Gitiles
Code Review Sign In
gerrit.opencord.org / cord-tester / 9a5edc401eb5645591fb8fda0fa66370013e7679 / . / src / test / utils / EapTLS.py
blob: 8f3150904bbfe53a4c8fd831e7d61c1fc6ab67bc [file] [log] [blame]
A R Karthick05d9b5f2016-06-08 11:53:54 -0700[diff] [blame]1#
Chetan Gaonkercfcce782016-05-10 10:10:42 -0700[diff] [blame]2# Copyright 2016-present Ciena Corporation
3#
4# Licensed under the Apache License, Version 2.0 (the "License");
5# you may not use this file except in compliance with the License.
6# You may obtain a copy of the License at
A R Karthick05d9b5f2016-06-08 11:53:54 -0700[diff] [blame]7#
Chetan Gaonkercfcce782016-05-10 10:10:42 -0700[diff] [blame]8# http://www.apache.org/licenses/LICENSE-2.0
A R Karthick05d9b5f2016-06-08 11:53:54 -0700[diff] [blame]9#
Chetan Gaonkercfcce782016-05-10 10:10:42 -0700[diff] [blame]10# Unless required by applicable law or agreed to in writing, software
11# distributed under the License is distributed on an "AS IS" BASIS,
12# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13# See the License for the specific language governing permissions and
14# limitations under the License.
15#
A R Karthicka2e53d62016-02-19 17:38:30 -0800[diff] [blame]16import sys, os
A R Karthicka2e53d62016-02-19 17:38:30 -0800[diff] [blame]17from EapolAAA import *
18from enum import *
19import noseTlsAuthHolder as tlsAuthHolder
20from scapy_ssl_tls.ssl_tls import *
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]21from scapy_ssl_tls.ssl_tls_crypto import *
A R Karthick307483c2016-06-06 17:05:19 -0700[diff] [blame]22from tls_cert import Key
A R Karthicka2e53d62016-02-19 17:38:30 -0800[diff] [blame]23from socket import *
ChetanGaonker6138fcd2016-08-18 17:56:39 -0700[diff] [blame]24from CordTestServer import cord_test_radius_restart
A R Karthick307483c2016-06-06 17:05:19 -0700[diff] [blame]25import struct
A R Karthicka2e53d62016-02-19 17:38:30 -0800[diff] [blame]26import scapy
27from nose.tools import *
28from CordTestBase import CordTester
ChetanGaonker6138fcd2016-08-18 17:56:39 -0700[diff] [blame]29from CordContainer import *
Chetan Gaonker4a25e2b2016-03-04 14:45:15 -0800[diff] [blame]30import re
ChetanGaonker6138fcd2016-08-18 17:56:39 -0700[diff] [blame]31import time
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]32
Chetan Gaonker5b366302016-03-21 16:18:21 -0700[diff] [blame]33log.setLevel('INFO')
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]34
35def bytes_to_num(data):
36 return int(data.encode('hex'), 16)
37
A R Karthicka2e53d62016-02-19 17:38:30 -0800[diff] [blame]38class TLSAuthTest(EapolPacket, CordTester):
39
40 tlsStateTable = Enumeration("TLSStateTable", ("ST_EAP_SETUP",
41 "ST_EAP_START",
42 "ST_EAP_ID_REQ",
43 "ST_EAP_TLS_HELLO_REQ",
44 "ST_EAP_TLS_CERT_REQ",
Chetan Gaonkerf8f77182016-03-11 15:34:57 -0800[diff] [blame]45 "ST_EAP_TLS_CHANGE_CIPHER_SPEC",
46 "ST_EAP_TLS_FINISHED",
A R Karthicka2e53d62016-02-19 17:38:30 -0800[diff] [blame]47 "ST_EAP_TLS_DONE"
48 )
49 )
50 tlsEventTable = Enumeration("TLSEventTable", ("EVT_EAP_SETUP",
51 "EVT_EAP_START",
52 "EVT_EAP_ID_REQ",
53 "EVT_EAP_TLS_HELLO_REQ",
54 "EVT_EAP_TLS_CERT_REQ",
Chetan Gaonkerf8f77182016-03-11 15:34:57 -0800[diff] [blame]55 "EVT_EAP_TLS_CHANGE_CIPHER_SPEC",
56 "EVT_EAP_TLS_FINISHED",
A R Karthicka2e53d62016-02-19 17:38:30 -0800[diff] [blame]57 "EVT_EAP_TLS_DONE"
58 )
59 )
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]60 server_hello_done_signature = '\x0e\x00\x00\x00'
61 SERVER_HELLO = '\x02'
62 SERVER_CERTIFICATE = '\x0b'
A R Karthick307483c2016-06-06 17:05:19 -0700[diff] [blame]63 CERTIFICATE_REQUEST = '\x0d'
64 SERVER_HELLO_DONE = '\x0e'
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]65 SERVER_UNKNOWN = '\xff'
66 HANDSHAKE = '\x16'
67 CHANGE_CIPHER = '\x14'
68 TLS_OFFSET = 28
69 HDR_IDX = 0
70 DATA_IDX = 1
71 CB_IDX = 2
A R Karthick307483c2016-06-06 17:05:19 -0700[diff] [blame]72
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]73 CLIENT_CERT = """-----BEGIN CERTIFICATE-----
A R Karthickaa10a202016-08-15 15:06:21 -0700[diff] [blame]74MIIDvTCCAqWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBizELMAkGA1UEBhMCVVMx
Chetan Gaonkerf8f77182016-03-11 15:34:57 -0800[diff] [blame]75CzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlTb21ld2hlcmUxEzARBgNVBAoTCkNpZW5h
76IEluYy4xHjAcBgkqhkiG9w0BCQEWD2FkbWluQGNpZW5hLmNvbTEmMCQGA1UEAxMd
A R Karthickaa10a202016-08-15 15:06:21 -0700[diff] [blame]77RXhhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTYwMzExMTg1MzM2WhcN
78MTcwMzA2MTg1MzM2WjBnMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEzARBgNV
Chetan Gaonkerf8f77182016-03-11 15:34:57 -0800[diff] [blame]79BAoTCkNpZW5hIEluYy4xFzAVBgNVBAMUDnVzZXJAY2llbmEuY29tMR0wGwYJKoZI
A R Karthickaa10a202016-08-15 15:06:21 -0700[diff] [blame]80hvcNAQkBFg51c2VyQGNpZW5hLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
81AQoCggEBAOxemcBsPn9tZsCa5o2JA6sQDC7A6JgCNXXl2VFzKLNNvB9PS6D7ZBsQ
825An0zEDMNzi51q7lnrYg1XyiE4S8FzMGAFr94RlGMQJUbRD9V/oqszMX4k++iAOK
83tIA1gr3x7Zi+0tkjVSVzXTmgNnhChAamdMsjYUG5+CY9WAicXyy+VEV3zTphZZDR
84OjcjEp4m/TSXVPYPgYDXI40YZKX5BdvqykWtT/tIgZb48RS1NPyN/XkCYzl3bv21
85qx7Mc0fcEbsJBIIRYTUkfxnsilcnmLxSYO+p+DZ9uBLBzcQt+4Rd5pLSfi21WM39
862Z2oOi3vs/OYAPAqgmi2JWOv3mePa/8CAwEAAaNPME0wEwYDVR0lBAwwCgYIKwYB
87BQUHAwIwNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL3d3dy5leGFtcGxlLmNvbS9l
88eGFtcGxlX2NhLmNybDANBgkqhkiG9w0BAQUFAAOCAQEALBzMPDTIB6sLyPl0T6JV
89MjOkyldAVhXWiQsTjaGQGJUUe1cmUJyZbUZEc13MygXMPOM4x7z6VpXGuq1c/Vxn
90VzQ2fNnbJcIAHi/7G8W5/SQfPesIVDsHTEc4ZspPi5jlS/MVX3HOC+BDbOjdbwqP
91RX0JEr+uOyhjO+lRxG8ilMRACoBUbw1eDuVDoEBgErSUC44pq5ioDw2xelc+Y6hQ
92dmtYwfY0DbvwxHtA495frLyPcastDiT/zre7NL51MyUDPjjYjghNQEwvu66IKbQ3
93T1tJBrgI7/WI+dqhKBFolKGKTDWIHsZXQvZ1snGu/FRYzg1l+R/jT8cRB9BDwhUt
94yg==
Chetan Gaonker4a25e2b2016-03-04 14:45:15 -0800[diff] [blame]95-----END CERTIFICATE-----"""
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]96
A R Karthick307483c2016-06-06 17:05:19 -0700[diff] [blame]97 CLIENT_PRIV_KEY = """-----BEGIN RSA PRIVATE KEY-----
A R Karthickaa10a202016-08-15 15:06:21 -0700[diff] [blame]98MIIEpAIBAAKCAQEA7F6ZwGw+f21mwJrmjYkDqxAMLsDomAI1deXZUXMos028H09L
99oPtkGxDkCfTMQMw3OLnWruWetiDVfKIThLwXMwYAWv3hGUYxAlRtEP1X+iqzMxfi
100T76IA4q0gDWCvfHtmL7S2SNVJXNdOaA2eEKEBqZ0yyNhQbn4Jj1YCJxfLL5URXfN
101OmFlkNE6NyMSnib9NJdU9g+BgNcjjRhkpfkF2+rKRa1P+0iBlvjxFLU0/I39eQJj
102OXdu/bWrHsxzR9wRuwkEghFhNSR/GeyKVyeYvFJg76n4Nn24EsHNxC37hF3mktJ+
103LbVYzf3Znag6Le+z85gA8CqCaLYlY6/eZ49r/wIDAQABAoIBAQC9Oha4l2+JMBoc
104g2WjVVcccWJvY3xRhSMrWXEa5ahlswuxvRd8rwS7LlCBL/r8vQBQZ2ZY6fafM7X1
105awNZNgMUk+9g6PJ1+11s0g3mlgsCeYCwnKRO1ueofjh2k2AxlCZ0LAA8WS7nJm4x
106nfM9X3K2qDfEEHTh23Gvm1iIvDbtZ3+kXnjsdAuYduiaDDPNSyNOSCe2eCt2d9vt
107twV5pEf0PXcuLJ29i2LkRKdPwz/1J/AAE0dTJS9lrlLKE9qWXO2my4eUQI2FXVzW
108RpxhjGoFNXa59okobZ555rRrp4LHe8HPx5aowLSS5HGGrXHpiyYpFR9uciQxMD6q
109BQgmim5RAoGBAP09mWJS2gyiB9xqNY8MYyTrldXUIfujJ5OZch088rmbdS2p3TvG
110Oy6K0rOufBMCl95Ncv6YQ7cjQKpq8Q7fTfPkRI3/994DZu5D+vwyqIZpBnHDAnTi
111R9kf1Ep1QHmJPPE1GcijTnksaXP5g9+me2fTi4cCcl+An8GPv06z/KKjAoGBAO7x
1128MH1Dy2zAJhvlPbXdQLa/6b5aQeEVqObnJUvEaEy4M3c0QakULTDVQjsu/+ONNNV
1130Z5ZsBIWe/LaXxenub9lRJpD4KZOdz5bYIIq+Oa8L4bqTvyB/pVcZOE5a4ANvGiC
1144rVdAenPu734skgDFQPNZWKi/T6OZyJYgNzHG4L1AoGAEugvdHzVFM5gId+4Ifb9
115y/re0/kjlGMJCGcTcwVi5eKqa/9bqiPRtVbeBlZHoy+1YP6NUF7T5291W4PifYbE
116jioDyEpNGkFMxQtESOILXQWoWoQBwfJHBPnwYqLAbpKFf0jEpQs0R62+Lc96Pg9y
1179TyBFVJkcabrxorR8LFVclsCgYB8+eJ5MBneRy/aixIZAZxb//uTdAQxQFCohi2i
118Adpwu9HFGufhV3Q296u0XU3/XnvWxZ47+qES9Nujq//suXd32hnFrhcEJSpNXTHf
119I2bIGEmrgUYK4Fst+ANzobrOYWDYMQ0u2xSzHEoQFNH6xFHriTSsIJ/gZk8fMbdE
120wodrOQKBgQCOsFLo97vhlv6abA4v0T6bXuq4pzedIEh3bkqC/8rpLxqG98VoymHM
121bZIYf0U0KK3aNVfyXkIjGBaqA9/A0ttx/guOacf8M3yXbl3uEqlKevJTjhWlbUjp
122fM2med+fZ0+bh4DZ3O8BUJ1+6dxHngF/86GlwxTK4iSRkLIv6n3YSA==
A R Karthick307483c2016-06-06 17:05:19 -0700[diff] [blame]123-----END RSA PRIVATE KEY-----"""
124
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]125 def handle_server_hello_done(self, server_hello_done):
126 if server_hello_done[-4:] == self.server_hello_done_signature:
ChetanGaonker6138fcd2016-08-18 17:56:39 -0700[diff] [blame]127 log.info('server hello received')
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]128 self.server_hello_done_received = True
129
ChetanGaonker6138fcd2016-08-18 17:56:39 -0700[diff] [blame]130 def __init__(self, intf = 'veth0', client_cert = None, client_priv_key = None,
131 fail_cb = None, src_mac='default', version = "TLS_1_0", session_id = '',
132 session_id_length = None, gmt_unix_time=1234, invalid_content_type = 22,
133 record_fragment_length = None, cipher_suites_length = None,
134 compression_methods_length = None, compression_methods = TLSCompressionMethod.NULL,
135 CipherSuite = True, cipher_suite = 'RSA_WITH_AES_256_CBC_SHA', id_mismatch_in_identifier_response_packet = False,
136 id_mismatch_in_client_hello_packet = False , dont_send_client_certificate = False,
137 dont_send_client_hello = False, restart_radius = False, invalid_client_hello_handshake_type = False,
138 invalid_cert_req_handshake = False, incorrect_tlsrecord_type_cert_req = False,
139 invalid_client_hello_handshake_length = False, clientkeyex_replace_with_serverkeyex = False):
140
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]141 self.fsmTable = tlsAuthHolder.initTlsAuthHolderFsmTable(self, self.tlsStateTable, self.tlsEventTable)
142 EapolPacket.__init__(self, intf)
143 CordTester.__init__(self, self.fsmTable, self.tlsStateTable.ST_EAP_TLS_DONE)
144 #self.tlsStateTable, self.tlsEventTable)
145 self.currentState = self.tlsStateTable.ST_EAP_SETUP
146 self.currentEvent = self.tlsEventTable.EVT_EAP_SETUP
ChetanGaonker6138fcd2016-08-18 17:56:39 -0700[diff] [blame]147 self.src_mac = src_mac
148 self.version = version
149 self.session_id_length = session_id_length
150 self.session_id = session_id
151 self.gmt_unix_time = gmt_unix_time
152 self.invalid_content_type = invalid_content_type
153 self.CipherSuite = CipherSuite
154 self.cipher_suites_length = cipher_suites_length
155 self.compression_methods_length = compression_methods_length
156 self.cipher_suite = cipher_suite
157 self.compression_methods_length = compression_methods_length
158 self.compression_methods = compression_methods
159 self.record_fragment_length = record_fragment_length
160 self.invalid_client_hello_handshake_type = invalid_client_hello_handshake_type
161 self.invalid_client_hello_handshake_length = invalid_client_hello_handshake_length
162 self.invalid_cert_req_handshake = invalid_cert_req_handshake
163 self.id_mismatch_in_identifier_response_packet = id_mismatch_in_identifier_response_packet
164 self.id_mismatch_in_client_hello_packet = id_mismatch_in_client_hello_packet
165 self.dont_send_client_certificate = dont_send_client_certificate
166 self.dont_send_client_hello = dont_send_client_hello
167 self.incorrect_tlsrecord_type_cert_req = incorrect_tlsrecord_type_cert_req
168 self.restart_radius = restart_radius
169 self.clientkeyex_replace_with_serverkeyex = clientkeyex_replace_with_serverkeyex
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]170 self.nextState = None
171 self.nextEvent = None
172 self.pending_bytes = 0 #for TLS fragment reassembly
173 self.server_hello_done_received = False
A R Karthickf028ec92016-08-15 16:58:11 -0700[diff] [blame]174 self.server_hello_done_eap_id = 0
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]175 self.send_tls_response = True
176 self.server_certs = []
177 self.pkt_last = ''
178 self.pkt_history = []
179 self.pkt_map = { self.SERVER_HELLO: ['', '', lambda pkt: pkt ],
180 self.SERVER_CERTIFICATE: ['', '', lambda pkt: pkt ],
A R Karthick307483c2016-06-06 17:05:19 -0700[diff] [blame]181 self.CERTIFICATE_REQUEST: ['', '', lambda pkt: pkt ],
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]182 self.SERVER_HELLO_DONE: ['', '', self.handle_server_hello_done ],
183 self.SERVER_UNKNOWN: ['', '', lambda pkt: pkt ]
184 }
ChetanGaonker6138fcd2016-08-18 17:56:39 -0700[diff] [blame]185 if self.clientkeyex_replace_with_serverkeyex:
186 self.tls_ctx = TLSSessionCtx(client = False)
187 else:
188 self.tls_ctx = TLSSessionCtx(client = True)
A R Karthick05d9b5f2016-06-08 11:53:54 -0700[diff] [blame]189 self.client_cert = self.CLIENT_CERT if client_cert is None else client_cert
190 self.client_priv_key = self.CLIENT_PRIV_KEY if client_priv_key is None else client_priv_key
191 self.failTest = False
192 self.fail_cb = fail_cb
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]193
194 def load_tls_record(self, data, pkt_type = ''):
A R Karthick307483c2016-06-06 17:05:19 -0700[diff] [blame]195 #if pkt_type not in [ self.SERVER_HELLO_DONE, self.SERVER_UNKNOWN ]:
196 if pkt_type == self.SERVER_HELLO_DONE:
197 data = str(TLSRecord(content_type=TLSContentType.HANDSHAKE)/data)
198 elif pkt_type == self.CERTIFICATE_REQUEST:
199 data = str(TLSRecord()/TLSHandshake(type=TLSHandshakeType.CERTIFICATE_REQUEST)/data[9:])
200 data = None #For now ignore this record
201 if data:
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]202 TLS(data, ctx = self.tls_ctx)
203
204 def pkt_update(self, pkt_type, data, hdr=None, reassembled = False):
205 if not self.pkt_map.has_key(pkt_type):
206 return
207 if hdr is not None:
208 self.pkt_map[pkt_type][self.HDR_IDX] += hdr
209 self.pkt_map[pkt_type][self.DATA_IDX] += data
210 if reassembled is True:
211 self.pkt_map[pkt_type][self.CB_IDX](self.pkt_map[pkt_type][self.DATA_IDX])
212 log.info('Appending packet type %02x to packet history of len %d'
213 %(ord(pkt_type), len(self.pkt_map[pkt_type][self.DATA_IDX])))
214 self.pkt_history.append(self.pkt_map[pkt_type][self.DATA_IDX])
215 data = ''.join(self.pkt_map[pkt_type][:self.DATA_IDX+1])
216 self.load_tls_record(data, pkt_type = pkt_type)
217 self.pkt_map[pkt_type][self.HDR_IDX] = ''
218 self.pkt_map[pkt_type][self.DATA_IDX] = ''
219
A R Karthick05d9b5f2016-06-08 11:53:54 -0700[diff] [blame]220 def tlsFail(self):
221 ##Force a failure
ChetanGaonker6138fcd2016-08-18 17:56:39 -0700[diff] [blame]222 log.info('entering into testFail funciton')
A R Karthick05d9b5f2016-06-08 11:53:54 -0700[diff] [blame]223 self.nextEvent = self.tlsEventTable.EVT_EAP_TLS_FINISHED
A.R Karthick7eb2ce02016-06-10 19:00:50 -0700[diff] [blame]224 self.nextState = self.tlsStateTable.ST_EAP_TLS_FINISHED
A R Karthick05d9b5f2016-06-08 11:53:54 -0700[diff] [blame]225 self.failTest = True
226
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]227 def eapol_server_hello_cb(self, pkt):
228 '''Reassemble and send response for server hello/certificate fragments'''
229 r = str(pkt)
230 offset = self.TLS_OFFSET
231 tls_data = r[offset:]
A R Karthick307483c2016-06-06 17:05:19 -0700[diff] [blame]232 type_hdrlen = 0
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]233 if self.pending_bytes > 0:
234 if len(tls_data) >= self.pending_bytes:
235 self.pkt_update(self.pkt_last, tls_data[:self.pending_bytes], reassembled = True)
236 offset += self.pending_bytes
237 self.pkt_last = ''
238 self.pending_bytes = 0
239 else:
240 self.pkt_update(self.pkt_last, tls_data)
241 self.pending_bytes -= len(tls_data)
242
243 while self.pending_bytes == 0 and offset < len(pkt):
244 tls_data = r[offset:]
245 self.pending_bytes = bytes_to_num(tls_data[3:5])
246 if tls_data[0] == self.HANDSHAKE:
247 pkt_type = tls_data[5]
A R Karthick307483c2016-06-06 17:05:19 -0700[diff] [blame]248 if pkt_type in [ self.CERTIFICATE_REQUEST ]:
249 self.pending_bytes = bytes_to_num(tls_data[6:9])
250 type_hdrlen = 4
251 if len(tls_data) - 5 - type_hdrlen >= self.pending_bytes:
252 data_received = tls_data[5: 5 + type_hdrlen + self.pending_bytes ]
253 offset += 5 + type_hdrlen + self.pending_bytes
254 type_hdrlen = 0
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]255 self.pending_bytes = 0
256 self.pkt_update(pkt_type, data_received,
257 hdr = tls_data[:5],
258 reassembled = True)
259 else:
260 self.pkt_update(pkt_type, tls_data[5:],
261 hdr = tls_data[:5],
262 reassembled = False)
A R Karthick307483c2016-06-06 17:05:19 -0700[diff] [blame]263 self.pending_bytes -= len(tls_data) - 5 - type_hdrlen
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]264 self.pkt_last = pkt_type
265 log.info('Pending bytes left %d' %(self.pending_bytes))
266 assert self.pending_bytes > 0
A R Karthick307483c2016-06-06 17:05:19 -0700[diff] [blame]267 elif tls_data[0] == self.SERVER_HELLO_DONE:
A R Karthickf028ec92016-08-15 16:58:11 -0700[diff] [blame]268 self.server_hello_done_eap_id = pkt[EAP].id
A R Karthick307483c2016-06-06 17:05:19 -0700[diff] [blame]269 self.pkt_update(tls_data[0], tls_data, reassembled = True)
270 break
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]271 else:
272 self.pkt_last = self.SERVER_UNKNOWN
273 if len(tls_data) - 5 >= self.pending_bytes:
274 offset += 5 + self.pending_bytes
275 self.pending_bytes = 0
276 self.pkt_last = ''
277
A R Karthickf028ec92016-08-15 16:58:11 -0700[diff] [blame]278 #send TLS response ack till we receive server hello done
279 if self.server_hello_done_received == False:
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]280 eap_payload = self.eapTLS(EAP_RESPONSE, pkt[EAP].id, TLS_LENGTH_INCLUDED, '')
281 self.eapol_send(EAPOL_EAPPACKET, eap_payload)
282
283 def _eapSetup(self):
ChetanGaonker6138fcd2016-08-18 17:56:39 -0700[diff] [blame]284 #if self.src_mac == 'bcast':self.setup(src_mac='bcast')
285 #if self.src_mac == 'mcast': self.setup(src_mac='mcast')
286 #if self.src_mac == 'zeros': self.setup(src_mac='zeros')
287 #if self.src_mac == 'default': self.setup(src_mac='default')
288 self.setup(src_mac=self.src_mac)
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]289 self.nextEvent = self.tlsEventTable.EVT_EAP_START
A R Karthick05d9b5f2016-06-08 11:53:54 -0700[diff] [blame]290
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]291 def _eapStart(self):
ChetanGaonker6138fcd2016-08-18 17:56:39 -0700[diff] [blame]292 log.info('_eapStart method started')
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]293 self.eapol_start()
294 self.nextEvent = self.tlsEventTable.EVT_EAP_ID_REQ
295
296 def _eapIdReq(self):
297 log.info( 'Inside EAP ID Req' )
298 def eapol_cb(pkt):
299 log.info('Got EAPOL packet with type id and code request')
300 log.info('Packet code: %d, type: %d, id: %d', pkt[EAP].code, pkt[EAP].type, pkt[EAP].id)
301 log.info("<====== Send EAP Response with identity = %s ================>" % USER)
302 self.eapol_id_req(pkt[EAP].id, USER)
303
A R Karthick05d9b5f2016-06-08 11:53:54 -0700[diff] [blame]304 r = self.eapol_scapy_recv(cb = eapol_cb,
305 lfilter =
306 lambda pkt: EAP in pkt and pkt[EAP].type == EAP.TYPE_ID and pkt[EAP].code == EAP.REQUEST)
307 if len(r) > 0:
308 self.nextEvent = self.tlsEventTable.EVT_EAP_TLS_HELLO_REQ
309 else:
310 self.tlsFail()
311 return r
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]312
313 def _eapTlsHelloReq(self):
314
315 def eapol_cb(pkt):
316 log.info('Got hello request for id %d', pkt[EAP].id)
ChetanGaonker6138fcd2016-08-18 17:56:39 -0700[diff] [blame]317 self.client_hello = TLSClientHello(version= self.version,
318 gmt_unix_time=self.gmt_unix_time,
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]319 random_bytes= '\xAB' * 28,
ChetanGaonker6138fcd2016-08-18 17:56:39 -0700[diff] [blame]320 session_id_length = self.session_id_length,
321 session_id= self.session_id,
322 compression_methods_length = self.compression_methods_length,
323 compression_methods= self.compression_methods,
324 cipher_suites_length = self.cipher_suites_length,
325 cipher_suites=[self.cipher_suite]
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]326 )
ChetanGaonker6138fcd2016-08-18 17:56:39 -0700[diff] [blame]327 if self.invalid_client_hello_handshake_type:
328 log.info('sending server_hello instead of client_hello handshape type in client hello packet')
329 client_hello_data = TLSHandshake(type='server_hello')/self.client_hello
330 elif self.invalid_client_hello_handshake_length:
331 log.info('sending TLS Handshake message with zero length field in client hello packet')
332 client_hello_data = TLSHandshake(length=0)/self.client_hello
333 else:
334 client_hello_data = TLSHandshake()/self.client_hello
335 #client_hello_data = TLSHandshake()/self.client_hello
A R Karthick307483c2016-06-06 17:05:19 -0700[diff] [blame]336 self.pkt_history.append( str(client_hello_data) )
ChetanGaonker6138fcd2016-08-18 17:56:39 -0700[diff] [blame]337 if self.record_fragment_length:
338 reqdata = TLSRecord(length=self.record_fragment_length)/client_hello_data
339 else:
340 reqdata = TLSRecord()/client_hello_data
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]341 self.load_tls_record(str(reqdata))
342 log.info("Sending Client Hello TLS payload of len %d, id %d" %(len(reqdata),pkt[EAP].id))
ChetanGaonker6138fcd2016-08-18 17:56:39 -0700[diff] [blame]343 if self.id_mismatch_in_client_hello_packet:
344 log.info('\nsending invalid id field in client hello packet')
345 eap_payload = self.eapTLS(EAP_RESPONSE, pkt[EAP].id+10, TLS_LENGTH_INCLUDED, str(reqdata))
346 else:
347 eap_payload = self.eapTLS(EAP_RESPONSE, pkt[EAP].id, TLS_LENGTH_INCLUDED, str(reqdata))
348 if self.dont_send_client_hello:
349 log.info('\nskipping client hello packet sending part')
350 pass
351 else:
352 self.eapol_send(EAPOL_EAPPACKET, eap_payload)
353 if self.restart_radius:
354 cord_test_radius_restart()
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]355
A R Karthick05d9b5f2016-06-08 11:53:54 -0700[diff] [blame]356 r = self.eapol_scapy_recv(cb = eapol_cb,
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]357 lfilter =
358 lambda pkt: EAP in pkt and pkt[EAP].type == EAP_TYPE_TLS and pkt[EAP].code == EAP.REQUEST)
A R Karthick05d9b5f2016-06-08 11:53:54 -0700[diff] [blame]359
360 if len(r) == 0:
361 self.tlsFail()
362 return r
363
A R Karthickf028ec92016-08-15 16:58:11 -0700[diff] [blame]364 #move to client/server certificate request
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]365 self.nextEvent = self.tlsEventTable.EVT_EAP_TLS_CERT_REQ
366
A R Karthick307483c2016-06-06 17:05:19 -0700[diff] [blame]367 def get_verify_data(self):
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]368 all_handshake_pkts = ''.join(self.pkt_history)
A R Karthick307483c2016-06-06 17:05:19 -0700[diff] [blame]369 return self.tls_ctx.get_verify_data(data = all_handshake_pkts)
370
371 def get_verify_signature(self, pem_data):
372 all_handshake_pkts = ''.join(self.pkt_history)
373 k = Key(pem_data)
374 signature = k.sign(all_handshake_pkts, t = 'pkcs', h = 'tls')
375 signature_data = '{}{}'.format(struct.pack('!H', len(signature)), signature)
376 return signature_data
377
378 def get_encrypted_handshake_msg(self, finish_val=''):
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]379 if not finish_val:
A R Karthick307483c2016-06-06 17:05:19 -0700[diff] [blame]380 finish_val = self.get_verify_data()
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]381 msg = str(TLSHandshake(type=TLSHandshakeType.FINISHED)/finish_val)
382 crypto_container = CryptoContainer(self.tls_ctx, data = msg,
383 content_type = TLSContentType.HANDSHAKE)
384 return crypto_container.encrypt()
385
A R Karthick307483c2016-06-06 17:05:19 -0700[diff] [blame]386 def get_encrypted_application_msg(self, msg = ''):
387 '''Needed with tunneled TLS'''
388 if not msg:
389 msg = 'test data'
390 return to_raw(TLSPlaintext(data = 'GET / HTTP/1.1\r\nHOST: localhost\r\n\r\n'), self.tls_ctx)
391
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]392 def _eapTlsCertReq(self):
A R Karthickf028ec92016-08-15 16:58:11 -0700[diff] [blame]393 log.info('Receiving server certificates')
394 while self.server_hello_done_received == False:
395 r = self.eapol_scapy_recv(cb = self.eapol_server_hello_cb,
396 lfilter =
397 lambda pkt: EAP in pkt and pkt[EAP].type == EAP_TYPE_TLS and \
398 pkt[EAP].code == EAP.REQUEST)
399 if len(r) == 0:
400 self.tlsFail()
401 return r
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]402
A R Karthickf028ec92016-08-15 16:58:11 -0700[diff] [blame]403 log.info('Sending client certificate request')
404 rex_pem = re.compile(r'\-+BEGIN[^\-]+\-+(.*?)\-+END[^\-]+\-+', re.DOTALL)
405 if self.client_cert:
406 der_cert = rex_pem.findall(self.client_cert)[0].decode("base64")
407 client_certificate_list = TLSHandshake()/TLSCertificateList(
408 certificates=[TLSCertificate(data=x509.X509Cert(der_cert))])
A R Karthick05d9b5f2016-06-08 11:53:54 -0700[diff] [blame]409 else:
A R Karthickf028ec92016-08-15 16:58:11 -0700[diff] [blame]410 client_certificate_list = TLSHandshake()/TLSCertificateList(certificates=[])
411 client_certificate = TLSRecord(version="TLS_1_0")/client_certificate_list
ChetanGaonker6138fcd2016-08-18 17:56:39 -0700[diff] [blame]412 kex_data = self.tls_ctx.get_client_kex_data()
A R Karthickf028ec92016-08-15 16:58:11 -0700[diff] [blame]413 client_key_ex_data = TLSHandshake()/kex_data
414 client_key_ex = TLSRecord()/client_key_ex_data
415 if self.client_cert:
416 self.load_tls_record(str(client_certificate))
417 self.pkt_history.append(str(client_certificate_list))
418 self.load_tls_record(str(client_key_ex))
419 self.pkt_history.append(str(client_key_ex_data))
420 verify_signature = self.get_verify_signature(self.client_priv_key)
ChetanGaonker6138fcd2016-08-18 17:56:39 -0700[diff] [blame]421 if self.invalid_cert_req_handshake:
422 log.info("sending 'certificate-request' type of handshake message instead of 'certificate-verify' type")
423 client_cert_verify = TLSHandshake(type=TLSHandshakeType.CERTIFICATE_REQUEST)/verify_signature
424 else:
425 client_cert_verify = TLSHandshake(type=TLSHandshakeType.CERTIFICATE_VERIFY)/verify_signature
426 if self.incorrect_tlsrecord_type_cert_req:
427 log.info("sending TLS Record type as ALERT instead of HANDSHAKE in certificate request packet")
428 client_cert_record = TLSRecord(content_type=TLSContentType.ALERT)/client_cert_verify
429 else:
430 client_cert_record = TLSRecord(content_type=TLSContentType.HANDSHAKE)/client_cert_verify
A R Karthickf028ec92016-08-15 16:58:11 -0700[diff] [blame]431 self.pkt_history.append(str(client_cert_verify))
432 #log.info('TLS ctxt: %s' %self.tls_ctx)
433 client_ccs = TLSRecord(version="TLS_1_0")/TLSChangeCipherSpec()
434 enc_handshake_msg = self.get_encrypted_handshake_msg()
ChetanGaonker6138fcd2016-08-18 17:56:39 -0700[diff] [blame]435 if self.invalid_content_type:
436 handshake_msg = str(TLSRecord(content_type=self.invalid_content_type)/enc_handshake_msg)
437 else:
438 handshake_msg = str(TLSRecord(content_type=TLSContentType.HANDSHAKE)/enc_handshake_msg)
A R Karthickf028ec92016-08-15 16:58:11 -0700[diff] [blame]439 reqdata = str(TLS.from_records([client_certificate, client_key_ex, client_cert_record, client_ccs]))
440 reqdata += handshake_msg
441 log.info("------> Sending Client Hello TLS Certificate payload of len %d ----------->" %len(reqdata))
ChetanGaonker6138fcd2016-08-18 17:56:39 -0700[diff] [blame]442 if self.dont_send_client_certificate:
443 log.info('\nskipping sending client certificate part')
444 pass
445 else:
446 status = self.eapFragmentSend(EAP_RESPONSE, self.server_hello_done_eap_id, TLS_LENGTH_INCLUDED,
A R Karthickf028ec92016-08-15 16:58:11 -0700[diff] [blame]447 payload = reqdata, fragsize = 1024)
ChetanGaonker6138fcd2016-08-18 17:56:39 -0700[diff] [blame]448 assert_equal(status, True)
449 self.nextEvent = self.tlsEventTable.EVT_EAP_TLS_CHANGE_CIPHER_SPEC
Chetan Gaonkerf8f77182016-03-11 15:34:57 -0800[diff] [blame]450
451 def _eapTlsChangeCipherSpec(self):
Chetan Gaonker5b366302016-03-21 16:18:21 -0700[diff] [blame]452 def eapol_cb(pkt):
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]453 r = str(pkt)
ChetanGaonker6138fcd2016-08-18 17:56:39 -0700[diff] [blame]454 log.info('data received in change cipher spec function is %s'%pkt.show())
A R Karthick307483c2016-06-06 17:05:19 -0700[diff] [blame]455 tls_data = r[self.TLS_OFFSET:]
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]456 log.info('Verifying TLS Change Cipher spec record type %x' %ord(tls_data[0]))
457 assert tls_data[0] == self.CHANGE_CIPHER
A R Karthick307483c2016-06-06 17:05:19 -0700[diff] [blame]458 log.info('Handshake finished. Sending empty data')
459 eap_payload = self.eapTLS(EAP_RESPONSE, pkt[EAP].id, 0, '')
460 self.eapol_send(EAPOL_EAPPACKET, eap_payload)
Chetan Gaonker5b366302016-03-21 16:18:21 -0700[diff] [blame]461
A R Karthick05d9b5f2016-06-08 11:53:54 -0700[diff] [blame]462 r = self.eapol_scapy_recv(cb = eapol_cb,
463 lfilter =
464 lambda pkt: EAP in pkt and pkt[EAP].type == EAP_TYPE_TLS and pkt[EAP].code == EAP.REQUEST)
465 if len(r) > 0:
466 self.nextEvent = self.tlsEventTable.EVT_EAP_TLS_FINISHED
467 else:
468 self.tlsFail()
469 return r
Chetan Gaonkerf8f77182016-03-11 15:34:57 -0800[diff] [blame]470
471 def _eapTlsFinished(self):
A.R Karthick7eb2ce02016-06-10 19:00:50 -0700[diff] [blame]472 self.nextEvent = None
Chetan Gaonker5b366302016-03-21 16:18:21 -0700[diff] [blame]473 def eapol_cb(pkt):
A R Karthick307483c2016-06-06 17:05:19 -0700[diff] [blame]474 log.info('Server authentication successfull')
Chetan Gaonker5b366302016-03-21 16:18:21 -0700[diff] [blame]475
A R Karthick05d9b5f2016-06-08 11:53:54 -0700[diff] [blame]476 timeout = 5
477 if self.failTest is True:
478 if self.fail_cb is not None:
479 self.fail_cb()
480 return
481 timeout = None ##Wait forever on failure and force testcase timeouts
482
Chetan Gaonker5b366302016-03-21 16:18:21 -0700[diff] [blame]483 self.eapol_scapy_recv(cb = eapol_cb,
A R Karthick22aa0c62016-05-31 11:17:12 -0700[diff] [blame]484 lfilter =
A R Karthick05d9b5f2016-06-08 11:53:54 -0700[diff] [blame]485 lambda pkt: EAP in pkt and pkt[EAP].code == EAP.SUCCESS,
486 timeout = timeout)
A R Karthick307483c2016-06-06 17:05:19 -0700[diff] [blame]487 self.eapol_logoff()