From 24c10d72c72f9404467df9f3447055e565094999 Mon Sep 17 00:00:00 2001
From: Andreas Schultz <aschultz@tpip.net>
Date: Wed, 19 Sep 2012 19:25:14 +0200
Subject: SSL: add tests for PSK and SRP ciphers

---
 lib/ssl/test/ssl_basic_SUITE.erl | 47 +++++++++++++++++++++++++++--
 lib/ssl/test/ssl_test_lib.erl    | 64 +++++++++++++++++++++++++++++++++++++++-
 2 files changed, 108 insertions(+), 3 deletions(-)

(limited to 'lib/ssl/test')

diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index 6b8f226a77..5cedde5d27 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -154,6 +154,10 @@ cipher_tests() ->
      ciphers_dsa_signed_certs,
      ciphers_dsa_signed_certs_openssl_names,
      anonymous_cipher_suites,
+     psk_cipher_suites,
+     psk_with_hint_cipher_suites,
+     srp_cipher_suites,
+     srp_dsa_cipher_suites,
      default_reject_anonymous].
 
 error_handling_tests()->
@@ -1575,7 +1579,34 @@ anonymous_cipher_suites(Config) when is_list(Config) ->
     Version = ssl_record:protocol_version(ssl_record:highest_protocol_version([])),
     Ciphers = ssl_test_lib:anonymous_suites(),
     run_suites(Ciphers, Version, Config, anonymous).
-
+%%-------------------------------------------------------------------
+psk_cipher_suites() ->
+    [{doc, "Test the PSK ciphersuites WITHOUT server supplied identity hint"}].
+psk_cipher_suites(Config) when is_list(Config) ->
+    Version = ssl_record:protocol_version(ssl_record:highest_protocol_version([])),
+    Ciphers = ssl_test_lib:psk_suites(),
+    run_suites(Ciphers, Version, Config, psk).
+%%-------------------------------------------------------------------
+psk_with_hint_cipher_suites()->
+    [{doc, "Test the PSK ciphersuites WITH server supplied identity hint"}].
+psk_with_hint_cipher_suites(Config) when is_list(Config) ->
+    Version = ssl_record:protocol_version(ssl_record:highest_protocol_version([])),
+    Ciphers = ssl_test_lib:psk_suites(),
+    run_suites(Ciphers, Version, Config, psk_with_hint).
+%%-------------------------------------------------------------------
+srp_cipher_suites()->
+    [{doc, "Test the SRP ciphersuites"}].
+srp_cipher_suites(Config) when is_list(Config) ->
+    Version = ssl_record:protocol_version(ssl_record:highest_protocol_version([])),
+    Ciphers = ssl_test_lib:srp_suites(),
+    run_suites(Ciphers, Version, Config, srp).
+%%-------------------------------------------------------------------
+srp_dsa_cipher_suites()->
+    [{doc, "Test the SRP DSA ciphersuites"}].
+srp_dsa_cipher_suites(Config) when is_list(Config) ->
+    Version = ssl_record:protocol_version(ssl_record:highest_protocol_version([])),
+    Ciphers = ssl_test_lib:srp_dss_suites(),
+    run_suites(Ciphers, Version, Config, srp_dsa).
 %%--------------------------------------------------------------------
 default_reject_anonymous()->
     [{doc,"Test that by default anonymous cipher suites are rejected "}].
@@ -3113,7 +3144,19 @@ run_suites(Ciphers, Version, Config, Type) ->
 	    anonymous ->
 		%% No certs in opts!
 		{?config(client_opts, Config),
-		 ?config(server_anon, Config)}
+		 ?config(server_anon, Config)};
+	    psk ->
+		{?config(client_psk, Config),
+		 ?config(server_psk, Config)};
+	    psk_with_hint ->
+		{?config(client_psk, Config),
+		 ?config(server_psk_hint, Config)};
+	    srp ->
+		{?config(client_srp, Config),
+		 ?config(server_srp, Config)};
+	    srp_dsa ->
+		{?config(client_srp_dsa, Config),
+		 ?config(server_srp_dsa, Config)}
 	    end,
 
     Result =  lists:map(fun(Cipher) ->
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index 76b302b1cb..d655d7659e 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
@@ -281,6 +281,13 @@ wait_for_result(Pid, Msg) ->
 	%%     Unexpected
     end.
 
+user_lookup(psk, _Identity, UserState) ->
+    {ok, UserState};
+user_lookup(srp, Username, _UserState) ->
+    Salt = ssl:random_bytes(16),
+    UserPassHash = crypto:sha([Salt, crypto:sha([Username, <<$:>>, <<"secret">>])]),
+    {ok, {srp_1024, Salt, UserPassHash}}.
+
 cert_options(Config) ->
     ClientCaCertFile = filename:join([?config(priv_dir, Config), 
 				      "client", "cacerts.pem"]),
@@ -307,6 +314,7 @@ cert_options(Config) ->
 				   "badcert.pem"]),
     BadKeyFile = filename:join([?config(priv_dir, Config), 
 			      "badkey.pem"]),
+    PskSharedSecret = <<1,2,3,4,5,6,7,8,9,10,11,12,13,14,15>>,
     [{client_opts, [{ssl_imp, new},{reuseaddr, true}]}, 
      {client_verification_opts, [{cacertfile, ClientCaCertFile}, 
 				{certfile, ClientCertFile},  
@@ -319,6 +327,24 @@ cert_options(Config) ->
      {server_opts, [{ssl_imp, new},{reuseaddr, true}, 
 		    {certfile, ServerCertFile}, {keyfile, ServerKeyFile}]},
      {server_anon, [{ssl_imp, new},{reuseaddr, true}, {ciphers, anonymous_suites()}]},
+     {client_psk, [{ssl_imp, new},{reuseaddr, true},
+		   {psk_identity, "Test-User"},
+		   {user_lookup_fun, {fun user_lookup/3, PskSharedSecret}}]},
+     {server_psk, [{ssl_imp, new},{reuseaddr, true},
+		   {certfile, ServerCertFile}, {keyfile, ServerKeyFile},
+		   {user_lookup_fun, {fun user_lookup/3, PskSharedSecret}},
+		   {ciphers, psk_suites()}]},
+     {server_psk_hint, [{ssl_imp, new},{reuseaddr, true},
+			{certfile, ServerCertFile}, {keyfile, ServerKeyFile},
+			{psk_identity, "HINT"},
+			{user_lookup_fun, {fun user_lookup/3, PskSharedSecret}},
+			{ciphers, psk_suites()}]},
+     {client_srp, [{ssl_imp, new},{reuseaddr, true},
+		   {srp_identity, {"Test-User", "secret"}}]},
+     {server_srp, [{ssl_imp, new},{reuseaddr, true},
+		   {certfile, ServerCertFile}, {keyfile, ServerKeyFile},
+		   {user_lookup_fun, {fun user_lookup/3, undefined}},
+		   {ciphers, srp_suites()}]},
      {server_verification_opts, [{ssl_imp, new},{reuseaddr, true}, 
 		    {cacertfile, ServerCaCertFile},
 		    {certfile, ServerCertFile}, {keyfile, ServerKeyFile}]},
@@ -356,7 +382,16 @@ make_dsa_cert(Config) ->
 			       {verify, verify_peer}]},
      {client_dsa_opts, [{ssl_imp, new},{reuseaddr, true}, 
 			{cacertfile, ClientCaCertFile},
-			{certfile, ClientCertFile}, {keyfile, ClientKeyFile}]}
+			{certfile, ClientCertFile}, {keyfile, ClientKeyFile}]},
+     {server_srp_dsa, [{ssl_imp, new},{reuseaddr, true}, 
+		       {cacertfile, ServerCaCertFile},
+		       {certfile, ServerCertFile}, {keyfile, ServerKeyFile},
+		       {user_lookup_fun, {fun user_lookup/3, undefined}},
+		       {ciphers, srp_dss_suites()}]},
+     {client_srp_dsa, [{ssl_imp, new},{reuseaddr, true}, 
+		       {srp_identity, {"Test-User", "secret"}},
+		       {cacertfile, ClientCaCertFile},
+		       {certfile, ClientCertFile}, {keyfile, ClientKeyFile}]}
      | Config].
 
 
@@ -675,6 +710,33 @@ anonymous_suites() ->
      {dh_anon, aes_128_cbc, sha},
      {dh_anon, aes_256_cbc, sha}].
 
+psk_suites() ->
+    [{psk, rc4_128, sha},
+     {psk, '3des_ede_cbc', sha},
+     {psk, aes_128_cbc, sha},
+     {psk, aes_256_cbc, sha},
+     {dhe_psk, rc4_128, sha},
+     {dhe_psk, '3des_ede_cbc', sha},
+     {dhe_psk, aes_128_cbc, sha},
+     {dhe_psk, aes_256_cbc, sha},
+     {rsa_psk, rc4_128, sha},
+     {rsa_psk, '3des_ede_cbc', sha},
+     {rsa_psk, aes_128_cbc, sha},
+     {rsa_psk, aes_256_cbc, sha}].
+
+srp_suites() ->
+    [{srp_anon, '3des_ede_cbc', sha},
+     {srp_rsa, '3des_ede_cbc', sha},
+     {srp_anon, aes_128_cbc, sha},
+     {srp_rsa, aes_128_cbc, sha},
+     {srp_anon, aes_256_cbc, sha},
+     {srp_rsa, aes_256_cbc, sha}].
+
+srp_dss_suites() ->
+    [{srp_dss, '3des_ede_cbc', sha},
+     {srp_dss, aes_128_cbc, sha},
+     {srp_dss, aes_256_cbc, sha}].
+
 pem_to_der(File) ->
     {ok, PemBin} = file:read_file(File),
     public_key:pem_decode(PemBin).
-- 
cgit v1.2.3