One of the steps that expected failure due to PMKID mismatch did not
stop connection attempts. This could result in the following test step
failing due to the previous profile with peaplabel=1 getting used to
derive the MSK incorrectly.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This patch is made by using 2to3 command with some modifications.
$ find . -name *.py | xargs 2to3 -f imports -w -n
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Verify that not updating GTK (i.e., only update PTK) in the driver does
not break connectivity. This case is different after the check for
"already in-use GTK" and rejection of GTK reinstallation.
Signed-off-by: Jouni Malinen <j@w1.fi>
It looks like OpenSSL 1.1.1 accepted the openssl_ciphers=FOO test
configuration or well, at least does not reject it like previous
versions did. For now, ignore this failure.
Signed-off-by: Jouni Malinen <j@w1.fi>
RC4-SHA cipher case ended up allowing the handshake to be started just
to fail with "no ciphers available" when trying to generate ClientHello.
Fix this by handling an EAP failure case for the RC4-SHA test step with
OpenSSL 1.1.*.
Signed-off-by: Jouni Malinen <j@w1.fi>
This is a regression test for a sequence where wpa_supplicant interface
MAC address is changed externally and the ifdown-ifup sequence is
processed only after the interface has already been set UP.
Signed-off-by: Jouni Malinen <j@w1.fi>
This test case uses EAP-MSCHAPv2 within the PEAP tunnel, so verify that
the build includes support for that before running the test.
Signed-off-by: Sean Parkinson <sean@wolfssl.com>
GnuTLS seems to require the intermediate CA certificate to be included
both in the ca_cert and client_cert file for the cases of server and
client certificates using different intermediate CA certificates. Use
the user_and_ica.pem file with GnuTLS builds and reorder the
certificates in that file to make this work with GnuTLS.
Signed-off-by: Jouni Malinen <j@w1.fi>
Change the test condition from "is OpenSSL 1.0.2" to "is not OpenSSL
1.0.1", so that the TLSv1.2 test step gets executed with OpenSSL 1.0.2
and 1.1 (and newer).
Signed-off-by: Jouni Malinen <j@w1.fi>
The previous versions expired, so need to re-sign these to fix number of
the EAP test cases. In addition, add a shell script (update.sh) and the
needed CA files to automate this full update process.
Signed-off-by: Jouni Malinen <j@w1.fi>
These test cases depend on ERP processing to reach the get_emsk handler
function. Since ERP really needs the realm to derive a proper
keyName-NAI, modify these test cases to pass the realm part in the
identity to allow error checking to be introduced for rejecting ERP
cases where the realm is not available.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The previous fix to the OCSP request construction ended up finally
moving from SHA-1 -based hash to SHA-256 for OCSP test cases. To
maintain coverage for SHA-1, add cloned versions of the two test cases
so that both SHA-256 and SHA-1 cases get covered.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Fix the openssl ocsp command line and check if it returns an error - so
that instead of having something unusable later we error out
immediately. Moving the -sha256 argument earlier fixes hash function use
for the OCSP request generation (the old version used SHA-1).
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
This verifies both the internal and external GSM authentication
operation when EAP-SIM is tunneled within EAP-TTLS/PEAP/FAST.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
It does not look like BoringSSL allows pbeWithMD5AndDES-CBC to be used
to protect the local private key, so skip this test case.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>