From 8520dac292912e1559d7ec3b4fddfdce15d4adf8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 21 Feb 2014 12:12:23 +0100 Subject: [PATCH] Add tests for auth_mode --- library/ssl_srv.c | 2 +- tests/ssl-opt.sh | 91 +++++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 90 insertions(+), 3 deletions(-) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index d75141174..606e8a874 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -2042,7 +2042,7 @@ static int ssl_write_server_key_exchange( ssl_context *ssl ) { ssl_get_ecdh_params_from_cert( ssl ); - SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); + SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) ); ssl->state++; return( 0 ); } diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 08b30202f..83c4d2a74 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -53,7 +53,9 @@ run_test() { sleep 1 $CLI_CMD $2 > cli_out CLI_EXIT=$? - echo SERVERQUIT | openssl s_client -no_ticket >/dev/null 2>&1 + echo SERVERQUIT | openssl s_client -no_ticket \ + -cert data_files/cli2.crt -key data_files/cli2.key \ + >/dev/null 2>&1 wait $SRV_PID shift 2 @@ -67,7 +69,7 @@ run_test() { if [ \( "$1" = 0 -a "$CLI_EXIT" != 0 \) -o \ \( "$1" != 0 -a "$CLI_EXIT" = 0 \) ] then - fail "client exit" + fail "bad client exit code" return fi shift @@ -376,6 +378,91 @@ run_test "Renegotiation #5 (server-initiated, client-rejected)" \ -s "SSL - An unexpected message was received from our peer" \ -s "failed" +# Tests for auth_mode + +run_test "Authentication #1 (server badcert, client required)" \ + "crt_file=data_files/server5-badsign.crt \ + key_file=data_files/server5.key" \ + "debug_level=2 auth_mode=required" \ + 1 \ + -c "x509_verify_cert() returned" \ + -c "! self-signed or not signed by a trusted CA" \ + -c "! ssl_handshake returned" \ + -c "X509 - Certificate verification failed" + +run_test "Authentication #2 (server badcert, client optional)" \ + "crt_file=data_files/server5-badsign.crt \ + key_file=data_files/server5.key" \ + "debug_level=2 auth_mode=optional" \ + 0 \ + -c "x509_verify_cert() returned" \ + -c "! self-signed or not signed by a trusted CA" \ + -C "! ssl_handshake returned" \ + -C "X509 - Certificate verification failed" + +run_test "Authentication #3 (server badcert, client none)" \ + "crt_file=data_files/server5-badsign.crt \ + key_file=data_files/server5.key" \ + "debug_level=2 auth_mode=none" \ + 0 \ + -C "x509_verify_cert() returned" \ + -C "! self-signed or not signed by a trusted CA" \ + -C "! ssl_handshake returned" \ + -C "X509 - Certificate verification failed" + +run_test "Authentication #4 (client badcert, server required)" \ + "debug_level=4 auth_mode=required" \ + "debug_level=4 crt_file=data_files/server5-badsign.crt \ + key_file=data_files/server5.key" \ + 1 \ + -S "skip write certificate request" \ + -C "skip parse certificate request" \ + -c "got a certificate request" \ + -C "skip write certificate" \ + -C "skip write certificate verify" \ + -S "skip parse certificate verify" \ + -s "x509_verify_cert() returned" \ + -S "! self-signed or not signed by a trusted CA" \ + -s "! ssl_handshake returned" \ + -c "! ssl_handshake returned" \ + -s "X509 - Certificate verification failed" + +run_test "Authentication #5 (client badcert, server optional)" \ + "debug_level=4 auth_mode=optional" \ + "debug_level=4 crt_file=data_files/server5-badsign.crt \ + key_file=data_files/server5.key" \ + 0 \ + -S "skip write certificate request" \ + -C "skip parse certificate request" \ + -c "got a certificate request" \ + -C "skip write certificate" \ + -C "skip write certificate verify" \ + -S "skip parse certificate verify" \ + -s "x509_verify_cert() returned" \ + -s "! self-signed or not signed by a trusted CA" \ + -S "! ssl_handshake returned" \ + -C "! ssl_handshake returned" \ + -S "X509 - Certificate verification failed" + +run_test "Authentication #6 (client badcert, server none)" \ + "debug_level=4 auth_mode=none" \ + "debug_level=4 crt_file=data_files/server5-badsign.crt \ + key_file=data_files/server5.key" \ + 0 \ + -s "skip write certificate request" \ + -C "skip parse certificate request" \ + -c "got no certificate request" \ + -c "skip write certificate" \ + -c "skip write certificate verify" \ + -s "skip parse certificate verify" \ + -S "x509_verify_cert() returned" \ + -S "! self-signed or not signed by a trusted CA" \ + -S "! ssl_handshake returned" \ + -C "! ssl_handshake returned" \ + -S "X509 - Certificate verification failed" + +# Final report + echo "------------------------------------------------------------------------" if [ $FAILS = 0 ]; then