Gitiles
Code Review Sign In
gerrit.opencord.org / cord-tester / 22aa0c6a651c23dc5e6b132545f51df73d537954 / . / src / test / utils / EapTLS.py
blob: 8a3e1c7c051d176235dcd8e9dd050b5b2df29334 [file] [log] [blame]
Chetan Gaonkercfcce782016-05-10 10:10:42 -0700[diff] [blame]1#
2# Copyright 2016-present Ciena Corporation
3#
4# Licensed under the Apache License, Version 2.0 (the "License");
5# you may not use this file except in compliance with the License.
6# You may obtain a copy of the License at
7#
8# http://www.apache.org/licenses/LICENSE-2.0
9#
10# Unless required by applicable law or agreed to in writing, software
11# distributed under the License is distributed on an "AS IS" BASIS,
12# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13# See the License for the specific language governing permissions and
14# limitations under the License.
15#
A R Karthicka2e53d62016-02-19 17:38:30 -0800[diff] [blame]16import sys, os
A R Karthicka2e53d62016-02-19 17:38:30 -0800[diff] [blame]17from EapolAAA import *
18from enum import *
19import noseTlsAuthHolder as tlsAuthHolder
20from scapy_ssl_tls.ssl_tls import *
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame^]21from scapy_ssl_tls.ssl_tls_crypto import *
A R Karthicka2e53d62016-02-19 17:38:30 -0800[diff] [blame]22from socket import *
23from struct import *
24import scapy
25from nose.tools import *
26from CordTestBase import CordTester
Chetan Gaonker4a25e2b2016-03-04 14:45:15 -0800[diff] [blame]27import re
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame^]28
Chetan Gaonker5b366302016-03-21 16:18:21 -0700[diff] [blame]29log.setLevel('INFO')
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame^]30
31def bytes_to_num(data):
32 return int(data.encode('hex'), 16)
33
A R Karthicka2e53d62016-02-19 17:38:30 -0800[diff] [blame]34class TLSAuthTest(EapolPacket, CordTester):
35
36 tlsStateTable = Enumeration("TLSStateTable", ("ST_EAP_SETUP",
37 "ST_EAP_START",
38 "ST_EAP_ID_REQ",
39 "ST_EAP_TLS_HELLO_REQ",
40 "ST_EAP_TLS_CERT_REQ",
Chetan Gaonkerf8f77182016-03-11 15:34:57 -0800[diff] [blame]41 "ST_EAP_TLS_CHANGE_CIPHER_SPEC",
42 "ST_EAP_TLS_FINISHED",
A R Karthicka2e53d62016-02-19 17:38:30 -0800[diff] [blame]43 "ST_EAP_TLS_DONE"
44 )
45 )
46 tlsEventTable = Enumeration("TLSEventTable", ("EVT_EAP_SETUP",
47 "EVT_EAP_START",
48 "EVT_EAP_ID_REQ",
49 "EVT_EAP_TLS_HELLO_REQ",
50 "EVT_EAP_TLS_CERT_REQ",
Chetan Gaonkerf8f77182016-03-11 15:34:57 -0800[diff] [blame]51 "EVT_EAP_TLS_CHANGE_CIPHER_SPEC",
52 "EVT_EAP_TLS_FINISHED",
A R Karthicka2e53d62016-02-19 17:38:30 -0800[diff] [blame]53 "EVT_EAP_TLS_DONE"
54 )
55 )
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame^]56 server_hello_done_signature = '\x0e\x00\x00\x00'
57 SERVER_HELLO = '\x02'
58 SERVER_CERTIFICATE = '\x0b'
59 SERVER_HELLO_DONE = '\x0d'
60 SERVER_UNKNOWN = '\xff'
61 HANDSHAKE = '\x16'
62 CHANGE_CIPHER = '\x14'
63 TLS_OFFSET = 28
64 HDR_IDX = 0
65 DATA_IDX = 1
66 CB_IDX = 2
67 CLIENT_CERT = """-----BEGIN CERTIFICATE-----
Chetan Gaonkerf8f77182016-03-11 15:34:57 -0800[diff] [blame]68MIIDvTCCAqWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBizELMAkGA1UEBhMCVVMx
69CzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlTb21ld2hlcmUxEzARBgNVBAoTCkNpZW5h
70IEluYy4xHjAcBgkqhkiG9w0BCQEWD2FkbWluQGNpZW5hLmNvbTEmMCQGA1UEAxMd
71RXhhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTYwMzExMTg1MzM2WhcN
72MTcwMzA2MTg1MzM2WjBnMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEzARBgNV
73BAoTCkNpZW5hIEluYy4xFzAVBgNVBAMUDnVzZXJAY2llbmEuY29tMR0wGwYJKoZI
74hvcNAQkBFg51c2VyQGNpZW5hLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
75AQoCggEBAOxemcBsPn9tZsCa5o2JA6sQDC7A6JgCNXXl2VFzKLNNvB9PS6D7ZBsQ
765An0zEDMNzi51q7lnrYg1XyiE4S8FzMGAFr94RlGMQJUbRD9V/oqszMX4k++iAOK
77tIA1gr3x7Zi+0tkjVSVzXTmgNnhChAamdMsjYUG5+CY9WAicXyy+VEV3zTphZZDR
78OjcjEp4m/TSXVPYPgYDXI40YZKX5BdvqykWtT/tIgZb48RS1NPyN/XkCYzl3bv21
79qx7Mc0fcEbsJBIIRYTUkfxnsilcnmLxSYO+p+DZ9uBLBzcQt+4Rd5pLSfi21WM39
802Z2oOi3vs/OYAPAqgmi2JWOv3mePa/8CAwEAAaNPME0wEwYDVR0lBAwwCgYIKwYB
81BQUHAwIwNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL3d3dy5leGFtcGxlLmNvbS9l
82eGFtcGxlX2NhLmNybDANBgkqhkiG9w0BAQUFAAOCAQEALBzMPDTIB6sLyPl0T6JV
83MjOkyldAVhXWiQsTjaGQGJUUe1cmUJyZbUZEc13MygXMPOM4x7z6VpXGuq1c/Vxn
84VzQ2fNnbJcIAHi/7G8W5/SQfPesIVDsHTEc4ZspPi5jlS/MVX3HOC+BDbOjdbwqP
85RX0JEr+uOyhjO+lRxG8ilMRACoBUbw1eDuVDoEBgErSUC44pq5ioDw2xelc+Y6hQ
86dmtYwfY0DbvwxHtA495frLyPcastDiT/zre7NL51MyUDPjjYjghNQEwvu66IKbQ3
87T1tJBrgI7/WI+dqhKBFolKGKTDWIHsZXQvZ1snGu/FRYzg1l+R/jT8cRB9BDwhUt
88yg==
Chetan Gaonker4a25e2b2016-03-04 14:45:15 -0800[diff] [blame]89-----END CERTIFICATE-----"""
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame^]90
91 def handle_server_hello_done(self, server_hello_done):
92 if server_hello_done[-4:] == self.server_hello_done_signature:
93 self.server_hello_done_received = True
94
95 def __init__(self, intf = 'veth0'):
96 self.fsmTable = tlsAuthHolder.initTlsAuthHolderFsmTable(self, self.tlsStateTable, self.tlsEventTable)
97 EapolPacket.__init__(self, intf)
98 CordTester.__init__(self, self.fsmTable, self.tlsStateTable.ST_EAP_TLS_DONE)
99 #self.tlsStateTable, self.tlsEventTable)
100 self.currentState = self.tlsStateTable.ST_EAP_SETUP
101 self.currentEvent = self.tlsEventTable.EVT_EAP_SETUP
102 self.nextState = None
103 self.nextEvent = None
104 self.pending_bytes = 0 #for TLS fragment reassembly
105 self.server_hello_done_received = False
106 self.send_tls_response = True
107 self.server_certs = []
108 self.pkt_last = ''
109 self.pkt_history = []
110 self.pkt_map = { self.SERVER_HELLO: ['', '', lambda pkt: pkt ],
111 self.SERVER_CERTIFICATE: ['', '', lambda pkt: pkt ],
112 self.SERVER_HELLO_DONE: ['', '', self.handle_server_hello_done ],
113 self.SERVER_UNKNOWN: ['', '', lambda pkt: pkt ]
114 }
115 self.tls_ctx = TLSSessionCtx(client = True)
116
117 def load_tls_record(self, data, pkt_type = ''):
118 if pkt_type not in [ self.SERVER_HELLO_DONE, self.SERVER_UNKNOWN ]:
119 TLS(data, ctx = self.tls_ctx)
120
121 def pkt_update(self, pkt_type, data, hdr=None, reassembled = False):
122 if not self.pkt_map.has_key(pkt_type):
123 return
124 if hdr is not None:
125 self.pkt_map[pkt_type][self.HDR_IDX] += hdr
126 self.pkt_map[pkt_type][self.DATA_IDX] += data
127 if reassembled is True:
128 self.pkt_map[pkt_type][self.CB_IDX](self.pkt_map[pkt_type][self.DATA_IDX])
129 log.info('Appending packet type %02x to packet history of len %d'
130 %(ord(pkt_type), len(self.pkt_map[pkt_type][self.DATA_IDX])))
131 self.pkt_history.append(self.pkt_map[pkt_type][self.DATA_IDX])
132 data = ''.join(self.pkt_map[pkt_type][:self.DATA_IDX+1])
133 self.load_tls_record(data, pkt_type = pkt_type)
134 self.pkt_map[pkt_type][self.HDR_IDX] = ''
135 self.pkt_map[pkt_type][self.DATA_IDX] = ''
136
137 def eapol_server_hello_cb(self, pkt):
138 '''Reassemble and send response for server hello/certificate fragments'''
139 r = str(pkt)
140 offset = self.TLS_OFFSET
141 tls_data = r[offset:]
142 if self.pending_bytes > 0:
143 if len(tls_data) >= self.pending_bytes:
144 self.pkt_update(self.pkt_last, tls_data[:self.pending_bytes], reassembled = True)
145 offset += self.pending_bytes
146 self.pkt_last = ''
147 self.pending_bytes = 0
148 else:
149 self.pkt_update(self.pkt_last, tls_data)
150 self.pending_bytes -= len(tls_data)
151
152 while self.pending_bytes == 0 and offset < len(pkt):
153 tls_data = r[offset:]
154 self.pending_bytes = bytes_to_num(tls_data[3:5])
155 if tls_data[0] == self.HANDSHAKE:
156 pkt_type = tls_data[5]
157 if len(tls_data) - 5 >= self.pending_bytes:
158 data_received = tls_data[5: 5 + self.pending_bytes]
159 offset += 5 + self.pending_bytes
160 self.pending_bytes = 0
161 self.pkt_update(pkt_type, data_received,
162 hdr = tls_data[:5],
163 reassembled = True)
164 else:
165 self.pkt_update(pkt_type, tls_data[5:],
166 hdr = tls_data[:5],
167 reassembled = False)
168 self.pending_bytes -= len(tls_data) - 5
169 self.pkt_last = pkt_type
170 log.info('Pending bytes left %d' %(self.pending_bytes))
171 assert self.pending_bytes > 0
172 else:
173 self.pkt_last = self.SERVER_UNKNOWN
174 if len(tls_data) - 5 >= self.pending_bytes:
175 offset += 5 + self.pending_bytes
176 self.pending_bytes = 0
177 self.pkt_last = ''
178
179 #send TLS response
180 if self.send_tls_response:
181 eap_payload = self.eapTLS(EAP_RESPONSE, pkt[EAP].id, TLS_LENGTH_INCLUDED, '')
182 self.eapol_send(EAPOL_EAPPACKET, eap_payload)
183
184 def _eapSetup(self):
185 self.setup()
186 self.nextEvent = self.tlsEventTable.EVT_EAP_START
187
188 def _eapStart(self):
189 self.eapol_start()
190 self.nextEvent = self.tlsEventTable.EVT_EAP_ID_REQ
191
192 def _eapIdReq(self):
193 log.info( 'Inside EAP ID Req' )
194 def eapol_cb(pkt):
195 log.info('Got EAPOL packet with type id and code request')
196 log.info('Packet code: %d, type: %d, id: %d', pkt[EAP].code, pkt[EAP].type, pkt[EAP].id)
197 log.info("<====== Send EAP Response with identity = %s ================>" % USER)
198 self.eapol_id_req(pkt[EAP].id, USER)
199
200 self.eapol_scapy_recv(cb = eapol_cb,
201 lfilter =
202 lambda pkt: EAP in pkt and pkt[EAP].type == EAP.TYPE_ID and pkt[EAP].code == EAP.REQUEST)
203 self.nextEvent = self.tlsEventTable.EVT_EAP_TLS_HELLO_REQ
204
205 def _eapTlsHelloReq(self):
206
207 def eapol_cb(pkt):
208 log.info('Got hello request for id %d', pkt[EAP].id)
209 self.client_hello = TLSClientHello(version="TLS_1_0",
210 gmt_unix_time=1234,
211 random_bytes= '\xAB' * 28,
212 session_id='',
213 compression_methods=(TLSCompressionMethod.NULL),
214 cipher_suites=[TLSCipherSuite.RSA_WITH_AES_256_CBC_SHA]
215 )
216 self.pkt_history.append( str(self.client_hello) )
217 reqdata = TLSRecord()/TLSHandshake()/self.client_hello
218 self.load_tls_record(str(reqdata))
219 log.info("Sending Client Hello TLS payload of len %d, id %d" %(len(reqdata),pkt[EAP].id))
220 eap_payload = self.eapTLS(EAP_RESPONSE, pkt[EAP].id, TLS_LENGTH_INCLUDED, str(reqdata))
221 self.eapol_send(EAPOL_EAPPACKET, eap_payload)
222
223 self.eapol_scapy_recv(cb = eapol_cb,
224 lfilter =
225 lambda pkt: EAP in pkt and pkt[EAP].type == EAP_TYPE_TLS and pkt[EAP].code == EAP.REQUEST)
226
227 for i in range(2):
228 self.eapol_scapy_recv(cb = self.eapol_server_hello_cb,
229 lfilter =
230 lambda pkt: EAP in pkt and pkt[EAP].type == EAP_TYPE_TLS and pkt[EAP].code == EAP.REQUEST)
231 ##send cert request when we receive the last server hello fragment
232 self.nextEvent = self.tlsEventTable.EVT_EAP_TLS_CERT_REQ
233
234 def get_encrypted_handshake_msg(self, finish_val=''):
235 all_handshake_pkts = ''.join(self.pkt_history)
236 if not finish_val:
237 finish_val = self.tls_ctx.get_verify_data(data = all_handshake_pkts)
238 msg = str(TLSHandshake(type=TLSHandshakeType.FINISHED)/finish_val)
239 crypto_container = CryptoContainer(self.tls_ctx, data = msg,
240 content_type = TLSContentType.HANDSHAKE)
241 return crypto_container.encrypt()
242
243 def _eapTlsCertReq(self):
244
245 def eapol_cb(pkt):
246 log.info('Got cert request')
247 self.send_tls_response = False
248 self.eapol_server_hello_cb(pkt)
249 assert self.server_hello_done_received == True
250 rex_pem = re.compile(r'\-+BEGIN[^\-]+\-+(.*?)\-+END[^\-]+\-+', re.DOTALL)
251 der_cert = rex_pem.findall(self.CLIENT_CERT)[0].decode("base64")
252 client_certificate = TLSRecord(version="TLS_1_0")/TLSHandshake()/TLSCertificateList(
253 certificates=[TLSCertificate(data=x509.X509Cert(der_cert))])
254 kex_data = self.tls_ctx.get_client_kex_data()
255 client_key_ex = TLSRecord()/TLSHandshake()/kex_data
256 client_key_ex_data = str(TLSHandshake()/kex_data)
257 self.pkt_history.append(client_key_ex_data)
258 self.load_tls_record(str(client_key_ex))
259 #log.info('TLS ctxt: %s' %self.tls_ctx)
260 client_ccs = TLSRecord(version="TLS_1_0")/TLSChangeCipherSpec()
261 enc_handshake_msg = self.get_encrypted_handshake_msg()
262 handshake_msg = str(TLSRecord(content_type=TLSContentType.HANDSHAKE)/enc_handshake_msg)
263 reqdata = str(TLS.from_records( [client_certificate, client_key_ex, client_ccs] ))
264 reqdata += handshake_msg
Chetan Gaonker5b366302016-03-21 16:18:21 -0700[diff] [blame]265 log.info("------> Sending Client Hello TLS Certificate payload of len %d ----------->" %len(reqdata))
266 eap_payload = self.eapTLS(EAP_RESPONSE, pkt[EAP].id, TLS_LENGTH_INCLUDED, str(reqdata))
267 self.eapol_send(EAPOL_EAPPACKET, eap_payload)
268
269 self.eapol_scapy_recv(cb = eapol_cb,
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame^]270 lfilter =
271 lambda pkt: EAP in pkt and pkt[EAP].type == EAP_TYPE_TLS and pkt[EAP].code == EAP.REQUEST)
Chetan Gaonkerf8f77182016-03-11 15:34:57 -0800[diff] [blame]272 self.nextEvent = self.tlsEventTable.EVT_EAP_TLS_CHANGE_CIPHER_SPEC
273
274 def _eapTlsChangeCipherSpec(self):
Chetan Gaonker5b366302016-03-21 16:18:21 -0700[diff] [blame]275 def eapol_cb(pkt):
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame^]276 r = str(pkt)
277 tls_data = r[TLS_OFFSET:]
278 log.info('Verifying TLS Change Cipher spec record type %x' %ord(tls_data[0]))
279 assert tls_data[0] == self.CHANGE_CIPHER
Chetan Gaonker5b366302016-03-21 16:18:21 -0700[diff] [blame]280
281 self.eapol_scapy_recv(cb = eapol_cb,
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame^]282 lfilter =
283 lambda pkt: EAP in pkt and pkt[EAP].type == EAP_TYPE_TLS and pkt[EAP].code == EAP.REQUEST)
Chetan Gaonkerf8f77182016-03-11 15:34:57 -0800[diff] [blame]284 self.nextEvent = self.tlsEventTable.EVT_EAP_TLS_FINISHED
285
286 def _eapTlsFinished(self):
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame^]287
Chetan Gaonker5b366302016-03-21 16:18:21 -0700[diff] [blame]288 def eapol_cb(pkt):
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame^]289 log.info('Got Server finished')
Chetan Gaonker5b366302016-03-21 16:18:21 -0700[diff] [blame]290
291 self.eapol_scapy_recv(cb = eapol_cb,
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame^]292 lfilter =
293 lambda pkt: EAP in pkt and pkt[EAP].type == EAP_TYPE_TLS and pkt[EAP].code == EAP.REQUEST)
Chetan Gaonkerf8f77182016-03-11 15:34:57 -0800[diff] [blame]294 #We stop here as certification validation success implies auth success
A R Karthicka2e53d62016-02-19 17:38:30 -0800[diff] [blame]295 self.nextEvent = None