Jouni Malinen [Sun, 18 Jan 2015 14:23:43 +0000 (16:23 +0200)]
Print in debug log whether attached monitor is for global interface
It is easier to debug issues related to the wpa_supplicant control
interfaces being left behind in attached state when the debug log file
can be used to determine whether a specific monitor socket was a global
or per-interface one.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 18 Jan 2015 13:58:05 +0000 (15:58 +0200)]
tests: Make WNM Sleep Mode tests more robust
It was possible for the Action frame used for entring WNM Sleep Mode to
get dropped on the AP side due to it arriving prior to having processed
EAPOL-Key message 4/4 due to a race condition between Data and
Management frame processing paths. Avoid this by waiting for
AP-STA-CONNECTED event from hostapd prior to trying to enter WNM Sleep
Mode. In addition, make the check for the STA flag change more robust by
allowing the wait to be a bit longer with a loop that terminates as soon
as the flag has changed.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 18 Jan 2015 13:47:56 +0000 (15:47 +0200)]
tests: Make PMKSA caching tests more robust
When the STA is forced to disconnect immediately after completion of
4-way handshake, there is a race condition on the AP side between the
reception of EAPOL-Key msg 4/4 and the following Deauthentication frame.
It is possible for the deauthentication notification to be processed
first since that message uses different path from kernel to user space.
If hostapd does not receive EAPOL-Key msg 4/4 prior to deauthentication,
no PMKSA cache entry is added. This race condition was making the test
cases expecting PMKSA caching to work to fail every now and then. Avoid
this issue by waiting for AP-STA-CONNECTED event from hostapd. This
makes sure the PMKSA cache entry gets added on the AP side.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 18 Jan 2015 10:55:49 +0000 (12:55 +0200)]
tests: Add some more time for olbc_ht update in olbc_5ghz
It looks like this test case is failing every now and then, so add some
more time for the olbc_ht value to get updated before reporting a
failure.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 17 Jan 2015 17:39:23 +0000 (19:39 +0200)]
tests: Import gobject in a way that allows failures
It looks like the gobject module does not get installed by default for
Python at least on Ubuntu server, so modify the D-Bus test case files to
import this in a way that allows other test cases to be run even without
gobject module being installed.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 17 Jan 2015 16:19:45 +0000 (18:19 +0200)]
tests: Make ap_anqp_sharing more robust
This test case uses get_bss() with a BSSID to find a BSS entry. That can
result in failures if there are multiple BSS entries in wpa_supplicant
BSS table for the same BSSID, e.g., due to an earlier hidden SSID test
case. Explicitly clear the cfg80211 and wpa_supplicant scan caches at
the beginning of this test case to make it less likely for earlier test
cases to trigger a failure here.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 17 Jan 2015 16:09:40 +0000 (18:09 +0200)]
tests: Make ap_mixed_security more robust
This test case uses get_bss() with a BSSID to find a BSS entry. That can
result in failures if there are multiple BSS entries in wpa_supplicant
BSS table for the same BSSID, e.g., due to an earlier hidden SSID test
case. Explicitly clear the cfg80211 and wpa_supplicant scan caches at
the beginning of this test case to make it less likely for earlier test
cases to trigger a failure here.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 17 Jan 2015 15:49:52 +0000 (17:49 +0200)]
tests: Hotspot 2.0 ANQP fetch with hidden SSID BSS entry
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 17 Jan 2015 15:47:32 +0000 (17:47 +0200)]
HS 2.0: Try to use same BSS entry for storing GAS results
Commit
17b8995cf5813d7c027cd7a6884700e791d72392 ('Interworking: Try to
use same BSS entry for storing GAS results') added a mechanism to try to
pair GAS request and response to a single BSS entry to cover cases where
multiple BSS entries may exists for the same BSSID. However, that commit
did not cover the Hotspot 2.0 ANQP elements. Extend this mechanism to
all ANQP elements. This can help in cases where information in the
Hotspot 2.0 specific ANQP elements got lost if a hidden SSID or some
other reason of duplicated BSS entries was present while doing ANQP
fetches.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 17 Jan 2015 15:19:32 +0000 (17:19 +0200)]
tests: Write BSS table to debug log in ap_mixed_security
This makes it easier to debug test failures in BSS entry flags field.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 17 Jan 2015 15:15:42 +0000 (17:15 +0200)]
tests: Mark proxyarp_open as skip if traffic test fails
This step requires kernel changes that are not yet in upstream Linux
tree, so mark this as skip rather than failure for now.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 17 Jan 2015 15:09:46 +0000 (17:09 +0200)]
tests: Clean up ap_wpa2_eap_aka_ext
Use a loop over set of test values instead of duplicated functionality
implemented separately for each case.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 17 Jan 2015 14:59:40 +0000 (16:59 +0200)]
tests: Make ap_wpa2_eap_aka_ext faster and more robust
Use SELECT_NETWORK instead of REASSOCIATE for the first reconnection to
avoid unnecessary long wait for temporary network disabling to be
cleared. In addition, wait for the disconnect event after issuing the
DISCONNECT commands to avoid issues due to any pending events during the
immediately following reconnection attempt.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 17 Jan 2015 14:03:43 +0000 (16:03 +0200)]
tests: ap_hs20_fetch_osu: Print osu-providers.txt in debug log
This makes it easier to figure out what happened if the test case fails
due to not finding all the needed OSU-PROVIDER information.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 17 Jan 2015 13:39:48 +0000 (15:39 +0200)]
Make wpa_supplicant FLUSH command more likely to clear all BSS entries
Move the wpa_bss_flush() call to the end of the function to allow any
pending user of a BSS entry to be cleared before removing the unused
entries. There were number of cases where BSS entries could have been
left in the list and this resulted in some hwsim test failures.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 17 Jan 2015 11:54:16 +0000 (13:54 +0200)]
Write reason for scan only_new_results into debug log
This can be helpful in figuring out why the driver was requested to
flush its scan results prior to starting a new scan.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 17 Jan 2015 11:05:34 +0000 (13:05 +0200)]
tests: Skip some scan tests if iw does not support scan flush
The external cfg80211 scan flushing operation requires a relatively
recent iw version and not all distributions include that. Avoid false
failure reports by marking these test cases skipped if the iw command
fails.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 17 Jan 2015 11:04:11 +0000 (13:04 +0200)]
tests: Fix test skipping for some DFS/VHT cases
Due to a typo and missing hapd variable initialization, some of the DFS
and VHT test cases were marked as failures even though they were
supposed to be marked as skipped in case the kernel and wireless-regdb
did not have sufficient support for these modes.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 17 Jan 2015 10:39:00 +0000 (12:39 +0200)]
tests: Fix dbus_probe_req_reporting_oom if already registered
If dbus_probe_req_reporting was run before dbus_probe_req_reporting_oom,
the SubscribeProbeReq() method succeeded since the memory allocation
that was supposed to fail in the OOM test case was not even tried.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 17 Jan 2015 10:12:33 +0000 (12:12 +0200)]
tests: EAP-TNC fragmentation
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 17 Jan 2015 10:02:11 +0000 (12:02 +0200)]
tests: EAP-MD5 server error cases
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 17 Jan 2015 09:25:46 +0000 (11:25 +0200)]
tests: Add optional -1 argument to parallel-vm.py
This can be used to skip rerunning of failed test cases
(e.g., with "./parallel-vm.py 1 -1 <test case>").
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 17 Jan 2015 00:24:00 +0000 (02:24 +0200)]
eapol_test: Fix cert_cb() function arguments
altsubject[] was added here, but the callback implementation in
eapol_test.c was forgotten from the commit.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Fri, 16 Jan 2015 23:48:15 +0000 (01:48 +0200)]
tests: Interworking auto_interworking=1 with mismatching BSS
This is a regression test case to detect a failure that resulted in an
up to five second busy loop through wpa_supplicant_fast_associate() when
interworking_find_network_match() and wpa_supplicant_select_bss() get
different matching results.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Fri, 16 Jan 2015 23:43:00 +0000 (01:43 +0200)]
Interworking: Avoid busy loop in scan result mismatch corner cases
It was possible for interworking_find_network_match() to find a possible
BSS match in a case where more thorough checks in
wpa_supplicant_select_bss() reject network. This itself is fine, in
general, but when combined with wpa_supplicant_fast_associate()
optimization and auto_interworking=1, this resulted in a busy loop of up
to five seconds and a possible stack overflow due to recursion in that
loop.
Fix this by limiting the Interworking wpa_supplicant_fast_associate()
call to be used only once per scan iteration, so that new scan
operations can be completed before going through the scan results again.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Fri, 16 Jan 2015 23:39:34 +0000 (01:39 +0200)]
Interworking: Start ANQP fetch from eloop callback
Reduce maximum stack use by starting next ANQP fetch operation from an
eloop callback rather than calling interworking_next_anqp_fetch()
directly from interworking_start_fetch_anqp(). This avoids issues that
could potentially make the process run out of stack if long loops of
ANQP operations are executed in cases where automatic Interworking
network selection is used and scan results do not have a full match for
a network.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Fri, 16 Jan 2015 14:16:28 +0000 (16:16 +0200)]
tests: Disconnect-Request with no session identification attributes
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Fri, 16 Jan 2015 14:14:54 +0000 (16:14 +0200)]
tests: Use a helper function to send and check RADIUS DAS messages
No need to have this same sequence of steps duplicated in multiple
places.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Fri, 16 Jan 2015 13:56:38 +0000 (15:56 +0200)]
tests: RADIUS DAS and Disconnect-Request removing PMKSA cache entry
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Fri, 16 Jan 2015 13:55:39 +0000 (15:55 +0200)]
RADIUS DAS: Allow PMKSA cache entry to be removed without association
This extends Disconnect-Request processing to check against PMKSA cache
entries if no active session (STA association) match the request.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Fri, 16 Jan 2015 11:10:48 +0000 (13:10 +0200)]
tests: RADIUS DAS with Acct-Multi-Session-Id
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Fri, 16 Jan 2015 11:09:44 +0000 (13:09 +0200)]
RADIUS DAS: Support Acct-Multi-Session-Id as a session identifier
This extends Disconnect-Request support for an additiona session
identification attribute.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Fri, 16 Jan 2015 11:07:14 +0000 (13:07 +0200)]
Add authMultiSessionId into hostapd STA info
dot1xAuthSessionId was previously used to make Acct-Session-Id available
through the control interface. While there is no IEEE 802.1X MIB
variable for Acct-Multi-Session-Id, it is useful to make this value
available as well.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Fri, 16 Jan 2015 10:21:24 +0000 (12:21 +0200)]
tests: Disconnect-Request multi-session-match
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Fri, 16 Jan 2015 10:14:07 +0000 (12:14 +0200)]
tests: Fix radius_das_disconnect match + non-match case
If Calling-Station-Id matches, but CUI does not, NAS is expected to
reject the request instead of accepting it. Verify that Disconnect-NAK
is returned for this.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Fri, 16 Jan 2015 10:10:52 +0000 (12:10 +0200)]
RADIUS DAS: Check for single session match for Disconnect-Request
Previously, the first matching STA was picked. That is not really the
design in RFC 5176, so extend this matching code to go through all
specified session identification attributes and verify that all of them
match. In addition, check for a possible case of multiple sessions
matching. If such a case is detected, return with Disconnect-NAK and
Error-Code 508 (multiple session selection not supported).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Thu, 15 Jan 2015 23:13:59 +0000 (01:13 +0200)]
tests: STA not getting response to SA Query
This verifies that wpa_supplicant reconnects if PMF is enabled,
unprotected Deauthentication/Disassociation frame is received, and the
AP does not reply to SA Query.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Thu, 15 Jan 2015 10:27:56 +0000 (12:27 +0200)]
tests: INTERWORKING_CONNECT after having found hidden SSID AP
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Thu, 15 Jan 2015 10:24:18 +0000 (12:24 +0200)]
Interworking: Fix INTERWORKING_CONNECT with zero-length SSID BSS entry
For Interworking connection to work, the SSID of the selected BSS needs
to be known to be able to associate with the AP. It was possible for the
scan results to include two BSS entries matching the BSSID when an
earlier scan with that AP has shown a hidden SSID configuration (e.g.,
when running hwsim test cases, but at least in theory, this could happen
with real use cases as well). When that happened, the incorrect BSS
entry may not have included RSN configuration and as such, it would get
rejected for Interworking connection.
Fix this by confirming that the selected BSS entry has a real SSID. If
not, try to find another BSS entry matching the same BSSID and use that,
if found with an SSID.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Wed, 14 Jan 2015 22:59:14 +0000 (00:59 +0200)]
nl80211: Fix AP-scan-in-STA-mode error path behavior
If a second scan trigger attempt fails in STA mode, the error path was
supposed to restore the old mode that was in use before changing to STA
mode. However, wpa_driver_nl80211_set_mode() changes drv->nlmode on
success, so the recovery path needs to use the saved old_mode value
instead.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Wed, 14 Jan 2015 13:30:47 +0000 (15:30 +0200)]
tests: domain_match checking against server certificate
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Wed, 14 Jan 2015 13:31:28 +0000 (15:31 +0200)]
Add domain_match network profile parameter
This is similar with domain_suffix_match, but required a full match of
the domain name rather than allowing suffix match (subdomains) or
wildcard certificates.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Wed, 14 Jan 2015 11:29:14 +0000 (13:29 +0200)]
tests: dbus_connect_eap to verify dNSName constraint configuration
This verifies that Certification signals include the expected
information on peer certificates and that dNSName constraint can be
configured based on that and is working both in matching and not
matching cases.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Wed, 14 Jan 2015 11:29:40 +0000 (13:29 +0200)]
Add peer certificate alt subject name information to EAP events
A new "CTRL-EVENT-EAP-PEER-ALT depth=<i> <alt name>" event is now used
to provide information about server certificate chain alternative
subject names for upper layers, e.g., to make it easier to configure
constraints on the server certificate. For example:
CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:server.example.com
Currently, this includes DNS, EMAIL, and URI components from the
certificates. Similar information is priovided to D-Bus Certification
signal in the new altsubject argument which is a string array of these
items.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Wed, 14 Jan 2015 11:24:09 +0000 (13:24 +0200)]
D-Bus: Clear cached EAP data on network profile changes
This makes D-Bus network profile Set(Properties) clear cached EAP data
similarly to how SET_NETWORK does for control interface.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Wed, 14 Jan 2015 10:14:31 +0000 (12:14 +0200)]
Include peer certificate always in EAP events
This makes it easier for upper layer applications to get information
regarding the server certificate without having to use a special
certificate probing connection. This provides both the SHA256 hash of
the certificate (to be used with ca_cert="hash://server/sha256/<hash>",
if desired) and the full DER encoded X.509 certificate so that upper
layer applications can parse and display the certificate easily or
extract fields from it for purposes like configuring an altsubject_match
or domain_suffix_match.
The old behavior can be configured by adding cert_in_cb=0 to
wpa_supplicant configuration file.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Tue, 13 Jan 2015 23:38:26 +0000 (01:38 +0200)]
Get rid of a compiler warning
Commit
e7d0e97bdbdc996564f06b382af3d5a5164a8fb3 ('hostapd: Add vendor
specific VHT extension for the 2.4 GHz band') resulted in a compiler
warning regarding comparison between signed and unsigned integers at
least for 32-bit builds.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Tue, 16 Dec 2014 14:07:54 +0000 (16:07 +0200)]
tests: Subset of VHT functionality on 2.4 GHz
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Tue, 13 Jan 2015 22:50:58 +0000 (00:50 +0200)]
Extend VENDOR_ELEM parameters to cover non-P2P Association Request
The new VENDOR_ELEM value 13 can now be used to add a vendor element
into all (Re)Association Request frames, not just for P2P use cases like
the previous item was for.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Tue, 13 Jan 2015 23:11:08 +0000 (01:11 +0200)]
tests: Add room for more vendor elems in wpas_ctrl_vendor_elem
This test case was verifying that the first unused VENDOR_ELEM value
above the current maximum is rejected. That makes it a bit inconvenient
to add new entries, so increase the elem value to leave room for new
additions without having to continuously modify this test case.
Signed-off-by: Jouni Malinen <j@w1.fi>
Yanbo Li [Mon, 10 Nov 2014 15:12:29 +0000 (23:12 +0800)]
hostapd: Add vendor specific VHT extension for the 2.4 GHz band
This allows vendor specific information element to be used to advertise
support for VHT on 2.4 GHz band. In practice, this is used to enable use
of 256 QAM rates (VHT-MCS 8 and 9) on 2.4 GHz band.
This functionality is disabled by default, but can be enabled with
vendor_vht=1 parameter in hostapd.conf if the driver advertises support
for VHT on either 2.4 or 5 GHz bands.
Signed-off-by: Yanbo Li <yanbol@qti.qualcomm.com>
Jouni Malinen [Sun, 11 Jan 2015 21:29:48 +0000 (23:29 +0200)]
GnuTLS: Add TLS event callbacks for chain success/failure and peer cert
This makes GnuTLS events match the ones provided when OpenSSL is used.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 21:13:35 +0000 (23:13 +0200)]
tests: Valid OCSP response with revoked and unknown cert status
This increases testing coverage for OCSP processing by confirming that
valid OCSP response showing revoked certificate status prevents
successful handshake completion. In addition, unknown certificate status
is verified to prevent connection if OCSP is required and allow
connection if OCSP is optional.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 17:07:13 +0000 (19:07 +0200)]
GnuTLS: Add support for OCSP stapling as a client
This allows ocsp=2 to be used with wpa_supplicant when built with GnuTLS
to request TLS status extension (OCSP stapling) to be used to validate
server certificate validity.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 18:17:51 +0000 (20:17 +0200)]
tests: Generate a fresh OCSP response for each test run
GnuTLS has a hardcoded three day limit on OCSP response age regardless
of the next update value in the response. To make this work in the test
scripts, try to generate a new response when starting the authentication
server. The old mechanism of a response without next update value is
used as a backup option if openssl is not available or fails to generate
the response for some reason.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 17:55:04 +0000 (19:55 +0200)]
tests: Verify mesh support for wpas_add_set_remove_support
This test case fails if wpa_supplicant is built without mesh support, so
need to check for this.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 17:45:56 +0000 (19:45 +0200)]
tests: Check mesh capability based on the modes capabilities list
This is more robust than checking the driver capability because it is
also possible for the wpa_supplicant build to be configured without mesh
support regardless of whether the driver supports it.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 17:44:23 +0000 (19:44 +0200)]
Add MESH to modes capabilities
This makes it easier for upper layer programs to figure out whether the
wpa_supplicant and and the driver supports mesh.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 17:42:57 +0000 (19:42 +0200)]
tests: Verify that SAE is supported for test cases requiring it
This makes it more convenient to run tests with wpa_supplicant builds
that do not support SAE (e.g., due to crypto library not providing
sufficient functionality for this).
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 17:41:01 +0000 (19:41 +0200)]
Add SAE to auth_alg capabilities
This makes it easier for upper layer programs to figure out whether the
wpa_supplicant and and the driver supports SAE.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 16:49:14 +0000 (18:49 +0200)]
tests: Skip ap_wpa2_eap_ttls_server_cert_hash if probing not supported
The ca_cert="probe://" functionality is currently supported only with
OpenSSL.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 16:45:59 +0000 (18:45 +0200)]
GnuTLS: Verify that server certificate EKU is valid for a server
The server certificate will be rejected if it includes any EKU and none
of the listed EKUs is either TLS Web Server Authentication or ANY.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 16:13:17 +0000 (18:13 +0200)]
GnuTLS: Fix tls_disable_time_checks=1 processing
Certificate expiration is checked both within GnuTLS and in the
tls_gnutls.c implementation. The former was configured to use the
request to ignore time checks while the latter was not. Complete support
for this parameter by ignoring the internal expiration checks if
requested.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 16:07:54 +0000 (18:07 +0200)]
GnuTLS: Add support for private_key and client_cert as blobs
This allows private key and client certificate to be configured using
wpa_supplicant blobs instead of external files.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 16:02:52 +0000 (18:02 +0200)]
tests: Use RSA key format in ap_wpa2_eap_tls_blob
This format as a DER encoded blob is supported by both OpenSSL and
GnuTLS while the previous OpenSSL specific format did not get accepted
by GnuTLS.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 15:37:32 +0000 (17:37 +0200)]
tests: Split domain_suffix_match test cases based on match type
With GnuTLS, domain_suffix_match is currently requiring full match, so
split the test cases in a way that can be reported more cleanly as PASS
or SKIP based on TLS library behavior.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 15:43:30 +0000 (17:43 +0200)]
tests: Add ca_cert to username/password Hotspot 2.0 credentials
Proper configuration should be used here to get server validation
enabled, so update the test cases to provide the ca_cert parameter. This
was included in number of existing test cases, but not all.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 15:05:59 +0000 (17:05 +0200)]
tests: Split subject_match and altsubject_match to separate test cases
These parameters are supported only with OpenSSL, so split any test case
that used those for a successful connection into two test cases. Skip
all test cases where these are used without the selected TLS library
supporting them to avoid reporting failures incorrectly. Though, verify
that subject_match and altsubject_match get rejected properly if TLS
library does not support these.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 14:57:26 +0000 (16:57 +0200)]
GnuTLS: Fix DER encoding certificate parsing
It looks like GnuTLS may return success on
gnutls_certificate_set_x509_*() functions with GNUTLS_X509_FMT_PEM even
when trying to read DER encoded information. Reverse the order of
parsing attempts so that we start with DER and then move to PEM if
GnuTLS reports failure on DER parsing. This seems to be more reliable
way of getting errors reported and both cases can now be handled.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 14:01:08 +0000 (16:01 +0200)]
tests: Skip EAP-pwd and EAP-FAST test cases if not supported
Check wpa_supplicant EAP capability and skip EAP-pwd and EAP-FAST test
cases if the build did not include support for these. This is cleaner
than reporting failures for such test cases when the selected TLS
library does not support the EAP method.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 13:59:58 +0000 (15:59 +0200)]
tests: Fix crypto module test build without EAP-FAST
Skip the EAP-FAST specific test cases if wpa_supplicant build is
configured not to include EAP-FAST support.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 13:38:34 +0000 (15:38 +0200)]
tests: Skip OpenSSL cipher string tests with other TLS libraries
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 13:37:38 +0000 (15:37 +0200)]
Add "GET tls_library" to provide information on TLS library and version
This new wpa_supplicant and hostapd control interface command can be
used to determine which TLS library is used in the build and what is the
version of that library.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 11:59:50 +0000 (13:59 +0200)]
GnuTLS: Add event callbacks
This allows wpa_supplicant to provide more information about peer
certificate validation results to upper layers similarly to the
mechanism used with OpenSSL.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 11:29:17 +0000 (13:29 +0200)]
GnuTLS: Add support for domain_suffix_match
This implementation uses GnuTLS function
gnutls_x509_crt_check_hostname(). It has a bit different rules regarding
matching (allows wildcards in some cases, but does not use suffix
matching) compared to the internal implementation used with OpenSSL.
However, these rules are sufficiently close to each other to be of
reasonable use for most cases.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 11:05:28 +0000 (13:05 +0200)]
GnuTLS: Check for any unknown verification failure
After having checked all known GNUTLS_CERT_* error cases that we care
about, check that no other errors have been indicated by
gnutls_certificate_verify_peers2() as a reason to reject negotiation.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 11:01:50 +0000 (13:01 +0200)]
GnuTLS: Add more debug prints for version and session status
Make the debug output more useful for determining whuch version of
GnuTLS was used and what was negotiated for the session.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 10:43:17 +0000 (12:43 +0200)]
GnuTLS: Move peer certificate validation into callback function
GnuTLS 2.10.0 added gnutls_certificate_set_verify_function() that can be
used to move peer certificate validation to an earlier point in the
handshake. Use that to get similar validation behavior to what was done
with OpenSSL, i.e., reject the handshake immediately after receiving the
peer certificate rather than at the completion of handshake.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 09:45:53 +0000 (11:45 +0200)]
GnuTLS: Remove support for versions older than 2.12.x
GnuTLS project has marked 2.12.x obsolete since January 2014. There is
not much need for maintaining support for obsolete versions of the
library, so drop all #if/#endif blocks targeting 2.x.y versions. In
practice, none of these were requiring 2.12.x version with x greater
than 0, so 2.12.x remains supported for now.
In addition, add newer version (GnuTLS 3.0.18 and newer) to fetch client
and server random from the session since the old method is not supported
by new GnuTLS versions and as such, gets removed with rest of the old
ifdef blocks.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 09:13:20 +0000 (11:13 +0200)]
GnuTLS: Remove old version number checks for 1.3.2
No one should be using GnuTLS versions older than 1.3.2 from 2006
anymore, so remove these unnecessary #if/#endif checks.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 09:11:03 +0000 (11:11 +0200)]
GnuTLS: Remove GNUTLS_INTERNAL_STRUCTURE_HACK
This was needed with very old GnuTLS versions, but has not been needed,
or used, since GnuTLS 1.3.2 which was released in 2006. As such, there
is no need to maintain this code anymore and it is better to just clean
the source code by removing all the related code.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 23:48:44 +0000 (01:48 +0200)]
GnuTLS: Add support for ca_cert as a blob
This allows GnuTLS to be used with trusted CA certificate from
wpa_supplicant blob rather than an external certificate file.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 23:35:54 +0000 (01:35 +0200)]
TLS: Reject openssl_ciphers parameter in non-OpenSSL cases
This TLS configuration parameter is explicitly for OpenSSL. Instead of
ignoring it silently, reject any configuration trying to use it in
builds that use other options for TLS implementation.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 22:56:17 +0000 (00:56 +0200)]
Work around Windows build issues
At least MinGW did not have ENOTCONN, EOPNOTSUPP, ECANCELED, so define
these to allow the build to go through.
wpas_rrm_send_neighbor_rep_request() is not really used on Windows, so
the exact error code values do not make any difference here.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 22:52:19 +0000 (00:52 +0200)]
Define host_to_le32() for Windows builds
This define had been forgotten at some point in time and wpa_supplicant
compilation for Windows failed with some recently added code that
depended on this.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 22:49:16 +0000 (00:49 +0200)]
Fix os_win32 build
Addition of os_memcmp_const() in commit
afc3c8b07ffcdccc9349c83dfd3cc904ad9fbfb1 had forgotten to include
common.h into os_win32.c to get u8 defined.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 22:43:30 +0000 (00:43 +0200)]
Remove Network Security Service (NSS) support
NSS as a TLS/crypto library alternative was never completed and this
barely functional code does not even build with the current NSS version.
Taken into account that there has not been much interest in working on
this crypto wrapper over the years, it is better to just remove this
code rather than try to get it into somewhat more functional state.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 22:57:33 +0000 (00:57 +0200)]
schannel: Reject subject_match, altsubject_match, suffix_match
Validation of these parameters has not been implemented with schannel.
Instead of ignoring them silently, reject the configuration to avoid
giving incorrect impression of the parameters being used if
wpa_supplicant is built with schannel instead of the default OpenSSL.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 22:37:21 +0000 (00:37 +0200)]
TLS: Reject subject_match, altsubject_match, suffix_match
Validation of these parameters has not been implemented in the internal
TLS implementation. Instead of ignoring them silently, reject the
configuration to avoid giving incorrect impression of the parameters
being used if wpa_supplicant is built with the internal TLS
implementation instead of the default OpenSSL.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 22:33:48 +0000 (00:33 +0200)]
GnuTLS: Reject subject_match, altsubject_match, suffix_match
Validation of these parameters has not been implemented with GnuTLS.
Instead of ignoring them silently, reject the configuration to avoid
giving incorrect impression of the parameters being used if
wpa_supplicant is built with GnuTLS instead of the default OpenSSL.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 22:26:26 +0000 (00:26 +0200)]
Fix a typo in domain_suffix_match documentation
Spell SubjectName correctly.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 22:10:53 +0000 (00:10 +0200)]
tests: Increase altsubject_match testing coverage
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 22:00:04 +0000 (00:00 +0200)]
Improve subject_match and domain_suffix_match documentation
These were already covered in both README-HS20 for credentials and in
header files for developers' documentation, but the copy in
wpa_supplicant.conf did not include all the details. In addition, add a
clearer note pointing at subject_match not being suitable for suffix
matching domain names; domain_suffix_match must be used for that.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 15:31:37 +0000 (17:31 +0200)]
trace: Fix out-of-memory testing logic
data.function needs to be set for the return value to be of any use and
strcmp won't work with NULL pointer either. (CID 99907)
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 15:12:18 +0000 (17:12 +0200)]
tests: bssid_blacklist and bssid_whitelist
Signed-off-by: Jouni Malinen <j@w1.fi>
Stefan Tomanek [Mon, 5 Jan 2015 20:10:16 +0000 (21:10 +0100)]
Add address masks to BSSID lists
In many applications it is useful not just to enumerate a group of well
known access points, but to use a address/mask notation to match an
entire set of addresses (ca:ff:ee:00:00:00/ff:ff:ff:00:00:00).
This change expands the data structures used by MAC lists to include a
mask indicating the significant (non-masked) portions of an address and
extends the list parser to recognize mask suffixes.
Signed-off-by: Stefan Tomanek <stefan.tomanek@wertarbyte.de>
Stefan Tomanek [Mon, 5 Jan 2015 20:08:49 +0000 (21:08 +0100)]
Add network specific BSSID black and white lists
This change adds the configuration options "bssid_whitelist" and
"bssid_blacklist" used to limit the AP selection of a network to a
specified (finite) set or discard certain APs.
This can be useful for environments where multiple networks operate
using the same SSID and roaming between those is not desired. It is also
useful to ignore a faulty or otherwise unwanted AP.
Signed-off-by: Stefan Tomanek <stefan.tomanek@wertarbyte.de>
Stefan Tomanek [Mon, 5 Jan 2015 20:08:40 +0000 (21:08 +0100)]
Add generic parser for MAC address lists
This change generalizes the code used for parsing the configuration
option 'p2p_client_list' and makes it suitable to use it in other
contexts.
Signed-off-by: Stefan Tomanek <stefan.tomanek@wertarbyte.de>
Jouni Malinen [Sat, 10 Jan 2015 11:16:42 +0000 (13:16 +0200)]
nl80211: Use a helper function to put mesh_id
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 11:14:20 +0000 (13:14 +0200)]
nl80211: Use a helper function for putting beacon interval
Signed-off-by: Jouni Malinen <j@w1.fi>