mirror of
https://github.com/vanhoefm/fragattacks.git
synced 2024-11-25 00:38:24 -05:00
tests: Generate a fresh OCSP response for each test run
GnuTLS has a hardcoded three day limit on OCSP response age regardless of the next update value in the response. To make this work in the test scripts, try to generate a new response when starting the authentication server. The old mechanism of a response without next update value is used as a backup option if openssl is not available or fails to generate the response for some reason. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
parent
0ff7afbc42
commit
279a0afffb
@ -11,7 +11,7 @@ ctrl_interface_group=admin
|
||||
ca_cert=auth_serv/ca.pem
|
||||
server_cert=auth_serv/server.pem
|
||||
private_key=auth_serv/server.key
|
||||
ocsp_stapling_response=auth_serv/ocsp-server-cache.der
|
||||
ocsp_stapling_response=LOGDIR/ocsp-server-cache.der
|
||||
server_id=server.w1.fi
|
||||
eap_sim_db=unix:/tmp/hlr_auc_gw.sock
|
||||
dh_file=auth_serv/dh.conf
|
||||
|
@ -11,7 +11,7 @@ ctrl_interface_group=admin
|
||||
ca_cert=auth_serv/ca.pem
|
||||
server_cert=auth_serv/server.pem
|
||||
private_key=auth_serv/server.key
|
||||
ocsp_stapling_response=auth_serv/ocsp-server-cache.der
|
||||
ocsp_stapling_response=LOGDIR/ocsp-server-cache.der
|
||||
server_id=server2.w1.fi
|
||||
eap_sim_db=unix:/tmp/hlr_auc_gw.sock db=LOGDIR/hostapd.db
|
||||
dh_file=auth_serv/dh.conf
|
||||
|
8
tests/hwsim/auth_serv/index.txt
Normal file
8
tests/hwsim/auth_serv/index.txt
Normal file
@ -0,0 +1,8 @@
|
||||
V 230627164122Z D8D3E3A6CBE3CCC1 unknown /C=FI/O=w1.fi/CN=Root CA
|
||||
V 150215075930Z D8D3E3A6CBE3CCC9 unknown /C=FI/O=w1.fi/CN=server3.w1.fi
|
||||
V 140102000000Z D8D3E3A6CBE3CCCA unknown /C=FI/O=w1.fi/CN=server4.w1.fi
|
||||
V 150215083008Z D8D3E3A6CBE3CCCB unknown /C=FI/O=w1.fi/CN=server5.w1.fi
|
||||
V 150228224144Z D8D3E3A6CBE3CCCC unknown /C=FI/O=w1.fi/CN=server6.w1.fi
|
||||
V 160111185024Z D8D3E3A6CBE3CCCD unknown /C=FI/O=w1.fi/CN=ocsp.w1.fi
|
||||
V 150929211122Z D8D3E3A6CBE3CCD0 unknown /C=FI/O=w1.fi/CN=server.w1.fi
|
||||
V 150929211300Z D8D3E3A6CBE3CCD1 unknown /C=FI/O=w1.fi/CN=Test User
|
BIN
tests/hwsim/auth_serv/ocsp-req.der
Normal file
BIN
tests/hwsim/auth_serv/ocsp-req.der
Normal file
Binary file not shown.
16
tests/hwsim/auth_serv/ocsp-responder.key
Normal file
16
tests/hwsim/auth_serv/ocsp-responder.key
Normal file
@ -0,0 +1,16 @@
|
||||
-----BEGIN PRIVATE KEY-----
|
||||
MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBALJeLx3nLPZsq7AW
|
||||
nvoSL7JMyCN7aAh2OIOX9T8FrF3ZganOdZKhvJbGyADuHtfw2orY58DXQsMlYufH
|
||||
YPqogkwbznOaq42z/j22fwH+WWRCdagEGActImQnufGvAbTtv6bqkXjRnDD1YTf/
|
||||
+Rv4Fl9rdzL51+OdDNXDuUMW8DrDAgMBAAECgYAja1yD3aIqFQ5K21MaaX4bM/AS
|
||||
S7Eu7Prv9r72ktPVlxmOdLcYNRHUBwk0VhS94NAk/kmXG6fgRI5NZGQ3ojqtOXLV
|
||||
VhlcitYAfJvNpyKmFKgdGZQIxaaQr/F2X8tH5yFdIt+6mDOGptTb/S3ljQwNsg59
|
||||
7t/jYzSe5mK/Gbw4MQJBAN3sZqGz6ABygLTuTiXhE9sCXDSGy4d8ZWMaajuD7N6k
|
||||
sAGKsaiVozeIvg0JNiCMm02A8M/cWjGedDWFxrnvvF8CQQDNwagUpozfXMboibHI
|
||||
BNwpUzyri/5bqJ/dU7/sAOA1AZ9yoO5s2WlNutXkG3mDoQCzseG/pNxU403dU0jQ
|
||||
wpwdAkEAk5lbWUkSkNmXCL9GcqMUVaFoOfc8/suZkyRKa3L+48Wc2imop3t+przn
|
||||
yjvKKDPcRtvvThA8XKwKll53Ict0+QJBAKj7o09Sed/4EmRosdnUI/zMn8dD8mLU
|
||||
2narkbQCBCGEc69w/F/pLtLn30K4TdQNJsZuETmT7GDLTee3vtW0/wECQCtyVgw/
|
||||
aZ0QTac8ut1oG072qOA2cFGhEuDELlX8JcNy28ygmzn0KS8uiTsq6YVu8V7WCj4X
|
||||
EkAZMm19nY5ZE+A=
|
||||
-----END PRIVATE KEY-----
|
54
tests/hwsim/auth_serv/ocsp-responder.pem
Normal file
54
tests/hwsim/auth_serv/ocsp-responder.pem
Normal file
@ -0,0 +1,54 @@
|
||||
Certificate:
|
||||
Data:
|
||||
Version: 3 (0x2)
|
||||
Serial Number: 15624081837803162829 (0xd8d3e3a6cbe3cccd)
|
||||
Signature Algorithm: sha256WithRSAEncryption
|
||||
Issuer: C=FI, O=w1.fi, CN=Root CA
|
||||
Validity
|
||||
Not Before: Jan 11 18:50:24 2015 GMT
|
||||
Not After : Jan 11 18:50:24 2016 GMT
|
||||
Subject: C=FI, O=w1.fi, CN=ocsp.w1.fi
|
||||
Subject Public Key Info:
|
||||
Public Key Algorithm: rsaEncryption
|
||||
Public-Key: (1024 bit)
|
||||
Modulus:
|
||||
00:b2:5e:2f:1d:e7:2c:f6:6c:ab:b0:16:9e:fa:12:
|
||||
2f:b2:4c:c8:23:7b:68:08:76:38:83:97:f5:3f:05:
|
||||
ac:5d:d9:81:a9:ce:75:92:a1:bc:96:c6:c8:00:ee:
|
||||
1e:d7:f0:da:8a:d8:e7:c0:d7:42:c3:25:62:e7:c7:
|
||||
60:fa:a8:82:4c:1b:ce:73:9a:ab:8d:b3:fe:3d:b6:
|
||||
7f:01:fe:59:64:42:75:a8:04:18:07:2d:22:64:27:
|
||||
b9:f1:af:01:b4:ed:bf:a6:ea:91:78:d1:9c:30:f5:
|
||||
61:37:ff:f9:1b:f8:16:5f:6b:77:32:f9:d7:e3:9d:
|
||||
0c:d5:c3:b9:43:16:f0:3a:c3
|
||||
Exponent: 65537 (0x10001)
|
||||
X509v3 extensions:
|
||||
X509v3 Basic Constraints:
|
||||
CA:FALSE
|
||||
X509v3 Key Usage:
|
||||
Digital Signature, Non Repudiation, Key Encipherment
|
||||
X509v3 Extended Key Usage:
|
||||
OCSP Signing
|
||||
Signature Algorithm: sha256WithRSAEncryption
|
||||
41:42:b6:70:4a:70:1f:ad:d9:25:f7:02:94:bd:91:b7:69:ad:
|
||||
31:59:c6:2a:4e:5e:4a:ed:5d:c1:24:09:98:94:15:42:86:2c:
|
||||
b2:9d:62:7a:e0:ec:60:39:47:93:c9:c7:61:01:b5:2c:00:53:
|
||||
86:6e:66:99:ee:b3:57:5d:fb:83:6b:d3:77:26:0c:c7:2d:16:
|
||||
ea:84:69:59:b7:a8:de:35:61:0b:7a:f3:62:1e:1a:94:91:c4:
|
||||
bd:85:4a:63:10:09:11:88:75:c9:f5:57:84:9a:ef:d1:78:29:
|
||||
5e:76:fc:33:76:84:b2:b5:f6:88:cc:fb:f9:cf:9f:b4:88:29:
|
||||
3c:9d
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIICDjCCAXegAwIBAgIJANjT46bL48zNMA0GCSqGSIb3DQEBCwUAMC8xCzAJBgNV
|
||||
BAYTAkZJMQ4wDAYDVQQKDAV3MS5maTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0xNTAx
|
||||
MTExODUwMjRaFw0xNjAxMTExODUwMjRaMDIxCzAJBgNVBAYTAkZJMQ4wDAYDVQQK
|
||||
DAV3MS5maTETMBEGA1UEAwwKb2NzcC53MS5maTCBnzANBgkqhkiG9w0BAQEFAAOB
|
||||
jQAwgYkCgYEAsl4vHecs9myrsBae+hIvskzII3toCHY4g5f1PwWsXdmBqc51kqG8
|
||||
lsbIAO4e1/DaitjnwNdCwyVi58dg+qiCTBvOc5qrjbP+PbZ/Af5ZZEJ1qAQYBy0i
|
||||
ZCe58a8BtO2/puqReNGcMPVhN//5G/gWX2t3MvnX450M1cO5QxbwOsMCAwEAAaMv
|
||||
MC0wCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwEwYDVR0lBAwwCgYIKwYBBQUHAwkw
|
||||
DQYJKoZIhvcNAQELBQADgYEAQUK2cEpwH63ZJfcClL2Rt2mtMVnGKk5eSu1dwSQJ
|
||||
mJQVQoYssp1ieuDsYDlHk8nHYQG1LABThm5mme6zV137g2vTdyYMxy0W6oRpWbeo
|
||||
3jVhC3rzYh4alJHEvYVKYxAJEYh1yfVXhJrv0XgpXnb8M3aEsrX2iMz7+c+ftIgp
|
||||
PJ0=
|
||||
-----END CERTIFICATE-----
|
@ -65,8 +65,8 @@ for i in 0 1 2; do
|
||||
sed "s/ GROUP=.*$/ GROUP=$GROUP/" "$DIR/p2p$i.conf" > "$LOGDIR/p2p$i.conf"
|
||||
done
|
||||
|
||||
sed "s/group=admin/group=$GROUP/" "$DIR/auth_serv/as.conf" > "$LOGDIR/as.conf"
|
||||
sed "s/group=admin/group=$GROUP/;s%LOGDIR%$LOGDIR%" "$DIR/auth_serv/as2.conf" > "$LOGDIR/as2.conf"
|
||||
sed "s/group=admin/group=$GROUP/;s%LOGDIR%$LOGDIR%g" "$DIR/auth_serv/as.conf" > "$LOGDIR/as.conf"
|
||||
sed "s/group=admin/group=$GROUP/;s%LOGDIR%$LOGDIR%g" "$DIR/auth_serv/as2.conf" > "$LOGDIR/as2.conf"
|
||||
|
||||
if [ "$1" = "valgrind" ]; then
|
||||
VALGRIND=y
|
||||
@ -122,6 +122,18 @@ if [ -x $HLR_AUC_GW ]; then
|
||||
sudo $HLR_AUC_GW -u -m $LOGDIR/hlr_auc_gw.milenage_db -g $DIR/auth_serv/hlr_auc_gw.gsm > $LOGDIR/hlr_auc_gw &
|
||||
fi
|
||||
|
||||
openssl ocsp -index $DIR/auth_serv/index.txt \
|
||||
-rsigner $DIR/auth_serv/ocsp-responder.pem \
|
||||
-rkey $DIR/auth_serv/ocsp-responder.key \
|
||||
-CA $DIR/auth_serv/ca.pem \
|
||||
-issuer $DIR/auth_serv/ca.pem \
|
||||
-verify_other $DIR/auth_serv/ca.pem -trust_other \
|
||||
-ndays 7 \
|
||||
-reqin $DIR/auth_serv/ocsp-req.der \
|
||||
-respout $LOGDIR/ocsp-server-cache.der > $LOGDIR/ocsp.log 2>&1
|
||||
if [ ! -r $LOGDIR/ocsp-server-cache.der ]; then
|
||||
cp $DIR/auth_serv/ocsp-server-cache.der $LOGDIR/ocsp-server-cache.der
|
||||
fi
|
||||
touch $LOGDIR/hostapd.db
|
||||
sudo $HAPD_AS -ddKt $LOGDIR/as.conf $LOGDIR/as2.conf > $LOGDIR/auth_serv &
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user