A R Karthick | 05d9b5f | 2016-06-08 11:53:54 -0700 | [diff] [blame] | 1 | # |
Chetan Gaonker | cfcce78 | 2016-05-10 10:10:42 -0700 | [diff] [blame] | 2 | # Copyright 2016-present Ciena Corporation |
| 3 | # |
| 4 | # Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | # you may not use this file except in compliance with the License. |
| 6 | # You may obtain a copy of the License at |
A R Karthick | 05d9b5f | 2016-06-08 11:53:54 -0700 | [diff] [blame] | 7 | # |
Chetan Gaonker | cfcce78 | 2016-05-10 10:10:42 -0700 | [diff] [blame] | 8 | # http://www.apache.org/licenses/LICENSE-2.0 |
A R Karthick | 05d9b5f | 2016-06-08 11:53:54 -0700 | [diff] [blame] | 9 | # |
Chetan Gaonker | cfcce78 | 2016-05-10 10:10:42 -0700 | [diff] [blame] | 10 | # Unless required by applicable law or agreed to in writing, software |
| 11 | # distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | # See the License for the specific language governing permissions and |
| 14 | # limitations under the License. |
| 15 | # |
A R Karthick | a2e53d6 | 2016-02-19 17:38:30 -0800 | [diff] [blame] | 16 | import sys, os |
A R Karthick | a2e53d6 | 2016-02-19 17:38:30 -0800 | [diff] [blame] | 17 | from EapolAAA import * |
| 18 | from enum import * |
| 19 | import noseTlsAuthHolder as tlsAuthHolder |
| 20 | from scapy_ssl_tls.ssl_tls import * |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 21 | from scapy_ssl_tls.ssl_tls_crypto import * |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 22 | from tls_cert import Key |
A R Karthick | a2e53d6 | 2016-02-19 17:38:30 -0800 | [diff] [blame] | 23 | from socket import * |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 24 | from CordTestServer import cord_test_radius_restart |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 25 | import struct |
A R Karthick | a2e53d6 | 2016-02-19 17:38:30 -0800 | [diff] [blame] | 26 | import scapy |
| 27 | from nose.tools import * |
| 28 | from CordTestBase import CordTester |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 29 | from CordContainer import * |
Chetan Gaonker | 4a25e2b | 2016-03-04 14:45:15 -0800 | [diff] [blame] | 30 | import re |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 31 | import time |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 32 | |
Chetan Gaonker | 5b36630 | 2016-03-21 16:18:21 -0700 | [diff] [blame] | 33 | log.setLevel('INFO') |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 34 | |
| 35 | def bytes_to_num(data): |
A R Karthick | 2b93d6a | 2016-09-06 15:19:09 -0700 | [diff] [blame] | 36 | try: |
| 37 | return int(data.encode('hex'), 16) |
| 38 | except: |
| 39 | print('Exception') |
| 40 | return -1 |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 41 | |
A R Karthick | a2e53d6 | 2016-02-19 17:38:30 -0800 | [diff] [blame] | 42 | class TLSAuthTest(EapolPacket, CordTester): |
| 43 | |
| 44 | tlsStateTable = Enumeration("TLSStateTable", ("ST_EAP_SETUP", |
| 45 | "ST_EAP_START", |
| 46 | "ST_EAP_ID_REQ", |
| 47 | "ST_EAP_TLS_HELLO_REQ", |
| 48 | "ST_EAP_TLS_CERT_REQ", |
Chetan Gaonker | f8f7718 | 2016-03-11 15:34:57 -0800 | [diff] [blame] | 49 | "ST_EAP_TLS_CHANGE_CIPHER_SPEC", |
| 50 | "ST_EAP_TLS_FINISHED", |
A R Karthick | a2e53d6 | 2016-02-19 17:38:30 -0800 | [diff] [blame] | 51 | "ST_EAP_TLS_DONE" |
| 52 | ) |
| 53 | ) |
| 54 | tlsEventTable = Enumeration("TLSEventTable", ("EVT_EAP_SETUP", |
| 55 | "EVT_EAP_START", |
| 56 | "EVT_EAP_ID_REQ", |
| 57 | "EVT_EAP_TLS_HELLO_REQ", |
| 58 | "EVT_EAP_TLS_CERT_REQ", |
Chetan Gaonker | f8f7718 | 2016-03-11 15:34:57 -0800 | [diff] [blame] | 59 | "EVT_EAP_TLS_CHANGE_CIPHER_SPEC", |
| 60 | "EVT_EAP_TLS_FINISHED", |
A R Karthick | a2e53d6 | 2016-02-19 17:38:30 -0800 | [diff] [blame] | 61 | "EVT_EAP_TLS_DONE" |
| 62 | ) |
| 63 | ) |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 64 | server_hello_done_signature = '\x0e\x00\x00\x00' |
| 65 | SERVER_HELLO = '\x02' |
| 66 | SERVER_CERTIFICATE = '\x0b' |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 67 | CERTIFICATE_REQUEST = '\x0d' |
| 68 | SERVER_HELLO_DONE = '\x0e' |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 69 | SERVER_UNKNOWN = '\xff' |
| 70 | HANDSHAKE = '\x16' |
| 71 | CHANGE_CIPHER = '\x14' |
| 72 | TLS_OFFSET = 28 |
| 73 | HDR_IDX = 0 |
| 74 | DATA_IDX = 1 |
| 75 | CB_IDX = 2 |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 76 | |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 77 | CLIENT_CERT = """-----BEGIN CERTIFICATE----- |
A R Karthick | aa10a20 | 2016-08-15 15:06:21 -0700 | [diff] [blame] | 78 | MIIDvTCCAqWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBizELMAkGA1UEBhMCVVMx |
Chetan Gaonker | f8f7718 | 2016-03-11 15:34:57 -0800 | [diff] [blame] | 79 | CzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlTb21ld2hlcmUxEzARBgNVBAoTCkNpZW5h |
| 80 | IEluYy4xHjAcBgkqhkiG9w0BCQEWD2FkbWluQGNpZW5hLmNvbTEmMCQGA1UEAxMd |
A R Karthick | aa10a20 | 2016-08-15 15:06:21 -0700 | [diff] [blame] | 81 | RXhhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTYwMzExMTg1MzM2WhcN |
| 82 | MTcwMzA2MTg1MzM2WjBnMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEzARBgNV |
Chetan Gaonker | f8f7718 | 2016-03-11 15:34:57 -0800 | [diff] [blame] | 83 | BAoTCkNpZW5hIEluYy4xFzAVBgNVBAMUDnVzZXJAY2llbmEuY29tMR0wGwYJKoZI |
A R Karthick | aa10a20 | 2016-08-15 15:06:21 -0700 | [diff] [blame] | 84 | hvcNAQkBFg51c2VyQGNpZW5hLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC |
| 85 | AQoCggEBAOxemcBsPn9tZsCa5o2JA6sQDC7A6JgCNXXl2VFzKLNNvB9PS6D7ZBsQ |
| 86 | 5An0zEDMNzi51q7lnrYg1XyiE4S8FzMGAFr94RlGMQJUbRD9V/oqszMX4k++iAOK |
| 87 | tIA1gr3x7Zi+0tkjVSVzXTmgNnhChAamdMsjYUG5+CY9WAicXyy+VEV3zTphZZDR |
| 88 | OjcjEp4m/TSXVPYPgYDXI40YZKX5BdvqykWtT/tIgZb48RS1NPyN/XkCYzl3bv21 |
| 89 | qx7Mc0fcEbsJBIIRYTUkfxnsilcnmLxSYO+p+DZ9uBLBzcQt+4Rd5pLSfi21WM39 |
| 90 | 2Z2oOi3vs/OYAPAqgmi2JWOv3mePa/8CAwEAAaNPME0wEwYDVR0lBAwwCgYIKwYB |
| 91 | BQUHAwIwNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL3d3dy5leGFtcGxlLmNvbS9l |
| 92 | eGFtcGxlX2NhLmNybDANBgkqhkiG9w0BAQUFAAOCAQEALBzMPDTIB6sLyPl0T6JV |
| 93 | MjOkyldAVhXWiQsTjaGQGJUUe1cmUJyZbUZEc13MygXMPOM4x7z6VpXGuq1c/Vxn |
| 94 | VzQ2fNnbJcIAHi/7G8W5/SQfPesIVDsHTEc4ZspPi5jlS/MVX3HOC+BDbOjdbwqP |
| 95 | RX0JEr+uOyhjO+lRxG8ilMRACoBUbw1eDuVDoEBgErSUC44pq5ioDw2xelc+Y6hQ |
| 96 | dmtYwfY0DbvwxHtA495frLyPcastDiT/zre7NL51MyUDPjjYjghNQEwvu66IKbQ3 |
| 97 | T1tJBrgI7/WI+dqhKBFolKGKTDWIHsZXQvZ1snGu/FRYzg1l+R/jT8cRB9BDwhUt |
| 98 | yg== |
Chetan Gaonker | 4a25e2b | 2016-03-04 14:45:15 -0800 | [diff] [blame] | 99 | -----END CERTIFICATE-----""" |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 100 | |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 101 | CLIENT_PRIV_KEY = """-----BEGIN RSA PRIVATE KEY----- |
A R Karthick | aa10a20 | 2016-08-15 15:06:21 -0700 | [diff] [blame] | 102 | MIIEpAIBAAKCAQEA7F6ZwGw+f21mwJrmjYkDqxAMLsDomAI1deXZUXMos028H09L |
| 103 | oPtkGxDkCfTMQMw3OLnWruWetiDVfKIThLwXMwYAWv3hGUYxAlRtEP1X+iqzMxfi |
| 104 | T76IA4q0gDWCvfHtmL7S2SNVJXNdOaA2eEKEBqZ0yyNhQbn4Jj1YCJxfLL5URXfN |
| 105 | OmFlkNE6NyMSnib9NJdU9g+BgNcjjRhkpfkF2+rKRa1P+0iBlvjxFLU0/I39eQJj |
| 106 | OXdu/bWrHsxzR9wRuwkEghFhNSR/GeyKVyeYvFJg76n4Nn24EsHNxC37hF3mktJ+ |
| 107 | LbVYzf3Znag6Le+z85gA8CqCaLYlY6/eZ49r/wIDAQABAoIBAQC9Oha4l2+JMBoc |
| 108 | g2WjVVcccWJvY3xRhSMrWXEa5ahlswuxvRd8rwS7LlCBL/r8vQBQZ2ZY6fafM7X1 |
| 109 | awNZNgMUk+9g6PJ1+11s0g3mlgsCeYCwnKRO1ueofjh2k2AxlCZ0LAA8WS7nJm4x |
| 110 | nfM9X3K2qDfEEHTh23Gvm1iIvDbtZ3+kXnjsdAuYduiaDDPNSyNOSCe2eCt2d9vt |
| 111 | twV5pEf0PXcuLJ29i2LkRKdPwz/1J/AAE0dTJS9lrlLKE9qWXO2my4eUQI2FXVzW |
| 112 | RpxhjGoFNXa59okobZ555rRrp4LHe8HPx5aowLSS5HGGrXHpiyYpFR9uciQxMD6q |
| 113 | BQgmim5RAoGBAP09mWJS2gyiB9xqNY8MYyTrldXUIfujJ5OZch088rmbdS2p3TvG |
| 114 | Oy6K0rOufBMCl95Ncv6YQ7cjQKpq8Q7fTfPkRI3/994DZu5D+vwyqIZpBnHDAnTi |
| 115 | R9kf1Ep1QHmJPPE1GcijTnksaXP5g9+me2fTi4cCcl+An8GPv06z/KKjAoGBAO7x |
| 116 | 8MH1Dy2zAJhvlPbXdQLa/6b5aQeEVqObnJUvEaEy4M3c0QakULTDVQjsu/+ONNNV |
| 117 | 0Z5ZsBIWe/LaXxenub9lRJpD4KZOdz5bYIIq+Oa8L4bqTvyB/pVcZOE5a4ANvGiC |
| 118 | 4rVdAenPu734skgDFQPNZWKi/T6OZyJYgNzHG4L1AoGAEugvdHzVFM5gId+4Ifb9 |
| 119 | y/re0/kjlGMJCGcTcwVi5eKqa/9bqiPRtVbeBlZHoy+1YP6NUF7T5291W4PifYbE |
| 120 | jioDyEpNGkFMxQtESOILXQWoWoQBwfJHBPnwYqLAbpKFf0jEpQs0R62+Lc96Pg9y |
| 121 | 9TyBFVJkcabrxorR8LFVclsCgYB8+eJ5MBneRy/aixIZAZxb//uTdAQxQFCohi2i |
| 122 | Adpwu9HFGufhV3Q296u0XU3/XnvWxZ47+qES9Nujq//suXd32hnFrhcEJSpNXTHf |
| 123 | I2bIGEmrgUYK4Fst+ANzobrOYWDYMQ0u2xSzHEoQFNH6xFHriTSsIJ/gZk8fMbdE |
| 124 | wodrOQKBgQCOsFLo97vhlv6abA4v0T6bXuq4pzedIEh3bkqC/8rpLxqG98VoymHM |
| 125 | bZIYf0U0KK3aNVfyXkIjGBaqA9/A0ttx/guOacf8M3yXbl3uEqlKevJTjhWlbUjp |
| 126 | fM2med+fZ0+bh4DZ3O8BUJ1+6dxHngF/86GlwxTK4iSRkLIv6n3YSA== |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 127 | -----END RSA PRIVATE KEY-----""" |
| 128 | |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 129 | def handle_server_hello_done(self, server_hello_done): |
| 130 | if server_hello_done[-4:] == self.server_hello_done_signature: |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 131 | log.info('server hello received') |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 132 | self.server_hello_done_received = True |
| 133 | |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 134 | def __init__(self, intf = 'veth0', client_cert = None, client_priv_key = None, |
| 135 | fail_cb = None, src_mac='default', version = "TLS_1_0", session_id = '', |
| 136 | session_id_length = None, gmt_unix_time=1234, invalid_content_type = 22, |
| 137 | record_fragment_length = None, cipher_suites_length = None, |
| 138 | compression_methods_length = None, compression_methods = TLSCompressionMethod.NULL, |
| 139 | CipherSuite = True, cipher_suite = 'RSA_WITH_AES_256_CBC_SHA', id_mismatch_in_identifier_response_packet = False, |
| 140 | id_mismatch_in_client_hello_packet = False , dont_send_client_certificate = False, |
| 141 | dont_send_client_hello = False, restart_radius = False, invalid_client_hello_handshake_type = False, |
| 142 | invalid_cert_req_handshake = False, incorrect_tlsrecord_type_cert_req = False, |
| 143 | invalid_client_hello_handshake_length = False, clientkeyex_replace_with_serverkeyex = False): |
| 144 | |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 145 | self.fsmTable = tlsAuthHolder.initTlsAuthHolderFsmTable(self, self.tlsStateTable, self.tlsEventTable) |
| 146 | EapolPacket.__init__(self, intf) |
| 147 | CordTester.__init__(self, self.fsmTable, self.tlsStateTable.ST_EAP_TLS_DONE) |
| 148 | #self.tlsStateTable, self.tlsEventTable) |
| 149 | self.currentState = self.tlsStateTable.ST_EAP_SETUP |
| 150 | self.currentEvent = self.tlsEventTable.EVT_EAP_SETUP |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 151 | self.src_mac = src_mac |
| 152 | self.version = version |
| 153 | self.session_id_length = session_id_length |
| 154 | self.session_id = session_id |
| 155 | self.gmt_unix_time = gmt_unix_time |
| 156 | self.invalid_content_type = invalid_content_type |
| 157 | self.CipherSuite = CipherSuite |
| 158 | self.cipher_suites_length = cipher_suites_length |
| 159 | self.compression_methods_length = compression_methods_length |
| 160 | self.cipher_suite = cipher_suite |
| 161 | self.compression_methods_length = compression_methods_length |
| 162 | self.compression_methods = compression_methods |
| 163 | self.record_fragment_length = record_fragment_length |
| 164 | self.invalid_client_hello_handshake_type = invalid_client_hello_handshake_type |
| 165 | self.invalid_client_hello_handshake_length = invalid_client_hello_handshake_length |
| 166 | self.invalid_cert_req_handshake = invalid_cert_req_handshake |
| 167 | self.id_mismatch_in_identifier_response_packet = id_mismatch_in_identifier_response_packet |
| 168 | self.id_mismatch_in_client_hello_packet = id_mismatch_in_client_hello_packet |
| 169 | self.dont_send_client_certificate = dont_send_client_certificate |
| 170 | self.dont_send_client_hello = dont_send_client_hello |
| 171 | self.incorrect_tlsrecord_type_cert_req = incorrect_tlsrecord_type_cert_req |
| 172 | self.restart_radius = restart_radius |
| 173 | self.clientkeyex_replace_with_serverkeyex = clientkeyex_replace_with_serverkeyex |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 174 | self.nextState = None |
| 175 | self.nextEvent = None |
| 176 | self.pending_bytes = 0 #for TLS fragment reassembly |
| 177 | self.server_hello_done_received = False |
A R Karthick | f028ec9 | 2016-08-15 16:58:11 -0700 | [diff] [blame] | 178 | self.server_hello_done_eap_id = 0 |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 179 | self.send_tls_response = True |
| 180 | self.server_certs = [] |
| 181 | self.pkt_last = '' |
| 182 | self.pkt_history = [] |
| 183 | self.pkt_map = { self.SERVER_HELLO: ['', '', lambda pkt: pkt ], |
| 184 | self.SERVER_CERTIFICATE: ['', '', lambda pkt: pkt ], |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 185 | self.CERTIFICATE_REQUEST: ['', '', lambda pkt: pkt ], |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 186 | self.SERVER_HELLO_DONE: ['', '', self.handle_server_hello_done ], |
| 187 | self.SERVER_UNKNOWN: ['', '', lambda pkt: pkt ] |
| 188 | } |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 189 | if self.clientkeyex_replace_with_serverkeyex: |
| 190 | self.tls_ctx = TLSSessionCtx(client = False) |
| 191 | else: |
| 192 | self.tls_ctx = TLSSessionCtx(client = True) |
A R Karthick | 05d9b5f | 2016-06-08 11:53:54 -0700 | [diff] [blame] | 193 | self.client_cert = self.CLIENT_CERT if client_cert is None else client_cert |
| 194 | self.client_priv_key = self.CLIENT_PRIV_KEY if client_priv_key is None else client_priv_key |
| 195 | self.failTest = False |
| 196 | self.fail_cb = fail_cb |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 197 | |
| 198 | def load_tls_record(self, data, pkt_type = ''): |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 199 | #if pkt_type not in [ self.SERVER_HELLO_DONE, self.SERVER_UNKNOWN ]: |
| 200 | if pkt_type == self.SERVER_HELLO_DONE: |
| 201 | data = str(TLSRecord(content_type=TLSContentType.HANDSHAKE)/data) |
| 202 | elif pkt_type == self.CERTIFICATE_REQUEST: |
| 203 | data = str(TLSRecord()/TLSHandshake(type=TLSHandshakeType.CERTIFICATE_REQUEST)/data[9:]) |
| 204 | data = None #For now ignore this record |
| 205 | if data: |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 206 | TLS(data, ctx = self.tls_ctx) |
| 207 | |
| 208 | def pkt_update(self, pkt_type, data, hdr=None, reassembled = False): |
| 209 | if not self.pkt_map.has_key(pkt_type): |
| 210 | return |
| 211 | if hdr is not None: |
| 212 | self.pkt_map[pkt_type][self.HDR_IDX] += hdr |
| 213 | self.pkt_map[pkt_type][self.DATA_IDX] += data |
| 214 | if reassembled is True: |
| 215 | self.pkt_map[pkt_type][self.CB_IDX](self.pkt_map[pkt_type][self.DATA_IDX]) |
| 216 | log.info('Appending packet type %02x to packet history of len %d' |
| 217 | %(ord(pkt_type), len(self.pkt_map[pkt_type][self.DATA_IDX]))) |
| 218 | self.pkt_history.append(self.pkt_map[pkt_type][self.DATA_IDX]) |
| 219 | data = ''.join(self.pkt_map[pkt_type][:self.DATA_IDX+1]) |
| 220 | self.load_tls_record(data, pkt_type = pkt_type) |
| 221 | self.pkt_map[pkt_type][self.HDR_IDX] = '' |
| 222 | self.pkt_map[pkt_type][self.DATA_IDX] = '' |
| 223 | |
A R Karthick | 05d9b5f | 2016-06-08 11:53:54 -0700 | [diff] [blame] | 224 | def tlsFail(self): |
| 225 | ##Force a failure |
ChetanGaonker | 3441faf | 2016-10-27 12:15:21 -0700 | [diff] [blame] | 226 | log.info('entering into testFail function') |
A R Karthick | 05d9b5f | 2016-06-08 11:53:54 -0700 | [diff] [blame] | 227 | self.nextEvent = self.tlsEventTable.EVT_EAP_TLS_FINISHED |
A.R Karthick | 7eb2ce0 | 2016-06-10 19:00:50 -0700 | [diff] [blame] | 228 | self.nextState = self.tlsStateTable.ST_EAP_TLS_FINISHED |
A R Karthick | 05d9b5f | 2016-06-08 11:53:54 -0700 | [diff] [blame] | 229 | self.failTest = True |
| 230 | |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 231 | def eapol_server_hello_cb(self, pkt): |
| 232 | '''Reassemble and send response for server hello/certificate fragments''' |
| 233 | r = str(pkt) |
| 234 | offset = self.TLS_OFFSET |
| 235 | tls_data = r[offset:] |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 236 | type_hdrlen = 0 |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 237 | if self.pending_bytes > 0: |
| 238 | if len(tls_data) >= self.pending_bytes: |
| 239 | self.pkt_update(self.pkt_last, tls_data[:self.pending_bytes], reassembled = True) |
| 240 | offset += self.pending_bytes |
| 241 | self.pkt_last = '' |
| 242 | self.pending_bytes = 0 |
| 243 | else: |
| 244 | self.pkt_update(self.pkt_last, tls_data) |
| 245 | self.pending_bytes -= len(tls_data) |
A R Karthick | 2b93d6a | 2016-09-06 15:19:09 -0700 | [diff] [blame] | 246 | print('Offset: %d, pkt : %d, pending %d\n' %(offset, len(pkt), self.pending_bytes)) |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 247 | while self.pending_bytes == 0 and offset < len(pkt): |
| 248 | tls_data = r[offset:] |
A R Karthick | 2b93d6a | 2016-09-06 15:19:09 -0700 | [diff] [blame] | 249 | hexdump(tls_data) |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 250 | self.pending_bytes = bytes_to_num(tls_data[3:5]) |
A R Karthick | 2b93d6a | 2016-09-06 15:19:09 -0700 | [diff] [blame] | 251 | if self.pending_bytes < 0: |
| 252 | self.pending_bytes = 0 |
| 253 | return |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 254 | if tls_data[0] == self.HANDSHAKE: |
| 255 | pkt_type = tls_data[5] |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 256 | if pkt_type in [ self.CERTIFICATE_REQUEST ]: |
| 257 | self.pending_bytes = bytes_to_num(tls_data[6:9]) |
| 258 | type_hdrlen = 4 |
| 259 | if len(tls_data) - 5 - type_hdrlen >= self.pending_bytes: |
| 260 | data_received = tls_data[5: 5 + type_hdrlen + self.pending_bytes ] |
| 261 | offset += 5 + type_hdrlen + self.pending_bytes |
| 262 | type_hdrlen = 0 |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 263 | self.pending_bytes = 0 |
| 264 | self.pkt_update(pkt_type, data_received, |
| 265 | hdr = tls_data[:5], |
| 266 | reassembled = True) |
| 267 | else: |
| 268 | self.pkt_update(pkt_type, tls_data[5:], |
| 269 | hdr = tls_data[:5], |
| 270 | reassembled = False) |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 271 | self.pending_bytes -= len(tls_data) - 5 - type_hdrlen |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 272 | self.pkt_last = pkt_type |
| 273 | log.info('Pending bytes left %d' %(self.pending_bytes)) |
| 274 | assert self.pending_bytes > 0 |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 275 | elif tls_data[0] == self.SERVER_HELLO_DONE: |
A R Karthick | f028ec9 | 2016-08-15 16:58:11 -0700 | [diff] [blame] | 276 | self.server_hello_done_eap_id = pkt[EAP].id |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 277 | self.pkt_update(tls_data[0], tls_data, reassembled = True) |
| 278 | break |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 279 | else: |
| 280 | self.pkt_last = self.SERVER_UNKNOWN |
| 281 | if len(tls_data) - 5 >= self.pending_bytes: |
| 282 | offset += 5 + self.pending_bytes |
| 283 | self.pending_bytes = 0 |
| 284 | self.pkt_last = '' |
| 285 | |
A R Karthick | f028ec9 | 2016-08-15 16:58:11 -0700 | [diff] [blame] | 286 | #send TLS response ack till we receive server hello done |
| 287 | if self.server_hello_done_received == False: |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 288 | eap_payload = self.eapTLS(EAP_RESPONSE, pkt[EAP].id, TLS_LENGTH_INCLUDED, '') |
| 289 | self.eapol_send(EAPOL_EAPPACKET, eap_payload) |
| 290 | |
| 291 | def _eapSetup(self): |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 292 | #if self.src_mac == 'bcast':self.setup(src_mac='bcast') |
| 293 | #if self.src_mac == 'mcast': self.setup(src_mac='mcast') |
| 294 | #if self.src_mac == 'zeros': self.setup(src_mac='zeros') |
| 295 | #if self.src_mac == 'default': self.setup(src_mac='default') |
ChetanGaonker | e2b665b | 2016-12-07 00:50:56 -0800 | [diff] [blame] | 296 | log.info('source mac is %s'%self.src_mac) |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 297 | self.setup(src_mac=self.src_mac) |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 298 | self.nextEvent = self.tlsEventTable.EVT_EAP_START |
A R Karthick | 05d9b5f | 2016-06-08 11:53:54 -0700 | [diff] [blame] | 299 | |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 300 | def _eapStart(self): |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 301 | log.info('_eapStart method started') |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 302 | self.eapol_start() |
| 303 | self.nextEvent = self.tlsEventTable.EVT_EAP_ID_REQ |
| 304 | |
| 305 | def _eapIdReq(self): |
| 306 | log.info( 'Inside EAP ID Req' ) |
| 307 | def eapol_cb(pkt): |
| 308 | log.info('Got EAPOL packet with type id and code request') |
| 309 | log.info('Packet code: %d, type: %d, id: %d', pkt[EAP].code, pkt[EAP].type, pkt[EAP].id) |
| 310 | log.info("<====== Send EAP Response with identity = %s ================>" % USER) |
ChetanGaonker | e2b665b | 2016-12-07 00:50:56 -0800 | [diff] [blame] | 311 | if self.id_mismatch_in_identifier_response_packet: |
| 312 | log.info('\nSending invalid id field in EAP Identity Response packet') |
| 313 | self.eapol_id_req(pkt[EAP].id+10, USER) |
| 314 | else: |
| 315 | self.eapol_id_req(pkt[EAP].id, USER) |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 316 | |
A R Karthick | 05d9b5f | 2016-06-08 11:53:54 -0700 | [diff] [blame] | 317 | r = self.eapol_scapy_recv(cb = eapol_cb, |
| 318 | lfilter = |
| 319 | lambda pkt: EAP in pkt and pkt[EAP].type == EAP.TYPE_ID and pkt[EAP].code == EAP.REQUEST) |
| 320 | if len(r) > 0: |
| 321 | self.nextEvent = self.tlsEventTable.EVT_EAP_TLS_HELLO_REQ |
| 322 | else: |
| 323 | self.tlsFail() |
| 324 | return r |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 325 | |
| 326 | def _eapTlsHelloReq(self): |
| 327 | |
| 328 | def eapol_cb(pkt): |
| 329 | log.info('Got hello request for id %d', pkt[EAP].id) |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 330 | self.client_hello = TLSClientHello(version= self.version, |
| 331 | gmt_unix_time=self.gmt_unix_time, |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 332 | random_bytes= '\xAB' * 28, |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 333 | session_id_length = self.session_id_length, |
| 334 | session_id= self.session_id, |
| 335 | compression_methods_length = self.compression_methods_length, |
| 336 | compression_methods= self.compression_methods, |
| 337 | cipher_suites_length = self.cipher_suites_length, |
| 338 | cipher_suites=[self.cipher_suite] |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 339 | ) |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 340 | if self.invalid_client_hello_handshake_type: |
| 341 | log.info('sending server_hello instead of client_hello handshape type in client hello packet') |
| 342 | client_hello_data = TLSHandshake(type='server_hello')/self.client_hello |
| 343 | elif self.invalid_client_hello_handshake_length: |
| 344 | log.info('sending TLS Handshake message with zero length field in client hello packet') |
| 345 | client_hello_data = TLSHandshake(length=0)/self.client_hello |
| 346 | else: |
| 347 | client_hello_data = TLSHandshake()/self.client_hello |
| 348 | #client_hello_data = TLSHandshake()/self.client_hello |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 349 | self.pkt_history.append( str(client_hello_data) ) |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 350 | if self.record_fragment_length: |
| 351 | reqdata = TLSRecord(length=self.record_fragment_length)/client_hello_data |
| 352 | else: |
| 353 | reqdata = TLSRecord()/client_hello_data |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 354 | self.load_tls_record(str(reqdata)) |
| 355 | log.info("Sending Client Hello TLS payload of len %d, id %d" %(len(reqdata),pkt[EAP].id)) |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 356 | if self.id_mismatch_in_client_hello_packet: |
| 357 | log.info('\nsending invalid id field in client hello packet') |
| 358 | eap_payload = self.eapTLS(EAP_RESPONSE, pkt[EAP].id+10, TLS_LENGTH_INCLUDED, str(reqdata)) |
| 359 | else: |
| 360 | eap_payload = self.eapTLS(EAP_RESPONSE, pkt[EAP].id, TLS_LENGTH_INCLUDED, str(reqdata)) |
| 361 | if self.dont_send_client_hello: |
| 362 | log.info('\nskipping client hello packet sending part') |
| 363 | pass |
| 364 | else: |
| 365 | self.eapol_send(EAPOL_EAPPACKET, eap_payload) |
| 366 | if self.restart_radius: |
| 367 | cord_test_radius_restart() |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 368 | |
A R Karthick | 05d9b5f | 2016-06-08 11:53:54 -0700 | [diff] [blame] | 369 | r = self.eapol_scapy_recv(cb = eapol_cb, |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 370 | lfilter = |
| 371 | lambda pkt: EAP in pkt and pkt[EAP].type == EAP_TYPE_TLS and pkt[EAP].code == EAP.REQUEST) |
A R Karthick | 05d9b5f | 2016-06-08 11:53:54 -0700 | [diff] [blame] | 372 | |
| 373 | if len(r) == 0: |
| 374 | self.tlsFail() |
| 375 | return r |
| 376 | |
A R Karthick | f028ec9 | 2016-08-15 16:58:11 -0700 | [diff] [blame] | 377 | #move to client/server certificate request |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 378 | self.nextEvent = self.tlsEventTable.EVT_EAP_TLS_CERT_REQ |
| 379 | |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 380 | def get_verify_data(self): |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 381 | all_handshake_pkts = ''.join(self.pkt_history) |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 382 | return self.tls_ctx.get_verify_data(data = all_handshake_pkts) |
| 383 | |
| 384 | def get_verify_signature(self, pem_data): |
| 385 | all_handshake_pkts = ''.join(self.pkt_history) |
| 386 | k = Key(pem_data) |
| 387 | signature = k.sign(all_handshake_pkts, t = 'pkcs', h = 'tls') |
| 388 | signature_data = '{}{}'.format(struct.pack('!H', len(signature)), signature) |
| 389 | return signature_data |
| 390 | |
| 391 | def get_encrypted_handshake_msg(self, finish_val=''): |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 392 | if not finish_val: |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 393 | finish_val = self.get_verify_data() |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 394 | msg = str(TLSHandshake(type=TLSHandshakeType.FINISHED)/finish_val) |
| 395 | crypto_container = CryptoContainer(self.tls_ctx, data = msg, |
| 396 | content_type = TLSContentType.HANDSHAKE) |
| 397 | return crypto_container.encrypt() |
| 398 | |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 399 | def get_encrypted_application_msg(self, msg = ''): |
| 400 | '''Needed with tunneled TLS''' |
| 401 | if not msg: |
| 402 | msg = 'test data' |
| 403 | return to_raw(TLSPlaintext(data = 'GET / HTTP/1.1\r\nHOST: localhost\r\n\r\n'), self.tls_ctx) |
| 404 | |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 405 | def _eapTlsCertReq(self): |
A R Karthick | f028ec9 | 2016-08-15 16:58:11 -0700 | [diff] [blame] | 406 | log.info('Receiving server certificates') |
| 407 | while self.server_hello_done_received == False: |
| 408 | r = self.eapol_scapy_recv(cb = self.eapol_server_hello_cb, |
| 409 | lfilter = |
| 410 | lambda pkt: EAP in pkt and pkt[EAP].type == EAP_TYPE_TLS and \ |
| 411 | pkt[EAP].code == EAP.REQUEST) |
| 412 | if len(r) == 0: |
| 413 | self.tlsFail() |
| 414 | return r |
A R Karthick | f028ec9 | 2016-08-15 16:58:11 -0700 | [diff] [blame] | 415 | log.info('Sending client certificate request') |
| 416 | rex_pem = re.compile(r'\-+BEGIN[^\-]+\-+(.*?)\-+END[^\-]+\-+', re.DOTALL) |
| 417 | if self.client_cert: |
| 418 | der_cert = rex_pem.findall(self.client_cert)[0].decode("base64") |
| 419 | client_certificate_list = TLSHandshake()/TLSCertificateList( |
| 420 | certificates=[TLSCertificate(data=x509.X509Cert(der_cert))]) |
A R Karthick | 05d9b5f | 2016-06-08 11:53:54 -0700 | [diff] [blame] | 421 | else: |
A R Karthick | f028ec9 | 2016-08-15 16:58:11 -0700 | [diff] [blame] | 422 | client_certificate_list = TLSHandshake()/TLSCertificateList(certificates=[]) |
| 423 | client_certificate = TLSRecord(version="TLS_1_0")/client_certificate_list |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 424 | kex_data = self.tls_ctx.get_client_kex_data() |
A R Karthick | f028ec9 | 2016-08-15 16:58:11 -0700 | [diff] [blame] | 425 | client_key_ex_data = TLSHandshake()/kex_data |
| 426 | client_key_ex = TLSRecord()/client_key_ex_data |
| 427 | if self.client_cert: |
| 428 | self.load_tls_record(str(client_certificate)) |
| 429 | self.pkt_history.append(str(client_certificate_list)) |
| 430 | self.load_tls_record(str(client_key_ex)) |
| 431 | self.pkt_history.append(str(client_key_ex_data)) |
| 432 | verify_signature = self.get_verify_signature(self.client_priv_key) |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 433 | if self.invalid_cert_req_handshake: |
| 434 | log.info("sending 'certificate-request' type of handshake message instead of 'certificate-verify' type") |
| 435 | client_cert_verify = TLSHandshake(type=TLSHandshakeType.CERTIFICATE_REQUEST)/verify_signature |
| 436 | else: |
| 437 | client_cert_verify = TLSHandshake(type=TLSHandshakeType.CERTIFICATE_VERIFY)/verify_signature |
| 438 | if self.incorrect_tlsrecord_type_cert_req: |
| 439 | log.info("sending TLS Record type as ALERT instead of HANDSHAKE in certificate request packet") |
| 440 | client_cert_record = TLSRecord(content_type=TLSContentType.ALERT)/client_cert_verify |
| 441 | else: |
| 442 | client_cert_record = TLSRecord(content_type=TLSContentType.HANDSHAKE)/client_cert_verify |
A R Karthick | f028ec9 | 2016-08-15 16:58:11 -0700 | [diff] [blame] | 443 | self.pkt_history.append(str(client_cert_verify)) |
| 444 | #log.info('TLS ctxt: %s' %self.tls_ctx) |
| 445 | client_ccs = TLSRecord(version="TLS_1_0")/TLSChangeCipherSpec() |
| 446 | enc_handshake_msg = self.get_encrypted_handshake_msg() |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 447 | if self.invalid_content_type: |
| 448 | handshake_msg = str(TLSRecord(content_type=self.invalid_content_type)/enc_handshake_msg) |
| 449 | else: |
| 450 | handshake_msg = str(TLSRecord(content_type=TLSContentType.HANDSHAKE)/enc_handshake_msg) |
A R Karthick | f028ec9 | 2016-08-15 16:58:11 -0700 | [diff] [blame] | 451 | reqdata = str(TLS.from_records([client_certificate, client_key_ex, client_cert_record, client_ccs])) |
| 452 | reqdata += handshake_msg |
| 453 | log.info("------> Sending Client Hello TLS Certificate payload of len %d ----------->" %len(reqdata)) |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 454 | if self.dont_send_client_certificate: |
| 455 | log.info('\nskipping sending client certificate part') |
| 456 | pass |
| 457 | else: |
| 458 | status = self.eapFragmentSend(EAP_RESPONSE, self.server_hello_done_eap_id, TLS_LENGTH_INCLUDED, |
A R Karthick | f028ec9 | 2016-08-15 16:58:11 -0700 | [diff] [blame] | 459 | payload = reqdata, fragsize = 1024) |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 460 | assert_equal(status, True) |
| 461 | self.nextEvent = self.tlsEventTable.EVT_EAP_TLS_CHANGE_CIPHER_SPEC |
Chetan Gaonker | f8f7718 | 2016-03-11 15:34:57 -0800 | [diff] [blame] | 462 | |
ChetanGaonker | 3441faf | 2016-10-27 12:15:21 -0700 | [diff] [blame] | 463 | def _eapTlsCertReq_delay(self): |
| 464 | self.server_hello_done_received = True |
| 465 | log.info('Sending client certificate request') |
| 466 | rex_pem = re.compile(r'\-+BEGIN[^\-]+\-+(.*?)\-+END[^\-]+\-+', re.DOTALL) |
| 467 | |
| 468 | if self.client_cert: |
| 469 | der_cert = rex_pem.findall(self.client_cert)[0].decode("base64") |
| 470 | client_certificate_list = TLSHandshake()/TLSCertificateList( |
| 471 | certificates=[TLSCertificate(data=x509.X509Cert(der_cert))]) |
| 472 | else: |
| 473 | client_certificate_list = TLSHandshake()/TLSCertificateList(certificates=[]) |
| 474 | |
| 475 | client_certificate = TLSRecord(version="TLS_1_0")/client_certificate_list |
| 476 | kex_data = self.tls_ctx.get_client_kex_data() |
| 477 | client_key_ex_data = TLSHandshake()/kex_data |
| 478 | client_key_ex = TLSRecord()/client_key_ex_data |
| 479 | |
| 480 | if self.client_cert: |
| 481 | self.load_tls_record(str(client_certificate)) |
| 482 | self.pkt_history.append(str(client_certificate_list)) |
| 483 | |
| 484 | self.load_tls_record(str(client_key_ex)) |
| 485 | self.pkt_history.append(str(client_key_ex_data)) |
| 486 | verify_signature = self.get_verify_signature(self.client_priv_key) |
| 487 | |
| 488 | if self.invalid_cert_req_handshake: |
| 489 | log.info("Sending 'certificate-request' type of handshake message instead of 'certificate-verify' type") |
| 490 | client_cert_verify = TLSHandshake(type=TLSHandshakeType.CERTIFICATE_REQUEST)/verify_signature |
| 491 | else: |
| 492 | client_cert_verify = TLSHandshake(type=TLSHandshakeType.CERTIFICATE_VERIFY)/verify_signature |
| 493 | |
| 494 | if self.incorrect_tlsrecord_type_cert_req: |
| 495 | log.info("Sending TLS Record type as ALERT instead of HANDSHAKE in certificate request packet") |
| 496 | client_cert_record = TLSRecord(content_type=TLSContentType.ALERT)/client_cert_verify |
| 497 | else: |
| 498 | client_cert_record = TLSRecord(content_type=TLSContentType.HANDSHAKE)/client_cert_verify |
| 499 | |
| 500 | self.pkt_history.append(str(client_cert_verify)) |
| 501 | #log.info('TLS ctxt: %s' %self.tls_ctx) |
| 502 | client_ccs = TLSRecord(version="TLS_1_0")/TLSChangeCipherSpec() |
| 503 | enc_handshake_msg = self.get_encrypted_handshake_msg() |
| 504 | |
| 505 | if self.invalid_content_type: |
| 506 | handshake_msg = str(TLSRecord(content_type=self.invalid_content_type)/enc_handshake_msg) |
| 507 | else: |
| 508 | handshake_msg = str(TLSRecord(content_type=TLSContentType.HANDSHAKE)/enc_handshake_msg) |
| 509 | reqdata = str(TLS.from_records([client_certificate, client_key_ex, client_cert_record, client_ccs])) |
| 510 | reqdata += handshake_msg |
| 511 | log.info("------> Sending Client Hello TLS Certificate payload of len %d ----------->" %len(reqdata)) |
| 512 | |
| 513 | if self.dont_send_client_certificate: |
| 514 | log.info('\nSkipping sending client certificate part') |
| 515 | pass |
| 516 | else: |
| 517 | status = self.eapFragmentSend(EAP_RESPONSE, self.server_hello_done_eap_id, TLS_LENGTH_INCLUDED, |
| 518 | payload = reqdata, fragsize = 1024) |
| 519 | assert_equal(status, True) |
| 520 | self.nextEvent = self.tlsEventTable.EVT_EAP_TLS_CHANGE_CIPHER_SPEC |
| 521 | |
Chetan Gaonker | f8f7718 | 2016-03-11 15:34:57 -0800 | [diff] [blame] | 522 | def _eapTlsChangeCipherSpec(self): |
Chetan Gaonker | 5b36630 | 2016-03-21 16:18:21 -0700 | [diff] [blame] | 523 | def eapol_cb(pkt): |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 524 | r = str(pkt) |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 525 | log.info('data received in change cipher spec function is %s'%pkt.show()) |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 526 | tls_data = r[self.TLS_OFFSET:] |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 527 | log.info('Verifying TLS Change Cipher spec record type %x' %ord(tls_data[0])) |
| 528 | assert tls_data[0] == self.CHANGE_CIPHER |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 529 | log.info('Handshake finished. Sending empty data') |
| 530 | eap_payload = self.eapTLS(EAP_RESPONSE, pkt[EAP].id, 0, '') |
| 531 | self.eapol_send(EAPOL_EAPPACKET, eap_payload) |
Chetan Gaonker | 5b36630 | 2016-03-21 16:18:21 -0700 | [diff] [blame] | 532 | |
A R Karthick | 05d9b5f | 2016-06-08 11:53:54 -0700 | [diff] [blame] | 533 | r = self.eapol_scapy_recv(cb = eapol_cb, |
| 534 | lfilter = |
| 535 | lambda pkt: EAP in pkt and pkt[EAP].type == EAP_TYPE_TLS and pkt[EAP].code == EAP.REQUEST) |
| 536 | if len(r) > 0: |
| 537 | self.nextEvent = self.tlsEventTable.EVT_EAP_TLS_FINISHED |
| 538 | else: |
| 539 | self.tlsFail() |
| 540 | return r |
Chetan Gaonker | f8f7718 | 2016-03-11 15:34:57 -0800 | [diff] [blame] | 541 | |
| 542 | def _eapTlsFinished(self): |
A.R Karthick | 7eb2ce0 | 2016-06-10 19:00:50 -0700 | [diff] [blame] | 543 | self.nextEvent = None |
Chetan Gaonker | 5b36630 | 2016-03-21 16:18:21 -0700 | [diff] [blame] | 544 | def eapol_cb(pkt): |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 545 | log.info('Server authentication successfull') |
Chetan Gaonker | 5b36630 | 2016-03-21 16:18:21 -0700 | [diff] [blame] | 546 | |
A R Karthick | 05d9b5f | 2016-06-08 11:53:54 -0700 | [diff] [blame] | 547 | timeout = 5 |
| 548 | if self.failTest is True: |
| 549 | if self.fail_cb is not None: |
| 550 | self.fail_cb() |
| 551 | return |
| 552 | timeout = None ##Wait forever on failure and force testcase timeouts |
| 553 | |
Chetan Gaonker | 5b36630 | 2016-03-21 16:18:21 -0700 | [diff] [blame] | 554 | self.eapol_scapy_recv(cb = eapol_cb, |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 555 | lfilter = |
A R Karthick | 05d9b5f | 2016-06-08 11:53:54 -0700 | [diff] [blame] | 556 | lambda pkt: EAP in pkt and pkt[EAP].code == EAP.SUCCESS, |
| 557 | timeout = timeout) |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 558 | self.eapol_logoff() |