From b7288e5d32f5a1026aa03f39932d9ebf0dc028ed Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Tue, 9 May 2017 23:41:50 +0300
Subject: [PATCH] tests: OCSP test coverage with SHA-1 hash

The previous fix to the OCSP request construction ended up finally moving from SHA-1 -based hash to SHA-256 for OCSP test cases. To maintain coverage for SHA-1, add cloned versions of the two test cases so that both SHA-256 and SHA-1 cases get covered.

Signed-off-by: Jouni Malinen
---
 tests/hwsim/test_ap_eap.py | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py
index aa4fdc002..8ddbeb273 100644
--- a/tests/hwsim/test_ap_eap.py
+++ b/tests/hwsim/test_ap_eap.py
@@ -4110,7 +4110,7 @@ def root_ocsp(cert):
 os.unlink(fn2)
 return fn
 
-def ica_ocsp(cert):
+def ica_ocsp(cert, md="-sha256"):
 prefix = "auth_serv/iCA-server/"
 ca = prefix + "cacert.pem"
 cert = prefix + cert
@@ -4118,7 +4118,7 @@ def ica_ocsp(cert):
 fd2, fn2 = tempfile.mkstemp()
 os.close(fd2)
 
- arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-sha256",
+ arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, md,
 "-cert", cert, "-no_nonce", "-text" ]
 cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
 stderr=subprocess.PIPE)
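Review bot: The new `md` parameter on `def ica_ocsp(cert, md="-sha256")` is undocumented, and its contract is easy to get wrong because it is the literal `openssl ocsp` option with its leading dash rather than a digest name. I would add a comment or docstring line such as `# md: digest option for "openssl ocsp" (leading dash included); selects the hash used for the certificate ID in the request`. The default also deserves a word, since both callers added by this commit pass the value explicitly. The body of `ica_ocsp` continues outside the hunk.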
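Review bot: In the second hunk, `md` is placed into the `openssl ocsp` argument list without any check, so a mistyped digest option would only surface as an openssl failure. The argument list is passed without a shell, so this is a robustness issue rather than an injection one. Whether the exit status of `cmd` is checked is not visible here, as the function continues outside the hunk. A cheap guard before building `arg` would make the failure explicit: `if md not in ("-sha1", "-sha256"): raise ValueError("unsupported OCSP digest option: " + md)`.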
@@ -4151,11 +4151,18 @@ def ica_ocsp(cert):
 
 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params):
 """EAP-TLS with intermediate server/user CA and OCSP on server certificate"""
+ run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, "-sha256")
+
+def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_sha1(dev, apdev, params):
+ """EAP-TLS with intermediate server/user CA and OCSP on server certificate )SHA1)"""
+ run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, "-sha1")
+
+def run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, md):
 params = int_eap_server_params()
 params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
 params["server_cert"] = "auth_serv/iCA-server/server.pem"
 params["private_key"] = "auth_serv/iCA-server/server.key"
- fn = ica_ocsp("server.pem")
+ fn = ica_ocsp("server.pem", md)
 params["ocsp_stapling_response"] = fn
 try:
 hostapd.add_ap(apdev[0], params)
@@ -4170,11 +4177,20 @@ def test_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params):
 
 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params):
 """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate"""
+ run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params,
+ "-sha256")
+
+def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked_sha1(dev, apdev, params):
+ """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate (SHA1)"""
+ run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params,
+ "-sha1")
+
+def run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params, md):
 params = int_eap_server_params()
 params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
 params["server_cert"] = "auth_serv/iCA-server/server-revoked.pem"
 params["private_key"] = "auth_serv/iCA-server/server-revoked.key"
- fn = ica_ocsp("server-revoked.pem", md)
+ fn = ica_ocsp("server-revoked.pem", md)
 params["ocsp_stapling_response"] = fn
 try:
 hostapd.add_ap(apdev[0], params)
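Review bot: The docstring of the new `test_ap_wpa2_eap_tls_intermediate_ca_ocsp_sha1` ends in `)SHA1)"""`, where the opening parenthesis is mistyped; it should read `(SHA1)"""`, as the revoked variant in the next hunk does. Separately, the new helper `run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, md)` rebinds `params` on its first line with `params = int_eap_server_params()`, so the argument passed in is never read in the visible part. The same applies to `run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked` in the following hunk. Dropping the parameter from both helpers, or naming the local differently, would make that explicit. Both helper bodies continue outside their hunks.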
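Review bot: The new `test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked_sha1` case is a negative test, and the visible part of `run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked` does not show which failure it accepts. With a SHA-1 certificate ID, the connection could presumably also be rejected because the stapled response is not matched to the server certificate, which would let the test pass without exercising revocation handling. If the code after `hostapd.add_ap(apdev[0], params)` (outside this hunk) only checks that the connection fails, I would also assert on the reported reason. A comment would record the intent, for example `# must fail because the certificate is revoked, not because the OCSP response was ignored`.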