author | Daiki Ueno <dueno@redhat.com> | 2019-06-07 11:39:53 +0200 |
---|---|---|
committer | Daiki Ueno <dueno@redhat.com> | 2019-06-19 15:14:47 +0200 |
commit | d2d225d33276d0e07162337bf9d095970c09978b (patch) | |
tree | 31e1307035d29a28ee5ebd33f26a715856de9a08 | |
parent | 100d9bcf183f64a61894c728fd32492f46a53c8c (diff) | |
download | gnutls-d2d225d33276d0e07162337bf9d095970c09978b.tar.gz |
tlsfuzzer: test both with and without %ALLOW_SMALL_RECORDS
The option changes the behavior of the server, so it makes sense to
test both with and without %ALLOW_SMALL_RECORDS.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
-rw-r--r-- | tests/suite/Makefile.am | 1 | ||||
-rw-r--r-- | tests/suite/tls-fuzzer/gnutls-nocert-tls13.json | 1 | ||||
-rw-r--r-- | tests/suite/tls-fuzzer/gnutls-nocert.json | 1 | ||||
-rw-r--r-- | tests/suite/tls-fuzzer/gnutls-nolimit-tls13.json | 42 | ||||
-rw-r--r-- | tests/suite/tls-fuzzer/gnutls-nolimit.json | 37 | ||||
-rwxr-xr-x | tests/suite/tls-fuzzer/tls-fuzzer-nocert-tls13.sh | 2 | ||||
-rwxr-xr-x | tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh | 4 | ||||
-rwxr-xr-x | tests/suite/tls-fuzzer/tls-fuzzer-nolimit-tls13.sh | 29 | ||||
-rwxr-xr-x | tests/suite/tls-fuzzer/tls-fuzzer-nolimit.sh | 34 |
9 files changed, 148 insertions, 3 deletions
diff --git a/tests/suite/Makefile.am b/tests/suite/Makefile.am
index 8dccbc5726..bd3a56cc35 100644
--- a/tests/suite/Makefile.am
+++ b/tests/suite/Makefile.am
@@ -93,6 +93,7 @@ scripts_to_test = chain.sh \
 testrandom.sh tls-fuzzer/tls-fuzzer-nocert.sh \
 tls-fuzzer/tls-fuzzer-cert.sh tls-fuzzer/tls-fuzzer-alpn.sh \
 tls-fuzzer/tls-fuzzer-nocert-tls13.sh tls-fuzzer/tls-fuzzer-psk.sh \
+ tls-fuzzer/tls-fuzzer-nolimit.sh tls-fuzzer/tls-fuzzer-nolimit-tls13.sh \
 multi-ticket-reception.sh
 
 TESTS_ENVIRONMENT = EXEEXT=$(EXEEXT) \
diff --git a/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json b/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json
index 30bbf11e46..073c143833 100644
--- a/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json
+++ b/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json
@@ -16,6 +16,7 @@
 {"name" : "test-record-size-limit.py",
 "comment" : "changed extension after HRR is not supported #617",
 "arguments" : ["-p", "@PORT@", "--reply-AD-size", "1024",
+ "--minimal-size", "512",
 "-e", "change size in TLS 1.2 resumption",
 "-e", "check if server accepts maximum size in TLS 1.0",
 "-e", "check if server accepts maximum size in TLS 1.1",
diff --git a/tests/suite/tls-fuzzer/gnutls-nocert.json b/tests/suite/tls-fuzzer/gnutls-nocert.json
index dc3ffd8e85..b56ea40163 100644
--- a/tests/suite/tls-fuzzer/gnutls-nocert.json
+++ b/tests/suite/tls-fuzzer/gnutls-nocert.json
@@ -235,6 +235,7 @@
 {"name" : "test-record-size-limit.py",
 "comment" : "TLS 1.3 tests are done separately; 1/n-1 splitting is not supported in TLS 1.0",
 "arguments" : ["-p", "@PORT@", "--reply-AD-size", "1024",
+ "--minimal-size", "512",
 "-e", "check if server accepts maximum size in TLS 1.0",
 "-e", "check if server accepts maximum size in TLS 1.3",
 "-e", "check if server accepts minimal size in TLS 1.0",
diff --git a/tests/suite/tls-fuzzer/gnutls-nolimit-tls13.json b/tests/suite/tls-fuzzer/gnutls-nolimit-tls13.json
new file mode 100644
index 0000000000..9139c78667
--- /dev/null
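Review bot: The `"--minimal-size", "512"` added to gnutls-nocert-tls13.json is a bare number that nothing in the file ties to the server setting it depends on; the only clue is that the same commit drops `%ALLOW_SMALL_RECORDS` from tls-fuzzer-nocert-tls13.sh, which suggests 512 is the record_size_limit floor the server enforces without that flag. I would record that in the test's `"comment"` field, e.g. `"comment" : "changed extension after HRR is not supported #617; --minimal-size 512 matches the server's floor without %ALLOW_SMALL_RECORDS (the -nolimit variant runs without it)"`, so the value gets revisited if the server default ever changes. The identical line added to gnutls-nocert.json deserves the same note. Both hunks cut through the test object, so the rest of each arguments list is outside the view.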
+++ b/tests/suite/tls-fuzzer/gnutls-nolimit-tls13.json
@@ -0,0 +1,42 @@
+[
+ {"server_command": ["@SERVER@", "--http",
+ "--x509keyfile", "tests/serverX509Key.pem",
+ "--x509certfile", "tests/serverX509Cert.pem",
+ "--x509keyfile", "tests/serverRSAPSSKey.pem",
+ "--x509certfile", "tests/serverRSAPSSCert.pem",
+ "--x509keyfile", "../../../certs/ecc256.pem",
+ "--x509certfile", "../../../certs/cert-ecc256.pem",
+ "--debug=3",
+ "--httpdata=../http.dat",
+ "--priority=@PRIORITY@",
+ "--disable-client-cert", "--port=@PORT@"],
+ "server_hostname": "localhost",
+ "server_port": @PORT@,
+ "tests" : [
+ {"name" : "test-record-size-limit.py",
+ "comment" : "changed extension after HRR is not supported #617",
+ "arguments" : ["-p", "@PORT@", "--reply-AD-size", "1024",
+ "-e", "change size in TLS 1.2 resumption",
+ "-e", "check if server accepts maximum size in TLS 1.0",
+ "-e", "check if server accepts maximum size in TLS 1.1",
+ "-e", "check if server accepts maximum size in TLS 1.2",
+ "-e", "check if server accepts minimal size in TLS 1.0",
+ "-e", "check if server accepts minimal size in TLS 1.1",
+ "-e", "check if server accepts minimal size in TLS 1.2",
+ "-e", "check interaction with sha256 prf",
+ "-e", "check interaction with sha384 prf",
+ "-e", "check server sent size in TLS 1.0",
+ "-e", "check server sent size in TLS 1.1",
+ "-e", "check server sent size in TLS 1.2",
+ "-e", "drop extension in TLS 1.2 resumption",
+ "-e", "modified extension in 2nd CH in HRR handshake",
+ "-e", "renegotiation with changed limit",
+ "-e", "renegotiation with dropped extension",
+ "-e", "added extension in 2nd CH in HRR handshake",
+ "-e", "check server sent size in TLS 1.0 with max_fragment_length",
+ "-e", "check server sent size in TLS 1.1 with max_fragment_length",
+ "-e", "check server sent size in TLS 1.2 with max_fragment_length",
+ "-e", "removed extension in 2nd CH in HRR handshake"] }
+ ]
+ }
+]
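Review bot: gnutls-nolimit-tls13.json is, as far as the gnutls-nocert-tls13.json hunk above lets me compare, a full copy of that file's server_command and 21-entry exclusion list with only the `--minimal-size` argument left out, so every future change to the exclusions has to be made twice and the two lists will drift silently. If the tlsfuzzer runner cannot share a file between the two scripts, at least make the relationship explicit where a maintainer will see it, e.g. `"comment" : "changed extension after HRR is not supported #617; mirror of gnutls-nocert-tls13.json run with %ALLOW_SMALL_RECORDS, keep the exclusion lists in sync"`. The same applies to gnutls-nolimit.json versus gnutls-nocert.json. Note also that the tests for "unrecognized size 64" and "511 in TLS 1.3" are not excluded here, which is presumably the point of the variant, so a one-line mention of that in the comment would tell a reader why this file exists.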
diff --git a/tests/suite/tls-fuzzer/gnutls-nolimit.json b/tests/suite/tls-fuzzer/gnutls-nolimit.json
new file mode 100644
index 0000000000..2383a786c8
--- /dev/null
+++ b/tests/suite/tls-fuzzer/gnutls-nolimit.json
@@ -0,0 +1,37 @@
+[
+ {"server_command": ["@SERVER@", "--http",
+ "--x509keyfile", "tests/serverX509Key.pem",
+ "--x509certfile", "tests/serverX509Cert.pem",
+ "--x509keyfile", "../../../certs/ecc256.pem",
+ "--x509certfile", "../../../certs/cert-ecc256.pem",
+ "--debug=3",
+ "--httpdata=../http.dat",
+ "--noticket",
+ "--priority=@PRIORITY@",
+ "--disable-client-cert", "--port=@PORT@"],
+ "server_hostname": "localhost",
+ "server_port": @PORT@,
+ "tests" : [
+ {"name" : "test-record-size-limit.py",
+ "comment" : "TLS 1.3 tests are done separately; 1/n-1 splitting is not supported in TLS 1.0",
+ "arguments" : ["-p", "@PORT@", "--reply-AD-size", "1024",
+ "-e", "check if server accepts maximum size in TLS 1.0",
+ "-e", "check if server accepts maximum size in TLS 1.3",
+ "-e", "check if server accepts minimal size in TLS 1.0",
+ "-e", "check if server accepts minimal size in TLS 1.3",
+ "-e", "check if server omits extension for unrecognized size 64 in TLS 1.3",
+ "-e", "check if server omits extension for unrecognized size 511 in TLS 1.3",
+ "-e", "check server sent size in TLS 1.0",
+ "-e", "check server sent size in TLS 1.3",
+ "-e", "HRR sanity",
+ "-e", "too large record payload in TLS 1.3",
+ "-e", "change size in TLS 1.3 session resumption",
+ "-e", "drop extension in TLS 1.3 session resumption",
+ "-e", "modified extension in 2nd CH in HRR handshake",
+ "-e", "added extension in 2nd CH in HRR handshake",
+ "-e", "check server sent size in TLS 1.0 with max_fragment_length",
+ "-e", "check server sent size in TLS 1.3 with max_fragment_length",
+ "-e", "removed extension in 2nd CH in HRR handshake"] }
+ ]
+ }
+]
diff --git a/tests/suite/tls-fuzzer/tls-fuzzer-nocert-tls13.sh b/tests/suite/tls-fuzzer/tls-fuzzer-nocert-tls13.sh
index d1fe2ed100..1b9b0f1765 100755
--- a/tests/suite/tls-fuzzer/tls-fuzzer-nocert-tls13.sh
+++ b/tests/suite/tls-fuzzer/tls-fuzzer-nocert-tls13.sh
@@ -21,7 +21,7 @@
 srcdir="${srcdir:-.}"
 
 tls_fuzzer_prepare() {
-PRIORITY="NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.1:%ALLOW_SMALL_RECORDS"
+PRIORITY="NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.1"
 
 sed -e "s|@SERVER@|$SERV|g" -e "s/@PORT@/$PORT/g" -e "s/@PRIORITY@/$PRIORITY/g" ../gnutls-nocert-tls13.json >${TMPFILE}
 }
diff --git a/tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh b/tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh
index 1d23e98c61..77a1d050cd 100755
--- a/tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh
+++ b/tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh
@@ -22,10 +22,10 @@ srcdir="${srcdir:-.}"
 
 tls_fuzzer_prepare() {
 VERSIONS="-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0"
-PRIORITY="NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:-CURVE-SECP192R1:${VERSIONS}:+SHA256:%ALLOW_SMALL_RECORDS"
+PRIORITY="NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:-CURVE-SECP192R1:${VERSIONS}:+SHA256"
 ${CLI} --list --priority "${PRIORITY}" >/dev/null 2>&1
 if test $? != 0;then
- PRIORITY="NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:${VERSIONS}:+SHA256:%ALLOW_SMALL_RECORDS"
+ PRIORITY="NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:${VERSIONS}:+SHA256"
 fi
 
 sed -e "s|@SERVER@|$SERV|g" -e "s/@PORT@/$PORT/g" -e "s/@PRIORITY@/$PRIORITY/g" ../gnutls-nocert.json >${TMPFILE}
diff --git a/tests/suite/tls-fuzzer/tls-fuzzer-nolimit-tls13.sh b/tests/suite/tls-fuzzer/tls-fuzzer-nolimit-tls13.sh
new file mode 100755
index 0000000000..4b0e0fa087
--- /dev/null
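Review bot: The two rewritten PRIORITY assignments in tls-fuzzer-nocert.sh differ only by the `-CURVE-SECP192R1:` token, and this commit had to edit both of them in lockstep (and then copy both again into tls-fuzzer-nolimit.sh), which is exactly how the fallback string drifts from the primary one. I would derive them from a single base: `BASE="NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1"`, then `PRIORITY="${BASE}:-CURVE-SECP192R1:${VERSIONS}:+SHA256"` and, inside the `if`, `PRIORITY="${BASE}:${VERSIONS}:+SHA256"`. The fallback is taken when `${CLI} --list` rejects the first string, presumably on builds lacking that curve; a one-line comment above the `if` saying so would spare the next reader the guess. The closing brace of tls_fuzzer_prepare lies outside this hunk.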
+++ b/tests/suite/tls-fuzzer/tls-fuzzer-nolimit-tls13.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# Copyright (C) 2016-2017 Red Hat, Inc.
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+srcdir="${srcdir:-.}"
+
+tls_fuzzer_prepare() {
+PRIORITY="NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.1:%ALLOW_SMALL_RECORDS"
+
+sed -e "s|@SERVER@|$SERV|g" -e "s/@PORT@/$PORT/g" -e "s/@PRIORITY@/$PRIORITY/g" ../gnutls-nolimit-tls13.json >${TMPFILE}
+}
+
+. "${srcdir}/tls-fuzzer/tls-fuzzer-common.sh"
diff --git a/tests/suite/tls-fuzzer/tls-fuzzer-nolimit.sh b/tests/suite/tls-fuzzer/tls-fuzzer-nolimit.sh
new file mode 100755
index 0000000000..df1ae6bcc2
--- /dev/null
+++ b/tests/suite/tls-fuzzer/tls-fuzzer-nolimit.sh
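Review bot: Nothing in tls-fuzzer-nolimit-tls13.sh says what "nolimit" means or how it differs from tls-fuzzer-nocert-tls13.sh; a reader has to diff the two scripts to spot the `%ALLOW_SMALL_RECORDS` token at the end of PRIORITY. I would put a comment above `tls_fuzzer_prepare()`, e.g. `# Same as tls-fuzzer-nocert-tls13.sh but with %ALLOW_SMALL_RECORDS, so the server accepts record_size_limit values below its default floor; gnutls-nolimit-tls13.json therefore omits tlsfuzzer's --minimal-size argument.` (that the floor is 512 is only inferred from the `--minimal-size 512` this commit adds to the nocert JSON, so I would not hard-code the number here). The `Copyright (C) 2016-2017` line was carried over from the template; a file created in 2019 should carry its own year. The function also reads `SERV`, `PORT` and `TMPFILE`, which are presumably provided by the sourced tls-fuzzer-common.sh that is not in view.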
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+# Copyright (C) 2016-2017 Red Hat, Inc.
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+srcdir="${srcdir:-.}"
+
+tls_fuzzer_prepare() {
+VERSIONS="-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0"
+PRIORITY="NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:-CURVE-SECP192R1:${VERSIONS}:+SHA256:%ALLOW_SMALL_RECORDS"
+${CLI} --list --priority "${PRIORITY}" >/dev/null 2>&1
+if test $? != 0;then
+ PRIORITY="NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:${VERSIONS}:+SHA256:%ALLOW_SMALL_RECORDS"
+fi
+
+sed -e "s|@SERVER@|$SERV|g" -e "s/@PORT@/$PORT/g" -e "s/@PRIORITY@/$PRIORITY/g" ../gnutls-nolimit.json >${TMPFILE}
+}
+
+. "${srcdir}/tls-fuzzer/tls-fuzzer-common.sh"
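Review bot: The priority string in tls-fuzzer-nolimit.sh deliberately re-enables SSL 3.0, TLS 1.0, ARCFOUR-128, 3DES-CBC, DSA and SHA-1 signature verification — a configuration nobody should lift into a real deployment — and the new file does not say that this is intentional test-only coverage. Since the file is new, I would add a comment above the `VERSIONS=` line: `# Legacy protocols, ciphers and signature algorithms are enabled on purpose so tlsfuzzer can exercise those code paths; this priority string is for the test server only.` The `${CLI} --list ...` / `if test $? != 0;then` pair copied from tls-fuzzer-nocert.sh reads more directly as `if ! ${CLI} --list --priority "${PRIORITY}" >/dev/null 2>&1; then`, and the fallback that drops `-CURVE-SECP192R1` would benefit from a one-line comment naming why gnutls-cli might reject the first string, which I can only presume is a build without that curve. As with its TLS 1.3 sibling, the `2016-2017` copyright year does not match a file created in 2019.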