:00
Jouni Malinen
05dad77c8f tests: RADIUS DAS and Disconnect-Request removing PMKSA cache entry
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-16 16:07:52 +02:00
Jouni Malinen
cbc210de09 RADIUS DAS: Allow PMKSA cache entry to be removed without association
This extends Disconnect-Request processing to check against PMKSA cache
entries if no active session (STA association) match the request.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-16 15:55:39 +02:00
Jouni Malinen
e94a3f626d tests: RADIUS DAS with Acct-Multi-Session-Id
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-16 13:10:48 +02:00
Jouni Malinen
4e871ed1c3 RADIUS DAS: Support Acct-Multi-Session-Id as a session identifier
This extends Disconnect-Request support for an additiona session
identification attribute.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-16 13:09:44 +02:00
Jouni Malinen
b52c0d453f Add authMultiSessionId into hostapd STA info
dot1xAuthSessionId was previously used to make Acct-Session-Id available
through the control interface. While there is no IEEE 802.1X MIB
variable for Acct-Multi-Session-Id, it is useful to make this value
available as well.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-16 13:07:14 +02:00
Jouni Malinen
9142b4dd45 tests: Disconnect-Request multi-session-match
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-16 12:50:16 +02:00
Jouni Malinen
c2b48088f6 tests: Fix radius_das_disconnect match + non-match case
If Calling-Station-Id matches, but CUI does not, NAS is expected to
reject the request instead of accepting it. Verify that Disconnect-NAK
is returned for this.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-16 12:50:16 +02:00
Jouni Malinen
861beb7269 RADIUS DAS: Check for single session match for Disconnect-Request
Previously, the first matching STA was picked. That is not really the
design in RFC 5176, so extend this matching code to go through all
specified session identification attributes and verify that all of them
match. In addition, check for a possible case of multiple sessions
matching. If such a case is detected, return with Disconnect-NAK and
Error-Code 508 (multiple session selection not supported).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-16 12:50:16 +02:00
Jouni Malinen
201c9ad77f tests: STA not getting response to SA Query
This verifies that wpa_supplicant reconnects if PMF is enabled,
unprotected Deauthentication/Disassociation frame is received, and the
AP does not reply to SA Query.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-16 01:13:59 +02:00
Jouni Malinen
e1f8fe8851 tests: INTERWORKING_CONNECT after having found hidden SSID AP
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-15 12:29:02 +02:00
Jouni Malinen
783b2a977f Interworking: Fix INTERWORKING_CONNECT with zero-length SSID BSS entry
For Interworking connection to work, the SSID of the selected BSS needs
to be known to be able to associate with the AP. It was possible for the
scan results to include two BSS entries matching the BSSID when an
earlier scan with that AP has shown a hidden SSID configuration (e.g.,
when running hwsim test cases, but at least in theory, this could happen
with real use cases as well). When that happened, the incorrect BSS
entry may not have included RSN configuration and as such, it would get
rejected for Interworking connection.

Fix this by confirming that the selected BSS entry has a real SSID. If
not, try to find another BSS entry matching the same BSSID and use that,
if found with an SSID.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-15 12:24:18 +02:00
Jouni Malinen
1fef85c7c5 nl80211: Fix AP-scan-in-STA-mode error path behavior
If a second scan trigger attempt fails in STA mode, the error path was
supposed to restore the old mode that was in use before changing to STA
mode. However, wpa_driver_nl80211_set_mode() changes drv->nlmode on
success, so the recovery path needs to use the saved old_mode value
instead.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-15 00:59:14 +02:00
Jouni Malinen
061cbb258f tests: domain_match checking against server certificate
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-14 15:45:18 +02:00
Jouni Malinen
cebee30f31 Add domain_match network profile parameter
This is similar with domain_suffix_match, but required a full match of
the domain name rather than allowing suffix match (subdomains) or
wildcard certificates.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-14 15:45:18 +02:00
Jouni Malinen
2099fed400 tests: dbus_connect_eap to verify dNSName constraint configuration
This verifies that Certification signals include the expected
information on peer certificates and that dNSName constraint can be
configured based on that and is working both in matching and not
matching cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-14 15:45:18 +02:00
Jouni Malinen
d07d3fbda2 Add peer certificate alt subject name information to EAP events
A new "CTRL-EVENT-EAP-PEER-ALT depth=<i> <alt name>" event is now used
to provide information about server certificate chain alternative
subject names for upper layers, e.g., to make it easier to configure
constraints on the server certificate. For example:
CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:server.example.com

Currently, this includes DNS, EMAIL, and URI components from the
certificates. Similar information is priovided to D-Bus Certification
signal in the new altsubject argument which is a string array of these
items.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-14 15:45:18 +02:00
Jouni Malinen
98a4cd447e D-Bus: Clear cached EAP data on network profile changes
This makes D-Bus network profile Set(Properties) clear cached EAP data
similarly to how SET_NETWORK does for control interface.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-14 13:24:09 +02:00
Jouni Malinen
483dd6a5e0 Include peer certificate always in EAP events
This makes it easier for upper layer applications to get information
regarding the server certificate without having to use a special
certificate probing connection. This provides both the SHA256 hash of
the certificate (to be used with ca_cert="hash://server/sha256/<hash>",
if desired) and the full DER encoded X.509 certificate so that upper
layer applications can parse and display the certificate easily or
extract fields from it for purposes like configuring an altsubject_match
or domain_suffix_match.

The old behavior can be configured by adding cert_in_cb=0 to
wpa_supplicant configuration file.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-14 12:24:52 +02:00
Jouni Malinen
dd5f902584 Get rid of a compiler warning
Commit e7d0e97bdb ('hostapd: Add vendor
specific VHT extension for the 2.4 GHz band') resulted in a compiler
warning regarding comparison between signed and unsigned integers at
least for 32-bit builds.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-14 01:38:26 +02:00
Jouni Malinen
496c4e45d8 tests: Subset of VHT functionality on 2.4 GHz
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-14 01:12:56 +02:00
Jouni Malinen
d29fa3a767 Extend VENDOR_ELEM parameters to cover non-P2P Association Request
The new VENDOR_ELEM value 13 can now be used to add a vendor element
into all (Re)Association Request frames, not just for P2P use cases like
the previous item was for.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-14 01:12:56 +02:00
Jouni Malinen
615d8a9705 tests: Add room for more vendor elems in wpas_ctrl_vendor_elem
This test case was verifying that the first unused VENDOR_ELEM value
above the current maximum is rejected. That makes it a bit inconvenient
to add new entries, so increase the elem value to leave room for new
additions without having to continuously modify this test case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-14 01:12:56 +02:00
Yanbo Li
e7d0e97bdb hostapd: Add vendor specific VHT extension for the 2.4 GHz band
This allows vendor specific information element to be used to advertise
support for VHT on 2.4 GHz band. In practice, this is used to enable use
of 256 QAM rates (VHT-MCS 8 and 9) on 2.4 GHz band.

This functionality is disabled by default, but can be enabled with
vendor_vht=1 parameter in hostapd.conf if the driver advertises support
for VHT on either 2.4 or 5 GHz bands.

Signed-off-by: Yanbo Li <yanbol@qti.qualcomm.com>
2015-01-14 00:59:22 +02:00
Jouni Malinen
3e7f1c7980 GnuTLS: Add TLS event callbacks for chain success/failure and peer cert
This makes GnuTLS events match the ones provided when OpenSSL is used.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
37b4a66ce6 tests: Valid OCSP response with revoked and unknown cert status
This increases testing coverage for OCSP processing by confirming that
valid OCSP response showing revoked certificate status prevents
successful handshake completion. In addition, unknown certificate status
is verified to prevent connection if OCSP is required and allow
connection if OCSP is optional.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
0eb2ed067f GnuTLS: Add support for OCSP stapling as a client
This allows ocsp=2 to be used with wpa_supplicant when built with GnuTLS
to request TLS status extension (OCSP stapling) to be used to validate
server certificate validity.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
279a0afffb tests: Generate a fresh OCSP response for each test run
GnuTLS has a hardcoded three day limit on OCSP response age regardless
of the next update value in the response. To make this work in the test
scripts, try to generate a new response when starting the authentication
server. The old mechanism of a response without next update value is
used as a backup option if openssl is not available or fails to generate
the response for some reason.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
0ff7afbc42 tests: Verify mesh support for wpas_add_set_remove_support
This test case fails if wpa_supplicant is built without mesh support, so
need to check for this.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00