Verify OCSP stapling response that is signed by the CA rather than a
separate OCSP responder. In addition, verify that invalid signer
certificate (missing OCSP delegation) gets rejected.
Signed-off-by: Jouni Malinen <j@w1.fi>
Due to a serial number mismatch, the correct "revoked" status was not
used; instead "unknown" was used. While the test case would not fail for
this, incorrect code path was checked.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The PKCS12 file with default openssl options cannot be used with OpenSSL
1.0.1 in FIPS mode. Replace this with -descert version as a workaround.
Signed-off-by: Jouni Malinen <j@w1.fi>
This ends up using the special User-Name = STA MAC address case for
Accounting-Request. In addition, add Chargeable-User-Identity for one of
the STAs.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This increases testing coverage for OCSP processing by confirming that
valid OCSP response showing revoked certificate status prevents
successful handshake completion. In addition, unknown certificate status
is verified to prevent connection if OCSP is required and allow
connection if OCSP is optional.
Signed-off-by: Jouni Malinen <j@w1.fi>
GnuTLS has a hardcoded three day limit on OCSP response age regardless
of the next update value in the response. To make this work in the test
scripts, try to generate a new response when starting the authentication
server. The old mechanism of a response without next update value is
used as a backup option if openssl is not available or fails to generate
the response for some reason.
Signed-off-by: Jouni Malinen <j@w1.fi>
This format as a DER encoded blob is supported by both OpenSSL and
GnuTLS while the previous OpenSSL specific format did not get accepted
by GnuTLS.
Signed-off-by: Jouni Malinen <j@w1.fi>
This tests RP EAP-Initiate/Re-auth-Start transmission, ERP key
derivation, and EAP-Initiate/Re-auth + EAP-Finish/Re-auth exchange and
rMSK derivation.
Signed-off-by: Jouni Malinen <j@w1.fi>
This verifies that hostapd uses Session-Timeout value from Access-Accept
as the lifetime for the PMKSA cache entries and expires entries both
while the station is disconnected and during an association.
Signed-off-by: Jouni Malinen <j@w1.fi>
Extend EAP-SIM/AKA/AKA' test coverage by setting up another
authentication server instance to store dynamic SIM/AKA/AKA' information
into an SQLite database. This allows the stored reauth/pseudonym data to
be modified on the server side and by doing so, allows testing fallback
from reauth to pseudonym/permanent identity.
Signed-off-by: Jouni Malinen <j@w1.fi>
Verify that session information is stored from Access-Accept and sent to
the station at the requested timeout. Verify that station processes this
notification.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Enable hostapd control interface for the RADIUS server instance and
verify that the RADIUS server MIB counters are incremented.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds a password that uses one, two, and three octet encoding
for UTF-8 characters. The value is tested against a pre-configured
hash to verify that utf8_to_ucs2() function works correctly.
Signed-off-by: Jouni Malinen <j@w1.fi>
This fixes the user.key file (incorrect key was copied previously) and
adds a test case for EAP-TLS with WPA2-Enterprise.
Signed-hostap: Jouni Malinen <j@w1.fi>
This increases EAP method coverage for WPA2-Enterprise to include
EAP-pwd, EAP-GPSK, EAP-SAKE, EAP-EKE, EAP-IKEv2, EAP-PAX, and EAP-PSK.
Signed-hostap: Jouni Malinen <j@w1.fi>
The test_ap_hs20_username* test cases verify that a username/password
credential can be used for Hotspot 2.0 connection and that the network
type is reported correctly.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>