Also add negative tests for password mismatch.
Reviewed-by: Richard Levitte <levitte@openssl.org>
protocols can be specified as a comma-separated list, and a callback with the
recommended behaviour will be installed automatically.
+* SRPUser, SRPPassword - SRP settings. For client, this is the SRP user to
+ connect as; for server, this is a known SRP user.
+
### Default server and client configurations
The default server certificate and CA files are added to the configurations
#include <openssl/bio.h>
#include <openssl/x509_vfy.h>
#include <openssl/ssl.h>
+#ifndef OPENSSL_NO_SRP
+#include <openssl/srp.h>
+#endif
#include "handshake_helper.h"
#include "testutil.h"
size_t npn_protocols_len;
unsigned char *alpn_protocols;
size_t alpn_protocols_len;
+ char *srp_user;
+ char *srp_password;
} CTX_DATA;
/* |ctx_data| itself is stack-allocated. */
ctx_data->npn_protocols = NULL;
OPENSSL_free(ctx_data->alpn_protocols);
ctx_data->alpn_protocols = NULL;
+ OPENSSL_free(ctx_data->srp_user);
+ ctx_data->srp_user = NULL;
+ OPENSSL_free(ctx_data->srp_password);
+ ctx_data->srp_password = NULL;
}
static int ex_data_idx;
: SSL_TLSEXT_ERR_NOACK;
}
+#ifndef OPENSSL_NO_SRP
+static char *client_srp_cb(SSL *s, void *arg)
+{
+ CTX_DATA *ctx_data = (CTX_DATA*)(arg);
+ return OPENSSL_strdup(ctx_data->srp_password);
+}
+
+static int server_srp_cb(SSL *s, int *ad, void *arg)
+{
+ CTX_DATA *ctx_data = (CTX_DATA*)(arg);
+ if (strcmp(ctx_data->srp_user, SSL_get_srp_username(s)) != 0)
+ return SSL3_AL_FATAL;
+ if (SSL_set_srp_server_param_pw(s, ctx_data->srp_user,
+ ctx_data->srp_password,
+ "2048" /* known group */) < 0) {
+ *ad = SSL_AD_INTERNAL_ERROR;
+ return SSL3_AL_FATAL;
+ }
+ return SSL_ERROR_NONE;
+}
+#endif /* !OPENSSL_NO_SRP */
+
/*
* Configure callbacks and other properties that can't be set directly
* in the server/client CONF.
break;
}
#endif
+#ifndef OPENSSL_NO_SRP
+ if (extra->server.srp_user != NULL) {
+ SSL_CTX_set_srp_username_callback(server_ctx, server_srp_cb);
+ server_ctx_data->srp_user = OPENSSL_strdup(extra->server.srp_user);
+ server_ctx_data->srp_password = OPENSSL_strdup(extra->server.srp_password);
+ SSL_CTX_set_srp_cb_arg(server_ctx, server_ctx_data);
+ }
+ if (extra->server2.srp_user != NULL) {
+ TEST_check(server2_ctx != NULL);
+ SSL_CTX_set_srp_username_callback(server2_ctx, server_srp_cb);
+ server2_ctx_data->srp_user = OPENSSL_strdup(extra->server2.srp_user);
+ server2_ctx_data->srp_password = OPENSSL_strdup(extra->server2.srp_password);
+ SSL_CTX_set_srp_cb_arg(server2_ctx, server2_ctx_data);
+ }
+ if (extra->client.srp_user != NULL) {
+ TEST_check(SSL_CTX_set_srp_username(client_ctx, extra->client.srp_user));
+ SSL_CTX_set_srp_client_pwd_callback(client_ctx, client_srp_cb);
+ client_ctx_data->srp_password = OPENSSL_strdup(extra->client.srp_password);
+ SSL_CTX_set_srp_cb_arg(client_ctx, client_ctx_data);
+ }
+#endif /* !OPENSSL_NO_SRP */
}
/* Configure per-SSL callbacks and other properties. */
# We hard-code the number of tests to double-check that the globbing above
# finds all files as expected.
-plan tests => 22; # = scalar @conf_srcs
+plan tests => 23; # = scalar @conf_srcs
# Some test results depend on the configuration of enabled protocols. We only
# verify generated sources in the default configuration.
"20-cert-select.conf" => disabled("tls1_2") || $no_ec,
"21-key-update.conf" => disabled("tls1_3"),
"22-compression.conf" => disabled("zlib") || $no_tls,
+ "23-srp.conf" => (disabled("tls1") && disabled ("tls1_1")
+ && disabled("tls1_2")) || disabled("srp"),
);
foreach my $conf (@conf_files) {
$ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
-my ($no_rsa, $no_dsa, $no_dh, $no_ec, $no_srp, $no_psk,
+my ($no_rsa, $no_dsa, $no_dh, $no_ec, $no_psk,
$no_ssl3, $no_tls1, $no_tls1_1, $no_tls1_2, $no_tls1_3,
$no_dtls, $no_dtls1, $no_dtls1_2, $no_ct) =
- anydisabled qw/rsa dsa dh ec srp psk
+ anydisabled qw/rsa dsa dh ec psk
ssl3 tls1 tls1_1 tls1_2 tls1_3
dtls dtls1 dtls1_2 ct/;
my $no_anytls = alldisabled(available_protocols("tls"));
# new format in ssl_test.c and add recipes to 80-test_ssl_new.t instead.
plan tests =>
1 # For testss
- +6 # For the first testssl
+ +5 # For the first testssl
;
subtest 'test_ss' => sub {
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-custom_ext", "-serverinfo_file", $serverinfo, "-serverinfo_sct", "-serverinfo_tack"])));
}
};
-
- subtest 'SRP tests' => sub {
-
- plan tests => 4;
-
- SKIP: {
- skip "skipping SRP tests", 4
- if $no_srp || alldisabled(grep !/^ssl3/, available_protocols("tls"));
-
- ok(run(test([@ssltest, "-tls1", "-cipher", "SRP", "-srpuser", "test", "-srppass", "abc123"])),
- 'test tls1 with SRP');
-
- ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "SRP", "-srpuser", "test", "-srppass", "abc123"])),
- 'test tls1 with SRP via BIO pair');
-
- ok(run(test([@ssltest, "-tls1", "-cipher", "aSRP", "-srpuser", "test", "-srppass", "abc123"])),
- 'test tls1 with SRP auth');
-
- ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "aSRP", "-srpuser", "test", "-srppass", "abc123"])),
- 'test tls1 with SRP auth via BIO pair');
- }
- };
}
unlink $CAkey;
--- /dev/null
+# Generated with generate_ssl_tests.pl
+
+num_tests = 4
+
+test-0 = 0-srp
+test-1 = 1-srp-bad-password
+test-2 = 2-srp-auth
+test-3 = 3-srp-auth-bad-password
+# ===========================================================
+
+[0-srp]
+ssl_conf = 0-srp-ssl
+
+[0-srp-ssl]
+server = 0-srp-server
+client = 0-srp-client
+
+[0-srp-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = SRP
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[0-srp-client]
+CipherString = SRP
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-0]
+ExpectedResult = Success
+server = 0-srp-server-extra
+client = 0-srp-client-extra
+
+[0-srp-server-extra]
+SRPPassword = password
+SRPUser = user
+
+[0-srp-client-extra]
+SRPPassword = password
+SRPUser = user
+
+
+# ===========================================================
+
+[1-srp-bad-password]
+ssl_conf = 1-srp-bad-password-ssl
+
+[1-srp-bad-password-ssl]
+server = 1-srp-bad-password-server
+client = 1-srp-bad-password-client
+
+[1-srp-bad-password-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = SRP
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[1-srp-bad-password-client]
+CipherString = SRP
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-1]
+ExpectedResult = ServerFail
+server = 1-srp-bad-password-server-extra
+client = 1-srp-bad-password-client-extra
+
+[1-srp-bad-password-server-extra]
+SRPPassword = password
+SRPUser = user
+
+[1-srp-bad-password-client-extra]
+SRPPassword = passw0rd
+SRPUser = user
+
+
+# ===========================================================
+
+[2-srp-auth]
+ssl_conf = 2-srp-auth-ssl
+
+[2-srp-auth-ssl]
+server = 2-srp-auth-server
+client = 2-srp-auth-client
+
+[2-srp-auth-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = aSRP
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[2-srp-auth-client]
+CipherString = aSRP
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-2]
+ExpectedResult = Success
+server = 2-srp-auth-server-extra
+client = 2-srp-auth-client-extra
+
+[2-srp-auth-server-extra]
+SRPPassword = password
+SRPUser = user
+
+[2-srp-auth-client-extra]
+SRPPassword = password
+SRPUser = user
+
+
+# ===========================================================
+
+[3-srp-auth-bad-password]
+ssl_conf = 3-srp-auth-bad-password-ssl
+
+[3-srp-auth-bad-password-ssl]
+server = 3-srp-auth-bad-password-server
+client = 3-srp-auth-bad-password-client
+
+[3-srp-auth-bad-password-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = aSRP
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[3-srp-auth-bad-password-client]
+CipherString = aSRP
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-3]
+ExpectedResult = ServerFail
+server = 3-srp-auth-bad-password-server-extra
+client = 3-srp-auth-bad-password-client-extra
+
+[3-srp-auth-bad-password-server-extra]
+SRPPassword = password
+SRPUser = user
+
+[3-srp-auth-bad-password-client-extra]
+SRPPassword = passw0rd
+SRPUser = user
+
+
--- /dev/null
+# -*- mode: perl; -*-
+# Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+use warnings;
+
+package ssltests;
+
+# SRP is only supported up to TLSv1.2
+
+our @tests = (
+ {
+ name => "srp",
+ server => {
+ "CipherString" => "SRP",
+ extra => {
+ "SRPUser" => "user",
+ "SRPPassword" => "password",
+ },
+ },
+ client => {
+ "CipherString" => "SRP",
+ "MaxProtocol" => "TLSv1.2",
+ extra => {
+ "SRPUser" => "user",
+ "SRPPassword" => "password",
+ },
+ },
+ test => {
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "srp-bad-password",
+ server => {
+ "CipherString" => "SRP",
+ extra => {
+ "SRPUser" => "user",
+ "SRPPassword" => "password",
+ },
+ },
+ client => {
+ "CipherString" => "SRP",
+ "MaxProtocol" => "TLSv1.2",
+ extra => {
+ "SRPUser" => "user",
+ "SRPPassword" => "passw0rd",
+ },
+ },
+ test => {
+ # Server fails first with bad client Finished.
+ "ExpectedResult" => "ServerFail"
+ },
+ },
+ {
+ name => "srp-auth",
+ server => {
+ "CipherString" => "aSRP",
+ extra => {
+ "SRPUser" => "user",
+ "SRPPassword" => "password",
+ },
+ },
+ client => {
+ "CipherString" => "aSRP",
+ "MaxProtocol" => "TLSv1.2",
+ extra => {
+ "SRPUser" => "user",
+ "SRPPassword" => "password",
+ },
+ },
+ test => {
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "srp-auth-bad-password",
+ server => {
+ "CipherString" => "aSRP",
+ extra => {
+ "SRPUser" => "user",
+ "SRPPassword" => "password",
+ },
+ },
+ client => {
+ "CipherString" => "aSRP",
+ "MaxProtocol" => "TLSv1.2",
+ extra => {
+ "SRPUser" => "user",
+ "SRPPassword" => "passw0rd",
+ },
+ },
+ test => {
+ # Server fails first with bad client Finished.
+ "ExpectedResult" => "ServerFail"
+ },
+ },
+);
\ No newline at end of file
IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_SERVER_CONF, server, alpn_protocols)
IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_CTX, test, expected_alpn_protocol)
+/* SRP options */
+IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_CLIENT_CONF, client, srp_user)
+IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_SERVER_CONF, server, srp_user)
+IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_CLIENT_CONF, client, srp_password)
+IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_SERVER_CONF, server, srp_password)
+
/* Handshake mode */
static const test_enum ssl_handshake_modes[] = {
{ "ALPNProtocols", &parse_client_alpn_protocols },
{ "CTValidation", &parse_ct_validation },
{ "RenegotiateCiphers", &parse_client_reneg_ciphers},
+ { "SRPUser", &parse_client_srp_user },
+ { "SRPPassword", &parse_client_srp_password },
};
/* Nested server options. */
{ "ALPNProtocols", &parse_server_alpn_protocols },
{ "BrokenSessionTicket", &parse_server_broken_session_ticket },
{ "CertStatus", &parse_certstatus },
+ { "SRPUser", &parse_server_srp_user },
+ { "SRPPassword", &parse_server_srp_password },
};
/*
OPENSSL_free(conf->server.alpn_protocols);
OPENSSL_free(conf->server2.alpn_protocols);
OPENSSL_free(conf->client.reneg_ciphers);
+ OPENSSL_free(conf->server.srp_user);
+ OPENSSL_free(conf->server.srp_password);
+ OPENSSL_free(conf->server2.srp_user);
+ OPENSSL_free(conf->server2.srp_password);
+ OPENSSL_free(conf->client.srp_user);
+ OPENSSL_free(conf->client.srp_password);
}
static void ssl_test_ctx_free_extra_data(SSL_TEST_CTX *ctx)
SSL_TEST_CERT_STATUS_GOOD_RESPONSE,
SSL_TEST_CERT_STATUS_BAD_RESPONSE
} ssl_cert_status_t;
+
/*
* Server/client settings that aren't supported by the SSL CONF library,
* such as callbacks.
ssl_ct_validation_t ct_validation;
/* Ciphersuites to set on a renegotiation */
char *reneg_ciphers;
+ char *srp_user;
+ char *srp_password;
} SSL_TEST_CLIENT_CONF;
typedef struct {
int broken_session_ticket;
/* Should we send a CertStatus message? */
ssl_cert_status_t cert_status;
+ /* An SRP user known to the server. */
+ char *srp_user;
+ char *srp_password;
} SSL_TEST_SERVER_CONF;
typedef struct {
#ifndef OPENSSL_NO_DH
# include <openssl/dh.h>
#endif
-#ifndef OPENSSL_NO_SRP
-# include <openssl/srp.h>
-#endif
#include <openssl/bn.h>
#ifndef OPENSSL_NO_CT
# include <openssl/ct.h>
unsigned int max_psk_len);
#endif
-#ifndef OPENSSL_NO_SRP
-/* SRP client */
-/* This is a context that we pass to all callbacks */
-typedef struct srp_client_arg_st {
- char *srppassin;
- char *srplogin;
-} SRP_CLIENT_ARG;
-
-# define PWD_STRLEN 1024
-
-static char *ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
-{
- SRP_CLIENT_ARG *srp_client_arg = (SRP_CLIENT_ARG *)arg;
- return OPENSSL_strdup((char *)srp_client_arg->srppassin);
-}
-
-/* SRP server */
-/* This is a context that we pass to SRP server callbacks */
-typedef struct srp_server_arg_st {
- char *expected_user;
- char *pass;
-} SRP_SERVER_ARG;
-
-static int ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
-{
- SRP_SERVER_ARG *p = (SRP_SERVER_ARG *)arg;
-
- if (strcmp(p->expected_user, SSL_get_srp_username(s)) != 0) {
- fprintf(stderr, "User %s doesn't exist\n", SSL_get_srp_username(s));
- return SSL3_AL_FATAL;
- }
- if (SSL_set_srp_server_param_pw(s, p->expected_user, p->pass, "1024") < 0) {
- *ad = SSL_AD_INTERNAL_ERROR;
- return SSL3_AL_FATAL;
- }
- return SSL_ERROR_NONE;
-}
-#endif
-
static BIO *bio_err = NULL;
static BIO *bio_stdout = NULL;
#ifndef OPENSSL_NO_PSK
fprintf(stderr, " -psk arg - PSK in hex (without 0x)\n");
#endif
-#ifndef OPENSSL_NO_SRP
- fprintf(stderr, " -srpuser user - SRP username to use\n");
- fprintf(stderr, " -srppass arg - password for 'user'\n");
-#endif
#ifndef OPENSSL_NO_SSL3
fprintf(stderr, " -ssl3 - use SSLv3\n");
#endif
#ifndef OPENSSL_NO_DH
DH *dh;
int dhe512 = 0, dhe1024dsa = 0;
-#endif
-#ifndef OPENSSL_NO_SRP
- /* client */
- SRP_CLIENT_ARG srp_client_arg = { NULL, NULL };
- /* server */
- SRP_SERVER_ARG srp_server_arg = { NULL, NULL };
#endif
int no_dhe = 0;
int no_psk = 0;
no_psk = 1;
#endif
}
-#ifndef OPENSSL_NO_SRP
- else if (strcmp(*argv, "-srpuser") == 0) {
- if (--argc < 1)
- goto bad;
- srp_server_arg.expected_user = srp_client_arg.srplogin =
- *(++argv);
- min_version = TLS1_VERSION;
- } else if (strcmp(*argv, "-srppass") == 0) {
- if (--argc < 1)
- goto bad;
- srp_server_arg.pass = srp_client_arg.srppassin = *(++argv);
- min_version = TLS1_VERSION;
- }
-#endif
else if (strcmp(*argv, "-tls1_2") == 0) {
tls1_2 = 1;
} else if (strcmp(*argv, "-tls1") == 0) {
}
#endif
}
-#ifndef OPENSSL_NO_SRP
- if (srp_client_arg.srplogin) {
- if (!SSL_CTX_set_srp_username(c_ctx, srp_client_arg.srplogin)) {
- BIO_printf(bio_err, "Unable to set SRP username\n");
- goto end;
- }
- SSL_CTX_set_srp_cb_arg(c_ctx, &srp_client_arg);
- SSL_CTX_set_srp_client_pwd_callback(c_ctx,
- ssl_give_srp_client_pwd_cb);
- /*
- * SSL_CTX_set_srp_strength(c_ctx, srp_client_arg.strength);
- */
- }
-
- if (srp_server_arg.expected_user != NULL) {
- SSL_CTX_set_verify(s_ctx, SSL_VERIFY_NONE, verify_callback);
- SSL_CTX_set_verify(s_ctx2, SSL_VERIFY_NONE, verify_callback);
- SSL_CTX_set_srp_cb_arg(s_ctx, &srp_server_arg);
- SSL_CTX_set_srp_cb_arg(s_ctx2, &srp_server_arg);
- SSL_CTX_set_srp_username_callback(s_ctx, ssl_srp_server_param_cb);
- SSL_CTX_set_srp_username_callback(s_ctx2, ssl_srp_server_param_cb);
- }
-#endif
#ifndef OPENSSL_NO_NEXTPROTONEG
if (npn_client) {