From: Jouni Malinen <jouni@codeaurora.org>
Date: Mon, 19 Aug 2019 13:57:55 +0000 (+0300)
Subject: tests: sigma_dut and initial UOSC with TOD-STRICT/TOFU
X-Git-Tag: hostap_2_10~2432
X-Git-Url: http://git.ipfire.org/?p=thirdparty%2Fhostap.git;a=commitdiff_plain;h=35337b448a421b88c2d0048c048b495f7950db67

tests: sigma_dut and initial UOSC with TOD-STRICT/TOFU

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---

diff --git a/tests/hwsim/test_sigma_dut.py b/tests/hwsim/test_sigma_dut.py
index e1a0d7961..33ec0751c 100644
--- a/tests/hwsim/test_sigma_dut.py
+++ b/tests/hwsim/test_sigma_dut.py
@@ -2869,10 +2869,6 @@ def run_sigma_dut_eap_ttls_uosc_tod(dev, apdev, params, tofu):
     with open(hashdst, "w") as f:
         f.write(binascii.hexlify(hash).decode())
 
-    dst = os.path.join(logdir, name + ".incorrect.pem.sha256")
-    with open(dst, "w") as f:
-        f.write(32*"00")
-
     ssid = "test-wpa2-eap"
     params = int_eap_server_params()
     params["ssid"] = ssid
@@ -2916,6 +2912,73 @@ def run_sigma_dut_eap_ttls_uosc_tod(dev, apdev, params, tofu):
     finally:
         stop_sigma_dut(sigma)
 
+def test_sigma_dut_eap_ttls_uosc_initial_tod_strict(dev, apdev, params):
+    """sigma_dut controlled STA and EAP-TTLS with initial UOSC/TOD-STRICT"""
+    run_sigma_dut_eap_ttls_uosc_initial_tod(dev, apdev, params, False)
+
+def test_sigma_dut_eap_ttls_uosc_initial_tod_tofu(dev, apdev, params):
+    """sigma_dut controlled STA and EAP-TTLS with initial UOSC/TOD-TOFU"""
+    run_sigma_dut_eap_ttls_uosc_initial_tod(dev, apdev, params, True)
+
+def run_sigma_dut_eap_ttls_uosc_initial_tod(dev, apdev, params, tofu):
+    logdir = params['logdir']
+
+    name = "sigma_dut_eap_ttls_uosc_initial_tod"
+    if tofu:
+        name += "_tofu"
+    with open("auth_serv/rsa3072-ca.pem", "r") as f:
+        with open(os.path.join(logdir, name + ".ca.pem"), "w") as f2:
+            f2.write(f.read())
+
+    if tofu:
+        src = "auth_serv/server-certpol2.pem"
+    else:
+        src = "auth_serv/server-certpol.pem"
+    dst = os.path.join(logdir, name + ".server.der")
+    hashdst = os.path.join(logdir, name + ".server.pem.sha256")
+    subprocess.check_call(["openssl", "x509", "-in", src, "-out", dst,
+                           "-outform", "DER"],
+                          stderr=open('/dev/null', 'w'))
+    with open(dst, "rb") as f:
+        der = f.read()
+    hash = hashlib.sha256(der).digest()
+    with open(hashdst, "w") as f:
+        f.write(binascii.hexlify(hash).decode())
+
+    ssid = "test-wpa2-eap"
+    params = int_eap_server_params()
+    params["ssid"] = ssid
+    if tofu:
+        params["server_cert"] = "auth_serv/server-certpol2.pem"
+        params["private_key"] = "auth_serv/server-certpol2.key"
+    else:
+        params["server_cert"] = "auth_serv/server-certpol.pem"
+        params["private_key"] = "auth_serv/server-certpol.key"
+    hapd = hostapd.add_ap(apdev[0], params)
+
+    ifname = dev[0].ifname
+    sigma = start_sigma_dut(ifname, cert_path=logdir, debug=True)
+
+    try:
+        cmd = ("sta_set_security,type,eapttls,interface,%s,ssid,%s,keymgmttype,wpa2,encType,AES-CCMP,PairwiseCipher,AES-CCMP-128,trustedRootCA," + name + ".ca.pem,username,DOMAIN\mschapv2 user,password,password") % (ifname, ssid)
+        sigma_dut_cmd_check("sta_reset_default,interface,%s,prog,WPA3" % ifname)
+        sigma_dut_cmd_check("sta_set_ip_config,interface,%s,dhcp,0,ip,127.0.0.11,mask,255.255.255.0" % ifname)
+        sigma_dut_cmd_check(cmd)
+        sigma_dut_cmd_check("sta_associate,interface,%s,ssid,%s,channel,1" % (ifname, ssid))
+        ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=15)
+        if ev is None:
+            raise Exception("Server certificate validation failure not reported")
+
+        res = sigma_dut_cmd_check("dev_exec_action,program,WPA3,interface,%s,ServerCertTrust,Accept" % ifname)
+        if not tofu and "ServerCertTrustResult,Accepted" in res:
+            raise Exception("Server certificate trust override was accepted unexpectedly")
+        if tofu and "ServerCertTrustResult,Accepted" not in res:
+            raise Exception("Server certificate trust override was not accepted")
+        sigma_dut_cmd_check("sta_reset_default,interface," + ifname)
+        dev[0].dump_monitor()
+    finally:
+        stop_sigma_dut(sigma)
+
 def test_sigma_dut_eap_ttls_uosc_ca_mistrust(dev, apdev, params):
     """sigma_dut controlled STA and EAP-TTLS with UOSC when CA is not trusted"""
     logdir = params['logdir']