Accueil Explorer Aide
S'inscrire Connexion
wareck
/
krackattacks
1
0
Fork 0
Fichiers Tickets 0 Pull Requests 0 Wiki
Parcourir la source

tests: Additional OCSP coverage

Verify OCSP stapling response that is signed by the CA rather than a
separate OCSP responder. In addition, verify that invalid signer
certificate (missing OCSP delegation) gets rejected.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen il y a 9 ans
Parent
63d9bf81ab
commit
d79ce4a6ce
3 fichiers modifiés avec 140 ajouts et 0 suppressions
Vue séparée Afficher les stats Diff
  1. 15 0
      tests/hwsim/auth_serv/ca-key.pem
  2. 21 0
      tests/hwsim/start.sh
  3. 104 0
      tests/hwsim/test_ap_eap.py

+ 15 - 0
tests/hwsim/auth_serv/ca-key.pem
Voir le fichier 

@@ -0,0 +1,15 @@
 
+-----BEGIN RSA PRIVATE KEY-----
 
+MIICXAIBAAKBgQC+HobkeQPB0ZTV1LOxKJB2+7imzW0c0Uj0CJpn//mmVLEZKd8p
 
+G83xb2YB59t5zsA5KiUTJpQMLHtaLIEPlO5R0HXmRtsXRqcViw5XD7BUdmMSyoYY
 
+vBrDFsBwCdZrQzm4mClGrMtqrTiIOwfcgc069h32L+8d166KttHnsxUCuQIDAQAB
 
+AoGAEPKDr8Yh0ZsvG0iUpAwrpI+XzDavrUvypt5FdVPaGzudddLHs9BosUbu3uie
 
+JeOKOw5Is8ZSmCs267jf4FW0UKtgpnHGK2H0ba0iramzz07oK48V4y7C7nS3eJr/
 
+Oen6H9BW4DNXreFZ5yTRFOiQ4eD1pHqR/M/bBieDfRjakgECQQDfgiYYInio4TmM
 
+9q/h1q5T1bGgajz5U4GInd0K2diNqVoGhSTAyRRGauH+68tPQuX7WCM1VE/lZfZL
 
+4/dlOaRhAkEA2cHNkrFh4CAlXgtCub+psmT032AIFDEpNNT0K22XIE8savYNqs8w
 
+aGPurrwGQflxCB19boiaKEcW5FQDkff9WQJAbUznNiw9V1D05OOKNWXX0HWTLMBn
 
+WwIkOVwByZmo1fX4aXHY/FIZESqZpCFJRlSPxS9f4Gd/vs3y+T/dLupWYQJAJDGX
 
+RrOfDg6px1jdzVvzC8jF/r7KePi23aYrs3Ayt1cRjfG50dNAO4moqXhtHdglFnE4
 
+YP/ph5pRTsA8G635eQJBAKbh0zB4HqFI2PmnKsShFBPNkK5x17nAZlYNJf2Ip4Ii
 
+2Gjxyx4H0iBVgFYLsLB6hRBkOPpx6Jl8mJXOtFXb8lE=
 
+-----END RSA PRIVATE KEY-----

+ 21 - 0
tests/hwsim/start.sh
Voir le fichier 

@@ -147,6 +147,27 @@ for i in unknown revoked; do
 
 	-reqin $DIR/auth_serv/ocsp-req.der \
 
 	-respout $LOGDIR/ocsp-server-cache-$i.der >> $LOGDIR/ocsp.log 2>&1
 
 done
 
+
 
+openssl ocsp -reqout $LOGDIR/ocsp-req.der -issuer $DIR/auth_serv/ca.pem \
 
+    -serial 0xD8D3E3A6CBE3CCE2 -no_nonce -sha256 >> $LOGDIR/ocsp.log 2>&1
 
+for i in "" "-unknown" "-revoked"; do
 
+    openssl ocsp -index $DIR/auth_serv/index$i.txt \
 
+	-rsigner $DIR/auth_serv/ca.pem \
 
+	-rkey $DIR/auth_serv/ca-key.pem \
 
+	-CA $DIR/auth_serv/ca.pem \
 
+	-ndays 7 \
 
+	-reqin $LOGDIR/ocsp-req.der \
 
+	-resp_no_certs \
 
+	-respout $LOGDIR/ocsp-resp-ca-signed$i.der >> $LOGDIR/ocsp.log 2>&1
 
+done
 
+openssl ocsp -index $DIR/auth_serv/index.txt \
 
+    -rsigner $DIR/auth_serv/server.pem \
 
+    -rkey $DIR/auth_serv/server.key \
 
+    -CA $DIR/auth_serv/ca.pem \
 
+    -ndays 7 \
 
+    -reqin $LOGDIR/ocsp-req.der \
 
+    -respout $LOGDIR/ocsp-resp-server-signed.der >> $LOGDIR/ocsp.log 2>&1
 
+
 
 touch $LOGDIR/hostapd.db
 
 sudo $HAPD_AS -ddKt $LOGDIR/as.conf $LOGDIR/as2.conf > $LOGDIR/auth_serv &

+ 104 - 0
tests/hwsim/test_ap_eap.py
Voir le fichier 

@@ -2507,6 +2507,110 @@ def int_eap_server_params():
 
                "private_key": "auth_serv/server.key" }
 
     return params
 
 
+def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev, apdev, params):
 
+    """EAP-TLS and CA signed OCSP response (good)"""
 
+    check_ocsp_support(dev[0])
 
+    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed.der")
 
+    if not os.path.exists(ocsp):
 
+        raise HwsimSkip("No OCSP response available")
 
+    params = int_eap_server_params()
 
+    params["ocsp_stapling_response"] = ocsp
 
+    hostapd.add_ap(apdev[0]['ifname'], params)
 
+    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
 
+                   identity="tls user", ca_cert="auth_serv/ca.pem",
 
+                   private_key="auth_serv/user.pkcs12",
 
+                   private_key_passwd="whatever", ocsp=2,
 
+                   scan_freq="2412")
 
+
 
+def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev, apdev, params):
 
+    """EAP-TLS and CA signed OCSP response (revoked)"""
 
+    check_ocsp_support(dev[0])
 
+    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-revoked.der")
 
+    if not os.path.exists(ocsp):
 
+        raise HwsimSkip("No OCSP response available")
 
+    params = int_eap_server_params()
 
+    params["ocsp_stapling_response"] = ocsp
 
+    hostapd.add_ap(apdev[0]['ifname'], params)
 
+    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
 
+                   identity="tls user", ca_cert="auth_serv/ca.pem",
 
+                   private_key="auth_serv/user.pkcs12",
 
+                   private_key_passwd="whatever", ocsp=2,
 
+                   wait_connect=False, scan_freq="2412")
 
+    count = 0
 
+    while True:
 
+        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
 
+        if ev is None:
 
+            raise Exception("Timeout on EAP status")
 
+        if 'bad certificate status response' in ev:
 
+            break
 
+        if 'certificate revoked' in ev:
 
+            break
 
+        count = count + 1
 
+        if count > 10:
 
+            raise Exception("Unexpected number of EAP status messages")
 
+
 
+    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
 
+    if ev is None:
 
+        raise Exception("Timeout on EAP failure report")
 
+
 
+def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev, apdev, params):
 
+    """EAP-TLS and CA signed OCSP response (unknown)"""
 
+    check_ocsp_support(dev[0])
 
+    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-unknown.der")
 
+    if not os.path.exists(ocsp):
 
+        raise HwsimSkip("No OCSP response available")
 
+    params = int_eap_server_params()
 
+    params["ocsp_stapling_response"] = ocsp
 
+    hostapd.add_ap(apdev[0]['ifname'], params)
 
+    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
 
+                   identity="tls user", ca_cert="auth_serv/ca.pem",
 
+                   private_key="auth_serv/user.pkcs12",
 
+                   private_key_passwd="whatever", ocsp=2,
 
+                   wait_connect=False, scan_freq="2412")
 
+    count = 0
 
+    while True:
 
+        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
 
+        if ev is None:
 
+            raise Exception("Timeout on EAP status")
 
+        if 'bad certificate status response' in ev:
 
+            break
 
+        count = count + 1
 
+        if count > 10:
 
+            raise Exception("Unexpected number of EAP status messages")
 
+
 
+    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
 
+    if ev is None:
 
+        raise Exception("Timeout on EAP failure report")
 
+
 
+def test_ap_wpa2_eap_tls_ocsp_server_signed(dev, apdev, params):
 
+    """EAP-TLS and server signed OCSP response"""
 
+    check_ocsp_support(dev[0])
 
+    ocsp = os.path.join(params['logdir'], "ocsp-resp-server-signed.der")
 
+    if not os.path.exists(ocsp):
 
+        raise HwsimSkip("No OCSP response available")
 
+    params = int_eap_server_params()
 
+    params["ocsp_stapling_response"] = ocsp
 
+    hostapd.add_ap(apdev[0]['ifname'], params)
 
+    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
 
+                   identity="tls user", ca_cert="auth_serv/ca.pem",
 
+                   private_key="auth_serv/user.pkcs12",
 
+                   private_key_passwd="whatever", ocsp=2,
 
+                   wait_connect=False, scan_freq="2412")
 
+    count = 0
 
+    while True:
 
+        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
 
+        if ev is None:
 
+            raise Exception("Timeout on EAP status")
 
+        if 'bad certificate status response' in ev:
 
+            break
 
+        count = count + 1
 
+        if count > 10:
 
+            raise Exception("Unexpected number of EAP status messages")
 
+
 
+    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
 
+    if ev is None:
 
+        raise Exception("Timeout on EAP failure report")
 
+
 
 def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
 
     """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
 
     check_ocsp_support(dev[0])