tests: ocsp: fix openssl command, check for errors

Message ID	20170418191814.9520-1-johannes@sipsolutions.net
State	Accepted
Headers	show Return-Path: <hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org> From: Johannes Berg <johannes@sipsolutions.net> To: hostap@lists.infradead.org Subject: [PATCH] tests: ocsp: fix openssl command, check for errors Date: Tue, 18 Apr 2017 21:18:14 +0200 Message-Id: <20170418191814.9520-1-johannes@sipsolutions.net> summary: Content analysis details: (-1.9 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] Precedence: list Cc: Johannes Berg <johannes.berg@intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "Hostap" <hostap-bounces@lists.infradead.org> Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

Message ID

20170418191814.9520-1-johannes@sipsolutions.net

State

Accepted

Headers

From: Johannes Berg <johannes@sipsolutions.net>
To: hostap@lists.infradead.org
Subject: [PATCH] tests: ocsp: fix openssl command, check for errors
Date: Tue, 18 Apr 2017 21:18:14 +0200
Message-Id: <20170418191814.9520-1-johannes@sipsolutions.net>
Precedence: list
Cc: Johannes Berg <johannes.berg@intel.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "Hostap" <hostap-bounces@lists.infradead.org>
Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

Commit Message

Johannes Berg April 18, 2017, 7:18 p.m. UTC

From: Johannes Berg <johannes.berg@intel.com>

Fix the openssl ocsp command line and check if it returns
an error - so that instead of having something unusable
later we error out immediately.

This still doesn't get the test to pass for me, but at
least openssl is no longer complaining.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
 tests/hwsim/test_ap_eap.py | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

Comments

Jouni Malinen May 9, 2017, 6:28 p.m. UTC | #1

On Tue, Apr 18, 2017 at 09:18:14PM +0200, Johannes Berg wrote:
> Fix the openssl ocsp command line and check if it returns
> an error - so that instead of having something unusable
> later we error out immediately.
> 
> This still doesn't get the test to pass for me, but at
> least openssl is no longer complaining.

This breaks ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked ("Unexpected
EAP-Success") and
ap_wpa2_eap_tls_intermediate_ca_ocsp ("Connection timed out") for me.

> diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py
> @@ -4078,13 +4078,17 @@ def root_ocsp(cert):
> -    arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-cert", cert,
> -            "-no_nonce", "-sha256", "-text" ]
> +    arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-sha256",
> +            "-cert", cert, "-no_nonce", "-text" ]

What does this fix? This moves the command line arguments "-sha256" to
be earlier, but the man page for openssl ocsp shows the hash algorithm
arguments to be at the end.. What did openssl complain for you and which
version of openssl is that?

Interestingly, I do see a difference here, i.e., the location of the
-sha256 argument does indeed change behavior for me. The current script
ends up using SHA-1 instead of SHA-256 which was the purpose and your
change does indeed make it use SHA-256. However, that does not remove
anyh warning of error message from openssl for me.

The fact that the test fails then is problematic, though..

> @@ -4111,13 +4118,16 @@ def ica_ocsp(cert):
> -    arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-cert", cert,
> -            "-no_nonce", "-sha256", "-text" ]
> +    arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-sha256",
> +            "-cert", cert, "-no_nonce", "-text" ]

And obviously the same here..

It looks like OpenSSL is rejecting the OCSP response in the SHA-256 case
("bad certificate status response"). Interestingly, the internal TLS
implementation in hostap.git does pass the test cases with the SHA-256
case as well.

Or to be more exact, the tls_openssl.c code in wpa_supplicant is failing
to find the current server certificate from the OCSP response when
SHA-256 hash is used instead of SHA-1. Looks like this is due to the
OCSP_cert_to_id() use there with NULL dgst argument. Hmph.. I guess that
needs to loop over different hash algorithms to make this more generic.

Jouni Malinen May 9, 2017, 9:27 p.m. UTC | #2

On Tue, Apr 18, 2017 at 09:18:14PM +0200, Johannes Berg wrote:
> Fix the openssl ocsp command line and check if it returns
> an error - so that instead of having something unusable
> later we error out immediately.
> 
> This still doesn't get the test to pass for me, but at
> least openssl is no longer complaining.

Thanks, applied with a bit modified commit message to describe what
exactly changed with older openssl versions and with wpa_supplicant
changes to support SHA256 hash in OCSP response to identify the server
certificate. This hopefully fixes the issue you were seeing.

diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py
index 754f7b0e7a3a..aa4fdc002c49 100644
--- a/tests/hwsim/test_ap_eap.py
+++ b/tests/hwsim/test_ap_eap.py
@@ -4078,13 +4078,17 @@  def root_ocsp(cert):
     fd2, fn2 = tempfile.mkstemp()
     os.close(fd2)
 
-    arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-cert", cert,
-            "-no_nonce", "-sha256", "-text" ]
+    arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-sha256",
+            "-cert", cert, "-no_nonce", "-text" ]
+    logger.info(' '.join(arg))
     cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
                            stderr=subprocess.PIPE)
     res = cmd.stdout.read() + "\n" + cmd.stderr.read()
     cmd.stdout.close()
     cmd.stderr.close()
+    cmd.wait()
+    if cmd.returncode != 0:
+        raise Exception("bad return code from openssl ocsp\n\n" + res)
     logger.info("OCSP request:\n" + res)
 
     fd, fn = tempfile.mkstemp()
@@ -4099,6 +4103,9 @@  def root_ocsp(cert):
     res = cmd.stdout.read() + "\n" + cmd.stderr.read()
     cmd.stdout.close()
     cmd.stderr.close()
+    cmd.wait()
+    if cmd.returncode != 0:
+        raise Exception("bad return code from openssl ocsp\n\n" + res)
     logger.info("OCSP response:\n" + res)
     os.unlink(fn2)
     return fn
@@ -4111,13 +4118,16 @@  def ica_ocsp(cert):
     fd2, fn2 = tempfile.mkstemp()
     os.close(fd2)
 
-    arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-cert", cert,
-            "-no_nonce", "-sha256", "-text" ]
+    arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-sha256",
+            "-cert", cert, "-no_nonce", "-text" ]
     cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
                            stderr=subprocess.PIPE)
     res = cmd.stdout.read() + "\n" + cmd.stderr.read()
     cmd.stdout.close()
     cmd.stderr.close()
+    cmd.wait()
+    if cmd.returncode != 0:
+        raise Exception("bad return code from openssl ocsp\n\n" + res)
     logger.info("OCSP request:\n" + res)
 
     fd, fn = tempfile.mkstemp()
@@ -4132,6 +4142,9 @@  def ica_ocsp(cert):
     res = cmd.stdout.read() + "\n" + cmd.stderr.read()
     cmd.stdout.close()
     cmd.stderr.close()
+    cmd.wait()
+    if cmd.returncode != 0:
+        raise Exception("bad return code from openssl ocsp\n\n" + res)
     logger.info("OCSP response:\n" + res)
     os.unlink(fn2)
     return fn

tests: ocsp: fix openssl command, check for errors

Commit Message

Comments

Patch