Commit graph

10260 commits

Author SHA1 Message Date
Jouni Malinen
7fff91ae51 Fix tls_connection_prf() regression with CONFIG_TLS=internal
Commit af851914f8 ('Make
tls_connection_get_keyblock_size() internal to tls_*.c') broke
tls_connection_prf() with the internal TLS implementation when using
skip_keyblock=1. In practice, this broke EAP-FAST. Fix this by deriving
the correct number of PRF bytes before skipping the keyblock.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 23:40:54 +02:00
Jouni Malinen
1adf262144 TLS: Add support for extKeyUsage X.509v3 extension
If the server/client certificate includes the extKeyUsage extension,
verify that the listed key purposes include either the
anyExtendedKeyUsage wildcard or id-kp-serverAuth/id-kp-clientAuth,
respectively.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 21:53:23 +02:00
Jouni Malinen
404597e630 tests: Skip ap_wpa2_eap_ttls_dh_params_dsa with internal TLS
DH DSA parameters are not yet supported.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 21:09:44 +02:00
Jouni Malinen
686eee77d2 tests: Skip PKCS#12 tests with internal TLS client implementation
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 21:07:39 +02:00
Jouni Malinen
07555778a7 Add TEST_FAIL() support for internal hash functions
md4_vector(), md5_vector(), sha1_vector(), and sha256_vector() already
supported TEST_FAIL() with the OpenSSL crypto implementation, but the
same test functionality is needed for the internal crypto implementation
as well.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 21:01:33 +02:00
Jouni Malinen
089e7ca372 tests: Skip dbus_connect_eap if altsubject_match is not supported
This test case fails with the current internal TLS client implementation
since the needed altsubject_match parameter is not yet supported.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 20:57:26 +02:00
Jouni Malinen
4104267e81 Fix memory leak on NFC DH generation error path
It was possible for some NFC DH generation error paths to leak memory
since the old private/public key was not freed if an allocation failed.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 20:53:20 +02:00
Jouni Malinen
c5ef7bbfa5 tests: Fix wpas_ctrl_oom with the internal TLS implementation
One of the OOM cases does not apply for internal crypto implementation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 20:43:44 +02:00
Jouni Malinen
c675f669c3 tests: Fix wpas_ctrl_network without SAE
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 20:38:34 +02:00
Jouni Malinen
e78eb40442 tests: Skip domain_match and domain_suffix_match with internal TLS
The internal TLS client in wpa_supplicant does not yet support the
functionality needed for these test cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 20:35:05 +02:00
Jouni Malinen
c5864dca5d TLS client: Add certificate chain validation failure callbacks
This adds more support for event_cb() calls for various server
certificate chain validation failures.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 20:32:52 +02:00
Jouni Malinen
2286578fe0 tests: TLS v1.2 check in ap_wpa2_eap_tls_versions for internal TLS
The internal TLS implementation in wpa_supplicant supports TLS v1.2, so
verify that this version can be disabled.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 20:04:26 +02:00
Jouni Malinen
896a97d712 TLS client: Add support for disabling TLS versions
The internal TLS client implementation in wpa_supplicant can now be used
with the phase2 parameters tls_disable_tlsv1_0=1, tls_disable_tlsv1_1=1,
and tls_disable_tlsv1_2=1 to disable the specified TLS version(s).

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 20:03:11 +02:00
Jouni Malinen
0cbc22b2eb TLS client: Use TLS_CONN_* flags
This makes it simpler to add support for new TLS_CONN_* flags without
having to add a new configuration function for each flag.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 19:48:17 +02:00
Jouni Malinen
20804fe844 TLS: Add support for tls_get_version()
This allows wpa_supplicant to return eap_tls_version STATUS information
when using the internal TLS client implementation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 19:41:37 +02:00
Jouni Malinen
bb0a72ab46 tests: Skip OCSP test cases with the internal TLS implementation
The internal TLS client implementation does not yet support OCSP.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 19:32:45 +02:00
Jouni Malinen
0fc1b583e2 tests: ap_wpa2_eap_ttls_server_cert_hash with internal TLS client
Since the internal TLS client implementation in wpa_supplicant now has
sufficient support for this functionality, allow the test case to be
executed.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 19:02:04 +02:00
Jouni Malinen
f2a6ad01a9 TLS client: Add support for server certificate probing
The internal TLS client implementation can now be used with
ca_cert="probe://" to probe the server certificate chain. This is also
adding the related CTRL-EVENT-EAP-TLS-CERT-ERROR and
CTRL-EVENT-EAP-PEER-CERT events.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 18:59:27 +02:00
Jouni Malinen
b115eebe01 TLS: Add TLS v1.2 signature algorithm support for SHA384 and SHA512
This extends the internal TLS client implementation to support signature
algorithms SHA384 and SHA512 in addition to the previously supported
SHA256.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 18:21:08 +02:00
Jouni Malinen
c0acec3934 crypto: Add CRYPTO_HASH_ALG_SHA384 and CRYPTO_HASH_ALG_SHA512
This extends the crypto_hash_*() API to support SHA384 and SHA512 when
built with CONFIG_TLS=internal.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 18:21:08 +02:00
Jouni Malinen
0aed9156ef TLS client: Add signature_algorithms extension into ClientHello
Since we support only SHA256 (and not the default SHA1) with TLS v1.2,
the signature_algorithms extensions needs to be added into ClientHello.
This fixes interop issues with the current version of OpenSSL that uses
the default SHA1 hash if ClientHello does not specify allowed signature
algorithms.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 18:21:07 +02:00
Pali Rohár
9e8809a717 TLS client: Validate certificates with SHA384 and SHA512 hashes
This commit adds support for validating certificates with SHA384 and
SHA512 hashes. Those certificates are now very common so wpa_supplicant
needs support for them.

SHA384 and SHA512 hash functions are included in the previous commit.

Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
2015-11-29 18:21:05 +02:00
Pali Rohár
6bb6a9ce29 Add SHA384 and SHA512 implementations from LibTomCrypt library
These will be used with the internal TLS implementation to extend hash
algorithm support for new certificates and TLS v1.2.

Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
2015-11-29 18:19:32 +02:00
Pali Rohár
fdc1614264 TLS client: Add support for validating server certificate hash
This commit adds support for "hash://server/sha256/cert_hash_in_hex"
scheme in ca_cert property for the internal TLS implementation.

Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
2015-11-29 11:45:59 +02:00
Pali Rohár
3665776e4e TLS client: Do not verify CA certificates when ca_cert is not specified
In documentation is written: "If ca_cert and ca_path are not included,
server certificate will not be verified". This is the case when
wpa_supplicant is compiled with OpenSSL library, but when using the
internal TLS implementation and some certificates in CA chain are in
unsupported format (e.g., use SHA384 or SHA512 hash functions) then
verification fails even if ca_cert property is not specified.

This commit changes behavior so that certificate verification in
internal TLS implementation is really skipped when ca_cert is not
specified.

Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
2015-11-29 11:39:25 +02:00
Jouni Malinen
9b35afd6ac tests: Fix OOM eloop_register_sock() test cases with new gcc
gcc 4.8 vs 5.2 seem to compile eloop_register_sock() differently. With
5.2, that function name does not show up in the backtrace since
eloop_sock_table_add_sock() is used without a separate function call.
This broke the memory allocation failure checking in this test case. Fix
this by matching against the eloop_sock_table_add_sock() function which
shows up in the backtrace for both gcc versions.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-28 20:48:16 +02:00
Jouni Malinen
d36ae37679 tests: EAP-SIM/AKA/AKA' error cases
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-28 20:46:36 +02:00
Jouni Malinen
11c9ddb766 Add TEST_FAIL() condition to aes_128_cbc_encrypt/decrypt()
This enables more error path testing.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-28 20:46:36 +02:00
Jouni Malinen
ea52a46e13 EAP-SIM peer: Fix memory leak on reauth error path
If init_for_reauth fails, the EAP-SIM peer state was not freed properly.
Use eap_sim_deinit() to make sure all allocations get freed. This could
be hit only if no random data could be derived for NONCE_MT.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-28 20:46:36 +02:00
Jouni Malinen
1a33c94ccc EAP-SAKE: Fix a typo in attribute parser debug print
Parsing AT_MSK_LIFE ended up writing a debug log entry with incorrect
attribute name (AT_IV).

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-28 12:25:42 +02:00
Jouni Malinen
288b6f8b85 tests: Extended coverage for the EAP-SAKE attribute parser
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-28 12:25:22 +02:00
Jouni Malinen
ab4ea0e948 tests: EAP-SAKE local error cases
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-28 11:53:31 +02:00
Jouni Malinen
c49b383f45 tests: Convert eap_proto_sake to use newer design
This makes it more convenient to extend the test case with new
message exchanges.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-28 11:22:21 +02:00
Jouni Malinen
6f2252614c tests: Fix error message for ap_open_out_of_memory
If hostapd AP started unexpectedly, this test case would fail with
NameError due to incorrect variable name being used to construct the
exception text.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-28 00:23:35 +02:00
Johannes Berg
1a4f18d8f4 tests: run-tests: Print more details about NameError
If encountering a NameError, print the entire traceback so that
it's actually debuggable.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2015-11-28 00:21:20 +02:00
Jouni Malinen
b6f17f2f5c tests: ERP protocol tests
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-28 00:18:49 +02:00
Jouni Malinen
12fff543b3 tests: Enable 802.11ac support in example wpa_supplicant config
This is needed for proper test execution. The recently added VHT 80+80
test cases started verifying channel bandwidth on the station side and
those checks fail if wpa_supplicant is built without
CONFIG_IEEE80211AC=y.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-27 21:11:53 +02:00
Johannes Berg
680ce356c0 tests: Honor HWSIM_TEST_LOG_DIR variable in VM runs
If /tmp has a relatively small size limit, or multiple people run the
tests on the same machine, using the same output directory can easily
cause problems.

Make the test framework honor the new HWSIM_TEST_LOG_DIR environment
variable to make it easier to avoid those problems.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2015-11-27 21:11:53 +02:00
Johannes Berg
10a15590f8 tests: Add a simple wmediumd test
If wmediumd is available on the path, test that it can forward
packets between two virtual nodes and that stopping it makes
the regular in-kernel datapath do the needed work again.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2015-11-27 21:11:53 +02:00
Jouni Malinen
f6c09bf46e tests: Remove HwsimSkip from p2p_channel
With the optimizations from the previous commits, none of the test cases
here need to be skipped.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-27 19:38:17 +02:00
Jouni Malinen
858d12f69a tests: Optimize p2p_go_move_active initial wait
There is no need to wait for the initial client timeout in this type of
test sequence since that wait can be cleared by connecting and
disconnecting a client to the group. This allows the test case to be
executed much more quickly and the dependency on --long can be removed.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-27 19:37:35 +02:00
Jouni Malinen
ae248721f4 tests: Optimize p2p_go_move_reg_change initial wait
There is no need to wait for the initial client timeout in this type of
test sequence since that wait can be cleared by connecting and
disconnecting a client to the group. This allows the test case to be
executed much more quickly and the dependency on --long can be removed.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-27 19:35:51 +02:00
Jouni Malinen
63b87a5aeb tests: Optimize p2p_go_move_scm_multi initial wait
There is no need to wait for the initial client timeout in this type of
test sequence since that wait can be cleared by connecting and
disconnecting a client to the group. This allows the test case to be
executed much more quickly and the dependency on --long can be removed.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-27 19:31:44 +02:00
Jouni Malinen
3acf68feb9 tests: Convert p2p_go_move_scm_multi to use dynamic hwsim
Use a dynamically added HWSimRadio to allow the MCC case to be covered
with a single test run with the mac80211_hwsim default radios disabling
MCC.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-27 19:30:02 +02:00
Jouni Malinen
d18df681b0 tests: Convert p2p_go_move_scm_peer_does_not_support to dynamic hwsim
Use a dynamically added HWSimRadio to allow the MCC case to be covered
with a single test run with the mac80211_hwsim default radios disabling
MCC.

In addition, remove dependency on --long since this test case does not
really take that long.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-27 19:27:25 +02:00
Jouni Malinen
f0b39e057a tests: Convert p2p_go_move_scm_peer_supports to use dynamic hwsim
Use a dynamically added HWSimRadio to allow the MCC case to be covered
with a single test run with the mac80211_hwsim default radios disabling
MCC.

In addition, remove dependency on --long since this test case does not
really take that long (just couple of seconds).

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-27 19:24:33 +02:00
Jouni Malinen
b98445f6ba tests: Optimize p2p_go_move_scm initial wait
There is no need to wait for the initial client timeout in this type of
test sequence since that wait can be cleared by connecting and
disconnecting a client to the group. This allows the test case to be
executed much more quickly and the dependency on --long can be removed.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-27 19:22:30 +02:00
Jouni Malinen
262825e896 tests: Convert p2p_go_move_scm to use dynamic hwsim
Use a dynamically added HWSimRadio to allow the MCC case to be covered
with a single test run with the mac80211_hwsim default radios disabling
MCC.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-27 19:14:38 +02:00
Jouni Malinen
1002684e11 tests: Convert p2p_go_move_active to use dynamic hwsim
Use a dynamically added HWSimRadio to allow the MCC case to be covered
with a single test run with the mac80211_hwsim default radios disabling
MCC.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-27 19:11:27 +02:00
Jouni Malinen
78fdab307e tests: Dynamic hwsim p2ps_channel_active_go_and_station_different_mcc
Convert p2ps_channel_active_go_and_station_different_mcc to use a
dynamically added HWSimRadio to allow the MCC case to be covered with a
single test run with the mac80211_hwsim default radios disabling MCC.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-27 19:01:10 +02:00