mech_eap.git
9 years ago P2P: Fix P2P invitation with NFC
David Spinadel [Mon, 19 Jan 2015 01:44:05 +0000 (20:44 -0500)]
P2P: Fix P2P invitation with NFC

Use interface's own NFC configuration instead of parent's one
to support a P2P device dedicated interface.

Signed-off-by: David Spinadel <david.spinadel@intel.com>
9 years ago WNM: Fix the length of WNM_BSS_QUERY control interface command
Matti Gottlieb [Mon, 19 Jan 2015 01:44:04 +0000 (20:44 -0500)]
WNM: Fix the length of WNM_BSS_QUERY control interface command

The length should be 14 and not 10.
The current situation causes failure during parsing of the command.

Signed-off-by: Matti Gottlieb <matti.gottlieb@intel.com>
9 years ago tests: Error handling for scan trigger failure cases
Jouni Malinen [Mon, 19 Jan 2015 18:12:38 +0000 (20:12 +0200)]
tests: Error handling for scan trigger failure cases

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago Retry scan-for-connect if driver trigger fails
Jouni Malinen [Mon, 19 Jan 2015 18:10:00 +0000 (20:10 +0200)]
Retry scan-for-connect if driver trigger fails

This restores some of the pre-radio work behavior for scanning by
retrying scan trigger if the driver rejects it (most likely returning
EBUSY in case of nl80211-drivers). Retry is indicated in the
CTRL-EVENT-SCAN-FAILED event with "retry=1".

For manual scans (e.g., triggered through "SCAN" control interface
command), no additional retries are performed. In other words, if upper
layers want to retry, they can do so based on the CTRL-EVENT-SCAN-FAILED
event.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago Add a test framework for various wpa_supplicant failure cases
Jouni Malinen [Mon, 19 Jan 2015 17:34:00 +0000 (19:34 +0200)]
Add a test framework for various wpa_supplicant failure cases

For CONFIG_TESTING_OPTIONS=y builds, add a new test parameter that can
be used to trigger various error cases within wpa_supplicant operations
to make it easier to test error path processing. "SET test_failure
<val>" is used to set which operation fails. For now, 0 = no failures
and 1 = scan trigger fails with EBUSY. More operations can be added in
the future to extend coverage.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago tests: WPS registrar learning configuration from WPA+WPA2 AP
Jouni Malinen [Mon, 19 Jan 2015 16:39:13 +0000 (18:39 +0200)]
tests: WPS registrar learning configuration from WPA+WPA2 AP

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago WPS: Re-fix an interoperability issue with mixed mode and AP Settings
Jouni Malinen [Mon, 19 Jan 2015 16:35:59 +0000 (18:35 +0200)]
WPS: Re-fix an interoperability issue with mixed mode and AP Settings

Commit ce7b56afab8e6065e886b9471fa8071c8d2bd66b ('WPS: Fix an
interoperability issue with mixed mode and AP Settings') added code to
filter M7 Authentication/Encryption Type attributes into a single bit
value in mixed mode (WPA+WPA2) cases to work around issues with Windows
7. This workaround was lost in commit
d7a15d5953beb47964526aa17b4dc2e9b2985fc1 ('WPS: Indicate current AP
settings in M7 in unconfigurated state') that fixed unconfigured state
values in AP Settings, but did not take into account the earlier
workaround for mixed mode.

Re-introduce filtering of Authentication/Encryption Type attributes for
M7 based on the current AP configuration. In other words, merge those
two earlier commits together to include both the earlier workaround and the
newer fix.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago ACS: Allow subset of channels to be configured
Adrien Decostre [Mon, 12 Jan 2015 07:57:17 +0000 (08:57 +0100)]
ACS: Allow subset of channels to be configured

Add the possibility to define a subset of channels used by the ACS
engine when not operating on DFS channels.

Signed-off-by: Adrien Decostre <ad.decostre@gmail.com>
9 years ago nl80211: Allow HT/VHT to be disabled for IBSS
Janusz Dziedzic [Tue, 13 Jan 2015 08:55:52 +0000 (09:55 +0100)]
nl80211: Allow HT/VHT to be disabled for IBSS

Allow HT/VHT overrides to be used for IBSS.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
9 years ago mesh: Return negative value on join failed
Masashi Honma [Fri, 16 Jan 2015 09:57:30 +0000 (18:57 +0900)]
mesh: Return negative value on join failed

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
9 years ago mesh: Make inactivity timer configurable
Masashi Honma [Fri, 16 Jan 2015 09:29:17 +0000 (18:29 +0900)]
mesh: Make inactivity timer configurable

Current mesh code uses ap_max_inactivity as inactivity timer. This patch
makes it configurable.

There is another mesh inactivity timer in mac80211. The timer works even
if user_mpm=1. So this patch sets the max value to the timer for
workaround.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
9 years ago AP: Expire STA without entry in kernel
Masashi Honma [Fri, 16 Jan 2015 11:19:23 +0000 (20:19 +0900)]
AP: Expire STA without entry in kernel

If the inactivity check returns that there is no entry remaining for the
STA in the kernel, drop the STA in hostapd as well.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
9 years ago AP: Remove redundant condition for STA expiration
Masashi Honma [Fri, 16 Jan 2015 11:00:57 +0000 (20:00 +0900)]
AP: Remove redundant condition for STA expiration

This condition is always true because of surrounding if.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
9 years ago tests: Increase hostapd out-of-memory loop coverage
Jouni Malinen [Sun, 18 Jan 2015 23:35:00 +0000 (01:35 +0200)]
tests: Increase hostapd out-of-memory loop coverage

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago Fix RADIUS client with out-of-memory and missing shared secret
Jouni Malinen [Sun, 18 Jan 2015 23:34:07 +0000 (01:34 +0200)]
Fix RADIUS client with out-of-memory and missing shared secret

It was possible for an out-of-memory code path to trigger NULL pointer
dereference when preparing a RADIUS accounting report.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: WPA + WEP configuration getting rejected
Jouni Malinen [Sun, 18 Jan 2015 23:11:36 +0000 (01:11 +0200)]
tests: WPA + WEP configuration getting rejected

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: Add step-by-step guide for setting up test framework
Jouni Malinen [Sun, 18 Jan 2015 16:06:47 +0000 (18:06 +0200)]
tests: Add step-by-step guide for setting up test framework

This set of notes provides information on how virtual guest OS can be
used to run the mac80211_hwsim test cases under any host OS. The
specific example here uses Ubuntu 14.04.1 server as the starting point
and lists the additional packages that need to be installed and commands
that can be used to fetch and build the test programs.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: Close wlan5 control interface monitor more explicitly
Jouni Malinen [Sun, 18 Jan 2015 15:13:55 +0000 (17:13 +0200)]
tests: Close wlan5 control interface monitor more explicitly

There were a couple of common cases where the control interface for the
dynamic wpa_supplicant instance could have been left in attached state
until Python ends up cleaning up the instance. This could result in
issues if many monitor interface events were queued for that attached
socket. Make this less likely to cause issues by explicitly detaching
and closing control interfaces before moving to the next test case.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago Print in debug log whether attached monitor is for global interface
Jouni Malinen [Sun, 18 Jan 2015 14:23:43 +0000 (16:23 +0200)]
Print in debug log whether attached monitor is for global interface

It is easier to debug issues related to the wpa_supplicant control
interfaces being left behind in attached state when the debug log file
can be used to determine whether a specific monitor socket was a global
or per-interface one.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: Make WNM Sleep Mode tests more robust
Jouni Malinen [Sun, 18 Jan 2015 13:58:05 +0000 (15:58 +0200)]
tests: Make WNM Sleep Mode tests more robust

It was possible for the Action frame used for entering WNM Sleep Mode to
get dropped on the AP side due to it arriving prior to having processed
EAPOL-Key message 4/4 due to a race condition between Data and
Management frame processing paths. Avoid this by waiting for
AP-STA-CONNECTED event from hostapd prior to trying to enter WNM Sleep
Mode. In addition, make the check for the STA flag change more robust by
allowing the wait to be a bit longer with a loop that terminates as soon
as the flag has changed.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: Make PMKSA caching tests more robust
Jouni Malinen [Sun, 18 Jan 2015 13:47:56 +0000 (15:47 +0200)]
tests: Make PMKSA caching tests more robust

When the STA is forced to disconnect immediately after completion of
4-way handshake, there is a race condition on the AP side between the
reception of EAPOL-Key msg 4/4 and the following Deauthentication frame.
It is possible for the deauthentication notification to be processed
first since that message uses a different path from kernel to user space.

If hostapd does not receive EAPOL-Key msg 4/4 prior to deauthentication,
no PMKSA cache entry is added. This race condition was making the test
cases expecting PMKSA caching to work to fail every now and then. Avoid
this issue by waiting for AP-STA-CONNECTED event from hostapd. This
makes sure the PMKSA cache entry gets added on the AP side.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: Add some more time for olbc_ht update in olbc_5ghz
Jouni Malinen [Sun, 18 Jan 2015 10:55:49 +0000 (12:55 +0200)]
tests: Add some more time for olbc_ht update in olbc_5ghz

It looks like this test case is failing every now and then, so add some
more time for the olbc_ht value to get updated before reporting a
failure.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: Import gobject in a way that allows failures
Jouni Malinen [Sat, 17 Jan 2015 17:39:23 +0000 (19:39 +0200)]
tests: Import gobject in a way that allows failures

It looks like the gobject module does not get installed by default for
Python at least on Ubuntu server, so modify the D-Bus test case files to
import this in a way that allows other test cases to be run even without
gobject module being installed.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: Make ap_anqp_sharing more robust
Jouni Malinen [Sat, 17 Jan 2015 16:19:45 +0000 (18:19 +0200)]
tests: Make ap_anqp_sharing more robust

This test case uses get_bss() with a BSSID to find a BSS entry. That can
result in failures if there are multiple BSS entries in wpa_supplicant
BSS table for the same BSSID, e.g., due to an earlier hidden SSID test
case. Explicitly clear the cfg80211 and wpa_supplicant scan caches at
the beginning of this test case to make it less likely for earlier test
cases to trigger a failure here.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: Make ap_mixed_security more robust
Jouni Malinen [Sat, 17 Jan 2015 16:09:40 +0000 (18:09 +0200)]
tests: Make ap_mixed_security more robust

This test case uses get_bss() with a BSSID to find a BSS entry. That can
result in failures if there are multiple BSS entries in wpa_supplicant
BSS table for the same BSSID, e.g., due to an earlier hidden SSID test
case. Explicitly clear the cfg80211 and wpa_supplicant scan caches at
the beginning of this test case to make it less likely for earlier test
cases to trigger a failure here.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: Hotspot 2.0 ANQP fetch with hidden SSID BSS entry
Jouni Malinen [Sat, 17 Jan 2015 15:49:52 +0000 (17:49 +0200)]
tests: Hotspot 2.0 ANQP fetch with hidden SSID BSS entry

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago HS 2.0: Try to use same BSS entry for storing GAS results
Jouni Malinen [Sat, 17 Jan 2015 15:47:32 +0000 (17:47 +0200)]
HS 2.0: Try to use same BSS entry for storing GAS results

Commit 17b8995cf5813d7c027cd7a6884700e791d72392 ('Interworking: Try to
use same BSS entry for storing GAS results') added a mechanism to try to
pair GAS request and response to a single BSS entry to cover cases where
multiple BSS entries may exist for the same BSSID. However, that commit
did not cover the Hotspot 2.0 ANQP elements. Extend this mechanism to
all ANQP elements. This can help in cases where information in the
Hotspot 2.0 specific ANQP elements got lost if a hidden SSID or some
other reason of duplicated BSS entries was present while doing ANQP
fetches.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: Write BSS table to debug log in ap_mixed_security
Jouni Malinen [Sat, 17 Jan 2015 15:19:32 +0000 (17:19 +0200)]
tests: Write BSS table to debug log in ap_mixed_security

This makes it easier to debug test failures in BSS entry flags field.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: Mark proxyarp_open as skip if traffic test fails
Jouni Malinen [Sat, 17 Jan 2015 15:15:42 +0000 (17:15 +0200)]
tests: Mark proxyarp_open as skip if traffic test fails

This step requires kernel changes that are not yet in upstream Linux
tree, so mark this as skip rather than failure for now.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: Clean up ap_wpa2_eap_aka_ext
Jouni Malinen [Sat, 17 Jan 2015 15:09:46 +0000 (17:09 +0200)]
tests: Clean up ap_wpa2_eap_aka_ext

Use a loop over set of test values instead of duplicated functionality
implemented separately for each case.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: Make ap_wpa2_eap_aka_ext faster and more robust
Jouni Malinen [Sat, 17 Jan 2015 14:59:40 +0000 (16:59 +0200)]
tests: Make ap_wpa2_eap_aka_ext faster and more robust

Use SELECT_NETWORK instead of REASSOCIATE for the first reconnection to
avoid unnecessary long wait for temporary network disabling to be
cleared. In addition, wait for the disconnect event after issuing the
DISCONNECT commands to avoid issues due to any pending events during the
immediately following reconnection attempt.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: ap_hs20_fetch_osu: Print osu-providers.txt in debug log
Jouni Malinen [Sat, 17 Jan 2015 14:03:43 +0000 (16:03 +0200)]
tests: ap_hs20_fetch_osu: Print osu-providers.txt in debug log

This makes it easier to figure out what happened if the test case fails
due to not finding all the needed OSU-PROVIDER information.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago Make wpa_supplicant FLUSH command more likely to clear all BSS entries
Jouni Malinen [Sat, 17 Jan 2015 13:39:48 +0000 (15:39 +0200)]
Make wpa_supplicant FLUSH command more likely to clear all BSS entries

Move the wpa_bss_flush() call to the end of the function to allow any
pending user of a BSS entry to be cleared before removing the unused
entries. There were a number of cases where BSS entries could have been
left in the list and this resulted in some hwsim test failures.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago Write reason for scan only_new_results into debug log
Jouni Malinen [Sat, 17 Jan 2015 11:54:16 +0000 (13:54 +0200)]
Write reason for scan only_new_results into debug log

This can be helpful in figuring out why the driver was requested to
flush its scan results prior to starting a new scan.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: Skip some scan tests if iw does not support scan flush
Jouni Malinen [Sat, 17 Jan 2015 11:05:34 +0000 (13:05 +0200)]
tests: Skip some scan tests if iw does not support scan flush

The external cfg80211 scan flushing operation requires a relatively
recent iw version and not all distributions include that. Avoid false
failure reports by marking these test cases skipped if the iw command
fails.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: Fix test skipping for some DFS/VHT cases
Jouni Malinen [Sat, 17 Jan 2015 11:04:11 +0000 (13:04 +0200)]
tests: Fix test skipping for some DFS/VHT cases

Due to a typo and missing hapd variable initialization, some of the DFS
and VHT test cases were marked as failures even though they were
supposed to be marked as skipped in case the kernel and wireless-regdb
did not have sufficient support for these modes.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: Fix dbus_probe_req_reporting_oom if already registered
Jouni Malinen [Sat, 17 Jan 2015 10:39:00 +0000 (12:39 +0200)]
tests: Fix dbus_probe_req_reporting_oom if already registered

If dbus_probe_req_reporting was run before dbus_probe_req_reporting_oom,
the SubscribeProbeReq() method succeeded since the memory allocation
that was supposed to fail in the OOM test case was not even tried.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: EAP-TNC fragmentation
Jouni Malinen [Sat, 17 Jan 2015 10:12:33 +0000 (12:12 +0200)]
tests: EAP-TNC fragmentation

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: EAP-MD5 server error cases
Jouni Malinen [Sat, 17 Jan 2015 10:02:11 +0000 (12:02 +0200)]
tests: EAP-MD5 server error cases

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: Add optional -1 argument to parallel-vm.py
Jouni Malinen [Sat, 17 Jan 2015 09:25:46 +0000 (11:25 +0200)]
tests: Add optional -1 argument to parallel-vm.py

This can be used to skip rerunning of failed test cases
(e.g., with "./parallel-vm.py 1 -1 <test case>").

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago eapol_test: Fix cert_cb() function arguments
Jouni Malinen [Sat, 17 Jan 2015 00:24:00 +0000 (02:24 +0200)]
eapol_test: Fix cert_cb() function arguments

altsubject[] was added here, but the callback implementation in
eapol_test.c was forgotten from the commit.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: Interworking auto_interworking=1 with mismatching BSS
Jouni Malinen [Fri, 16 Jan 2015 23:48:15 +0000 (01:48 +0200)]
tests: Interworking auto_interworking=1 with mismatching BSS

This is a regression test case to detect a failure that resulted in an
up to five second busy loop through wpa_supplicant_fast_associate() when
interworking_find_network_match() and wpa_supplicant_select_bss() get
different matching results.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago Interworking: Avoid busy loop in scan result mismatch corner cases
Jouni Malinen [Fri, 16 Jan 2015 23:43:00 +0000 (01:43 +0200)]
Interworking: Avoid busy loop in scan result mismatch corner cases

It was possible for interworking_find_network_match() to find a possible
BSS match in a case where more thorough checks in
wpa_supplicant_select_bss() reject the network. This itself is fine, in
general, but when combined with wpa_supplicant_fast_associate()
optimization and auto_interworking=1, this resulted in a busy loop of up
to five seconds and a possible stack overflow due to recursion in that
loop.

Fix this by limiting the Interworking wpa_supplicant_fast_associate()
call to be used only once per scan iteration, so that new scan
operations can be completed before going through the scan results again.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago Interworking: Start ANQP fetch from eloop callback
Jouni Malinen [Fri, 16 Jan 2015 23:39:34 +0000 (01:39 +0200)]
Interworking: Start ANQP fetch from eloop callback

Reduce maximum stack use by starting next ANQP fetch operation from an
eloop callback rather than calling interworking_next_anqp_fetch()
directly from interworking_start_fetch_anqp(). This avoids issues that
could potentially make the process run out of stack if long loops of
ANQP operations are executed in cases where automatic Interworking
network selection is used and scan results do not have a full match for
a network.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: Disconnect-Request with no session identification attributes
Jouni Malinen [Fri, 16 Jan 2015 14:16:28 +0000 (16:16 +0200)]
tests: Disconnect-Request with no session identification attributes

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: Use a helper function to send and check RADIUS DAS messages
Jouni Malinen [Fri, 16 Jan 2015 14:14:54 +0000 (16:14 +0200)]
tests: Use a helper function to send and check RADIUS DAS messages

No need to have this same sequence of steps duplicated in multiple
places.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago tests: RADIUS DAS and Disconnect-Request removing PMKSA cache entry
Jouni Malinen [Fri, 16 Jan 2015 13:56:38 +0000 (15:56 +0200)]
tests: RADIUS DAS and Disconnect-Request removing PMKSA cache entry

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago RADIUS DAS: Allow PMKSA cache entry to be removed without association
Jouni Malinen [Fri, 16 Jan 2015 13:55:39 +0000 (15:55 +0200)]
RADIUS DAS: Allow PMKSA cache entry to be removed without association

This extends Disconnect-Request processing to check against PMKSA cache
entries if no active session (STA association) matches the request.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago tests: RADIUS DAS with Acct-Multi-Session-Id
Jouni Malinen [Fri, 16 Jan 2015 11:10:48 +0000 (13:10 +0200)]
tests: RADIUS DAS with Acct-Multi-Session-Id

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago RADIUS DAS: Support Acct-Multi-Session-Id as a session identifier
Jouni Malinen [Fri, 16 Jan 2015 11:09:44 +0000 (13:09 +0200)]
RADIUS DAS: Support Acct-Multi-Session-Id as a session identifier

This extends Disconnect-Request support for an additional session
identification attribute.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago Add authMultiSessionId into hostapd STA info
Jouni Malinen [Fri, 16 Jan 2015 11:07:14 +0000 (13:07 +0200)]
Add authMultiSessionId into hostapd STA info

dot1xAuthSessionId was previously used to make Acct-Session-Id available
through the control interface. While there is no IEEE 802.1X MIB
variable for Acct-Multi-Session-Id, it is useful to make this value
available as well.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago tests: Disconnect-Request multi-session-match
Jouni Malinen [Fri, 16 Jan 2015 10:21:24 +0000 (12:21 +0200)]
tests: Disconnect-Request multi-session-match

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago tests: Fix radius_das_disconnect match + non-match case
Jouni Malinen [Fri, 16 Jan 2015 10:14:07 +0000 (12:14 +0200)]
tests: Fix radius_das_disconnect match + non-match case

If Calling-Station-Id matches, but CUI does not, NAS is expected to
reject the request instead of accepting it. Verify that Disconnect-NAK
is returned for this.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago RADIUS DAS: Check for single session match for Disconnect-Request
Jouni Malinen [Fri, 16 Jan 2015 10:10:52 +0000 (12:10 +0200)]
RADIUS DAS: Check for single session match for Disconnect-Request

Previously, the first matching STA was picked. That is not really the
design in RFC 5176, so extend this matching code to go through all
specified session identification attributes and verify that all of them
match. In addition, check for a possible case of multiple sessions
matching. If such a case is detected, return with Disconnect-NAK and
Error-Code 508 (multiple session selection not supported).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
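The matching rule this commit message describes, as an added C example (not hostapd's code and not part of the commit): every attribute present in the request must match, and a session is selected only when exactly one qualifies. The struct and function names, the sample table, the first-match model and the handling of a request without identification attributes are assumptions of the example; 503 is the RFC 5176 Error-Cause for a session that is not found.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Session identification attributes; in a request, NULL means "absent".
 * All names are hypothetical (added example, not hostapd's code). */
struct das_ids {
    const char *calling_station_id;
    const char *user_name;
    const char *acct_session_id;
    const char *acct_multi_session_id;
    const char *cui; /* Chargeable-User-Identity */
};

#define ERR_SESSION_NOT_FOUND 503 /* RFC 5176 Error-Cause */
#define ERR_MULTIPLE_SESSIONS 508 /* RFC 5176 Error-Cause */

/* need_all=1: every attribute present in the request must equal the
 * session's value. need_all=0: one equal attribute is enough.
 * A request with no attributes matches nothing (choice of this example). */
static int session_match(const struct das_ids *req, const struct das_ids *s,
                         int need_all)
{
    const char *want[] = { req->calling_station_id, req->user_name,
                           req->acct_session_id, req->acct_multi_session_id,
                           req->cui };
    const char *have[] = { s->calling_station_id, s->user_name,
                           s->acct_session_id, s->acct_multi_session_id,
                           s->cui };
    int i, present = 0, hits = 0;
    for (i = 0; i < 5; i++) {
        if (want[i] == NULL)
            continue;
        present++;
        if (have[i] != NULL && strcmp(want[i], have[i]) == 0)
            hits++;
    }
    if (present == 0)
        return 0;
    return need_all ? hits == present : hits > 0;
}

/* Strict selection. Returns the index of the single session that satisfies
 * the whole request (Disconnect-ACK), or the negated Error-Cause to send in
 * a Disconnect-NAK. */
int das_select(const struct das_ids *req, const struct das_ids *tab, size_t n)
{
    size_t i;
    int found = -1, count = 0;
    for (i = 0; i < n; i++) {
        if (!session_match(req, &tab[i], 1))
            continue;
        if (count == 0)
            found = (int) i;
        count++;
    }
    if (count == 0)
        return -ERR_SESSION_NOT_FOUND;
    if (count > 1)
        return -ERR_MULTIPLE_SESSIONS;
    return found;
}

/* Simplified model of first-match selection (assumption of this example):
 * the first session that agrees on any one attribute is picked. */
int das_select_first(const struct das_ids *req, const struct das_ids *tab,
                     size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (session_match(req, &tab[i], 0))
            return (int) i;
    return -1;
}

/* Constructed session table and requests (sample data, not from the page). */
static const struct das_ids demo_tab[] = {
    { "02:00:00:00:01:00", "alice", "A1", "M1", "cui-alice" },
    { "02:00:00:00:02:00", "alice", "A2", "M1", "cui-alice" },
    { "02:00:00:00:03:00", "bob",   "A3", "M3", "cui-bob" },
};
#define DEMO_N (sizeof(demo_tab) / sizeof(demo_tab[0]))

/* Calling-Station-Id of session 0 combined with another session's CUI */
static const struct das_ids req_mixed = { "02:00:00:00:01:00", NULL, NULL, NULL, "cui-bob" };
static const struct das_ids req_user = { NULL, "alice", NULL, NULL, NULL };
static const struct das_ids req_narrow = { NULL, "alice", "A2", NULL, NULL };
static const struct das_ids req_empty = { NULL, NULL, NULL, NULL, NULL };

int main(void)
{
    printf("mixed:  first-match=%d strict=%d\n",
           das_select_first(&req_mixed, demo_tab, DEMO_N),
           das_select(&req_mixed, demo_tab, DEMO_N));
    printf("user=%d narrow=%d empty=%d\n",
           das_select(&req_user, demo_tab, DEMO_N),
           das_select(&req_narrow, demo_tab, DEMO_N),
           das_select(&req_empty, demo_tab, DEMO_N));
    return 0;
}
```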
9 years ago tests: STA not getting response to SA Query
Jouni Malinen [Thu, 15 Jan 2015 23:13:59 +0000 (01:13 +0200)]
tests: STA not getting response to SA Query

This verifies that wpa_supplicant reconnects if PMF is enabled,
unprotected Deauthentication/Disassociation frame is received, and the
AP does not reply to SA Query.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: INTERWORKING_CONNECT after having found hidden SSID AP
Jouni Malinen [Thu, 15 Jan 2015 10:27:56 +0000 (12:27 +0200)]
tests: INTERWORKING_CONNECT after having found hidden SSID AP

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago Interworking: Fix INTERWORKING_CONNECT with zero-length SSID BSS entry
Jouni Malinen [Thu, 15 Jan 2015 10:24:18 +0000 (12:24 +0200)]
Interworking: Fix INTERWORKING_CONNECT with zero-length SSID BSS entry

For Interworking connection to work, the SSID of the selected BSS needs
to be known to be able to associate with the AP. It was possible for the
scan results to include two BSS entries matching the BSSID when an
earlier scan with that AP has shown a hidden SSID configuration (e.g.,
when running hwsim test cases, but at least in theory, this could happen
with real use cases as well). When that happened, the incorrect BSS
entry may not have included RSN configuration and as such, it would get
rejected for Interworking connection.

Fix this by confirming that the selected BSS entry has a real SSID. If
not, try to find another BSS entry matching the same BSSID and use that,
if found with an SSID.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago nl80211: Fix AP-scan-in-STA-mode error path behavior
Jouni Malinen [Wed, 14 Jan 2015 22:59:14 +0000 (00:59 +0200)]
nl80211: Fix AP-scan-in-STA-mode error path behavior

If a second scan trigger attempt fails in STA mode, the error path was
supposed to restore the old mode that was in use before changing to STA
mode. However, wpa_driver_nl80211_set_mode() changes drv->nlmode on
success, so the recovery path needs to use the saved old_mode value
instead.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago tests: domain_match checking against server certificate
Jouni Malinen [Wed, 14 Jan 2015 13:30:47 +0000 (15:30 +0200)]
tests: domain_match checking against server certificate

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago Add domain_match network profile parameter
Jouni Malinen [Wed, 14 Jan 2015 13:31:28 +0000 (15:31 +0200)]
Add domain_match network profile parameter

This is similar to domain_suffix_match, but requires a full match of
the domain name rather than allowing suffix match (subdomains) or
wildcard certificates.

Signed-off-by: Jouni Malinen <j@w1.fi>
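The difference between the two constraints, as an added C example (not wpa_supplicant's code and not part of the commit): one function compares a certificate dNSName with the configured name, where `full=1` models domain_match and `full=0` models domain_suffix_match. The function names, the case-insensitive comparison, the rejection of values with an embedded NUL and the sample names are assumptions of the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of n bytes (ASCII host names). */
static int eq_nocase(const char *a, const char *b, size_t n)
{
    size_t i;

    for (i = 0; i < n; i++) {
        if (tolower((unsigned char) a[i]) != tolower((unsigned char) b[i]))
            return 0;
    }
    return 1;
}

/*
 * Compare one dNSName value (val/len as read from the certificate, so not
 * necessarily NUL-terminated) with the configured name.
 * full = 1: the whole name must be equal (domain_match semantics).
 * full = 0: the configured name may also be a label-aligned suffix
 *           (domain_suffix_match semantics).
 * Hypothetical helper for this example, not wpa_supplicant's function.
 */
int dns_name_ok(const char *val, size_t len, const char *match, int full)
{
    size_t match_len = strlen(match);

    /* A NUL inside the value would make C string handling see a shorter
     * name than the certificate carries, so such values never match. */
    if (memchr(val, '\0', len) != NULL)
        return 0;
    if (match_len == 0 || match_len > len)
        return 0;
    if (full && match_len != len)
        return 0;
    if (!eq_nocase(val + len - match_len, match, match_len))
        return 0;
    if (match_len == len)
        return 1; /* identical names */
    /* The suffix has to start at a label boundary, otherwise
     * "notexample.com" would pass for "example.com". */
    return val[len - match_len - 1] == '.';
}

/* Convenience wrapper for NUL-terminated strings. */
int dns_str_ok(const char *name, const char *match, int full)
{
    return dns_name_ok(name, strlen(name), match, full);
}

int main(void)
{
    /* Constructed dNSName values (sample data, not from the page). */
    static const char *names[] = {
        "server.example.com", "*.example.com", "notexample.com",
    };
    size_t i;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("%-20s suffix(example.com)=%d full(server.example.com)=%d\n",
               names[i], dns_str_ok(names[i], "example.com", 0),
               dns_str_ok(names[i], "server.example.com", 1));
    return 0;
}
```

A wildcard name such as `*.example.com` satisfies the suffix check for `example.com` but not the full check for `server.example.com`.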
9 years ago tests: dbus_connect_eap to verify dNSName constraint configuration
Jouni Malinen [Wed, 14 Jan 2015 11:29:14 +0000 (13:29 +0200)]
tests: dbus_connect_eap to verify dNSName constraint configuration

This verifies that Certification signals include the expected
information on peer certificates and that dNSName constraint can be
configured based on that and is working both in matching and not
matching cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago Add peer certificate alt subject name information to EAP events
Jouni Malinen [Wed, 14 Jan 2015 11:29:40 +0000 (13:29 +0200)]
Add peer certificate alt subject name information to EAP events

A new "CTRL-EVENT-EAP-PEER-ALT depth=<i> <alt name>" event is now used
to provide information about server certificate chain alternative
subject names for upper layers, e.g., to make it easier to configure
constraints on the server certificate. For example:
CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:server.example.com

Currently, this includes DNS, EMAIL, and URI components from the
certificates. Similar information is provided to D-Bus Certification
signal in the new altsubject argument which is a string array of these
items.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago D-Bus: Clear cached EAP data on network profile changes
Jouni Malinen [Wed, 14 Jan 2015 11:24:09 +0000 (13:24 +0200)]
D-Bus: Clear cached EAP data on network profile changes

This makes D-Bus network profile Set(Properties) clear cached EAP data
similarly to how SET_NETWORK does for control interface.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago Include peer certificate always in EAP events
Jouni Malinen [Wed, 14 Jan 2015 10:14:31 +0000 (12:14 +0200)]
Include peer certificate always in EAP events

This makes it easier for upper layer applications to get information
regarding the server certificate without having to use a special
certificate probing connection. This provides both the SHA256 hash of
the certificate (to be used with ca_cert="hash://server/sha256/<hash>",
if desired) and the full DER encoded X.509 certificate so that upper
layer applications can parse and display the certificate easily or
extract fields from it for purposes like configuring an altsubject_match
or domain_suffix_match.

The old behavior can be configured by adding cert_in_cb=0 to
wpa_supplicant configuration file.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago Get rid of a compiler warning
Jouni Malinen [Tue, 13 Jan 2015 23:38:26 +0000 (01:38 +0200)]
Get rid of a compiler warning

Commit e7d0e97bdbdc996564f06b382af3d5a5164a8fb3 ('hostapd: Add vendor
specific VHT extension for the 2.4 GHz band') resulted in a compiler
warning regarding comparison between signed and unsigned integers at
least for 32-bit builds.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago tests: Subset of VHT functionality on 2.4 GHz
Jouni Malinen [Tue, 16 Dec 2014 14:07:54 +0000 (16:07 +0200)]
tests: Subset of VHT functionality on 2.4 GHz

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago Extend VENDOR_ELEM parameters to cover non-P2P Association Request
Jouni Malinen [Tue, 13 Jan 2015 22:50:58 +0000 (00:50 +0200)]
Extend VENDOR_ELEM parameters to cover non-P2P Association Request

The new VENDOR_ELEM value 13 can now be used to add a vendor element
into all (Re)Association Request frames, not just for P2P use cases like
the previous item was for.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago tests: Add room for more vendor elems in wpas_ctrl_vendor_elem
Jouni Malinen [Tue, 13 Jan 2015 23:11:08 +0000 (01:11 +0200)]
tests: Add room for more vendor elems in wpas_ctrl_vendor_elem

This test case was verifying that the first unused VENDOR_ELEM value
above the current maximum is rejected. That makes it a bit inconvenient
to add new entries, so increase the elem value to leave room for new
additions without having to continuously modify this test case.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago hostapd: Add vendor specific VHT extension for the 2.4 GHz band
Yanbo Li [Mon, 10 Nov 2014 15:12:29 +0000 (23:12 +0800)]
hostapd: Add vendor specific VHT extension for the 2.4 GHz band

This allows vendor specific information element to be used to advertise
support for VHT on 2.4 GHz band. In practice, this is used to enable use
of 256 QAM rates (VHT-MCS 8 and 9) on 2.4 GHz band.

This functionality is disabled by default, but can be enabled with
vendor_vht=1 parameter in hostapd.conf if the driver advertises support
for VHT on either 2.4 or 5 GHz bands.

Signed-off-by: Yanbo Li <yanbol@qti.qualcomm.com>
9 years ago GnuTLS: Add TLS event callbacks for chain success/failure and peer cert
Jouni Malinen [Sun, 11 Jan 2015 21:29:48 +0000 (23:29 +0200)]
GnuTLS: Add TLS event callbacks for chain success/failure and peer cert

This makes GnuTLS events match the ones provided when OpenSSL is used.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: Valid OCSP response with revoked and unknown cert status
Jouni Malinen [Sun, 11 Jan 2015 21:13:35 +0000 (23:13 +0200)]
tests: Valid OCSP response with revoked and unknown cert status

This increases testing coverage for OCSP processing by confirming that
valid OCSP response showing revoked certificate status prevents
successful handshake completion. In addition, unknown certificate status
is verified to prevent connection if OCSP is required and allow
connection if OCSP is optional.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago GnuTLS: Add support for OCSP stapling as a client
Jouni Malinen [Sun, 11 Jan 2015 17:07:13 +0000 (19:07 +0200)]
GnuTLS: Add support for OCSP stapling as a client

This allows ocsp=2 to be used with wpa_supplicant when built with GnuTLS
to request TLS status extension (OCSP stapling) to be used to validate
server certificate validity.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: Generate a fresh OCSP response for each test run
Jouni Malinen [Sun, 11 Jan 2015 18:17:51 +0000 (20:17 +0200)]
tests: Generate a fresh OCSP response for each test run

GnuTLS has a hardcoded three day limit on OCSP response age regardless
of the next update value in the response. To make this work in the test
scripts, try to generate a new response when starting the authentication
server. The old mechanism of a response without next update value is
used as a backup option if openssl is not available or fails to generate
the response for some reason.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: Verify mesh support for wpas_add_set_remove_support
Jouni Malinen [Sun, 11 Jan 2015 17:55:04 +0000 (19:55 +0200)]
tests: Verify mesh support for wpas_add_set_remove_support

This test case fails if wpa_supplicant is built without mesh support, so
need to check for this.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: Check mesh capability based on the modes capabilities list
Jouni Malinen [Sun, 11 Jan 2015 17:45:56 +0000 (19:45 +0200)]
tests: Check mesh capability based on the modes capabilities list

This is more robust than checking the driver capability because it is
also possible for the wpa_supplicant build to be configured without mesh
support regardless of whether the driver supports it.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago Add MESH to modes capabilities
Jouni Malinen [Sun, 11 Jan 2015 17:44:23 +0000 (19:44 +0200)]
Add MESH to modes capabilities

This makes it easier for upper layer programs to figure out whether the
wpa_supplicant and the driver supports mesh.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: Verify that SAE is supported for test cases requiring it
Jouni Malinen [Sun, 11 Jan 2015 17:42:57 +0000 (19:42 +0200)]
tests: Verify that SAE is supported for test cases requiring it

This makes it more convenient to run tests with wpa_supplicant builds
that do not support SAE (e.g., due to crypto library not providing
sufficient functionality for this).

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago Add SAE to auth_alg capabilities
Jouni Malinen [Sun, 11 Jan 2015 17:41:01 +0000 (19:41 +0200)]
Add SAE to auth_alg capabilities

This makes it easier for upper layer programs to figure out whether the
wpa_supplicant and the driver supports SAE.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: Skip ap_wpa2_eap_ttls_server_cert_hash if probing not supported
Jouni Malinen [Sun, 11 Jan 2015 16:49:14 +0000 (18:49 +0200)]
tests: Skip ap_wpa2_eap_ttls_server_cert_hash if probing not supported

The ca_cert="probe://" functionality is currently supported only with
OpenSSL.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago GnuTLS: Verify that server certificate EKU is valid for a server
Jouni Malinen [Sun, 11 Jan 2015 16:45:59 +0000 (18:45 +0200)]
GnuTLS: Verify that server certificate EKU is valid for a server

The server certificate will be rejected if it includes any EKU and none
of the listed EKUs is either TLS Web Server Authentication or ANY.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago GnuTLS: Fix tls_disable_time_checks=1 processing
Jouni Malinen [Sun, 11 Jan 2015 16:13:17 +0000 (18:13 +0200)]
GnuTLS: Fix tls_disable_time_checks=1 processing

Certificate expiration is checked both within GnuTLS and in the
tls_gnutls.c implementation. The former was configured to use the
request to ignore time checks while the latter was not. Complete support
for this parameter by ignoring the internal expiration checks if
requested.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago GnuTLS: Add support for private_key and client_cert as blobs
Jouni Malinen [Sun, 11 Jan 2015 16:07:54 +0000 (18:07 +0200)]
GnuTLS: Add support for private_key and client_cert as blobs

This allows private key and client certificate to be configured using
wpa_supplicant blobs instead of external files.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: Use RSA key format in ap_wpa2_eap_tls_blob
Jouni Malinen [Sun, 11 Jan 2015 16:02:52 +0000 (18:02 +0200)]
tests: Use RSA key format in ap_wpa2_eap_tls_blob

This format as a DER encoded blob is supported by both OpenSSL and
GnuTLS while the previous OpenSSL specific format did not get accepted
by GnuTLS.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: Split domain_suffix_match test cases based on match type
Jouni Malinen [Sun, 11 Jan 2015 15:37:32 +0000 (17:37 +0200)]
tests: Split domain_suffix_match test cases based on match type

With GnuTLS, domain_suffix_match is currently requiring full match, so
split the test cases in a way that can be reported more cleanly as PASS
or SKIP based on TLS library behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: Add ca_cert to username/password Hotspot 2.0 credentials
Jouni Malinen [Sun, 11 Jan 2015 15:43:30 +0000 (17:43 +0200)]
tests: Add ca_cert to username/password Hotspot 2.0 credentials

Proper configuration should be used here to get server validation
enabled, so update the test cases to provide the ca_cert parameter. This
was included in a number of existing test cases, but not all.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: Split subject_match and altsubject_match to separate test cases
Jouni Malinen [Sun, 11 Jan 2015 15:05:59 +0000 (17:05 +0200)]
tests: Split subject_match and altsubject_match to separate test cases

These parameters are supported only with OpenSSL, so split any test case
that used those for a successful connection into two test cases. Skip
all test cases where these are used without the selected TLS library
supporting them to avoid reporting failures incorrectly. Though, verify
that subject_match and altsubject_match get rejected properly if TLS
library does not support these.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago GnuTLS: Fix DER encoding certificate parsing
Jouni Malinen [Sun, 11 Jan 2015 14:57:26 +0000 (16:57 +0200)]
GnuTLS: Fix DER encoding certificate parsing

It looks like GnuTLS may return success on
gnutls_certificate_set_x509_*() functions with GNUTLS_X509_FMT_PEM even
when trying to read DER encoded information. Reverse the order of
parsing attempts so that we start with DER and then move to PEM if
GnuTLS reports failure on DER parsing. This seems to be a more reliable
way of getting errors reported and both cases can now be handled.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: Skip EAP-pwd and EAP-FAST test cases if not supported
Jouni Malinen [Sun, 11 Jan 2015 14:01:08 +0000 (16:01 +0200)]
tests: Skip EAP-pwd and EAP-FAST test cases if not supported

Check wpa_supplicant EAP capability and skip EAP-pwd and EAP-FAST test
cases if the build did not include support for these. This is cleaner
than reporting failures for such test cases when the selected TLS
library does not support the EAP method.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: Fix crypto module test build without EAP-FAST
Jouni Malinen [Sun, 11 Jan 2015 13:59:58 +0000 (15:59 +0200)]
tests: Fix crypto module test build without EAP-FAST

Skip the EAP-FAST specific test cases if wpa_supplicant build is
configured not to include EAP-FAST support.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: Skip OpenSSL cipher string tests with other TLS libraries
Jouni Malinen [Sun, 11 Jan 2015 13:38:34 +0000 (15:38 +0200)]
tests: Skip OpenSSL cipher string tests with other TLS libraries

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago Add "GET tls_library" to provide information on TLS library and version
Jouni Malinen [Sun, 11 Jan 2015 13:37:38 +0000 (15:37 +0200)]
Add "GET tls_library" to provide information on TLS library and version

This new wpa_supplicant and hostapd control interface command can be
used to determine which TLS library is used in the build and what is the
version of that library.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago GnuTLS: Add event callbacks
Jouni Malinen [Sun, 11 Jan 2015 11:59:50 +0000 (13:59 +0200)]
GnuTLS: Add event callbacks

This allows wpa_supplicant to provide more information about peer
certificate validation results to upper layers similarly to the
mechanism used with OpenSSL.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago GnuTLS: Add support for domain_suffix_match
Jouni Malinen [Sun, 11 Jan 2015 11:29:17 +0000 (13:29 +0200)]
GnuTLS: Add support for domain_suffix_match

This implementation uses GnuTLS function
gnutls_x509_crt_check_hostname(). It has a bit different rules regarding
matching (allows wildcards in some cases, but does not use suffix
matching) compared to the internal implementation used with OpenSSL.
However, these rules are sufficiently close to each other to be of
reasonable use for most cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago GnuTLS: Check for any unknown verification failure
Jouni Malinen [Sun, 11 Jan 2015 11:05:28 +0000 (13:05 +0200)]
GnuTLS: Check for any unknown verification failure

After having checked all known GNUTLS_CERT_* error cases that we care
about, check that no other errors have been indicated by
gnutls_certificate_verify_peers2() as a reason to reject negotiation.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago GnuTLS: Add more debug prints for version and session status
Jouni Malinen [Sun, 11 Jan 2015 11:01:50 +0000 (13:01 +0200)]
GnuTLS: Add more debug prints for version and session status

Make the debug output more useful for determining which version of
GnuTLS was used and what was negotiated for the session.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago GnuTLS: Move peer certificate validation into callback function
Jouni Malinen [Sun, 11 Jan 2015 10:43:17 +0000 (12:43 +0200)]
GnuTLS: Move peer certificate validation into callback function

GnuTLS 2.10.0 added gnutls_certificate_set_verify_function() that can be
used to move peer certificate validation to an earlier point in the
handshake. Use that to get similar validation behavior to what was done
with OpenSSL, i.e., reject the handshake immediately after receiving the
peer certificate rather than at the completion of handshake.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago GnuTLS: Remove support for versions older than 2.12.x
Jouni Malinen [Sun, 11 Jan 2015 09:45:53 +0000 (11:45 +0200)]
GnuTLS: Remove support for versions older than 2.12.x

GnuTLS project has marked 2.12.x obsolete since January 2014. There is
not much need for maintaining support for obsolete versions of the
library, so drop all #if/#endif blocks targeting 2.x.y versions. In
practice, none of these were requiring 2.12.x version with x greater
than 0, so 2.12.x remains supported for now.

In addition, add newer version (GnuTLS 3.0.18 and newer) to fetch client
and server random from the session since the old method is not supported
by new GnuTLS versions and as such, gets removed with rest of the old
ifdef blocks.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago GnuTLS: Remove old version number checks for 1.3.2
Jouni Malinen [Sun, 11 Jan 2015 09:13:20 +0000 (11:13 +0200)]
GnuTLS: Remove old version number checks for 1.3.2

No one should be using GnuTLS versions older than 1.3.2 from 2006
anymore, so remove these unnecessary #if/#endif checks.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago GnuTLS: Remove GNUTLS_INTERNAL_STRUCTURE_HACK
Jouni Malinen [Sun, 11 Jan 2015 09:11:03 +0000 (11:11 +0200)]
GnuTLS: Remove GNUTLS_INTERNAL_STRUCTURE_HACK

This was needed with very old GnuTLS versions, but has not been needed,
or used, since GnuTLS 1.3.2 which was released in 2006. As such, there
is no need to maintain this code anymore and it is better to just clean
the source code by removing all the related code.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago GnuTLS: Add support for ca_cert as a blob
Jouni Malinen [Sat, 10 Jan 2015 23:48:44 +0000 (01:48 +0200)]
GnuTLS: Add support for ca_cert as a blob

This allows GnuTLS to be used with trusted CA certificate from
wpa_supplicant blob rather than an external certificate file.

Signed-off-by: Jouni Malinen <j@w1.fi>