The internal TLS client implementation can now be used with
ca_cert="probe://" to probe the server certificate chain. This is also
adding the related CTRL-EVENT-EAP-TLS-CERT-ERROR and
CTRL-EVENT-EAP-PEER-CERT events.
Signed-off-by: Jouni Malinen <j@w1.fi>
This extends the internal TLS client implementation to support signature
algorithms SHA384 and SHA512 in addition to the previously supported
SHA256.
Signed-off-by: Jouni Malinen <j@w1.fi>
Since we support only SHA256 (and not the default SHA1) with TLS v1.2,
the signature_algorithms extensions needs to be added into ClientHello.
This fixes interop issues with the current version of OpenSSL that uses
the default SHA1 hash if ClientHello does not specify allowed signature
algorithms.
Signed-off-by: Jouni Malinen <j@w1.fi>
This commit adds support for validating certificates with SHA384 and
SHA512 hashes. Those certificates are now very common so wpa_supplicant
needs support for them.
SHA384 and SHA512 hash functions are included in the previous commit.
Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
These will be used with the internal TLS implementation to extend hash
algorithm support for new certificates and TLS v1.2.
Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
This commit adds support for "hash://server/sha256/cert_hash_in_hex"
scheme in ca_cert property for the internal TLS implementation.
Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
In documentation is written: "If ca_cert and ca_path are not included,
server certificate will not be verified". This is the case when
wpa_supplicant is compiled with OpenSSL library, but when using the
internal TLS implementation and some certificates in CA chain are in
unsupported format (e.g., use SHA384 or SHA512 hash functions) then
verification fails even if ca_cert property is not specified.
This commit changes behavior so that certificate verification in
internal TLS implementation is really skipped when ca_cert is not
specified.
Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
gcc 4.8 vs 5.2 seem to compile eloop_register_sock() differently. With
5.2, that function name does not show up in the backtrace since
eloop_sock_table_add_sock() is used without a separate function call.
This broke the memory allocation failure checking in this test case. Fix
this by matching against the eloop_sock_table_add_sock() function which
shows up in the backtrace for both gcc versions.
Signed-off-by: Jouni Malinen <j@w1.fi>
If init_for_reauth fails, the EAP-SIM peer state was not freed properly.
Use eap_sim_deinit() to make sure all allocations get freed. This could
be hit only if no random data could be derived for NONCE_MT.
Signed-off-by: Jouni Malinen <j@w1.fi>
If hostapd AP started unexpectedly, this test case would fail with
NameError due to incorrect variable name being used to construct the
exception text.
Signed-off-by: Jouni Malinen <j@w1.fi>
This is needed for proper test execution. The recently added VHT 80+80
test cases started verifying channel bandwidth on the station side and
those checks fail if wpa_supplicant is built without
CONFIG_IEEE80211AC=y.
Signed-off-by: Jouni Malinen <j@w1.fi>
If /tmp has a relatively small size limit, or multiple people run the
tests on the same machine, using the same output directory can easily
cause problems.
Make the test framework honor the new HWSIM_TEST_LOG_DIR environment
variable to make it easier to avoid those problems.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
If wmediumd is available on the path, test that it can forward
packets between two virtual nodes and that stopping it makes
the regular in-kernel datapath do the needed work again.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
There is no need to wait for the initial client timeout in this type of
test sequence since that wait can be cleared by connecting and
disconnecting a client to the group. This allows the test case to be
executed much more quickly and the dependency on --long can be removed.
Signed-off-by: Jouni Malinen <j@w1.fi>
There is no need to wait for the initial client timeout in this type of
test sequence since that wait can be cleared by connecting and
disconnecting a client to the group. This allows the test case to be
executed much more quickly and the dependency on --long can be removed.
Signed-off-by: Jouni Malinen <j@w1.fi>
There is no need to wait for the initial client timeout in this type of
test sequence since that wait can be cleared by connecting and
disconnecting a client to the group. This allows the test case to be
executed much more quickly and the dependency on --long can be removed.
Signed-off-by: Jouni Malinen <j@w1.fi>
Use a dynamically added HWSimRadio to allow the MCC case to be covered
with a single test run with the mac80211_hwsim default radios disabling
MCC.
Signed-off-by: Jouni Malinen <j@w1.fi>
Use a dynamically added HWSimRadio to allow the MCC case to be covered
with a single test run with the mac80211_hwsim default radios disabling
MCC.
In addition, remove dependency on --long since this test case does not
really take that long.
Signed-off-by: Jouni Malinen <j@w1.fi>
Use a dynamically added HWSimRadio to allow the MCC case to be covered
with a single test run with the mac80211_hwsim default radios disabling
MCC.
In addition, remove dependency on --long since this test case does not
really take that long (just couple of seconds).
Signed-off-by: Jouni Malinen <j@w1.fi>
There is no need to wait for the initial client timeout in this type of
test sequence since that wait can be cleared by connecting and
disconnecting a client to the group. This allows the test case to be
executed much more quickly and the dependency on --long can be removed.
Signed-off-by: Jouni Malinen <j@w1.fi>
Use a dynamically added HWSimRadio to allow the MCC case to be covered
with a single test run with the mac80211_hwsim default radios disabling
MCC.
Signed-off-by: Jouni Malinen <j@w1.fi>
Use a dynamically added HWSimRadio to allow the MCC case to be covered
with a single test run with the mac80211_hwsim default radios disabling
MCC.
Signed-off-by: Jouni Malinen <j@w1.fi>
Convert p2ps_channel_active_go_and_station_different_mcc to use a
dynamically added HWSimRadio to allow the MCC case to be covered with a
single test run with the mac80211_hwsim default radios disabling MCC.
Signed-off-by: Jouni Malinen <j@w1.fi>
This may speed up some hwsim test case sequencies by avoiding a wait for
a scan at the end of a test case to complete.
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes the run_tshark() operations more reliable while still
allowing to reduce the extra wait by forcing wlantest to flush the
packets to the pcapng file.
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes it easier to do live parsing of captured pcap files from
wlantest without having to rename and restart the capture file. Packet
writes are flushed to disk after each packet if -N is included in the
command line.
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes the test log more readable by converting the values to
integers and sorting the array.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This verifies the nl80211 behavior to abort a scan on an explicit
control interface request and on connection request.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Connect radio work is sometimes delayed for a considerable duration if
there is an ongoing scan radio work. To avoid these delays abort the
ongoing scan on that interface before queuing a connect request. Upon a
scan done indication from the driver, connect radio work will be
scheduled.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds the driver interface commands for issuing a request to abort
an ongoing scan operation.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is needed to avoid hitting WEP/TKIP detection in
ibss_mesh_setup_freq() if the previous connection used WEP or TKIP.
Previously, that could have resulted in VHT and HT getting disabled for
the mesh connection.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
NL80211_CMD_GET_STATION does not work with the IBSS/mesh BSSID, so clear
the signal strength instead of returning failure when SIGNAL_POLL is
used in an IBSS/mesh.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
A new network profile configuration parameter max_oper_chwidth=3 can be
used to specify preference to enable 80+80 MHz VHT channel for IBSS. If
that is set, the first 80 MHz segment is specified based on the
frequency parameter in the network profile and the second segment is
selected automatically (which will practically be limited to a single
possibility due to DFS requirements in most countries).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>