authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-03-28 08:58:29 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-03-28 09:30:13 +0200
commitd189cd7979450c2d6d2c1fa3ec4ae0584c82525c (patch)
tree046a769c5216d922387e8384c83d8666366edf44
parent211aec736078e3f775e11c5db812111c809d1842 (diff)
downloadgnutls-d189cd7979450c2d6d2c1fa3ec4ae0584c82525c.tar.gz
testsuite: added tlsfuzzer certificate requiring tests
This enhances the testsuite by running all the tlsfuzzer tests which require certificates from the server. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--tests/suite/Makefile.am3
-rw-r--r--tests/suite/tls-fuzzer/gnutls-cert.json43
-rwxr-xr-xtests/suite/tls-fuzzer/tls-fuzzer-cert.sh68
3 files changed, 113 insertions, 1 deletions
diff --git a/tests/suite/Makefile.am b/tests/suite/Makefile.am
index 27c8689b1e..233e6545ff 100644
--- a/tests/suite/Makefile.am
+++ b/tests/suite/Makefile.am
@@ -91,7 +91,8 @@ EXTRA_DIST += testcompat-main-polarssl testcompat-main-openssl testcompat-common
testpkcs11.pkcs15 testpkcs11.softhsm testpkcs11.sc-hsm
nodist_check_SCRIPTS = testsrn.sh chain.sh invalid-cert.sh \
testrng.sh testcompat-polarssl.sh testcompat-openssl.sh \
- testrandom.sh pkcs7-cat certtool-pkcs11.sh tls-fuzzer/tls-fuzzer-nocert.sh
+ testrandom.sh pkcs7-cat certtool-pkcs11.sh tls-fuzzer/tls-fuzzer-nocert.sh \
+ tls-fuzzer/tls-fuzzer-cert.sh
if ENABLE_PKCS11
nodist_check_SCRIPTS += testpkcs11.sh crl-test
diff --git a/tests/suite/tls-fuzzer/gnutls-cert.json b/tests/suite/tls-fuzzer/gnutls-cert.json
new file mode 100644
index 0000000000..68720b48fd
--- /dev/null
+++ b/tests/suite/tls-fuzzer/gnutls-cert.json
@@ -0,0 +1,43 @@
+[
+ {"server_command": ["@SERVER@", "--http",
+ "--x509keyfile", "tests/serverX509Key.pem",
+ "--x509certfile", "tests/serverX509Cert.pem",
+ "--debug=4",
+ "--priority=@PRIORITY@",
+ "--port=@PORT@"],
+ "environment": {"PYTHONPATH" : "."},
+ "tests" : [
+ {"name": "test-rsa-sigs-on-certificate-verify.py",
+ "arguments" : ["-k", "tests/clientX509Key.pem",
+ "-c", "tests/clientX509Cert.pem"]
+ },
+ {"name" : "test-certificate-verify.py",
+ "arguments" : ["-k", "tests/clientX509Key.pem",
+ "-c", "tests/clientX509Cert.pem"]
+ },
+ {"name" : "test-certificate-verify-malformed.py",
+ "arguments" : ["-k", "tests/clientX509Key.pem",
+ "-c", "tests/clientX509Cert.pem"],
+ "comment" : "for some reason tlsfuzzer does require decryption error alert",
+ "exp_pass" : false
+ },
+ {"name" : "test-certificate-verify-malformed-sig.py",
+ "arguments" : ["-k", "tests/clientX509Key.pem",
+ "-c", "tests/clientX509Cert.pem"]
+ },
+ {"name" : "test-certificate-request.py",
+ "comment" : "tlsfuzzer doesn't like our set of algorithms",
+ "arguments" : ["-k", "tests/clientX509Key.pem",
+ "-c", "tests/clientX509Cert.pem",
+ "-e", "check sigalgs in cert request"]
+ },
+ {"name": "test-certificate-malformed.py",
+ "comment" : "tlsfuzzer doesn't like the alerts we send",
+ "arguments" : ["-k", "tests/clientX509Key.pem",
+ "-c", "tests/clientX509Cert.pem",
+ "-e", "fuzz empty certificate - overall 7, certs 4, cert 1",
+ "-e", "fuzz empty certificate - overall 8, certs 5, cert 2"]
+ }
+ ]
+ }
+]
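Review bot: The `comment` on test-certificate-verify-malformed.py justifies `"exp_pass" : false` only with "for some reason tlsfuzzer does require decryption error alert", which gives the next maintainer no way to tell whether GnuTLS or the fuzzer is right. RFC 5246 §7.2.2 assigns decrypt_error to a handshake signature that fails verification, so if that script corrupts the signature rather than the message framing, the expectation is the standard's and the expected failure records a GnuTLS divergence, not a tlsfuzzer quirk. Suggest recording the alert the server actually sends and why the mismatch is tolerated, e.g. `"comment" : "tlsfuzzer expects decrypt_error (RFC 5246 7.2.2) for a bad CertificateVerify signature; gnutls-serv currently sends <alert observed - fill in> instead"`. The two `-e` exclusions under test-certificate-malformed.py likewise say only that tlsfuzzer "doesn't like the alerts we send"; naming the alert GnuTLS emits for an empty certificate list there would keep the skipped coverage reviewable.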
diff --git a/tests/suite/tls-fuzzer/tls-fuzzer-cert.sh b/tests/suite/tls-fuzzer/tls-fuzzer-cert.sh
new file mode 100755
index 0000000000..ac942f3e6c
--- /dev/null
+++ b/tests/suite/tls-fuzzer/tls-fuzzer-cert.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+# Copyright (C) 2017 Red Hat, Inc.
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+srcdir="${srcdir:-.}"
+SERV="../../../../src/gnutls-serv${EXEEXT}"
+CLI="../../../../src/gnutls-cli${EXEEXT}"
+
+OUTFILE=tls-fuzzer-cert.debug.log
+TMPFILE=tls-fuzzer-cert.$$.tmp
+
+. "${srcdir}/../scripts/common.sh"
+
+# We hard-code the port because of limitations in tlsfuzzer
+#eval "${GETPORT}"
+PORT=4433
+
+pushd tls-fuzzer
+
+if ! test -d tlsfuzzer;then
+ exit 77
+fi
+
+rm -f "$OUTFILE"
+
+pushd tlsfuzzer
+test -L ecdsa || ln -s ../python-ecdsa/src/ecdsa ecdsa
+test -L tlslite || ln -s ../tlslite-ng/tlslite tlslite 2>/dev/null
+
+wait_for_free_port $PORT
+
+retval=0
+
+PRIORITY="NORMAL:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:-CURVE-SECP192R1:+VERS-SSL3.0"
+${CLI} --list --priority "${PRIORITY}" >/dev/null 2>&1
+if test $? != 0;then
+ PRIORITY="NORMAL:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:+VERS-SSL3.0"
+fi
+
+TLS_PY=./tlslite-ng/scripts/tls.py
+#TLS_PY=$(which tls.py)
+
+sed -e "s|@SERVER@|$SERV|g" -e "s/@PORT@/$PORT/g" -e "s/@PRIORITY@/$PRIORITY/g" ../gnutls-cert.json >${TMPFILE}
+
+PYTHONPATH=. python tests/scripts_retention.py ${TMPFILE} ${SERV}
+retval=$?
+
+rm -f ${TMPFILE}
+
+popd
+
+exit $retval
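Review bot: `TMPFILE` is removed only on the normal path at the end, so a failing `sed`, a `wait_for_free_port` that never returns, or an interrupted python run leaves `tls-fuzzer-cert.<pid>.tmp` behind in the tlsfuzzer checkout; an EXIT trap right after the assignment, `trap 'rm -f -- "$TMPFILE"' EXIT`, covers every exit path and makes the later `rm -f ${TMPFILE}` redundant. `OUTFILE` is assigned and deleted but nothing in this script writes to it — either pass it to the server/retention run or drop both the variable and `rm -f "$OUTFILE"`. The hard-coded `PORT=4433` with `eval "${GETPORT}"` commented out means this script and tls-fuzzer-nocert.sh cannot run concurrently if they share the port; `wait_for_free_port` appears to be what serialises them, which is worth saying in the comment so the call is not removed as redundant. The `PRIORITY` string enables ARCFOUR-128, 3DES-CBC, DSA signatures and SSL 3.0, presumably so the tlsfuzzer scripts that negotiate them have something to exercise; a comment such as `# legacy algorithms are enabled only so tlsfuzzer's scripts can exercise them; not a recommended server configuration` keeps this string from being copied elsewhere as a sane default.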