diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-04-18 14:17:18 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2017-03-07 22:06:43 +0100 |
commit | c645079cbd10200ac1ed1dd406df16f4bb8cf1bd (patch) | |
tree | 7578892df0000c1a31386697a7e11a71261c3bec /tests | |
parent | 12ab4f725d605130a7719a687981d9d1d3e6337f (diff) | |
download | gnutls-c645079cbd10200ac1ed1dd406df16f4bb8cf1bd.tar.gz |
testsuite: added tlsfuzzer
This enhances the testsuite by running all the tlsfuzzer
fuzzer tests which require no certificates from server.
https://github.com/tomato42/tlsfuzzer
Diffstat (limited to 'tests')
-rw-r--r-- | tests/suite/Makefile.am | 2 | ||||
-rw-r--r-- | tests/suite/tls-fuzzer/gnutls-nocert.json | 94 | ||||
m--------- | tests/suite/tls-fuzzer/python-ecdsa | 0 | ||||
-rwxr-xr-x | tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh | 68 | ||||
m--------- | tests/suite/tls-fuzzer/tlsfuzzer | 0 | ||||
m--------- | tests/suite/tls-fuzzer/tlslite-ng | 0 |
6 files changed, 163 insertions, 1 deletions
diff --git a/tests/suite/Makefile.am b/tests/suite/Makefile.am index ae7c647f5c..bacc485ff5 100644 --- a/tests/suite/Makefile.am +++ b/tests/suite/Makefile.am @@ -90,7 +90,7 @@ EXTRA_DIST += testcompat-main-polarssl testcompat-main-openssl testcompat-common testpkcs11.pkcs15 testpkcs11.softhsm testpkcs11.sc-hsm nodist_check_SCRIPTS = testsrn.sh chain.sh invalid-cert.sh \ testrng.sh testcompat-polarssl.sh testcompat-openssl.sh \ - testrandom.sh pkcs7-cat certtool-pkcs11.sh + testrandom.sh pkcs7-cat certtool-pkcs11.sh tls-fuzzer/tls-fuzzer-nocert.sh if ENABLE_PKCS11 nodist_check_SCRIPTS += testpkcs11.sh crl-test diff --git a/tests/suite/tls-fuzzer/gnutls-nocert.json b/tests/suite/tls-fuzzer/gnutls-nocert.json new file mode 100644 index 0000000000..ca360b45e3 --- /dev/null +++ b/tests/suite/tls-fuzzer/gnutls-nocert.json @@ -0,0 +1,94 @@ +[ + {"server_command": ["@SERVER@", "--http", + "--x509keyfile", "tests/serverX509Key.pem", + "--x509certfile", "tests/serverX509Cert.pem", + "--debug=3", + "--priority=@PRIORITY@", + "--disable-client-cert", "--port=@PORT@"], + "tests" : [ + {"name" : "test-aes-gcm-nonces.py" }, + {"name" : "test-atypical-padding.py" }, + {"name" : "test-bleichenbacher-workaround.py" }, + {"name" : "test-clienthello-md5.py"}, + {"name" : "test-client-compatibility.py"}, + {"name" : "test-client-compatibility.py"}, + {"name" : "test-client-compatibility.py"}, + {"name" : "test-client-compatibility.py"}, + {"name" : "test-conversation.py"}, + {"name" : "test-cve-2016-2107.py"}, + {"name" : "test-dhe-rsa-key-exchange.py"}, + {"name" : "test-dhe-rsa-key-exchange-signatures.py"}, + {"name" : "test-dhe-rsa-key-exchange-with-bad-messages.py"}, + {"name" : "test-early-application-data.py"}, + {"name" : "test-ecdhe-rsa-key-exchange.py"}, + {"name" : "test-ecdhe-rsa-key-exchange-with-bad-messages.py"}, + {"name" : "test-empty-extensions.py"}, + {"name" : "test-export-ciphers-rejected.py", + "comment" : "we negotiate AES even in SSL3.0", + "arguments" : ["--ssl3"] }, + {"name" : "test-extensions.py"}, + {"name" : "test-extended-master-secret-extension.py", + "comment" : "gnutls does not allow switching from EMS to no EMS", + "arguments" : ["-e", "renegotiate without EMS in session with EMS", + "-e", "EMS with session resume without extension"], + "comment" : "FIXME: This script doesn't accept -e", + "exp_pass" : false}, + {"name" : "test-fallback-scsv.py"}, + {"name" : "test-fuzzed-ciphertext.py"}, + {"name" : "test-fuzzed-finished.py"}, + {"name" : "test-fuzzed-MAC.py"}, + {"name" : "test-fuzzed-padding.py"}, + {"name" : "test-hello-request-by-client.py"}, + {"name" : "test-interleaved-application-data-and-fragmented-handshakes-in-renegotiation.py", + "comment" : "gnutls doesn't support interleaved data with handshake", + "exp_pass" : false}, + {"name" : "test-interleaved-application-data-in-renegotiation.py", + "comment" : "gnutls doesn't support interleaved data with handshake", + "exp_pass" : false}, + {"name" : "test-invalid-cipher-suites.py"}, + {"name" : "test-invalid-client-hello.py"}, + {"name" : "test-invalid-client-hello-w-record-overflow.py"}, + {"name" : "test-invalid-compression-methods.py"}, + {"name" : "test-invalid-content-type.py"}, + {"name" : "test-invalid-rsa-key-exchange-messages.py"}, + {"name" : "test-invalid-session-id.py"}, + {"name" : "test-invalid-version.py"}, + {"name" : "test-large-number-of-extensions.py"}, + {"name" : "test-message-duplication.py"}, + {"name" : "test-message-skipping.py"}, + {"name" : "test-ocsp-stapling.py", + "comment" : "test requires OCSP setup", + "exp_pass" : false}, + {"name" : "test-openssl-3712.py", + "comment" : "gnutls doesn't support interleaved data with handshake", + "exp_pass" : false}, + {"name" : "test-record-layer-fragmentation.py", + "comment" : "FIXME: these need investigation", + "arguments" : ["-e", "non fragmented, over fragmentation limit: 65535 fragment - 16332B extension", + "-e", "small, maximum fragmentation: 1 fragment - 20B extension", + "-e", "medium, maximum fragmentation: 1 fragment - 1024B extension"]}, + {"name" : "test-sessionID-resumption.py"}, + {"name" : "test-sig-algs.py"}, + {"name" : "test-signature-algorithms.py", + "comment" : "gnutls doesn't tolerate that much", + "arguments" : ["-e", "tolerance max (32764) number of methods"] + }, + {"name" : "test-sslv2-connection.py"}, + {"name" : "test-sslv2-force-cipher-3des.py"}, + {"name" : "test-sslv2-force-cipher-non3des.py"}, + {"name" : "test-sslv2-force-cipher.py"}, + {"name" : "test-sslv2-force-export-cipher.py"}, + {"name" : "test-sslv2hello-protocol.py"}, + {"name" : "test-SSLv3-padding.py", + "comment" : "we accept zero filled padding in SSLv3", + "exp_pass" : false}, + {"name" : "test-TLSv1_2-rejected-without-TLSv1_2.py"}, + {"name" : "test-truncating-of-client-hello.py" }, + {"name" : "test-truncating-of-finished.py"}, + {"name" : "test-truncating-of-kRSA-client-key-exchange.py"}, + {"name" : "test-unsupported-cuve-fallback.py"}, + {"name" : "test-version-numbers.py"}, + {"name" : "test-zero-length-data.py"} + ] + } +] diff --git a/tests/suite/tls-fuzzer/python-ecdsa b/tests/suite/tls-fuzzer/python-ecdsa new file mode 160000 +Subproject c877639b55fa0651ecbbcc8b0d01627d25e5e8c diff --git a/tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh b/tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh new file mode 100755 index 0000000000..ea19ffcd1f --- /dev/null +++ b/tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh @@ -0,0 +1,68 @@ +#!/bin/bash + +# Copyright (C) 2016-2017 Red Hat, Inc. +# +# This file is part of GnuTLS. +# +# GnuTLS is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 3 of the License, or (at +# your option) any later version. +# +# GnuTLS is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with GnuTLS; if not, write to the Free Software Foundation, +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +srcdir="${srcdir:-.}" +SERV="../../../../src/gnutls-serv${EXEEXT}" +CLI="../../../../src/gnutls-cli${EXEEXT}" + +OUTFILE=tls-fuzzer.debug.log +TMPFILE=tls-fuzzer.$$.tmp + +. "${srcdir}/../scripts/common.sh" + +# We hard-code the port because of limitations in tlsfuzzer +#eval "${GETPORT}" +PORT=4433 + +pushd tls-fuzzer + +if ! test -d tlsfuzzer;then + exit 77 +fi + +rm -f "$OUTFILE" + +pushd tlsfuzzer +test -L ecdsa || ln -s ../python-ecdsa/src/ecdsa ecdsa +test -L tlslite || ln -s ../tlslite-ng/tlslite tlslite 2>/dev/null + +wait_for_free_port $PORT + +retval=0 + +PRIORITY="NORMAL:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:-CURVE-SECP192R1:+VERS-SSL3.0" +${CLI} --list --priority "${PRIORITY}" >/dev/null 2>&1 +if test $? != 0;then + PRIORITY="NORMAL:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:+VERS-SSL3.0" +fi + +TLS_PY=./tlslite-ng/scripts/tls.py +#TLS_PY=$(which tls.py) + +sed -e "s|@SERVER@|$SERV|g" -e "s/@PORT@/$PORT/g" -e "s/@PRIORITY@/$PRIORITY/g" ../gnutls-nocert.json >${TMPFILE} + +PYTHONPATH=. python tests/scripts_retention.py ${TMPFILE} ${SERV} +retval=$? + +rm -f ${TMPFILE} + +popd + +exit $retval diff --git a/tests/suite/tls-fuzzer/tlsfuzzer b/tests/suite/tls-fuzzer/tlsfuzzer new file mode 160000 +Subproject 06c4054658d8e434424aadd90c84996a480baf1 diff --git a/tests/suite/tls-fuzzer/tlslite-ng b/tests/suite/tls-fuzzer/tlslite-ng new file mode 160000 +Subproject 26a323a8beb51a8696f578769295db98121570b |