Verify that unexpected 2048-bit RSA client certificate gets rejected by
the RADIUS server if the server is configured to use Suite B at 192-bit
level.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Verify that unexpected p256 client certificate gets rejected if the
server is configured to use Suite B at 192-bit level.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
PMF is supposed to be enabled automatically in sigma_dut, so remove
the explicit argument to do so from the commands.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
All SAE and OWE associations are expected to require PMF to be
negotiated, so enable or require PMF in AP and STA configurations
accordingly to match the new sigma_dut behavior.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
GnuTLS seems to require the intermediate CA certificate to be included
both in the ca_cert and client_cert file for the cases of server and
client certificates using different intermediate CA certificates. Use
the user_and_ica.pem file with GnuTLS builds and reorder the
certificates in that file to make this work with GnuTLS.
Signed-off-by: Jouni Malinen <j@w1.fi>
Check for unexpected connection to avoid timeout on TLS alert event if
the implementation does not check DH key size at all.
Signed-off-by: Jouni Malinen <j@w1.fi>
Need to ignore missing RX-ANQP event for the FILS Realm Info if
wpa_supplicant build does not include FILS support.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit b488a12948 ('Clear PMK length and
check for this when deriving PTK') started rejecting PTK derivation
based on PMK length. This reduced coverage from the eapol-fuzzer, so set
the default length when initializing the state machine in the fuzzer to
reach the previously used code paths.
Signed-off-by: Jouni Malinen <j@w1.fi>
Wait for test/allocation failure for longer than the wait_fail_trigger()
default two seconds to allow DPP (in particular, PKEX) retransmission to
occur. This removes some issues where the previous wait was more or less
exactly the same duration as the retransmission interval and the first
Listen operation not always starting quickly enough to receive the first
frame.
Signed-off-by: Jouni Malinen <j@w1.fi>
When executing ./start.sh with OpenSSL 1.1.0f, an OCSP operation fails.
Put "-sha256" ahead of "-serial" to fix this.
~# openssl version
OpenSSL 1.1.0f 25 May 2017
~# openssl ocsp -reqout /lkp/benchmarks/hwsim/tests/hwsim/logs/current/ocsp-req.der -issuer /lkp/benchmarks/hwsim/tests/hwsim/auth_serv/ca.pem -serial 0xD8D3E3A6CBE3CD12 -no_nonce -sha256
ocsp: Digest must be before -cert or -serial
ocsp: Use -help for summary.
~# openssl ocsp -reqout /lkp/benchmarks/hwsim/tests/hwsim/logs/current/ocsp-req.der -issuer /lkp/benchmarks/hwsim/tests/hwsim/auth_serv/ca.pem -sha256 -serial 0xD8D3E3A6CBE3CD12 -no_nonce
Signed-off-by: leishaoting <leist.fnst@cn.fujitsu.com>
src/crypto/libcrypto.a and src/tls/libtls.a have circular references
and will need special handling with the linker at least for the time
being. This could be cleaned up eventually, but for now, provide a
mechanism to get the program linked.
This was already done in tests/Makefile, but tests/eapol-fuzzer/Makefile
needs the same.
Signed-off-by: Jouni Malinen <j@w1.fi>
Do not include this argument in normal case, but add a test case to
cover the special extra check case.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This test case is not really realistic and the second connection attempt
would fail if additional AES-based ciphers get provisioned. Work this
around by dropping to CCMP only if other ciphers are present.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is needed to avoid false errors with GCMP-256 and CCMP-256 to be
added in the implementation.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The kernel started enforcing attribute lengths, and nl80211.py had been
doing it all wrong - the padding must be present, but not part of the
length.
Fix it to do it the right way.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
These test cases were failing when run immediately after
dpp_pkex_test_fail. It looks like timing of the TX status and the short
eloop wait were getting reordered in this cases. This ended up with some
of the DPP-TX-STATUS event messages missing. Instead of explicitly
checking for those message, simply count the number of DPP-TX messages
to verify that the correct number of retries are being sent.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>