Test: Implement TLS fragment support in EAP TLS authentication.
Now that EAP-TLS fragmentation is supported, change the TLS authentication tests to the standard 2048-bit authentication mode.
Change-Id: I683c9bc441d5b965415fe4c97fbf84bf4e0a05e6
diff --git a/src/test/utils/EapTLS.py b/src/test/utils/EapTLS.py
index cf8c673..dd33b05 100644
--- a/src/test/utils/EapTLS.py
+++ b/src/test/utils/EapTLS.py
@@ -68,37 +68,55 @@
CB_IDX = 2
CLIENT_CERT = """-----BEGIN CERTIFICATE-----
-MIICuDCCAiGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBizELMAkGA1UEBhMCVVMx
+MIIDvTCCAqWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBizELMAkGA1UEBhMCVVMx
CzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlTb21ld2hlcmUxEzARBgNVBAoTCkNpZW5h
IEluYy4xHjAcBgkqhkiG9w0BCQEWD2FkbWluQGNpZW5hLmNvbTEmMCQGA1UEAxMd
-RXhhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTYwNjA2MjExMjI3WhcN
-MTcwNjAxMjExMjI3WjBnMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEzARBgNV
+RXhhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTYwMzExMTg1MzM2WhcN
+MTcwMzA2MTg1MzM2WjBnMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEzARBgNV
BAoTCkNpZW5hIEluYy4xFzAVBgNVBAMUDnVzZXJAY2llbmEuY29tMR0wGwYJKoZI
-hvcNAQkBFg51c2VyQGNpZW5hLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
-gYEAwvXiSzb9LZ6c7uNziUfKvoHO7wu/uiFC5YUpXbmVGuGZizbVrny0xnR85Dfe
-+9R4diansfDhIhzOUl1XjN3YDeSS9OeF5YWNNE8XDhlz2d3rVzaN6hIhdotBkUjg
-rUewjTg5OFR31QEyG3v8xR3CLgiE9xQELjZbSA07pD79zuUCAwEAAaNPME0wEwYD
-VR0lBAwwCgYIKwYBBQUHAwIwNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL3d3dy5l
-eGFtcGxlLmNvbS9leGFtcGxlX2NhLmNybDANBgkqhkiG9w0BAQUFAAOBgQDAjkrY
-6tDChmKbvr8w6Du/t8vHjTCoCIocHTN0qzWOeb1YsAGX89+TrWIuO1dFyYd+Z0KC
-PDKB5j/ygml9Na+AklSYAVJIjvlzXKZrOaPmhZqDufi+rXWti/utVqY4VMW2+HKC
-nXp37qWeuFLGyR1519Y1d6F/5XzqmvbwURuEug==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-----END CERTIFICATE-----"""
CLIENT_PRIV_KEY = """-----BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQDC9eJLNv0tnpzu43OJR8q+gc7vC7+6IULlhSlduZUa4ZmLNtWu
-fLTGdHzkN9771Hh2Jqex8OEiHM5SXVeM3dgN5JL054XlhY00TxcOGXPZ3etXNo3q
-EiF2i0GRSOCtR7CNODk4VHfVATIbe/zFHcIuCIT3FAQuNltIDTukPv3O5QIDAQAB
-AoGBAJha7NgYhevzqvIov25Fs1QDP0Kh7Ne5DH0u/e+nirUyHfqkBILSI7d+6uay
-Hsiv9t9mP+CXvGgbGMVW+oc0CpUbZw4Y64jZhg/vakMuHVhpgUCyPyzjk+7Z7STg
-2B1DEAxILApU8azjrDBIRHM8q0CH6NFwJPpFjg2oi7li6hPhAkEA56e/UT7Mh+57
-qWb2q9CuI+unQcav1tqxRxUtrGHl0YSO5YTWCnaT7vVFUSbemwUhEHJs8h+Qw41L
-g4eBu/qXLQJBANdy7puiDBBvV8XxQms14VRAEUUpCwqmzieG3RNmgr7wYRKyXzws
-hbgp5HIkGFIM4FOIrFj5jUP6CuF2BfoYaZkCQGRIny75w6s413nfY/u/TBOqyW5V
-J/wYElSWW35bpxTLkNzVY5+F88ankUlvTUDIuKaZEobCmXW+bilTeRs6gUUCQGeo
-2Lzw3rUZnTWTus0yg1Ox751C/hkF4LKL5NpsvAN6THpecAvXsA7HuS5hx4HSyCvo
-2mOEzj8ikxGfY4jNLiECQE09wQ39Gw3oGKCzdsTcWy8PXIWjOS44+7N/GjUB52+o
-CK7BGBOdZGZUSFc1rVA7eWKzxFDZ+EK264z6DL95mRw=
+MIIEpAIBAAKCAQEA7F6ZwGw+f21mwJrmjYkDqxAMLsDomAI1deXZUXMos028H09L
+oPtkGxDkCfTMQMw3OLnWruWetiDVfKIThLwXMwYAWv3hGUYxAlRtEP1X+iqzMxfi
+T76IA4q0gDWCvfHtmL7S2SNVJXNdOaA2eEKEBqZ0yyNhQbn4Jj1YCJxfLL5URXfN
+OmFlkNE6NyMSnib9NJdU9g+BgNcjjRhkpfkF2+rKRa1P+0iBlvjxFLU0/I39eQJj
+OXdu/bWrHsxzR9wRuwkEghFhNSR/GeyKVyeYvFJg76n4Nn24EsHNxC37hF3mktJ+
+LbVYzf3Znag6Le+z85gA8CqCaLYlY6/eZ49r/wIDAQABAoIBAQC9Oha4l2+JMBoc
+g2WjVVcccWJvY3xRhSMrWXEa5ahlswuxvRd8rwS7LlCBL/r8vQBQZ2ZY6fafM7X1
+awNZNgMUk+9g6PJ1+11s0g3mlgsCeYCwnKRO1ueofjh2k2AxlCZ0LAA8WS7nJm4x
+nfM9X3K2qDfEEHTh23Gvm1iIvDbtZ3+kXnjsdAuYduiaDDPNSyNOSCe2eCt2d9vt
+twV5pEf0PXcuLJ29i2LkRKdPwz/1J/AAE0dTJS9lrlLKE9qWXO2my4eUQI2FXVzW
+RpxhjGoFNXa59okobZ555rRrp4LHe8HPx5aowLSS5HGGrXHpiyYpFR9uciQxMD6q
+BQgmim5RAoGBAP09mWJS2gyiB9xqNY8MYyTrldXUIfujJ5OZch088rmbdS2p3TvG
+Oy6K0rOufBMCl95Ncv6YQ7cjQKpq8Q7fTfPkRI3/994DZu5D+vwyqIZpBnHDAnTi
+R9kf1Ep1QHmJPPE1GcijTnksaXP5g9+me2fTi4cCcl+An8GPv06z/KKjAoGBAO7x
+8MH1Dy2zAJhvlPbXdQLa/6b5aQeEVqObnJUvEaEy4M3c0QakULTDVQjsu/+ONNNV
+0Z5ZsBIWe/LaXxenub9lRJpD4KZOdz5bYIIq+Oa8L4bqTvyB/pVcZOE5a4ANvGiC
+4rVdAenPu734skgDFQPNZWKi/T6OZyJYgNzHG4L1AoGAEugvdHzVFM5gId+4Ifb9
+y/re0/kjlGMJCGcTcwVi5eKqa/9bqiPRtVbeBlZHoy+1YP6NUF7T5291W4PifYbE
+jioDyEpNGkFMxQtESOILXQWoWoQBwfJHBPnwYqLAbpKFf0jEpQs0R62+Lc96Pg9y
+9TyBFVJkcabrxorR8LFVclsCgYB8+eJ5MBneRy/aixIZAZxb//uTdAQxQFCohi2i
+Adpwu9HFGufhV3Q296u0XU3/XnvWxZ47+qES9Nujq//suXd32hnFrhcEJSpNXTHf
+I2bIGEmrgUYK4Fst+ANzobrOYWDYMQ0u2xSzHEoQFNH6xFHriTSsIJ/gZk8fMbdE
+wodrOQKBgQCOsFLo97vhlv6abA4v0T6bXuq4pzedIEh3bkqC/8rpLxqG98VoymHM
+bZIYf0U0KK3aNVfyXkIjGBaqA9/A0ttx/guOacf8M3yXbl3uEqlKevJTjhWlbUjp
+fM2med+fZ0+bh4DZ3O8BUJ1+6dxHngF/86GlwxTK4iSRkLIv6n3YSA==
-----END RSA PRIVATE KEY-----"""
def handle_server_hello_done(self, server_hello_done):
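Review bot: The replacement client certificate in CLIENT_CERT carries a one-year validity window (its notBefore/notAfter, decoded from the base64 on the `+RXhhbXBsZSB…` line, are 2016-03-11 and 2017-03-06), and that window closes about three months earlier than the 2017-06-01 expiry of the certificate it replaces, so the EAP-TLS tests acquire an unstated expiry date after which they fail for a reason unrelated to the code under test. A comment above CLIENT_CERT recording the expiry and how the test CA/client pair is regenerated would make that failure diagnosable; generating the pair during test setup would remove it. CLIENT_PRIV_KEY is test-only key material and nothing says so — a one-line `# test-only client key pair, paired with CLIENT_CERT; regenerate both together` above it would. The `def handle_server_hello_done` context line at the end of the hunk begins a method that continues outside it.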
@@ -341,8 +359,9 @@
reqdata = str(TLS.from_records([client_certificate, client_key_ex, client_cert_record, client_ccs]))
reqdata += handshake_msg
log.info("------> Sending Client Hello TLS Certificate payload of len %d ----------->" %len(reqdata))
- eap_payload = self.eapTLS(EAP_RESPONSE, pkt[EAP].id, TLS_LENGTH_INCLUDED, reqdata)
- self.eapol_send(EAPOL_EAPPACKET, eap_payload)
+ status = self.eapFragmentSend(EAP_RESPONSE, pkt[EAP].id, TLS_LENGTH_INCLUDED,
+ payload = reqdata, fragsize = 1024)
+ assert_equal(status, True)
r = self.eapol_scapy_recv(cb = eapol_cb,
lfilter =
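Review bot: `assert_equal(status, True)` on the added line cannot fail: every return path in eapFragmentSend (added in the EapolAAA.py hunk `@@ -71,6 +73,64 @@`) returns True, so the assertion documents an intent the helper does not implement. Either make eapFragmentSend return False when an expected fragment ACK does not arrive (its loop currently discards the result of eapol_scapy_recv) or drop the assertion so readers do not mistake it for a check; the only real failure signal today is whatever eapol_scapy_recv does when nothing is received, which is not visible here. `fragsize = 1024` also repeats the helper's own default, so pass it only if this call intends to pin the value. handle_server_hello_done starts before this hunk and continues past it.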
diff --git a/src/test/utils/EapolAAA.py b/src/test/utils/EapolAAA.py
index 0a2f8bd..c51f111 100644
--- a/src/test/utils/EapolAAA.py
+++ b/src/test/utils/EapolAAA.py
@@ -15,6 +15,7 @@
#
#### Authentication parameters
from scapy.all import *
+from scapy_ssl_tls.ssl_tls import *
from socket import *
from struct import *
import sys
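Review bot: `from scapy_ssl_tls.ssl_tls import *` is a third wildcard import into this module after `scapy.all`, `socket` and `struct`, so any name it exports silently shadows, or is shadowed by, those, with the import order deciding which wins. Nothing in the visible hunks of EapolAAA.py references a scapy_ssl_tls name, so a reader cannot tell what the module depends on; import the specific layers this file needs, or, if the import exists only so that the TLS layers are registered for callers such as EapTLS.py, say so in a trailing comment such as `# registers the TLS layers used by EapTLS.py`.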
@@ -45,13 +46,14 @@
EAP_TYPE_TLS = 13
cCertMsg = '\x0b\x00\x00\x03\x00\x00\x00'
TLS_LENGTH_INCLUDED = 0x80
+TLS_MORE_FRAGMENTS = 0x40
class EapolPacket(object):
def __init__(self, intf = 'veth0'):
self.intf = intf
self.s = None
- self.max_payload_size = 1600
+ self.max_recv_size = 1600
def setup(self):
self.s = socket(AF_PACKET, SOCK_RAW, htons(ETHERTYPE_PAE))
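Review bot: `TLS_MORE_FRAGMENTS = 0x40` is added next to `TLS_LENGTH_INCLUDED = 0x80` with nothing saying where the values come from or which bit of the same byte is still unmodelled. A trailing comment tying both to the EAP-TLS Flags field would do it: `TLS_LENGTH_INCLUDED = 0x80  # EAP-TLS Flags 'L' bit (RFC 5216 section 3.1)` and `TLS_MORE_FRAGMENTS = 0x40  # EAP-TLS Flags 'M' bit (RFC 5216 section 3.1)`. The rename of `max_payload_size` to `max_recv_size` in `__init__` is fine as it now names what the value bounds.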
@@ -71,6 +73,64 @@
def eap(self, code, pkt_id, req_type=0, data=""):
return EAP(code = code, id = pkt_id, type = req_type)/data
+ def eapFragmentSend(self, code, pkt_id, flags = TLS_LENGTH_INCLUDED, payload = "", fragsize = 1024):
+ req_type = EAP_TYPE_TLS
+ if code in [ EAP_SUCCESS, EAP_FAILURE ]:
+ data = pack("!BBH", code, pkt_id, 4)
+ self.eapol_send(EAPOL_EAPPACKET, data)
+ return True
+
+ if len(payload) <= fragsize:
+ if flags & TLS_LENGTH_INCLUDED:
+ flags_dlen = pack("!BL", flags, len(payload))
+ data = pack("!BBHB", code, pkt_id, 5 + len(flags_dlen) + len(payload), req_type) \
+ + flags_dlen + payload
+ self.eapol_send(EAPOL_EAPPACKET, data)
+ return True
+ flags_str = pack("!B", flags)
+ data = pack("!BBHB", code, pkt_id, 5+len(flags_str)+len(payload), req_type) + flags_str + payload
+ self.eapol_send(EAPOL_EAPPACKET, data)
+ return True
+
+ fragments = []
+ data = payload[:]
+ frag = 0
+ def eapol_frag_cb(pkt):
+ r = str(pkt)
+ tls_data = r[self.TLS_OFFSET:]
+ frag_data = fragments[frag]
+ ##change packet id in response to match request
+ eap_payload = frag_data[:1] + pack("!B", pkt[EAP].id) + frag_data[2:]
+ self.eapol_send(EAPOL_EAPPACKET, eap_payload)
+
+ while len(data) > 0:
+ data_frag = data[:fragsize]
+ data = data[fragsize:]
+ if frag == 0:
+ ##first frag, include the total length
+ flags_dlen = pack("!BL", TLS_LENGTH_INCLUDED | TLS_MORE_FRAGMENTS, len(payload))
+ fragments.append(pack("!BBHB", code, pkt_id, 5 + len(flags_dlen) + len(data_frag), req_type) \
+ + flags_dlen + data_frag)
+ else:
+ if len(data) > 0:
+ flags = TLS_MORE_FRAGMENTS
+ else:
+ flags = 0
+ flags_str = pack("!B", flags)
+ fragments.append(pack("!BBHB", code, pkt_id, 5+len(flags_str)+len(data_frag), req_type) + \
+ flags_str + data_frag)
+ frag += 1
+
+ frag = 0
+ self.eapol_send(EAPOL_EAPPACKET, fragments[frag])
+ for frag in range(len(fragments)-1):
+ frag += 1
+ r = self.eapol_scapy_recv(cb = eapol_frag_cb,
+ lfilter = lambda pkt: EAP in pkt and pkt[EAP].type == EAP_TYPE_TLS and \
+ pkt[EAP].code == EAP.REQUEST)
+
+ return True
+
def eapTLS(self, code, pkt_id, flags = TLS_LENGTH_INCLUDED, data=""):
req_type = EAP_TYPE_TLS
if code in [EAP_SUCCESS, EAP_FAILURE]:
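Review bot: eapol_frag_cb, the closure inside eapFragmentSend, sends the next fragment on any EAP-Request/TLS it is handed: it slices `tls_data = r[self.TLS_OFFSET:]` but never checks that the request is an empty fragment ACK (flags byte 0, no TLS data, RFC 5216 section 2.1.5), so a request that is not an ACK would still advance the sender. The `flags` argument is also silently ignored on the fragmented path (the first fragment always carries L|M, and the loop rebinds `flags` as a local), and the `r` result of eapol_scapy_recv is discarded, so a missed ACK is indistinguishable from success and the method still returns True. The callback reads `frag` from the enclosing scope, which the `for frag in range(...)` / `frag += 1` pair rebinds to index+1 before each receive; keeping the cursor in an explicit mutable cell (this file is Python 2, so `nonlocal` is unavailable) and not reusing the parameter name makes the sequencing readable. The rewrite below covers the fragment loop and callback; the EAP_SUCCESS/EAP_FAILURE and single-fragment paths are unchanged, and the ACK check is left as a marked TODO because the meaning of TLS_OFFSET is not visible in this hunk.
```python
        # … unchanged: EAP_SUCCESS/EAP_FAILURE path and single-fragment path …
        fragments = []
        rest = payload
        while rest:
            data_frag, rest = rest[:fragsize], rest[fragsize:]
            if not fragments:
                ##first fragment carries the total TLS length (L bit) plus M bit
                hdr = pack("!BL", TLS_LENGTH_INCLUDED | TLS_MORE_FRAGMENTS, len(payload))
            else:
                hdr = pack("!B", TLS_MORE_FRAGMENTS if rest else 0)
            fragments.append(pack("!BBHB", code, pkt_id, 5 + len(hdr) + len(data_frag), req_type)
                             + hdr + data_frag)

        cursor = [1]  # index of the fragment to send on the next ACK
        def eapol_frag_cb(pkt):
            tls_data = str(pkt)[self.TLS_OFFSET:]
            # TODO(review): confirm TLS_OFFSET addresses the EAP-TLS flags byte, then
            # return early unless tls_data is a bare ACK (flags 0, no TLS payload)
            frag_data = fragments[cursor[0]]
            ##change packet id in response to match request
            eap_payload = frag_data[:1] + pack("!B", pkt[EAP].id) + frag_data[2:]
            self.eapol_send(EAPOL_EAPPACKET, eap_payload)
            cursor[0] += 1

        self.eapol_send(EAPOL_EAPPACKET, fragments[0])
        for _ in range(len(fragments) - 1):
            self.eapol_scapy_recv(cb = eapol_frag_cb,
                                  lfilter = lambda pkt: EAP in pkt and pkt[EAP].type == EAP_TYPE_TLS and \
                                            pkt[EAP].code == EAP.REQUEST)
        # … unchanged: return True …
```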
@@ -82,11 +142,28 @@
flags_str = pack("!B", flags)
return pack("!BBHB", code, pkt_id, 5+len(flags_str)+len(data), req_type) + flags_str + data
+ def eapTLSFragment(self, code, pkt_id, frag, data="", data_len = 0):
+ req_type = EAP_TYPE_TLS
+ if frag == 0:
+ flags = TLS_LENGTH_INCLUDED | TLS_MORE_FRAGMENTS
+ elif frag > 0:
+ flags = TLS_MORE_FRAGMENTS
+ else:
+ #last fragment
+ flags = 0
+ if data_len == 0:
+ data_len = len(data)
+ if flags & TLS_LENGTH_INCLUDED:
+ flags_dlen = pack("!BL", flags, data_len)
+ return pack("!BBHB", code, pkt_id, 5+len(flags_dlen)+len(data), req_type) + flags_dlen + data
+ flags_str = pack("!B", flags)
+ return pack("!BBHB", code, pkt_id, 5+len(flags_str)+len(data), req_type) + flags_str + data
+
def eapol_send(self, eapol_type, eap_payload):
return sendp(self.llheader/self.eapol(eapol_type, eap_payload), iface=self.intf)
def eapol_recv(self):
- p = self.s.recv(self.max_payload_size)[14:]
+ p = self.s.recv(self.max_recv_size)[14:]
vers,pkt_type,eapollen = unpack("!BBH",p[:4])
print "Version %d, type %d, len %d" %(vers, pkt_type, eapollen)
assert_equal(pkt_type, EAPOL_EAPPACKET)
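Review bot: eapTLSFragment encodes the fragment position in the sign of `frag` — `frag == 0` sets L|M, `frag > 0` sets M, and only a negative value reaches the `#last fragment` branch — which neither the parameter name nor the hunk states, so a caller passing the natural last index (a positive number) gets the M bit set on the final fragment. A docstring spelling out the convention, or an explicit keyword such as `last=False` in place of the sign trick, would prevent that; `data_len` is likewise only consulted when `frag == 0`, which the signature does not convey. The header packing also repeats eapTLS (the method just above, which starts before this hunk) and eapFragmentSend, so building both on eapTLSFragment would leave one place where the EAP-TLS header layout lives. eapol_recv at the end of the hunk continues past it.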
@@ -113,7 +190,7 @@
def eap_md5_challenge_recv(self,rad_pwd):
PASS = rad_pwd
print 'Inside EAP MD5 Challenge Exchange'
- p = self.s.recv(self.max_payload_size)[14:]
+ p = self.s.recv(self.max_recv_size)[14:]
vers,pkt_type,eapollen = unpack("!BBH",p[:4])
print "EAPOL Version %d, type %d, len %d" %(vers, pkt_type, eapollen)
code, pkt_id, eaplen = unpack("!BBH", p[4:8])
@@ -129,7 +206,7 @@
def eap_Status(self):
print 'Inside EAP Status'
- p = self.s.recv(self.max_payload_size)[14:]
+ p = self.s.recv(self.max_recv_size)[14:]
code, id, eaplen = unpack("!BBH", p[4:8])
return code