From d4c7a2b9e6f53e6b879b1ee411d04efffd1e65f1 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Wed, 8 Jan 2014 17:45:56 +0200 Subject: [PATCH] tests: EAP-TLS with OCSP Signed-hostap: Jouni Malinen --- tests/hwsim/auth_serv/as.conf | 1 + tests/hwsim/auth_serv/ocsp-server-cache.der | Bin 0 -> 343 bytes .../auth_serv/ocsp-server-cache.der-invalid | Bin 0 -> 343 bytes tests/hwsim/test_ap_eap.py | 43 +++++++++++++++++- tests/hwsim/wpasupplicant.py | 4 +- 5 files changed, 45 insertions(+), 3 deletions(-) create mode 100644 tests/hwsim/auth_serv/ocsp-server-cache.der create mode 100644 tests/hwsim/auth_serv/ocsp-server-cache.der-invalid diff --git a/tests/hwsim/auth_serv/as.conf b/tests/hwsim/auth_serv/as.conf index d89ab464e..a4ff2f65c 100644 --- a/tests/hwsim/auth_serv/as.conf +++ b/tests/hwsim/auth_serv/as.conf @@ -6,6 +6,7 @@ eap_user_file=auth_serv/eap_user.conf ca_cert=auth_serv/ca.pem server_cert=auth_serv/server.pem private_key=auth_serv/server.key +ocsp_stapling_response=auth_serv/ocsp-server-cache.der server_id=server.w1.fi eap_sim_db=unix:/tmp/hlr_auc_gw.sock dh_file=auth_serv/dh.conf diff --git a/tests/hwsim/auth_serv/ocsp-server-cache.der b/tests/hwsim/auth_serv/ocsp-server-cache.der new file mode 100644 index 0000000000000000000000000000000000000000..650731d342bcf6287e7f03d2ee9404f34727ef23 GIT binary patch literal 343 zcmXqLVhrYDWLVI|=wr~t=)uOR&Bn;e%5K2O$kN1U2^2ClXq>;$&_Lgi+klgeIh2J> zn90r4kk5bz#Npy$EjQFl%QO@)-~;iQdDw&U^Gg(*9VPgU3=B;S3=J#{O^uCA%%Th; z4Z;nafM&32^D#3?u`;lToGA#<-?4ey#(jSL$p=?9r8+%gu4fV1G3nmlE{V+shv$cW zHjdqLLbJtu~Lg@4Spaw=*y|HZrV>(5x@GGHu=| z1(8k916)qcbDb5Sc8BRRi`4YpEX;XJ=bQ7dekgEHc5%r6qn9qp?0V%bvaR^w_xVDy zxl3#87gi-Mdgk=kS1)6EPvLoni*>I|#J4c<{Y~I{|BEMW@~cDNUNc6W0C literal 0 HcmV?d00001 diff --git a/tests/hwsim/auth_serv/ocsp-server-cache.der-invalid b/tests/hwsim/auth_serv/ocsp-server-cache.der-invalid new file mode 100644 index 0000000000000000000000000000000000000000..218bd035a34db7e318d1dd48836b4a86cee6afa6 GIT binary patch literal 343 zcmXqLVhrYDWLVI|=wr~t=)uOR&Bn;e%5K2O$kN1U2^2ClXq>;$&_Lgi+klgeIh2J> zn90r4kk5bz#Npy$EjQFl%QO@)-~;iQdDw&U^Gg(*9VPgU3=B;S3=J#{O^q!~Ori`T z4Z;nafM&32^D#3?u`;lToGA#<-?4ey#(jSL$p=?9r8+%gu4fV1G3nmlE{V+shv$cW zHjdqLLbJtu~Lg@4Spaw=*y|HZqib+4-b`t#_V8 zcI7xk46K&DOGkIX{GsBR`$iuk^6dIjyZi|uTS~OOQxoG ZTjv(a_Amw>?D%<`%jtt^s2{tV0sy6ncOw7* literal 0 HcmV?d00001 diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py index 0c29a9379..5afbd35a4 100644 --- a/tests/hwsim/test_ap_eap.py +++ b/tests/hwsim/test_ap_eap.py @@ -24,7 +24,7 @@ def eap_connect(dev, ap, method, identity, anonymous_identity=None, local_error_report=False, ca_cert2=None, client_cert2=None, private_key2=None, pac_file=None, subject_match=None, altsubject_match=None, - private_key_passwd=None): + private_key_passwd=None, ocsp=None): hapd = hostapd.Hostapd(ap['ifname']) id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256", eap=method, identity=identity, @@ -39,7 +39,8 @@ def eap_connect(dev, ap, method, identity, anonymous_identity=None, private_key2=private_key2, pac_file=pac_file, subject_match=subject_match, altsubject_match=altsubject_match, - private_key_passwd=private_key_passwd) + private_key_passwd=private_key_passwd, + ocsp=ocsp) eap_check_auth(dev, method, True, sha256=sha256, expect_failure=expect_failure, local_error_report=local_error_report) @@ -838,3 +839,41 @@ def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev): phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth") hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname']) eap_reauth(dev[0], "FAST") + +def test_ap_wpa2_eap_tls_ocsp(dev, apdev): + """WPA2-Enterprise connection using EAP-TLS and verifying OCSP""" + params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") + hostapd.add_ap(apdev[0]['ifname'], params) + eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem", + private_key="auth_serv/user.pkcs12", + private_key_passwd="whatever", ocsp=2) + +def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev): + """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response""" + params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP", + "rsn_pairwise": "CCMP", "ieee8021x": "1", + "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf", + "ca_cert": "auth_serv/ca.pem", + "server_cert": "auth_serv/server.pem", + "private_key": "auth_serv/server.key", + "ocsp_stapling_response": "auth_serv/ocsp-server-cache.der-invalid" } + hostapd.add_ap(apdev[0]['ifname'], params) + dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS", + identity="tls user", ca_cert="auth_serv/ca.pem", + private_key="auth_serv/user.pkcs12", + private_key_passwd="whatever", ocsp=2, + wait_connect=False, scan_freq="2412") + count = 0 + while True: + ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"]) + if ev is None: + raise Exception("Timeout on EAP status") + if 'bad certificate status response' in ev: + break + count = count + 1 + if count > 10: + raise Exception("Unexpected number of EAP status messages") + + ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) + if ev is None: + raise Exception("Timeout on EAP failure report") diff --git a/tests/hwsim/wpasupplicant.py b/tests/hwsim/wpasupplicant.py index 6c1bb584a..403a89f32 100644 --- a/tests/hwsim/wpasupplicant.py +++ b/tests/hwsim/wpasupplicant.py @@ -573,7 +573,7 @@ class WpaSupplicant: ca_cert2=None, client_cert2=None, private_key2=None, scan_ssid=None, raw_psk=None, pac_file=None, subject_match=None, altsubject_match=None, - private_key_passwd=None): + private_key_passwd=None, ocsp=None): logger.info("Connect STA " + self.ifname + " to AP") id = self.add_network() if ssid: @@ -649,6 +649,8 @@ class WpaSupplicant: self.set_network(id, "scan_ssid", scan_ssid) if pac_file: self.set_network_quoted(id, "pac_file", pac_file) + if ocsp: + self.set_network(id, "ocsp", str(ocsp)) if only_add_network: return id if wait_connect: