Commit graph

89 commits

Author SHA1 Message Date
Jouni Malinen
0ba13e8613 tests: Update server and user certificates (2017)
The previous versions expired, so need to re-sign these to fix a number of
the EAP test cases. In addition, add a shell script (update.sh) and the
needed CA files to automate this full update process.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-01 18:47:02 +03:00
Jouni Malinen
78b6be046d tests: Suite B with RSA keys
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-18 12:12:48 +03:00
Jouni Malinen
cc8330b88b tests: Write MSK dump files from authentication server
This makes it easier to post-process frame capture files if frames need
to be decrypted in test cases that do not configure wlantest with the
PMK directly (i.e., mainly the cases when a RADIUS server is used).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-05 19:29:01 +03:00
Jouni Malinen
0a0c4dc1d7 tests: Use a domain name in the identity for get_emsk OOM tests
These test cases depend on ERP processing to reach the get_emsk handler
function. Since ERP really needs the realm to derive a proper
keyName-NAI, modify these test cases to pass the realm part in the
identity to allow error checking to be introduced for rejecting ERP
cases where the realm is not available.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-05-22 13:51:07 +03:00
Jouni Malinen
c90c62e5d3 tests: hostapd authentication server test cases
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-05 16:51:04 +02:00
Jouni Malinen
209527aeed tests: Renew expired server certificates
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-18 21:39:01 +02:00
Jouni Malinen
f22bc11846 tests: EAP-SIM tunneled within EAP-TTLS/PEAP/FAST
This verifies both the internal and external GSM authentication
operation when EAP-SIM is tunneled within EAP-TTLS/PEAP/FAST.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-10 19:48:12 +02:00
Jouni Malinen
49897fb065 tests: Invalid VLAN ID from RADIUS server for ACL
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-26 18:39:49 +02:00
Jouni Malinen
5b71cb552b tests: Update server and user certificates (2015)
The previous versions expired, so need to re-sign these to fix a number of
the EAP test cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-09-30 22:45:03 +03:00
Jouni Malinen
604f559ae4 tests: Hotspot 2.0 and failures during profile configuration
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-07-04 17:49:57 +03:00
Jouni Malinen
8b29661192 tests: Accept "user@example.com" as user identity similarly to "user"
This is needed to allow updated Interworking behavior that adds the
realm to the EAP-Response/Identity value.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-03-11 21:06:15 +02:00
Jouni Malinen
71fd685fb8 tests: Set ocsp_stapling_response_multi in as2.conf
This keeps the as.conf and as2.conf more consistent.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-03-09 19:49:24 +02:00
Michael Braun
3fdb5005f5 tests: Tagged-VLAN only change on reauthentication
Check VLAN ID change during reauthentication when using tagged-only
configuration.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-02-27 21:49:27 +02:00
Jouni Malinen
78dd5c11ac tests: Renew expired certificates
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-19 18:44:39 +02:00
Michael Braun
732bbcc709 tests: Verify connectivity with untagged/tagged VLAN mixed configuration
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-02-17 11:46:13 +02:00
Michael Braun
57af507ea7 tests: Untagged VLAN ID with EGRESS_VLANID RADIUS attribute
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-02-17 11:46:13 +02:00
Michael Braun
629d369674 tests: Verify tagged-only connectivity
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-02-17 11:46:13 +02:00
Jouni Malinen
31dd315382 tests: PKCS#12 with extra certs on the server
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-06 01:14:43 +02:00
Jouni Malinen
504108dbdf tests: Generate new certificates for Suite B test cases
The previous version expired in January. The new ones are from running
ec-generate.sh and ec2-generate.sh again.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-02 00:09:20 +02:00
Jouni Malinen
d8e5a55f1e tests: WPS and EAP-WSC in network profile
This goes through some error paths that do not really show up in real
WPS use cases.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-13 22:08:04 +02:00
Jouni Malinen
992007c515 tests: Fix ERP anonymous_identity test cases
These need to be run without realm in the identity value to allow the
realm from the anonymous_identity to be used.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-13 22:03:23 +02:00
Jouni Malinen
4e34f56f3c tests: Renew the expired OCSP responder certificate
This certificate expired and that makes a couple of test cases fail.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-13 00:38:29 +02:00
Jouni Malinen
40c654cc1d tests: EAP-SIM with external GSM auth and replacing SIM
These test cases verify that EAP-SIM with external GSM auth supports the
use case of replacing the SIM. The first test case does this incorrectly
by not clearing the pseudonym identity (anonymous_identity in the
network profile) while the second one clears that and shows successful
connection.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-08 18:03:11 +02:00
Jouni Malinen
52811b8c90 tests: EAP-TLS with intermediate CAs and OCSP multi
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-24 00:54:30 +02:00
Jouni Malinen
98d125cafa tests: Minimal testing of OCSP stapling with ocsp_multi
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-23 00:32:52 +02:00
Jouni Malinen
09a4404a33 tests: EAP-PEAP version forcing
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-19 20:59:14 +02:00
Jouni Malinen
96bf8fe104 tests: PKCS #8 private key with PKCS #5 v1.5 and v2.0 format
This verifies client private key use in encrypted PKCS #8 format with
PKCS #5 v1.5 format using pbeWithMD5AndDES-CBC and PKCS #5 v2.0 format
using PBES2 with des-ede3-cbc.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-05 20:27:27 +02:00
Jouni Malinen
d6ba709aa3 tests: EAP-TLS with SHA512/SHA384 signature
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-30 00:39:38 +02:00
Jouni Malinen
7c0d66cf7a tests: EAP-MSCHAPv2 error cases
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-12 01:55:00 +03:00
Jouni Malinen
d79ce4a6ce tests: Additional OCSP coverage
Verify OCSP stapling response that is signed by the CA rather than a
separate OCSP responder. In addition, verify that an invalid signer
certificate (missing OCSP delegation) gets rejected.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-10 17:32:53 +03:00
Jouni Malinen
aeba66b28e tests: Fix OCSP response for ap_wpa2_eap_ttls_ocsp_revoked
Due to a serial number mismatch, the correct "revoked" status was not
used; instead "unknown" was used. While the test case would not fail for
this, an incorrect code path was checked.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-10-02 19:16:04 +03:00
Jouni Malinen
403610d386 tests: Update server and user certificates (2015)
The previous versions expired, so need to re-sign these to fix a number of
the EAP test cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-01 01:37:47 +03:00
Jouni Malinen
6da3b745f1 tests: Try users2.pkcs12 twice to add coverage
This allows manual verification of extra PKCS#12 certificate processing.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-11 01:10:15 +03:00
Jouni Malinen
d35b0227c1 tests: Use openssl pkcs12 -descert workaround to allow FIPS mode
The PKCS12 file with default openssl options cannot be used with OpenSSL
1.0.1 in FIPS mode. Replace this with -descert version as a workaround.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-02 16:52:56 +03:00
Jouni Malinen
405c621cdb tests: WPA2-Enterprise connection using MAC ACL
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-01 00:34:27 +03:00
Jouni Malinen
b3ff3decf6 tests: DH parameter file DSA conversion and error cases
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-06-29 23:23:56 +03:00
Jouni Malinen
0c83ae0469 tests: EAP-TLS with PKCS12 that includes additional certificates
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-06-29 23:23:56 +03:00
Jouni Malinen
b197a8194b tests: EAP-TLS and server checking CRL
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-06-29 23:23:56 +03:00
Jouni Malinen
5748d1e5f8 tests: EAP-TTLS with server certificate valid beyond UNIX time 2^31
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-24 11:24:35 +03:00
Jouni Malinen
768ea0bc32 tests: DH params with 2048-bit key
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-24 11:03:42 +03:00
Jouni Malinen
0d33f5040f tests: EAP-PEAP/MSCHAPv2 with domain name
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-29 22:06:06 +03:00
Jouni Malinen
b898a6ee72 tests: WPA2-Enterprise connection using EAP-pwd and NTHash
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-28 09:45:25 +02:00
Jouni Malinen
4bcedaa400 tests: Re-sign expired test certificates
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-19 14:18:57 +02:00
Jouni Malinen
3a4bace428 tests: RADIUS server changing VLAN ID assignment
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-30 01:11:56 +02:00
Jouni Malinen
4a4cd04cad tests: RADIUS MAC ACL and accounting enabled
This ends up using the special User-Name = STA MAC address case for
Accounting-Request. In addition, add Chargeable-User-Identity for one of
the STAs.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-29 15:55:48 +02:00
Jouni Malinen
95a15d793e tests: EAP-GTC server error cases
In addition, no-password-configured coverage extended to EAP-MD5 and
EAP-MSCHAPv2 as well.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-28 15:59:36 +02:00
Jouni Malinen
37551fe374 tests: Suite B 192-bit profile
This adds a Suite B test case for 192-bit level.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-27 01:43:55 +02:00
Jouni Malinen
4113a96bba tests: Complete Suite B 128-bit coverage
Enable BIP-GMAC-128 and enforce Suite B profile for TLS.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-27 01:43:55 +02:00
Jouni Malinen
37b4a66ce6 tests: Valid OCSP response with revoked and unknown cert status
This increases testing coverage for OCSP processing by confirming that
valid OCSP response showing revoked certificate status prevents
successful handshake completion. In addition, unknown certificate status
is verified to prevent connection if OCSP is required and allow
connection if OCSP is optional.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
279a0afffb tests: Generate a fresh OCSP response for each test run
GnuTLS has a hardcoded three day limit on OCSP response age regardless
of the next update value in the response. To make this work in the test
scripts, try to generate a new response when starting the authentication
server. The old mechanism of a response without next update value is
used as a backup option if openssl is not available or fails to generate
the response for some reason.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00