A R Karthick | 05d9b5f | 2016-06-08 11:53:54 -0700 | [diff] [blame] | 1 | # |
Chetan Gaonker | cfcce78 | 2016-05-10 10:10:42 -0700 | [diff] [blame] | 2 | # Copyright 2016-present Ciena Corporation |
| 3 | # |
| 4 | # Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | # you may not use this file except in compliance with the License. |
| 6 | # You may obtain a copy of the License at |
A R Karthick | 05d9b5f | 2016-06-08 11:53:54 -0700 | [diff] [blame] | 7 | # |
Chetan Gaonker | cfcce78 | 2016-05-10 10:10:42 -0700 | [diff] [blame] | 8 | # http://www.apache.org/licenses/LICENSE-2.0 |
A R Karthick | 05d9b5f | 2016-06-08 11:53:54 -0700 | [diff] [blame] | 9 | # |
Chetan Gaonker | cfcce78 | 2016-05-10 10:10:42 -0700 | [diff] [blame] | 10 | # Unless required by applicable law or agreed to in writing, software |
| 11 | # distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | # See the License for the specific language governing permissions and |
| 14 | # limitations under the License. |
| 15 | # |
A R Karthick | a2e53d6 | 2016-02-19 17:38:30 -0800 | [diff] [blame] | 16 | import sys, os |
A R Karthick | a2e53d6 | 2016-02-19 17:38:30 -0800 | [diff] [blame] | 17 | from EapolAAA import * |
A R Karthick | 74d0031 | 2017-04-18 14:26:01 -0700 | [diff] [blame] | 18 | from Enum import * |
A R Karthick | a2e53d6 | 2016-02-19 17:38:30 -0800 | [diff] [blame] | 19 | import noseTlsAuthHolder as tlsAuthHolder |
| 20 | from scapy_ssl_tls.ssl_tls import * |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 21 | from scapy_ssl_tls.ssl_tls_crypto import * |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 22 | from tls_cert import Key |
A R Karthick | a2e53d6 | 2016-02-19 17:38:30 -0800 | [diff] [blame] | 23 | from socket import * |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 24 | from CordTestServer import cord_test_radius_restart |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 25 | import struct |
A R Karthick | a2e53d6 | 2016-02-19 17:38:30 -0800 | [diff] [blame] | 26 | import scapy |
| 27 | from nose.tools import * |
| 28 | from CordTestBase import CordTester |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 29 | from CordContainer import * |
A R Karthick | 76a497a | 2017-04-12 10:59:39 -0700 | [diff] [blame] | 30 | from CordTestUtils import log_test |
Chetan Gaonker | 4a25e2b | 2016-03-04 14:45:15 -0800 | [diff] [blame] | 31 | import re |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 32 | import time |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 33 | |
A R Karthick | 76a497a | 2017-04-12 10:59:39 -0700 | [diff] [blame] | 34 | log_test.setLevel('INFO') |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 35 | |
| 36 | def bytes_to_num(data): |
A R Karthick | 2b93d6a | 2016-09-06 15:19:09 -0700 | [diff] [blame] | 37 | try: |
| 38 | return int(data.encode('hex'), 16) |
| 39 | except: |
| 40 | print('Exception') |
| 41 | return -1 |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 42 | |
A R Karthick | a2e53d6 | 2016-02-19 17:38:30 -0800 | [diff] [blame] | 43 | class TLSAuthTest(EapolPacket, CordTester): |
| 44 | |
| 45 | tlsStateTable = Enumeration("TLSStateTable", ("ST_EAP_SETUP", |
| 46 | "ST_EAP_START", |
| 47 | "ST_EAP_ID_REQ", |
| 48 | "ST_EAP_TLS_HELLO_REQ", |
| 49 | "ST_EAP_TLS_CERT_REQ", |
Chetan Gaonker | f8f7718 | 2016-03-11 15:34:57 -0800 | [diff] [blame] | 50 | "ST_EAP_TLS_CHANGE_CIPHER_SPEC", |
| 51 | "ST_EAP_TLS_FINISHED", |
A R Karthick | a2e53d6 | 2016-02-19 17:38:30 -0800 | [diff] [blame] | 52 | "ST_EAP_TLS_DONE" |
| 53 | ) |
| 54 | ) |
| 55 | tlsEventTable = Enumeration("TLSEventTable", ("EVT_EAP_SETUP", |
| 56 | "EVT_EAP_START", |
| 57 | "EVT_EAP_ID_REQ", |
| 58 | "EVT_EAP_TLS_HELLO_REQ", |
| 59 | "EVT_EAP_TLS_CERT_REQ", |
Chetan Gaonker | f8f7718 | 2016-03-11 15:34:57 -0800 | [diff] [blame] | 60 | "EVT_EAP_TLS_CHANGE_CIPHER_SPEC", |
| 61 | "EVT_EAP_TLS_FINISHED", |
A R Karthick | a2e53d6 | 2016-02-19 17:38:30 -0800 | [diff] [blame] | 62 | "EVT_EAP_TLS_DONE" |
| 63 | ) |
| 64 | ) |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 65 | server_hello_done_signature = '\x0e\x00\x00\x00' |
| 66 | SERVER_HELLO = '\x02' |
| 67 | SERVER_CERTIFICATE = '\x0b' |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 68 | CERTIFICATE_REQUEST = '\x0d' |
| 69 | SERVER_HELLO_DONE = '\x0e' |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 70 | SERVER_UNKNOWN = '\xff' |
| 71 | HANDSHAKE = '\x16' |
| 72 | CHANGE_CIPHER = '\x14' |
| 73 | TLS_OFFSET = 28 |
| 74 | HDR_IDX = 0 |
| 75 | DATA_IDX = 1 |
| 76 | CB_IDX = 2 |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 77 | |
A R Karthick | eeac7e1 | 2017-03-10 17:35:39 -0800 | [diff] [blame] | 78 | #this is from client.crt file |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 79 | CLIENT_CERT = """-----BEGIN CERTIFICATE----- |
A R Karthick | eeac7e1 | 2017-03-10 17:35:39 -0800 | [diff] [blame] | 80 | MIIDvTCCAqWgAwIBAgIBBjANBgkqhkiG9w0BAQUFADCBizELMAkGA1UEBhMCVVMx |
| 81 | CzAJBgNVBAgMAkNBMRIwEAYDVQQHDAlTb21ld2hlcmUxEzARBgNVBAoMCkNpZW5h |
| 82 | IEluYy4xHjAcBgkqhkiG9w0BCQEWD2FkbWluQGNpZW5hLmNvbTEmMCQGA1UEAwwd |
| 83 | RXhhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTcwMzExMDA0NzQ0WhcN |
| 84 | MjIxMDMxMDA0NzQ0WjBnMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExEzARBgNV |
| 85 | BAoMCkNpZW5hIEluYy4xFzAVBgNVBAMMDnVzZXJAY2llbmEuY29tMR0wGwYJKoZI |
A R Karthick | aa10a20 | 2016-08-15 15:06:21 -0700 | [diff] [blame] | 86 | hvcNAQkBFg51c2VyQGNpZW5hLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC |
A R Karthick | eeac7e1 | 2017-03-10 17:35:39 -0800 | [diff] [blame] | 87 | AQoCggEBAOTxi5+TUuaosUh7f/4U9unLV3qHCC7Sf3e0o8F+FP4BVQiIslUTEupw |
| 88 | gd3VkiVAhxX74Oc3w7XF98msKx7dTetpQaZPZgEgGiDmzGzlAGkwqD4FO5JotJMg |
| 89 | I0rpcYw+M/z+WDVgJx3I+VGyC6lFKhIJWTlTySheyMYpcgSvOuN4z8keCNg2uaRZ |
| 90 | IOvIf6aUCTF7fp2HC/468/3T6R/VuYKFNdpsyU1ogbQqCUL4WHM2uWz6G7rzXI0/ |
| 91 | skkKemoGouFw+0I3ydPpGpiWK4NpPKHax4dRGaO1NmTDCtrJOAKPQx8CYYH0HMNp |
| 92 | BbYvidTnHBxYUBrWNpzOJ/xgopawA8kCAwEAAaNPME0wEwYDVR0lBAwwCgYIKwYB |
A R Karthick | aa10a20 | 2016-08-15 15:06:21 -0700 | [diff] [blame] | 93 | BQUHAwIwNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL3d3dy5leGFtcGxlLmNvbS9l |
A R Karthick | eeac7e1 | 2017-03-10 17:35:39 -0800 | [diff] [blame] | 94 | eGFtcGxlX2NhLmNybDANBgkqhkiG9w0BAQUFAAOCAQEAosa5wV/RA2XO/SVGWx5K |
| 95 | JkQNBn6zKuLRODdkm1UwpkdSZpYoXw2ds6YPPbxV9gFeitCcPZQUho38Fg1LYrNW |
| 96 | 9UsDPC2HAYSxrvCinTLC2NuqLsPj7NSu+41l37hGVG4WTjPXPqet33e0mqz1eYVn |
| 97 | 3SsGvZl98sgG6ADD1RqUb0gpEocmoN+yx5W0hIAwZQPBt4nfAWdGH9AcJTL/Gjr7 |
| 98 | 5m4p3cQYm2AnROp+Bim4AELv02WIl77vYWivlzok1JfZ38GL94+CMLOSKNv9OLjc |
| 99 | M/uh5Q6PB+4xv8kAjmO/Fq9T6f0KcQNNPY63omZCjrFiMEMvoOD4GIg+WV2SKLsQ |
| 100 | 0g== |
Chetan Gaonker | 4a25e2b | 2016-03-04 14:45:15 -0800 | [diff] [blame] | 101 | -----END CERTIFICATE-----""" |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 102 | |
A R Karthick | eeac7e1 | 2017-03-10 17:35:39 -0800 | [diff] [blame] | 103 | #this is from client.key |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 104 | CLIENT_PRIV_KEY = """-----BEGIN RSA PRIVATE KEY----- |
A R Karthick | eeac7e1 | 2017-03-10 17:35:39 -0800 | [diff] [blame] | 105 | MIIEowIBAAKCAQEA5PGLn5NS5qixSHt//hT26ctXeocILtJ/d7SjwX4U/gFVCIiy |
| 106 | VRMS6nCB3dWSJUCHFfvg5zfDtcX3yawrHt1N62lBpk9mASAaIObMbOUAaTCoPgU7 |
| 107 | kmi0kyAjSulxjD4z/P5YNWAnHcj5UbILqUUqEglZOVPJKF7IxilyBK8643jPyR4I |
| 108 | 2Da5pFkg68h/ppQJMXt+nYcL/jrz/dPpH9W5goU12mzJTWiBtCoJQvhYcza5bPob |
| 109 | uvNcjT+ySQp6agai4XD7QjfJ0+kamJYrg2k8odrHh1EZo7U2ZMMK2sk4Ao9DHwJh |
| 110 | gfQcw2kFti+J1OccHFhQGtY2nM4n/GCilrADyQIDAQABAoIBAF+xepvDl3Yj8p4K |
| 111 | SPBp0N7eCH2FbW0svOzLC1t4GMwmwGUlxex7YX+ucQnJGCIL+6q7skDS9THIQo8A |
| 112 | MLHg7I3GXBNowokb4u/3qGCnw2k0Vk4+H61NqJSKbVYFh1mIMnC/2xzMSO1RMKzu |
| 113 | D6O77h7F245zr/P40lDJyAefOq0S6sgZqxmHmoRTHhp0tXV4mkzV7P7RqoJrvAiG |
| 114 | tGMk5OfdoILnNfoeXNC50nw201UK7xhrrqqlAWZRAaUZJtsb1GxW+jOra6OtsCVg |
| 115 | AKS/FxzUGMsoqluM5mHLBEN69DAvBBs8g7UVKdmCDZC+feJ31eAnPAoc1gxBHdQU |
| 116 | pCnA8dECgYEA+Q6X80gnoyG0g66Gh62R7RgDLYPpgkZimLeoX49mwizAUkeSf/Mj |
| 117 | raVajRmJ8J1n4UklHdQe0PE9Jhuxo4Uo9sP71ZqpQPEvN35/Sw0xxQHcwxD73SWa |
| 118 | UEVsnWIDJ6QrkoBOhjDMM6tyDSPVDS23352E6sZ9EU45qWvncb5OTdUCgYEA61Np |
| 119 | Qs/CpEWtPG8IiEPKPEWUEwoO8SS6C4R/UfXNC96GhfIpA4Uy3fQwTUtHEMPL+7lh |
| 120 | SPFPQDBH90jOTYg30EfHiBMlKW4l21XS+PotTP3ktqZMgx06SnoM2a/+crpzFqkb |
| 121 | i4eAPCsdTispElbtqleLuUbFO9aG3jHMsK2RtCUCgYB04G9YYL0RJgkTXryNQVvg |
| 122 | ussK+gOD+kncxxtBtQcRCnU6Z5INb2mH3LgwzRJZk1SjeXLsm5XWkc8Tah2j0iKW |
| 123 | IwS0if7xlf2Felx8OPXpMOWLuRWpAzN2hg3hkZRPbxBvkLzI5m99s/Ay0GTz6UeH |
| 124 | reEpV/prO519r0COtTMD/QKBgCdRinbVS8oysh002BIccX/ciD8eIRz9a/BctQE2 |
| 125 | tonTJlre+SdTbApVsHRZrYgJjt2CPdT4LKum5X9VtNKTfe/Y7me3+y+O7dhV4Kgk |
| 126 | 9Mi2ay5xXrtReNnUxqzgkP0OVghlPOr1OuHSulTDNVuRFqitc/UC9BVpZKNfYrnq |
| 127 | ZjvZAoGBALzgzXajgIdhghCt5PFLkhh3xyOliTXWFstHcMZdQF2wQyeF/uQ2zrC/ |
| 128 | 2t1Sa+egV3QDUPYzW9YLQs9eaLh7MS9wCHLY2SMElAqYiNjRfkT4wWdPfeyFx4+E |
| 129 | Euwtu+lPJ7sEpNu5jX63OS2AeZsQYlsT0Ai+lB4TeyoE6Pj04iC0 |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 130 | -----END RSA PRIVATE KEY-----""" |
| 131 | |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 132 | def handle_server_hello_done(self, server_hello_done): |
| 133 | if server_hello_done[-4:] == self.server_hello_done_signature: |
A R Karthick | 43613a7 | 2017-06-13 11:05:15 -0700 | [diff] [blame] | 134 | log_test.info('server hello received over interface %s' %self.intf) |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 135 | self.server_hello_done_received = True |
| 136 | |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 137 | def __init__(self, intf = 'veth0', client_cert = None, client_priv_key = None, |
| 138 | fail_cb = None, src_mac='default', version = "TLS_1_0", session_id = '', |
| 139 | session_id_length = None, gmt_unix_time=1234, invalid_content_type = 22, |
| 140 | record_fragment_length = None, cipher_suites_length = None, |
| 141 | compression_methods_length = None, compression_methods = TLSCompressionMethod.NULL, |
| 142 | CipherSuite = True, cipher_suite = 'RSA_WITH_AES_256_CBC_SHA', id_mismatch_in_identifier_response_packet = False, |
| 143 | id_mismatch_in_client_hello_packet = False , dont_send_client_certificate = False, |
| 144 | dont_send_client_hello = False, restart_radius = False, invalid_client_hello_handshake_type = False, |
| 145 | invalid_cert_req_handshake = False, incorrect_tlsrecord_type_cert_req = False, |
| 146 | invalid_client_hello_handshake_length = False, clientkeyex_replace_with_serverkeyex = False): |
| 147 | |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 148 | self.fsmTable = tlsAuthHolder.initTlsAuthHolderFsmTable(self, self.tlsStateTable, self.tlsEventTable) |
| 149 | EapolPacket.__init__(self, intf) |
| 150 | CordTester.__init__(self, self.fsmTable, self.tlsStateTable.ST_EAP_TLS_DONE) |
| 151 | #self.tlsStateTable, self.tlsEventTable) |
| 152 | self.currentState = self.tlsStateTable.ST_EAP_SETUP |
| 153 | self.currentEvent = self.tlsEventTable.EVT_EAP_SETUP |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 154 | self.src_mac = src_mac |
| 155 | self.version = version |
| 156 | self.session_id_length = session_id_length |
| 157 | self.session_id = session_id |
| 158 | self.gmt_unix_time = gmt_unix_time |
| 159 | self.invalid_content_type = invalid_content_type |
| 160 | self.CipherSuite = CipherSuite |
| 161 | self.cipher_suites_length = cipher_suites_length |
| 162 | self.compression_methods_length = compression_methods_length |
| 163 | self.cipher_suite = cipher_suite |
| 164 | self.compression_methods_length = compression_methods_length |
| 165 | self.compression_methods = compression_methods |
| 166 | self.record_fragment_length = record_fragment_length |
| 167 | self.invalid_client_hello_handshake_type = invalid_client_hello_handshake_type |
| 168 | self.invalid_client_hello_handshake_length = invalid_client_hello_handshake_length |
| 169 | self.invalid_cert_req_handshake = invalid_cert_req_handshake |
| 170 | self.id_mismatch_in_identifier_response_packet = id_mismatch_in_identifier_response_packet |
| 171 | self.id_mismatch_in_client_hello_packet = id_mismatch_in_client_hello_packet |
| 172 | self.dont_send_client_certificate = dont_send_client_certificate |
| 173 | self.dont_send_client_hello = dont_send_client_hello |
| 174 | self.incorrect_tlsrecord_type_cert_req = incorrect_tlsrecord_type_cert_req |
| 175 | self.restart_radius = restart_radius |
| 176 | self.clientkeyex_replace_with_serverkeyex = clientkeyex_replace_with_serverkeyex |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 177 | self.nextState = None |
| 178 | self.nextEvent = None |
| 179 | self.pending_bytes = 0 #for TLS fragment reassembly |
| 180 | self.server_hello_done_received = False |
A R Karthick | f028ec9 | 2016-08-15 16:58:11 -0700 | [diff] [blame] | 181 | self.server_hello_done_eap_id = 0 |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 182 | self.send_tls_response = True |
| 183 | self.server_certs = [] |
| 184 | self.pkt_last = '' |
| 185 | self.pkt_history = [] |
| 186 | self.pkt_map = { self.SERVER_HELLO: ['', '', lambda pkt: pkt ], |
| 187 | self.SERVER_CERTIFICATE: ['', '', lambda pkt: pkt ], |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 188 | self.CERTIFICATE_REQUEST: ['', '', lambda pkt: pkt ], |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 189 | self.SERVER_HELLO_DONE: ['', '', self.handle_server_hello_done ], |
| 190 | self.SERVER_UNKNOWN: ['', '', lambda pkt: pkt ] |
| 191 | } |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 192 | if self.clientkeyex_replace_with_serverkeyex: |
| 193 | self.tls_ctx = TLSSessionCtx(client = False) |
| 194 | else: |
| 195 | self.tls_ctx = TLSSessionCtx(client = True) |
A R Karthick | 05d9b5f | 2016-06-08 11:53:54 -0700 | [diff] [blame] | 196 | self.client_cert = self.CLIENT_CERT if client_cert is None else client_cert |
| 197 | self.client_priv_key = self.CLIENT_PRIV_KEY if client_priv_key is None else client_priv_key |
| 198 | self.failTest = False |
| 199 | self.fail_cb = fail_cb |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 200 | |
| 201 | def load_tls_record(self, data, pkt_type = ''): |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 202 | #if pkt_type not in [ self.SERVER_HELLO_DONE, self.SERVER_UNKNOWN ]: |
| 203 | if pkt_type == self.SERVER_HELLO_DONE: |
| 204 | data = str(TLSRecord(content_type=TLSContentType.HANDSHAKE)/data) |
| 205 | elif pkt_type == self.CERTIFICATE_REQUEST: |
| 206 | data = str(TLSRecord()/TLSHandshake(type=TLSHandshakeType.CERTIFICATE_REQUEST)/data[9:]) |
| 207 | data = None #For now ignore this record |
| 208 | if data: |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 209 | TLS(data, ctx = self.tls_ctx) |
| 210 | |
| 211 | def pkt_update(self, pkt_type, data, hdr=None, reassembled = False): |
| 212 | if not self.pkt_map.has_key(pkt_type): |
| 213 | return |
| 214 | if hdr is not None: |
| 215 | self.pkt_map[pkt_type][self.HDR_IDX] += hdr |
| 216 | self.pkt_map[pkt_type][self.DATA_IDX] += data |
| 217 | if reassembled is True: |
| 218 | self.pkt_map[pkt_type][self.CB_IDX](self.pkt_map[pkt_type][self.DATA_IDX]) |
A R Karthick | 43613a7 | 2017-06-13 11:05:15 -0700 | [diff] [blame] | 219 | log_test.info('Interface %s, Appending packet type %02x to packet history of len %d' |
| 220 | %(self.intf, ord(pkt_type), len(self.pkt_map[pkt_type][self.DATA_IDX]))) |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 221 | self.pkt_history.append(self.pkt_map[pkt_type][self.DATA_IDX]) |
| 222 | data = ''.join(self.pkt_map[pkt_type][:self.DATA_IDX+1]) |
| 223 | self.load_tls_record(data, pkt_type = pkt_type) |
| 224 | self.pkt_map[pkt_type][self.HDR_IDX] = '' |
| 225 | self.pkt_map[pkt_type][self.DATA_IDX] = '' |
| 226 | |
A R Karthick | 05d9b5f | 2016-06-08 11:53:54 -0700 | [diff] [blame] | 227 | def tlsFail(self): |
| 228 | ##Force a failure |
A R Karthick | 43613a7 | 2017-06-13 11:05:15 -0700 | [diff] [blame] | 229 | log_test.info('entering into testFail function for interface %s' %self.intf) |
A R Karthick | 05d9b5f | 2016-06-08 11:53:54 -0700 | [diff] [blame] | 230 | self.nextEvent = self.tlsEventTable.EVT_EAP_TLS_FINISHED |
A.R Karthick | 7eb2ce0 | 2016-06-10 19:00:50 -0700 | [diff] [blame] | 231 | self.nextState = self.tlsStateTable.ST_EAP_TLS_FINISHED |
A R Karthick | 05d9b5f | 2016-06-08 11:53:54 -0700 | [diff] [blame] | 232 | self.failTest = True |
| 233 | |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 234 | def eapol_server_hello_cb(self, pkt): |
| 235 | '''Reassemble and send response for server hello/certificate fragments''' |
| 236 | r = str(pkt) |
| 237 | offset = self.TLS_OFFSET |
| 238 | tls_data = r[offset:] |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 239 | type_hdrlen = 0 |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 240 | if self.pending_bytes > 0: |
| 241 | if len(tls_data) >= self.pending_bytes: |
| 242 | self.pkt_update(self.pkt_last, tls_data[:self.pending_bytes], reassembled = True) |
| 243 | offset += self.pending_bytes |
| 244 | self.pkt_last = '' |
| 245 | self.pending_bytes = 0 |
| 246 | else: |
| 247 | self.pkt_update(self.pkt_last, tls_data) |
| 248 | self.pending_bytes -= len(tls_data) |
A R Karthick | 43613a7 | 2017-06-13 11:05:15 -0700 | [diff] [blame] | 249 | print('Interface: %s, Offset: %d, pkt : %d, pending %d\n' %(self.intf, offset, len(pkt), self.pending_bytes)) |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 250 | while self.pending_bytes == 0 and offset < len(pkt): |
| 251 | tls_data = r[offset:] |
A R Karthick | 2b93d6a | 2016-09-06 15:19:09 -0700 | [diff] [blame] | 252 | hexdump(tls_data) |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 253 | self.pending_bytes = bytes_to_num(tls_data[3:5]) |
A R Karthick | 2b93d6a | 2016-09-06 15:19:09 -0700 | [diff] [blame] | 254 | if self.pending_bytes < 0: |
| 255 | self.pending_bytes = 0 |
| 256 | return |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 257 | if tls_data[0] == self.HANDSHAKE: |
| 258 | pkt_type = tls_data[5] |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 259 | if pkt_type in [ self.CERTIFICATE_REQUEST ]: |
| 260 | self.pending_bytes = bytes_to_num(tls_data[6:9]) |
| 261 | type_hdrlen = 4 |
| 262 | if len(tls_data) - 5 - type_hdrlen >= self.pending_bytes: |
| 263 | data_received = tls_data[5: 5 + type_hdrlen + self.pending_bytes ] |
| 264 | offset += 5 + type_hdrlen + self.pending_bytes |
| 265 | type_hdrlen = 0 |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 266 | self.pending_bytes = 0 |
| 267 | self.pkt_update(pkt_type, data_received, |
| 268 | hdr = tls_data[:5], |
| 269 | reassembled = True) |
| 270 | else: |
| 271 | self.pkt_update(pkt_type, tls_data[5:], |
| 272 | hdr = tls_data[:5], |
| 273 | reassembled = False) |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 274 | self.pending_bytes -= len(tls_data) - 5 - type_hdrlen |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 275 | self.pkt_last = pkt_type |
A R Karthick | 43613a7 | 2017-06-13 11:05:15 -0700 | [diff] [blame] | 276 | log_test.info('Interface: %s, Pending bytes left %d' %(self.intf, self.pending_bytes)) |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 277 | assert self.pending_bytes > 0 |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 278 | elif tls_data[0] == self.SERVER_HELLO_DONE: |
A R Karthick | f028ec9 | 2016-08-15 16:58:11 -0700 | [diff] [blame] | 279 | self.server_hello_done_eap_id = pkt[EAP].id |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 280 | self.pkt_update(tls_data[0], tls_data, reassembled = True) |
| 281 | break |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 282 | else: |
| 283 | self.pkt_last = self.SERVER_UNKNOWN |
| 284 | if len(tls_data) - 5 >= self.pending_bytes: |
| 285 | offset += 5 + self.pending_bytes |
| 286 | self.pending_bytes = 0 |
| 287 | self.pkt_last = '' |
| 288 | |
A R Karthick | f028ec9 | 2016-08-15 16:58:11 -0700 | [diff] [blame] | 289 | #send TLS response ack till we receive server hello done |
| 290 | if self.server_hello_done_received == False: |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 291 | eap_payload = self.eapTLS(EAP_RESPONSE, pkt[EAP].id, TLS_LENGTH_INCLUDED, '') |
| 292 | self.eapol_send(EAPOL_EAPPACKET, eap_payload) |
| 293 | |
| 294 | def _eapSetup(self): |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 295 | #if self.src_mac == 'bcast':self.setup(src_mac='bcast') |
| 296 | #if self.src_mac == 'mcast': self.setup(src_mac='mcast') |
| 297 | #if self.src_mac == 'zeros': self.setup(src_mac='zeros') |
| 298 | #if self.src_mac == 'default': self.setup(src_mac='default') |
A R Karthick | 43613a7 | 2017-06-13 11:05:15 -0700 | [diff] [blame] | 299 | #log_test.info('Interface: %s, Source mac is %s' %(self.intf, self.src_mac)) |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 300 | self.setup(src_mac=self.src_mac) |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 301 | self.nextEvent = self.tlsEventTable.EVT_EAP_START |
A R Karthick | 05d9b5f | 2016-06-08 11:53:54 -0700 | [diff] [blame] | 302 | |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 303 | def _eapStart(self): |
A R Karthick | 43613a7 | 2017-06-13 11:05:15 -0700 | [diff] [blame] | 304 | log_test.info('_eapStart method started over interface %s' %(self.intf)) |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 305 | self.eapol_start() |
| 306 | self.nextEvent = self.tlsEventTable.EVT_EAP_ID_REQ |
| 307 | |
| 308 | def _eapIdReq(self): |
A R Karthick | 43613a7 | 2017-06-13 11:05:15 -0700 | [diff] [blame] | 309 | log_test.info('Inside EAP ID Req for interface %s' %(self.intf)) |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 310 | def eapol_cb(pkt): |
A R Karthick | 43613a7 | 2017-06-13 11:05:15 -0700 | [diff] [blame] | 311 | log_test.info('Got EAPOL packet with type id and code request for interface %s' %(self.intf)) |
| 312 | log_test.info('Interface: %s, Packet code: %d, type: %d, id: %d' %(self.intf, pkt[EAP].code, pkt[EAP].type, pkt[EAP].id)) |
| 313 | log_test.info("Send EAP Response with identity %s over interface %s" % (USER, self.intf)) |
ChetanGaonker | e2b665b | 2016-12-07 00:50:56 -0800 | [diff] [blame] | 314 | if self.id_mismatch_in_identifier_response_packet: |
A R Karthick | 43613a7 | 2017-06-13 11:05:15 -0700 | [diff] [blame] | 315 | log_test.info('\nSending invalid id field in EAP Identity Response packet over interface %s' %(self.intf)) |
ChetanGaonker | e2b665b | 2016-12-07 00:50:56 -0800 | [diff] [blame] | 316 | self.eapol_id_req(pkt[EAP].id+10, USER) |
| 317 | else: |
| 318 | self.eapol_id_req(pkt[EAP].id, USER) |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 319 | |
A R Karthick | 05d9b5f | 2016-06-08 11:53:54 -0700 | [diff] [blame] | 320 | r = self.eapol_scapy_recv(cb = eapol_cb, |
| 321 | lfilter = |
| 322 | lambda pkt: EAP in pkt and pkt[EAP].type == EAP.TYPE_ID and pkt[EAP].code == EAP.REQUEST) |
| 323 | if len(r) > 0: |
| 324 | self.nextEvent = self.tlsEventTable.EVT_EAP_TLS_HELLO_REQ |
| 325 | else: |
| 326 | self.tlsFail() |
| 327 | return r |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 328 | |
| 329 | def _eapTlsHelloReq(self): |
| 330 | |
| 331 | def eapol_cb(pkt): |
A R Karthick | 43613a7 | 2017-06-13 11:05:15 -0700 | [diff] [blame] | 332 | log_test.info('Got hello request for id %d over interface %s', pkt[EAP].id, self.intf) |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 333 | self.client_hello = TLSClientHello(version= self.version, |
| 334 | gmt_unix_time=self.gmt_unix_time, |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 335 | random_bytes= '\xAB' * 28, |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 336 | session_id_length = self.session_id_length, |
| 337 | session_id= self.session_id, |
| 338 | compression_methods_length = self.compression_methods_length, |
| 339 | compression_methods= self.compression_methods, |
| 340 | cipher_suites_length = self.cipher_suites_length, |
| 341 | cipher_suites=[self.cipher_suite] |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 342 | ) |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 343 | if self.invalid_client_hello_handshake_type: |
A R Karthick | 76a497a | 2017-04-12 10:59:39 -0700 | [diff] [blame] | 344 | log_test.info('sending server_hello instead of client_hello handshape type in client hello packet') |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 345 | client_hello_data = TLSHandshake(type='server_hello')/self.client_hello |
| 346 | elif self.invalid_client_hello_handshake_length: |
A R Karthick | 76a497a | 2017-04-12 10:59:39 -0700 | [diff] [blame] | 347 | log_test.info('sending TLS Handshake message with zero length field in client hello packet') |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 348 | client_hello_data = TLSHandshake(length=0)/self.client_hello |
| 349 | else: |
| 350 | client_hello_data = TLSHandshake()/self.client_hello |
| 351 | #client_hello_data = TLSHandshake()/self.client_hello |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 352 | self.pkt_history.append( str(client_hello_data) ) |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 353 | if self.record_fragment_length: |
| 354 | reqdata = TLSRecord(length=self.record_fragment_length)/client_hello_data |
| 355 | else: |
| 356 | reqdata = TLSRecord()/client_hello_data |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 357 | self.load_tls_record(str(reqdata)) |
A R Karthick | 43613a7 | 2017-06-13 11:05:15 -0700 | [diff] [blame] | 358 | log_test.info("Sending Client Hello TLS payload of len %d, id %d over interface %s" %(len(reqdata),pkt[EAP].id, self.intf)) |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 359 | if self.id_mismatch_in_client_hello_packet: |
A R Karthick | 76a497a | 2017-04-12 10:59:39 -0700 | [diff] [blame] | 360 | log_test.info('\nsending invalid id field in client hello packet') |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 361 | eap_payload = self.eapTLS(EAP_RESPONSE, pkt[EAP].id+10, TLS_LENGTH_INCLUDED, str(reqdata)) |
| 362 | else: |
| 363 | eap_payload = self.eapTLS(EAP_RESPONSE, pkt[EAP].id, TLS_LENGTH_INCLUDED, str(reqdata)) |
| 364 | if self.dont_send_client_hello: |
A R Karthick | 76a497a | 2017-04-12 10:59:39 -0700 | [diff] [blame] | 365 | log_test.info('\nskipping client hello packet sending part') |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 366 | pass |
| 367 | else: |
| 368 | self.eapol_send(EAPOL_EAPPACKET, eap_payload) |
| 369 | if self.restart_radius: |
| 370 | cord_test_radius_restart() |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 371 | |
A R Karthick | 05d9b5f | 2016-06-08 11:53:54 -0700 | [diff] [blame] | 372 | r = self.eapol_scapy_recv(cb = eapol_cb, |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 373 | lfilter = |
| 374 | lambda pkt: EAP in pkt and pkt[EAP].type == EAP_TYPE_TLS and pkt[EAP].code == EAP.REQUEST) |
A R Karthick | 05d9b5f | 2016-06-08 11:53:54 -0700 | [diff] [blame] | 375 | |
| 376 | if len(r) == 0: |
| 377 | self.tlsFail() |
| 378 | return r |
| 379 | |
A R Karthick | f028ec9 | 2016-08-15 16:58:11 -0700 | [diff] [blame] | 380 | #move to client/server certificate request |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 381 | self.nextEvent = self.tlsEventTable.EVT_EAP_TLS_CERT_REQ |
| 382 | |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 383 | def get_verify_data(self): |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 384 | all_handshake_pkts = ''.join(self.pkt_history) |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 385 | return self.tls_ctx.get_verify_data(data = all_handshake_pkts) |
| 386 | |
| 387 | def get_verify_signature(self, pem_data): |
| 388 | all_handshake_pkts = ''.join(self.pkt_history) |
| 389 | k = Key(pem_data) |
| 390 | signature = k.sign(all_handshake_pkts, t = 'pkcs', h = 'tls') |
| 391 | signature_data = '{}{}'.format(struct.pack('!H', len(signature)), signature) |
| 392 | return signature_data |
| 393 | |
| 394 | def get_encrypted_handshake_msg(self, finish_val=''): |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 395 | if not finish_val: |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 396 | finish_val = self.get_verify_data() |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 397 | msg = str(TLSHandshake(type=TLSHandshakeType.FINISHED)/finish_val) |
| 398 | crypto_container = CryptoContainer(self.tls_ctx, data = msg, |
| 399 | content_type = TLSContentType.HANDSHAKE) |
| 400 | return crypto_container.encrypt() |
| 401 | |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 402 | def get_encrypted_application_msg(self, msg = ''): |
| 403 | '''Needed with tunneled TLS''' |
| 404 | if not msg: |
| 405 | msg = 'test data' |
| 406 | return to_raw(TLSPlaintext(data = 'GET / HTTP/1.1\r\nHOST: localhost\r\n\r\n'), self.tls_ctx) |
| 407 | |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 408 | def _eapTlsCertReq(self): |
A R Karthick | 43613a7 | 2017-06-13 11:05:15 -0700 | [diff] [blame] | 409 | log_test.info('Receiving server certificates over interface %s', self.intf) |
A R Karthick | f028ec9 | 2016-08-15 16:58:11 -0700 | [diff] [blame] | 410 | while self.server_hello_done_received == False: |
| 411 | r = self.eapol_scapy_recv(cb = self.eapol_server_hello_cb, |
| 412 | lfilter = |
| 413 | lambda pkt: EAP in pkt and pkt[EAP].type == EAP_TYPE_TLS and \ |
| 414 | pkt[EAP].code == EAP.REQUEST) |
| 415 | if len(r) == 0: |
| 416 | self.tlsFail() |
| 417 | return r |
A R Karthick | 43613a7 | 2017-06-13 11:05:15 -0700 | [diff] [blame] | 418 | log_test.info('Sending client certificate request over interface %s', self.intf) |
A R Karthick | f028ec9 | 2016-08-15 16:58:11 -0700 | [diff] [blame] | 419 | rex_pem = re.compile(r'\-+BEGIN[^\-]+\-+(.*?)\-+END[^\-]+\-+', re.DOTALL) |
| 420 | if self.client_cert: |
| 421 | der_cert = rex_pem.findall(self.client_cert)[0].decode("base64") |
| 422 | client_certificate_list = TLSHandshake()/TLSCertificateList( |
| 423 | certificates=[TLSCertificate(data=x509.X509Cert(der_cert))]) |
A R Karthick | 05d9b5f | 2016-06-08 11:53:54 -0700 | [diff] [blame] | 424 | else: |
A R Karthick | f028ec9 | 2016-08-15 16:58:11 -0700 | [diff] [blame] | 425 | client_certificate_list = TLSHandshake()/TLSCertificateList(certificates=[]) |
| 426 | client_certificate = TLSRecord(version="TLS_1_0")/client_certificate_list |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 427 | kex_data = self.tls_ctx.get_client_kex_data() |
A R Karthick | f028ec9 | 2016-08-15 16:58:11 -0700 | [diff] [blame] | 428 | client_key_ex_data = TLSHandshake()/kex_data |
| 429 | client_key_ex = TLSRecord()/client_key_ex_data |
| 430 | if self.client_cert: |
| 431 | self.load_tls_record(str(client_certificate)) |
| 432 | self.pkt_history.append(str(client_certificate_list)) |
| 433 | self.load_tls_record(str(client_key_ex)) |
| 434 | self.pkt_history.append(str(client_key_ex_data)) |
| 435 | verify_signature = self.get_verify_signature(self.client_priv_key) |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 436 | if self.invalid_cert_req_handshake: |
A R Karthick | 76a497a | 2017-04-12 10:59:39 -0700 | [diff] [blame] | 437 | log_test.info("sending 'certificate-request' type of handshake message instead of 'certificate-verify' type") |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 438 | client_cert_verify = TLSHandshake(type=TLSHandshakeType.CERTIFICATE_REQUEST)/verify_signature |
| 439 | else: |
| 440 | client_cert_verify = TLSHandshake(type=TLSHandshakeType.CERTIFICATE_VERIFY)/verify_signature |
| 441 | if self.incorrect_tlsrecord_type_cert_req: |
A R Karthick | 76a497a | 2017-04-12 10:59:39 -0700 | [diff] [blame] | 442 | log_test.info("sending TLS Record type as ALERT instead of HANDSHAKE in certificate request packet") |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 443 | client_cert_record = TLSRecord(content_type=TLSContentType.ALERT)/client_cert_verify |
| 444 | else: |
| 445 | client_cert_record = TLSRecord(content_type=TLSContentType.HANDSHAKE)/client_cert_verify |
A R Karthick | f028ec9 | 2016-08-15 16:58:11 -0700 | [diff] [blame] | 446 | self.pkt_history.append(str(client_cert_verify)) |
A R Karthick | 43613a7 | 2017-06-13 11:05:15 -0700 | [diff] [blame] | 447 | #log_test.info('Interface: %s, TLS ctxt: %s' %(self.intf, self.tls_ctx)) |
A R Karthick | f028ec9 | 2016-08-15 16:58:11 -0700 | [diff] [blame] | 448 | client_ccs = TLSRecord(version="TLS_1_0")/TLSChangeCipherSpec() |
| 449 | enc_handshake_msg = self.get_encrypted_handshake_msg() |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 450 | if self.invalid_content_type: |
| 451 | handshake_msg = str(TLSRecord(content_type=self.invalid_content_type)/enc_handshake_msg) |
| 452 | else: |
| 453 | handshake_msg = str(TLSRecord(content_type=TLSContentType.HANDSHAKE)/enc_handshake_msg) |
A R Karthick | f028ec9 | 2016-08-15 16:58:11 -0700 | [diff] [blame] | 454 | reqdata = str(TLS.from_records([client_certificate, client_key_ex, client_cert_record, client_ccs])) |
| 455 | reqdata += handshake_msg |
A R Karthick | 43613a7 | 2017-06-13 11:05:15 -0700 | [diff] [blame] | 456 | log_test.info("Sending Client Hello TLS Certificate payload of len %d over interface %s" %(len(reqdata), self.intf)) |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 457 | if self.dont_send_client_certificate: |
A R Karthick | 76a497a | 2017-04-12 10:59:39 -0700 | [diff] [blame] | 458 | log_test.info('\nskipping sending client certificate part') |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 459 | pass |
| 460 | else: |
| 461 | status = self.eapFragmentSend(EAP_RESPONSE, self.server_hello_done_eap_id, TLS_LENGTH_INCLUDED, |
A R Karthick | f028ec9 | 2016-08-15 16:58:11 -0700 | [diff] [blame] | 462 | payload = reqdata, fragsize = 1024) |
ChetanGaonker | 6138fcd | 2016-08-18 17:56:39 -0700 | [diff] [blame] | 463 | assert_equal(status, True) |
| 464 | self.nextEvent = self.tlsEventTable.EVT_EAP_TLS_CHANGE_CIPHER_SPEC |
Chetan Gaonker | f8f7718 | 2016-03-11 15:34:57 -0800 | [diff] [blame] | 465 | |
ChetanGaonker | 3441faf | 2016-10-27 12:15:21 -0700 | [diff] [blame] | 466 | def _eapTlsCertReq_delay(self): |
| 467 | self.server_hello_done_received = True |
A R Karthick | 43613a7 | 2017-06-13 11:05:15 -0700 | [diff] [blame] | 468 | log_test.info('Sending client certificate request over interface %s', self.intf) |
ChetanGaonker | 3441faf | 2016-10-27 12:15:21 -0700 | [diff] [blame] | 469 | rex_pem = re.compile(r'\-+BEGIN[^\-]+\-+(.*?)\-+END[^\-]+\-+', re.DOTALL) |
| 470 | |
| 471 | if self.client_cert: |
| 472 | der_cert = rex_pem.findall(self.client_cert)[0].decode("base64") |
| 473 | client_certificate_list = TLSHandshake()/TLSCertificateList( |
| 474 | certificates=[TLSCertificate(data=x509.X509Cert(der_cert))]) |
| 475 | else: |
| 476 | client_certificate_list = TLSHandshake()/TLSCertificateList(certificates=[]) |
| 477 | |
| 478 | client_certificate = TLSRecord(version="TLS_1_0")/client_certificate_list |
| 479 | kex_data = self.tls_ctx.get_client_kex_data() |
| 480 | client_key_ex_data = TLSHandshake()/kex_data |
| 481 | client_key_ex = TLSRecord()/client_key_ex_data |
| 482 | |
| 483 | if self.client_cert: |
| 484 | self.load_tls_record(str(client_certificate)) |
| 485 | self.pkt_history.append(str(client_certificate_list)) |
| 486 | |
| 487 | self.load_tls_record(str(client_key_ex)) |
| 488 | self.pkt_history.append(str(client_key_ex_data)) |
| 489 | verify_signature = self.get_verify_signature(self.client_priv_key) |
| 490 | |
| 491 | if self.invalid_cert_req_handshake: |
A R Karthick | 76a497a | 2017-04-12 10:59:39 -0700 | [diff] [blame] | 492 | log_test.info("Sending 'certificate-request' type of handshake message instead of 'certificate-verify' type") |
ChetanGaonker | 3441faf | 2016-10-27 12:15:21 -0700 | [diff] [blame] | 493 | client_cert_verify = TLSHandshake(type=TLSHandshakeType.CERTIFICATE_REQUEST)/verify_signature |
| 494 | else: |
| 495 | client_cert_verify = TLSHandshake(type=TLSHandshakeType.CERTIFICATE_VERIFY)/verify_signature |
| 496 | |
| 497 | if self.incorrect_tlsrecord_type_cert_req: |
A R Karthick | 76a497a | 2017-04-12 10:59:39 -0700 | [diff] [blame] | 498 | log_test.info("Sending TLS Record type as ALERT instead of HANDSHAKE in certificate request packet") |
ChetanGaonker | 3441faf | 2016-10-27 12:15:21 -0700 | [diff] [blame] | 499 | client_cert_record = TLSRecord(content_type=TLSContentType.ALERT)/client_cert_verify |
| 500 | else: |
| 501 | client_cert_record = TLSRecord(content_type=TLSContentType.HANDSHAKE)/client_cert_verify |
| 502 | |
| 503 | self.pkt_history.append(str(client_cert_verify)) |
A R Karthick | 76a497a | 2017-04-12 10:59:39 -0700 | [diff] [blame] | 504 | #log_test.info('TLS ctxt: %s' %self.tls_ctx) |
ChetanGaonker | 3441faf | 2016-10-27 12:15:21 -0700 | [diff] [blame] | 505 | client_ccs = TLSRecord(version="TLS_1_0")/TLSChangeCipherSpec() |
| 506 | enc_handshake_msg = self.get_encrypted_handshake_msg() |
| 507 | |
| 508 | if self.invalid_content_type: |
| 509 | handshake_msg = str(TLSRecord(content_type=self.invalid_content_type)/enc_handshake_msg) |
| 510 | else: |
| 511 | handshake_msg = str(TLSRecord(content_type=TLSContentType.HANDSHAKE)/enc_handshake_msg) |
| 512 | reqdata = str(TLS.from_records([client_certificate, client_key_ex, client_cert_record, client_ccs])) |
| 513 | reqdata += handshake_msg |
A R Karthick | 43613a7 | 2017-06-13 11:05:15 -0700 | [diff] [blame] | 514 | log_test.info("Sending Client Hello TLS Certificate payload of len %d over interface %s" %(len(reqdata), self.intf)) |
ChetanGaonker | 3441faf | 2016-10-27 12:15:21 -0700 | [diff] [blame] | 515 | |
| 516 | if self.dont_send_client_certificate: |
A R Karthick | 76a497a | 2017-04-12 10:59:39 -0700 | [diff] [blame] | 517 | log_test.info('\nSkipping sending client certificate part') |
ChetanGaonker | 3441faf | 2016-10-27 12:15:21 -0700 | [diff] [blame] | 518 | pass |
| 519 | else: |
| 520 | status = self.eapFragmentSend(EAP_RESPONSE, self.server_hello_done_eap_id, TLS_LENGTH_INCLUDED, |
| 521 | payload = reqdata, fragsize = 1024) |
| 522 | assert_equal(status, True) |
| 523 | self.nextEvent = self.tlsEventTable.EVT_EAP_TLS_CHANGE_CIPHER_SPEC |
| 524 | |
Chetan Gaonker | f8f7718 | 2016-03-11 15:34:57 -0800 | [diff] [blame] | 525 | def _eapTlsChangeCipherSpec(self): |
Chetan Gaonker | 5b36630 | 2016-03-21 16:18:21 -0700 | [diff] [blame] | 526 | def eapol_cb(pkt): |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 527 | r = str(pkt) |
A R Karthick | 43613a7 | 2017-06-13 11:05:15 -0700 | [diff] [blame] | 528 | log_test.info('Interface %s. Received data in change cipher spec function is %s'%(self.intf, pkt.show())) |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 529 | tls_data = r[self.TLS_OFFSET:] |
A R Karthick | 43613a7 | 2017-06-13 11:05:15 -0700 | [diff] [blame] | 530 | log_test.info('Verifying TLS Change Cipher spec record type %x over interface %s' %(ord(tls_data[0]), self.intf)) |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 531 | assert tls_data[0] == self.CHANGE_CIPHER |
A R Karthick | 43613a7 | 2017-06-13 11:05:15 -0700 | [diff] [blame] | 532 | log_test.info('Handshake finished. Sending empty data over interface %s' %self.intf) |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 533 | eap_payload = self.eapTLS(EAP_RESPONSE, pkt[EAP].id, 0, '') |
| 534 | self.eapol_send(EAPOL_EAPPACKET, eap_payload) |
Chetan Gaonker | 5b36630 | 2016-03-21 16:18:21 -0700 | [diff] [blame] | 535 | |
A R Karthick | 05d9b5f | 2016-06-08 11:53:54 -0700 | [diff] [blame] | 536 | r = self.eapol_scapy_recv(cb = eapol_cb, |
| 537 | lfilter = |
| 538 | lambda pkt: EAP in pkt and pkt[EAP].type == EAP_TYPE_TLS and pkt[EAP].code == EAP.REQUEST) |
| 539 | if len(r) > 0: |
| 540 | self.nextEvent = self.tlsEventTable.EVT_EAP_TLS_FINISHED |
| 541 | else: |
| 542 | self.tlsFail() |
| 543 | return r |
Chetan Gaonker | f8f7718 | 2016-03-11 15:34:57 -0800 | [diff] [blame] | 544 | |
| 545 | def _eapTlsFinished(self): |
A.R Karthick | 7eb2ce0 | 2016-06-10 19:00:50 -0700 | [diff] [blame] | 546 | self.nextEvent = None |
Chetan Gaonker | 5b36630 | 2016-03-21 16:18:21 -0700 | [diff] [blame] | 547 | def eapol_cb(pkt): |
A R Karthick | 43613a7 | 2017-06-13 11:05:15 -0700 | [diff] [blame] | 548 | log_test.info('Server authentication successfull over interface %s' %self.intf) |
Chetan Gaonker | 5b36630 | 2016-03-21 16:18:21 -0700 | [diff] [blame] | 549 | |
A R Karthick | 05d9b5f | 2016-06-08 11:53:54 -0700 | [diff] [blame] | 550 | timeout = 5 |
| 551 | if self.failTest is True: |
| 552 | if self.fail_cb is not None: |
| 553 | self.fail_cb() |
| 554 | return |
| 555 | timeout = None ##Wait forever on failure and force testcase timeouts |
| 556 | |
Chetan Gaonker | 5b36630 | 2016-03-21 16:18:21 -0700 | [diff] [blame] | 557 | self.eapol_scapy_recv(cb = eapol_cb, |
A R Karthick | 22aa0c6 | 2016-05-31 11:17:12 -0700 | [diff] [blame] | 558 | lfilter = |
A R Karthick | 05d9b5f | 2016-06-08 11:53:54 -0700 | [diff] [blame] | 559 | lambda pkt: EAP in pkt and pkt[EAP].code == EAP.SUCCESS, |
| 560 | timeout = timeout) |
A R Karthick | 307483c | 2016-06-06 17:05:19 -0700 | [diff] [blame] | 561 | self.eapol_logoff() |