sasl: Add tests for signature failure from the server (#179)

2023-05-29 11:53:08 +02:00 · 2023-05-29 11:53:08 +02:00 · 79bbdd2948
parent a03e9bb8ea
commit 79bbdd2948
3 changed files with 33 additions and 3 deletions
--- a/.github/workflows/test-stable.yml
+++ b/.github/workflows/test-stable.yml
@ -894,7 +894,7 @@ jobs:
      with:
        python-version: 3.7
    - name: Install dependencies
-      run: pip install limnoria==2022.03.17 cryptography pyxmpp2-scram
+      run: pip install limnoria==2023.5.27 cryptography pyxmpp2-scram
    - name: Install system dependencies
      run: sudo apt-get install atheme-services faketime
    - name: Install irctest dependencies
--- a/irctest/client_tests/sasl.py
+++ b/irctest/client_tests/sasl.py
@ -228,7 +228,7 @@ class SaslTestCase(cases.BaseClientTestCase):
        self.assertEqual(m.params, ["+"], m)

    @cases.skipUnlessHasMechanism("SCRAM-SHA-256")
-    def testScramBadPassword(self):
+    def testScramBadPassword(self, server_fakes_success=False, fake_response=None):
        """Test SCRAM-SHA-256 authentication with a bad password."""
        auth = authentication.Authentication(
            mechanisms=[authentication.Mechanisms.scram_sha_256],
@ -261,6 +261,36 @@ class SaslTestCase(cases.BaseClientTestCase):
        with self.assertRaises(scram.NotAuthorizedException):
            authenticator.response(msg)

+        if server_fakes_success:
+            self.sendLine(f"AUTHENTICATE :{fake_response}")
+
+            m = self.getMessage()
+            while m.command == "PING":
+                self.sendLine(f"PONG server. {m.params[-1]}")
+                m = self.getMessage()
+            self.assertMessageMatch(
+                m,
+                command="AUTHENTICATE",
+                params=["*"],
+                fail_msg="Client did not abort: {msg}",
+            )
+
+    @cases.skipUnlessHasMechanism("SCRAM-SHA-256")
+    @pytest.mark.parametrize(
+        "fake_response",
+        [
+            "",
+            "AAAA",
+            "dj1ubU1mM1FIV2NKUWk5cE1ndHFLU0tQclZueUk2c3FOTzZJN3BFLzBveUdjPQ==",
+        ],
+    )
+    def testScramMaliciousServer(self, fake_response):
+        """Test SCRAM-SHA-256 authentication to a server which pretends to know
+        the password"""
+        self.testScramBadPassword(
+            server_fakes_success=True, fake_response=fake_response
+        )
+

 class Irc302SaslTestCase(cases.BaseClientTestCase):
    @cases.skipUnlessHasMechanism("PLAIN")
--- a/workflows.yml
+++ b/workflows.yml
@ -355,7 +355,7 @@ software:
        install_steps:
            stable:
                - name: Install dependencies
-                  run: pip install limnoria==2022.03.17 cryptography pyxmpp2-scram
+                  run: pip install limnoria==2023.5.27 cryptography pyxmpp2-scram
            release:
                - name: Install dependencies
                  run: pip install limnoria cryptography pyxmpp2-scram