Update the SAE-PK implementation to match the changes in the protocol
design:
- allow only Sec values 3 and 5 and encode this as a single bit field
with multiple copies
- add a checksum character
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Instead of overriding the subject field with something arbitrary, use
the value that is included in the CSR now that there is something there.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The parsed 'length' field might pointsbeyond the end of the frame, for
some malformed frames. I haven't figured the source of said packets (I'm
using kernel 4.14.177, FWIW), but we can at least be safer about our
handling of them here.
Signed-off-by: Brian Norris <briannorris@chromium.org>
Instead of checking if the kernel allows modules (via the presence of
/proc/modules), check if mac80211_hwsim is already there and load it
only if not. This gets rid of some ugly prints from modprobe in case
code isn't even a module and cannot be found, etc.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
With python3 bytes are returned for stdout, so need to use b''
strings instead of normal strings. These are just a few places
I ran into, almost certainly more places need it.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
If we want the test to actually use 160/80+80 we need to explicitly
advertise that we support it ourselves, since the kernel is going to be
a bit more strict about this.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Clear scan results explicitly in test cases that check BSS entry flags
to avoid incorrect failures based on results from earlier test cases.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Lambda >= 12 is needed with Sec = 2, so drop the shorter password
lengths in the sae_pk and module_wpa_supplicant test cases.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Now that there is a pending mac80211 patch ("mac80211: allow SA-QUERY
processing in userspace") to allow wpa_supplicant to take care of SA
Query Request processing, start enforcing correct behavior for this in
ocv_sa_query and wpa2_ocv_sta_override_sa_query_resp.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
If the current country code cannot be fetched, do not try to report the
current value in the log since that will result in TypeError exception.
Signed-off-by: Jouni Malinen <j@w1.fi>
Couple of VHT test cases missed explicit setting of hapd to None before
trying to start hostapd. Add those to avoid unexpected exceptions in
case hostapd start fails.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add a decorator that clears ignore_old_scan_res parameter value instead
of doing this with try/finally in large number of test cases.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add a decorator that disables IPv6 and requires running
under a VM, rather than open-coding that many times.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
The freqlist parameter uses comma, not space, separated values. Add
another test case for checking freqlist values that do not use the
preferred channel numbers to make sure the frequency list is actually
used as a constraint for selecting the channel.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add a test for delayed group rekey retransmission that checks that
the IGTK is protected against it by not resetting the IPN replay
counter when reinstalling such a key.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
While adding support for IGTK and BIGTK here, I tested this without
protections (i.e., with protections removed from both wpa_supplicant and
the driver), and while I got some bad resets on the debugfs values, it
should have failed with "unexpected connectivity".
Fix this to be correct - we need to reset the GTK PN, not the PTK PN in
this test.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Replace the gtk boolean by a keytype value indicating
GTK or PTK, to be able to extend to other types later.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
When run after other tests, It was likely that the target
bss was already present in scan_fail, so the
scan_for_bss() wouldn't trip the allocation failure in
wpa_bss_add(). Flush the scan results before the scan to
ensure wpa_bss_add() is called and consistently pass
scan_fail.
Signed-off-by: Thomas Pedersen <thomas@adapt-ip.com>
If sigma_dut is not installed, start_sigma_dut() will
throw an exception. Call start_sigma_dut() inside the
try/except to correctly reset the regulatory domain.
This fixes several seemingly random failures due to
regulatory domain not being reset.
Signed-off-by: Thomas Pedersen <thomas@adapt-ip.com>
The memory allocation in dpp_peer_intro() was moved into a helper
function dpp_check_signed_connector(), so update the test case to match.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This test case seems to be failing every now and then due to the AP not
getting out the Deauthentication frame after PMKSA expiration if the STA
is in power save mode.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
It looks like this test case was supposed to set power_save off at the
end instead of repeating the same setting twice.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
These test cases are using externally generated PMKSA cache entry which
does not support use of PFS. This will start failing if the station
claims to support PFS in such cases, so explicitly disable PFS
functionality in these test cases for now.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Otherwise the test will continue on and fail later due to unexpected
foreign ARP request. The try/except design here did not work properly to
detect this.
Signed-off-by: Thomas Pedersen <thomas@adapt-ip.com>
Crypto libraries are starting to refuse to accept the old shorter keys,
so move all test certificates and DH to use 2048 bit (or longer) keys.
Signed-off-by: Jouni Malinen <j@w1.fi>
Python 3.8 removed the previously used default of MD5 algorithm, so
provide the explicit digestmod=hashlib.md5 parameter to the couple of
places that were missing it.
Signed-off-by: Jouni Malinen <j@w1.fi>
The ap_beacon_rate_* test cases could end up terminating before the very
first Beacon frame is captured, so wait a bit after the connection to
make sure at least one Beacon frame is going to be in the capture file.
Signed-off-by: Jouni Malinen <j@w1.fi>
This test case was using sigma_dut to set sae_pwe=2, but that value was
not cleared in the end. This could result in following SAE test cases
failing due to unexpected behavior.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The eloop_register_read_sock() call in i802_init() will be skipped if
the driver supports control port for EAPOL RX, so need to skip this part
of the test case conditionally.
Signed-off-by: Jouni Malinen <j@w1.fi>