Commit ea1ecd98 authored by Emilia Kasper's avatar Emilia Kasper

Port SRP tests to the new test framework



Also add negative tests for password mismatch.

Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
parent 4b5f7e75
+3 −0
@@ -179,6 +179,9 @@ client => {
  protocols can be specified as a comma-separated list, and a callback with the
  recommended behaviour will be installed automatically.

* SRPUser, SRPPassword - SRP settings. For client, this is the SRP user to
  connect as; for server, this is a known SRP user.

### Default server and client configurations

The default server certificate and CA files are added to the configurations
+52 −0
@@ -12,6 +12,9 @@
#include <openssl/bio.h>
#include <openssl/x509_vfy.h>
#include <openssl/ssl.h>
#ifndef OPENSSL_NO_SRP
#include <openssl/srp.h>
#endif

#include "handshake_helper.h"
#include "testutil.h"
@@ -52,6 +55,8 @@ typedef struct ctx_data_st {
    size_t npn_protocols_len;
    unsigned char *alpn_protocols;
    size_t alpn_protocols_len;
    char *srp_user;
    char *srp_password;
} CTX_DATA;

/* |ctx_data| itself is stack-allocated. */
@@ -61,6 +66,10 @@ static void ctx_data_free_data(CTX_DATA *ctx_data)
    ctx_data->npn_protocols = NULL;
    OPENSSL_free(ctx_data->alpn_protocols);
    ctx_data->alpn_protocols = NULL;
    OPENSSL_free(ctx_data->srp_user);
    ctx_data->srp_user = NULL;
    OPENSSL_free(ctx_data->srp_password);
    ctx_data->srp_password = NULL;
}

static int ex_data_idx;
@@ -405,6 +414,28 @@ static int server_alpn_cb(SSL *s, const unsigned char **out,
        : SSL_TLSEXT_ERR_NOACK;
}

#ifndef OPENSSL_NO_SRP
static char *client_srp_cb(SSL *s, void *arg)
{
    CTX_DATA *ctx_data = (CTX_DATA*)(arg);
    return OPENSSL_strdup(ctx_data->srp_password);
}

static int server_srp_cb(SSL *s, int *ad, void *arg)
{
    CTX_DATA *ctx_data = (CTX_DATA*)(arg);
    if (strcmp(ctx_data->srp_user, SSL_get_srp_username(s)) != 0)
        return SSL3_AL_FATAL;
    if (SSL_set_srp_server_param_pw(s, ctx_data->srp_user,
                                    ctx_data->srp_password,
                                    "2048" /* known group */) < 0) {
        *ad = SSL_AD_INTERNAL_ERROR;
        return SSL3_AL_FATAL;
    }
    return SSL_ERROR_NONE;
}
#endif  /* !OPENSSL_NO_SRP */

/*
 * Configure callbacks and other properties that can't be set directly
 * in the server/client CONF.
@@ -562,6 +593,27 @@ static void configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
        break;
    }
#endif
#ifndef OPENSSL_NO_SRP
    if (extra->server.srp_user != NULL) {
        SSL_CTX_set_srp_username_callback(server_ctx, server_srp_cb);
        server_ctx_data->srp_user = OPENSSL_strdup(extra->server.srp_user);
        server_ctx_data->srp_password = OPENSSL_strdup(extra->server.srp_password);
        SSL_CTX_set_srp_cb_arg(server_ctx, server_ctx_data);
    }
    if (extra->server2.srp_user != NULL) {
        TEST_check(server2_ctx != NULL);
        SSL_CTX_set_srp_username_callback(server2_ctx, server_srp_cb);
        server2_ctx_data->srp_user = OPENSSL_strdup(extra->server2.srp_user);
        server2_ctx_data->srp_password = OPENSSL_strdup(extra->server2.srp_password);
        SSL_CTX_set_srp_cb_arg(server2_ctx, server2_ctx_data);
    }
    if (extra->client.srp_user != NULL) {
        TEST_check(SSL_CTX_set_srp_username(client_ctx, extra->client.srp_user));
        SSL_CTX_set_srp_client_pwd_callback(client_ctx, client_srp_cb);
        client_ctx_data->srp_password = OPENSSL_strdup(extra->client.srp_password);
        SSL_CTX_set_srp_cb_arg(client_ctx, client_ctx_data);
    }
#endif  /* !OPENSSL_NO_SRP */
}

/* Configure per-SSL callbacks and other properties. */
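Review bot: server_srp_cb returns SSL3_AL_FATAL on the `strcmp(ctx_data->srp_user, SSL_get_srp_username(s))` mismatch without assigning `*ad`, so the alert description on that path is whatever the library preset before invoking the callback, while the SSL_set_srp_server_param_pw failure path right below does set `*ad` — the two failure branches are inconsistent. The username is also passed straight to strcmp; if the library can invoke this callback with a NULL username (I have not confirmed it cannot) that is undefined behaviour. Suggest `const char *name = SSL_get_srp_username(s);` followed by `if (name == NULL || strcmp(ctx_data->srp_user, name) != 0) { *ad = SSL_AD_UNKNOWN_PSK_IDENTITY; return SSL3_AL_FATAL; }`. In configure_handshake_ctx the OPENSSL_strdup results are stored unchecked, which is acceptable for a test harness but deserves a one-line comment that an unset SRPPassword yields a NULL that client_srp_cb and server_srp_cb hand on to the library; configure_handshake_ctx's body begins outside the hunk.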
+3 −1
@@ -29,7 +29,7 @@ map { s/\^// } @conf_files if $^O eq "VMS";

# We hard-code the number of tests to double-check that the globbing above
# finds all files as expected.
plan tests => 22;  # = scalar @conf_srcs
plan tests => 23;  # = scalar @conf_srcs

# Some test results depend on the configuration of enabled protocols. We only
# verify generated sources in the default configuration.
@@ -90,6 +90,8 @@ my %skip = (
  "20-cert-select.conf" => disabled("tls1_2") || $no_ec,
  "21-key-update.conf" => disabled("tls1_3"),
  "22-compression.conf" => disabled("zlib") || $no_tls,
  "23-srp.conf" => (disabled("tls1") && disabled ("tls1_1")
                    && disabled("tls1_2")) || disabled("srp"),
);

foreach my $conf (@conf_files) {
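Review bot: The new `%skip` entry for 23-srp.conf writes `disabled ("tls1_1")` with a space before the paren, unlike every other `disabled("...")` call in the same hash; conventional Perl style puts no space between a function name and its argument list. The three-way conjunction reads more directly as `"23-srp.conf" => disabled("srp") || alldisabled(qw(tls1 tls1_1 tls1_2)),`, provided `alldisabled` is imported in this file as it is in 80-test_ssl_old.t. The `%skip` hash itself starts outside the hunk.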
+3 −25
@@ -20,10 +20,10 @@ setup("test_ssl");

$ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");

my ($no_rsa, $no_dsa, $no_dh, $no_ec, $no_srp, $no_psk,
my ($no_rsa, $no_dsa, $no_dh, $no_ec, $no_psk,
    $no_ssl3, $no_tls1, $no_tls1_1, $no_tls1_2, $no_tls1_3,
    $no_dtls, $no_dtls1, $no_dtls1_2, $no_ct) =
    anydisabled qw/rsa dsa dh ec srp psk
    anydisabled qw/rsa dsa dh ec psk
                   ssl3 tls1 tls1_1 tls1_2 tls1_3
                   dtls dtls1 dtls1_2 ct/;
my $no_anytls = alldisabled(available_protocols("tls"));
@@ -79,7 +79,7 @@ my $client_sess="client.ss";
# new format in ssl_test.c and add recipes to 80-test_ssl_new.t instead.
plan tests =>
    1				# For testss
    +6  			# For the first testssl
    +5  			# For the first testssl
    ;

subtest 'test_ss' => sub {
@@ -568,28 +568,6 @@ sub testssl {
	  ok(run(test([@ssltest, "-bio_pair", "-tls1", "-custom_ext", "-serverinfo_file", $serverinfo, "-serverinfo_sct", "-serverinfo_tack"])));
	}
    };

    subtest 'SRP tests' => sub {

	plan tests => 4;

      SKIP: {
	  skip "skipping SRP tests", 4
	      if $no_srp || alldisabled(grep !/^ssl3/, available_protocols("tls"));

	  ok(run(test([@ssltest, "-tls1", "-cipher", "SRP", "-srpuser", "test", "-srppass", "abc123"])),
	     'test tls1 with SRP');

	  ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "SRP", "-srpuser", "test", "-srppass", "abc123"])),
	     'test tls1 with SRP via BIO pair');

	  ok(run(test([@ssltest, "-tls1", "-cipher", "aSRP", "-srpuser", "test", "-srppass", "abc123"])),
	     'test tls1 with SRP auth');

	  ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "aSRP", "-srpuser", "test", "-srppass", "abc123"])),
	     'test tls1 with SRP auth via BIO pair');
	}
    };
}

unlink $CAkey;
+144 −0
# Generated with generate_ssl_tests.pl

num_tests = 4

test-0 = 0-srp
test-1 = 1-srp-bad-password
test-2 = 2-srp-auth
test-3 = 3-srp-auth-bad-password
# ===========================================================

[0-srp]
ssl_conf = 0-srp-ssl

[0-srp-ssl]
server = 0-srp-server
client = 0-srp-client

[0-srp-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = SRP
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

[0-srp-client]
CipherString = SRP
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer

[test-0]
ExpectedResult = Success
server = 0-srp-server-extra
client = 0-srp-client-extra

[0-srp-server-extra]
SRPPassword = password
SRPUser = user

[0-srp-client-extra]
SRPPassword = password
SRPUser = user


# ===========================================================

[1-srp-bad-password]
ssl_conf = 1-srp-bad-password-ssl

[1-srp-bad-password-ssl]
server = 1-srp-bad-password-server
client = 1-srp-bad-password-client

[1-srp-bad-password-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = SRP
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

[1-srp-bad-password-client]
CipherString = SRP
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer

[test-1]
ExpectedResult = ServerFail
server = 1-srp-bad-password-server-extra
client = 1-srp-bad-password-client-extra

[1-srp-bad-password-server-extra]
SRPPassword = password
SRPUser = user

[1-srp-bad-password-client-extra]
SRPPassword = passw0rd
SRPUser = user


# ===========================================================

[2-srp-auth]
ssl_conf = 2-srp-auth-ssl

[2-srp-auth-ssl]
server = 2-srp-auth-server
client = 2-srp-auth-client

[2-srp-auth-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = aSRP
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

[2-srp-auth-client]
CipherString = aSRP
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer

[test-2]
ExpectedResult = Success
server = 2-srp-auth-server-extra
client = 2-srp-auth-client-extra

[2-srp-auth-server-extra]
SRPPassword = password
SRPUser = user

[2-srp-auth-client-extra]
SRPPassword = password
SRPUser = user


# ===========================================================

[3-srp-auth-bad-password]
ssl_conf = 3-srp-auth-bad-password-ssl

[3-srp-auth-bad-password-ssl]
server = 3-srp-auth-bad-password-server
client = 3-srp-auth-bad-password-client

[3-srp-auth-bad-password-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = aSRP
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

[3-srp-auth-bad-password-client]
CipherString = aSRP
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer

[test-3]
ExpectedResult = ServerFail
server = 3-srp-auth-bad-password-server-extra
client = 3-srp-auth-bad-password-client-extra

[3-srp-auth-bad-password-server-extra]
SRPPassword = password
SRPUser = user

[3-srp-auth-bad-password-client-extra]
SRPPassword = passw0rd
SRPUser = user
