authorNikos Mavrogiannopoulos <nmav@redhat.com>2016-04-18 14:17:18 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2017-03-07 22:06:43 +0100
commitc645079cbd10200ac1ed1dd406df16f4bb8cf1bd (patch)
tree7578892df0000c1a31386697a7e11a71261c3bec /tests
parent12ab4f725d605130a7719a687981d9d1d3e6337f (diff)
testsuite: added tlsfuzzer
This enhances the testsuite by running all the tlsfuzzer fuzzer tests which require no certificates from server. https://github.com/tomato42/tlsfuzzer
Diffstat (limited to 'tests')
-rw-r--r--tests/suite/Makefile.am2
-rw-r--r--tests/suite/tls-fuzzer/gnutls-nocert.json94
m---------tests/suite/tls-fuzzer/python-ecdsa0
-rwxr-xr-xtests/suite/tls-fuzzer/tls-fuzzer-nocert.sh68
m---------tests/suite/tls-fuzzer/tlsfuzzer0
m---------tests/suite/tls-fuzzer/tlslite-ng0
6 files changed, 163 insertions, 1 deletions
diff --git a/tests/suite/Makefile.am b/tests/suite/Makefile.am
index ae7c647f5c..bacc485ff5 100644
--- a/tests/suite/Makefile.am
+++ b/tests/suite/Makefile.am
@@ -90,7 +90,7 @@ EXTRA_DIST += testcompat-main-polarssl testcompat-main-openssl testcompat-common
testpkcs11.pkcs15 testpkcs11.softhsm testpkcs11.sc-hsm
nodist_check_SCRIPTS = testsrn.sh chain.sh invalid-cert.sh \
testrng.sh testcompat-polarssl.sh testcompat-openssl.sh \
- testrandom.sh pkcs7-cat certtool-pkcs11.sh
+ testrandom.sh pkcs7-cat certtool-pkcs11.sh tls-fuzzer/tls-fuzzer-nocert.sh
if ENABLE_PKCS11
nodist_check_SCRIPTS += testpkcs11.sh crl-test
diff --git a/tests/suite/tls-fuzzer/gnutls-nocert.json b/tests/suite/tls-fuzzer/gnutls-nocert.json
new file mode 100644
index 0000000000..ca360b45e3
--- /dev/null
+++ b/tests/suite/tls-fuzzer/gnutls-nocert.json
@@ -0,0 +1,94 @@
+[
+ {"server_command": ["@SERVER@", "--http",
+ "--x509keyfile", "tests/serverX509Key.pem",
+ "--x509certfile", "tests/serverX509Cert.pem",
+ "--debug=3",
+ "--priority=@PRIORITY@",
+ "--disable-client-cert", "--port=@PORT@"],
+ "tests" : [
+ {"name" : "test-aes-gcm-nonces.py" },
+ {"name" : "test-atypical-padding.py" },
+ {"name" : "test-bleichenbacher-workaround.py" },
+ {"name" : "test-clienthello-md5.py"},
+ {"name" : "test-client-compatibility.py"},
+ {"name" : "test-client-compatibility.py"},
+ {"name" : "test-client-compatibility.py"},
+ {"name" : "test-client-compatibility.py"},
+ {"name" : "test-conversation.py"},
+ {"name" : "test-cve-2016-2107.py"},
+ {"name" : "test-dhe-rsa-key-exchange.py"},
+ {"name" : "test-dhe-rsa-key-exchange-signatures.py"},
+ {"name" : "test-dhe-rsa-key-exchange-with-bad-messages.py"},
+ {"name" : "test-early-application-data.py"},
+ {"name" : "test-ecdhe-rsa-key-exchange.py"},
+ {"name" : "test-ecdhe-rsa-key-exchange-with-bad-messages.py"},
+ {"name" : "test-empty-extensions.py"},
+ {"name" : "test-export-ciphers-rejected.py",
+ "comment" : "we negotiate AES even in SSL3.0",
+ "arguments" : ["--ssl3"] },
+ {"name" : "test-extensions.py"},
+ {"name" : "test-extended-master-secret-extension.py",
+ "comment" : "gnutls does not allow switching from EMS to no EMS",
+ "arguments" : ["-e", "renegotiate without EMS in session with EMS",
+ "-e", "EMS with session resume without extension"],
+ "comment" : "FIXME: This script doesn't accept -e",
+ "exp_pass" : false},
+ {"name" : "test-fallback-scsv.py"},
+ {"name" : "test-fuzzed-ciphertext.py"},
+ {"name" : "test-fuzzed-finished.py"},
+ {"name" : "test-fuzzed-MAC.py"},
+ {"name" : "test-fuzzed-padding.py"},
+ {"name" : "test-hello-request-by-client.py"},
+ {"name" : "test-interleaved-application-data-and-fragmented-handshakes-in-renegotiation.py",
+ "comment" : "gnutls doesn't support interleaved data with handshake",
+ "exp_pass" : false},
+ {"name" : "test-interleaved-application-data-in-renegotiation.py",
+ "comment" : "gnutls doesn't support interleaved data with handshake",
+ "exp_pass" : false},
+ {"name" : "test-invalid-cipher-suites.py"},
+ {"name" : "test-invalid-client-hello.py"},
+ {"name" : "test-invalid-client-hello-w-record-overflow.py"},
+ {"name" : "test-invalid-compression-methods.py"},
+ {"name" : "test-invalid-content-type.py"},
+ {"name" : "test-invalid-rsa-key-exchange-messages.py"},
+ {"name" : "test-invalid-session-id.py"},
+ {"name" : "test-invalid-version.py"},
+ {"name" : "test-large-number-of-extensions.py"},
+ {"name" : "test-message-duplication.py"},
+ {"name" : "test-message-skipping.py"},
+ {"name" : "test-ocsp-stapling.py",
+ "comment" : "test requires OCSP setup",
+ "exp_pass" : false},
+ {"name" : "test-openssl-3712.py",
+ "comment" : "gnutls doesn't support interleaved data with handshake",
+ "exp_pass" : false},
+ {"name" : "test-record-layer-fragmentation.py",
+ "comment" : "FIXME: these need investigation",
+ "arguments" : ["-e", "non fragmented, over fragmentation limit: 65535 fragment - 16332B extension",
+ "-e", "small, maximum fragmentation: 1 fragment - 20B extension",
+ "-e", "medium, maximum fragmentation: 1 fragment - 1024B extension"]},
+ {"name" : "test-sessionID-resumption.py"},
+ {"name" : "test-sig-algs.py"},
+ {"name" : "test-signature-algorithms.py",
+ "comment" : "gnutls doesn't tolerate that much",
+ "arguments" : ["-e", "tolerance max (32764) number of methods"]
+ },
+ {"name" : "test-sslv2-connection.py"},
+ {"name" : "test-sslv2-force-cipher-3des.py"},
+ {"name" : "test-sslv2-force-cipher-non3des.py"},
+ {"name" : "test-sslv2-force-cipher.py"},
+ {"name" : "test-sslv2-force-export-cipher.py"},
+ {"name" : "test-sslv2hello-protocol.py"},
+ {"name" : "test-SSLv3-padding.py",
+ "comment" : "we accept zero filled padding in SSLv3",
+ "exp_pass" : false},
+ {"name" : "test-TLSv1_2-rejected-without-TLSv1_2.py"},
+ {"name" : "test-truncating-of-client-hello.py" },
+ {"name" : "test-truncating-of-finished.py"},
+ {"name" : "test-truncating-of-kRSA-client-key-exchange.py"},
+ {"name" : "test-unsupported-cuve-fallback.py"},
+ {"name" : "test-version-numbers.py"},
+ {"name" : "test-zero-length-data.py"}
+ ]
+ }
+]
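Review bot: The `test-extended-master-secret-extension.py` entry sets the key `"comment"` twice in one object, so a parser that keeps the last duplicate (Python's `json` module does) silently drops the first explanation, "gnutls does not allow switching from EMS to no EMS". Merging both into one value keeps the reason for the `"exp_pass" : false` visible, e.g. `"comment" : "gnutls does not allow switching from EMS to no EMS; FIXME: This script doesn't accept -e",`. `test-client-compatibility.py` is also listed four times with no differing arguments; if that is not deliberate, a single entry is enough.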
diff --git a/tests/suite/tls-fuzzer/python-ecdsa b/tests/suite/tls-fuzzer/python-ecdsa
new file mode 160000
+Subproject c877639b55fa0651ecbbcc8b0d01627d25e5e8c
diff --git a/tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh b/tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh
new file mode 100755
index 0000000000..ea19ffcd1f
--- /dev/null
+++ b/tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+# Copyright (C) 2016-2017 Red Hat, Inc.
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+srcdir="${srcdir:-.}"
+SERV="../../../../src/gnutls-serv${EXEEXT}"
+CLI="../../../../src/gnutls-cli${EXEEXT}"
+
+OUTFILE=tls-fuzzer.debug.log
+TMPFILE=tls-fuzzer.$$.tmp
+
+. "${srcdir}/../scripts/common.sh"
+
+# We hard-code the port because of limitations in tlsfuzzer
+#eval "${GETPORT}"
+PORT=4433
+
+pushd tls-fuzzer
+
+if ! test -d tlsfuzzer;then
+ exit 77
+fi
+
+rm -f "$OUTFILE"
+
+pushd tlsfuzzer
+test -L ecdsa || ln -s ../python-ecdsa/src/ecdsa ecdsa
+test -L tlslite || ln -s ../tlslite-ng/tlslite tlslite 2>/dev/null
+
+wait_for_free_port $PORT
+
+retval=0
+
+PRIORITY="NORMAL:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:-CURVE-SECP192R1:+VERS-SSL3.0"
+${CLI} --list --priority "${PRIORITY}" >/dev/null 2>&1
+if test $? != 0;then
+ PRIORITY="NORMAL:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:+VERS-SSL3.0"
+fi
+
+TLS_PY=./tlslite-ng/scripts/tls.py
+#TLS_PY=$(which tls.py)
+
+sed -e "s|@SERVER@|$SERV|g" -e "s/@PORT@/$PORT/g" -e "s/@PRIORITY@/$PRIORITY/g" ../gnutls-nocert.json >${TMPFILE}
+
+PYTHONPATH=. python tests/scripts_retention.py ${TMPFILE} ${SERV}
+retval=$?
+
+rm -f ${TMPFILE}
+
+popd
+
+exit $retval
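Review bot: The skip check `test -d tlsfuzzer` also passes on a git checkout where the submodule was never initialised, because git leaves an empty directory in its place, so the run would then fail at `python tests/scripts_retention.py` instead of exiting 77. Testing for the file itself is more reliable: `test -f tlsfuzzer/tests/scripts_retention.py || exit 77`. Neither `pushd` is checked, so a failed `pushd tls-fuzzer` is reported as a skip by that same test when it is really a setup error; `pushd tls-fuzzer || exit 1` would separate the two cases. `OUTFILE` is removed but never written and `TLS_PY` is never used, so both can go or get a comment saying what they are reserved for.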
diff --git a/tests/suite/tls-fuzzer/tlsfuzzer b/tests/suite/tls-fuzzer/tlsfuzzer
new file mode 160000
+Subproject 06c4054658d8e434424aadd90c84996a480baf1
diff --git a/tests/suite/tls-fuzzer/tlslite-ng b/tests/suite/tls-fuzzer/tlslite-ng
new file mode 160000
+Subproject 26a323a8beb51a8696f578769295db98121570b