tests: ocsp: fix openssl command, check for errors

Submitted by Johannes Berg on April 18, 2017, 7:18 p.m.

Details

Message ID 20170418191814.9520-1-johannes@sipsolutions.net
State Accepted
Headers show

Commit Message

Johannes Berg April 18, 2017, 7:18 p.m.
From: Johannes Berg <johannes.berg@intel.com>

Fix the openssl ocsp command line and check if it returns
an error - so that instead of having something unusable
later we error out immediately.

This still doesn't get the test to pass for me, but at
least openssl is no longer complaining.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
 tests/hwsim/test_ap_eap.py | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

Comments

Jouni Malinen May 9, 2017, 6:28 p.m.
On Tue, Apr 18, 2017 at 09:18:14PM +0200, Johannes Berg wrote:
> Fix the openssl ocsp command line and check if it returns
> an error - so that instead of having something unusable
> later we error out immediately.
> 
> This still doesn't get the test to pass for me, but at
> least openssl is no longer complaining.

This breaks ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked ("Unexpected
EAP-Success") and
ap_wpa2_eap_tls_intermediate_ca_ocsp ("Connection timed out") for me.

> diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py
> @@ -4078,13 +4078,17 @@ def root_ocsp(cert):
> -    arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-cert", cert,
> -            "-no_nonce", "-sha256", "-text" ]
> +    arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-sha256",
> +            "-cert", cert, "-no_nonce", "-text" ]

What does this fix? This moves the command line arguments "-sha256" to
be earlier, but the man page for openssl ocsp shows the hash algorithm
arguments to be at the end.. What did openssl complain for you and which
version of openssl is that?

Interestingly, I do see a difference here, i.e., the location of the
-sha256 argument does indeed change behavior for me. The current script
ends up using SHA-1 instead of SHA-256 which was the purpose and your
change does indeed make it use SHA-256. However, that does not remove
anyh warning of error message from openssl for me.

The fact that the test fails then is problematic, though..

> @@ -4111,13 +4118,16 @@ def ica_ocsp(cert):
> -    arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-cert", cert,
> -            "-no_nonce", "-sha256", "-text" ]
> +    arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-sha256",
> +            "-cert", cert, "-no_nonce", "-text" ]

And obviously the same here..


It looks like OpenSSL is rejecting the OCSP response in the SHA-256 case
("bad certificate status response"). Interestingly, the internal TLS
implementation in hostap.git does pass the test cases with the SHA-256
case as well.

Or to be more exact, the tls_openssl.c code in wpa_supplicant is failing
to find the current server certificate from the OCSP response when
SHA-256 hash is used instead of SHA-1. Looks like this is due to the
OCSP_cert_to_id() use there with NULL dgst argument. Hmph.. I guess that
needs to loop over different hash algorithms to make this more generic.
Jouni Malinen May 9, 2017, 9:27 p.m.
On Tue, Apr 18, 2017 at 09:18:14PM +0200, Johannes Berg wrote:
> Fix the openssl ocsp command line and check if it returns
> an error - so that instead of having something unusable
> later we error out immediately.
> 
> This still doesn't get the test to pass for me, but at
> least openssl is no longer complaining.

Thanks, applied with a bit modified commit message to describe what
exactly changed with older openssl versions and with wpa_supplicant
changes to support SHA256 hash in OCSP response to identify the server
certificate. This hopefully fixes the issue you were seeing.

Patch hide | download patch | download mbox

diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py
index 754f7b0e7a3a..aa4fdc002c49 100644
--- a/tests/hwsim/test_ap_eap.py
+++ b/tests/hwsim/test_ap_eap.py
@@ -4078,13 +4078,17 @@  def root_ocsp(cert):
     fd2, fn2 = tempfile.mkstemp()
     os.close(fd2)
 
-    arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-cert", cert,
-            "-no_nonce", "-sha256", "-text" ]
+    arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-sha256",
+            "-cert", cert, "-no_nonce", "-text" ]
+    logger.info(' '.join(arg))
     cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
                            stderr=subprocess.PIPE)
     res = cmd.stdout.read() + "\n" + cmd.stderr.read()
     cmd.stdout.close()
     cmd.stderr.close()
+    cmd.wait()
+    if cmd.returncode != 0:
+        raise Exception("bad return code from openssl ocsp\n\n" + res)
     logger.info("OCSP request:\n" + res)
 
     fd, fn = tempfile.mkstemp()
@@ -4099,6 +4103,9 @@  def root_ocsp(cert):
     res = cmd.stdout.read() + "\n" + cmd.stderr.read()
     cmd.stdout.close()
     cmd.stderr.close()
+    cmd.wait()
+    if cmd.returncode != 0:
+        raise Exception("bad return code from openssl ocsp\n\n" + res)
     logger.info("OCSP response:\n" + res)
     os.unlink(fn2)
     return fn
@@ -4111,13 +4118,16 @@  def ica_ocsp(cert):
     fd2, fn2 = tempfile.mkstemp()
     os.close(fd2)
 
-    arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-cert", cert,
-            "-no_nonce", "-sha256", "-text" ]
+    arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-sha256",
+            "-cert", cert, "-no_nonce", "-text" ]
     cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
                            stderr=subprocess.PIPE)
     res = cmd.stdout.read() + "\n" + cmd.stderr.read()
     cmd.stdout.close()
     cmd.stderr.close()
+    cmd.wait()
+    if cmd.returncode != 0:
+        raise Exception("bad return code from openssl ocsp\n\n" + res)
     logger.info("OCSP request:\n" + res)
 
     fd, fn = tempfile.mkstemp()
@@ -4132,6 +4142,9 @@  def ica_ocsp(cert):
     res = cmd.stdout.read() + "\n" + cmd.stderr.read()
     cmd.stdout.close()
     cmd.stderr.close()
+    cmd.wait()
+    if cmd.returncode != 0:
+        raise Exception("bad return code from openssl ocsp\n\n" + res)
     logger.info("OCSP response:\n" + res)
     os.unlink(fn2)
     return fn