author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-03-28 08:58:29 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-03-28 09:30:13 +0200 |
commit | d189cd7979450c2d6d2c1fa3ec4ae0584c82525c (patch) | |
tree | 046a769c5216d922387e8384c83d8666366edf44 /tests | |
parent | 211aec736078e3f775e11c5db812111c809d1842 (diff) | |
download | gnutls-d189cd7979450c2d6d2c1fa3ec4ae0584c82525c.tar.gz |
testsuite: added tlsfuzzer certificate requiring tests
This enhances the testsuite by running all the tlsfuzzer
fuzzer tests which require certificates from server.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'tests')
-rw-r--r-- | tests/suite/Makefile.am | 3 | ||||
-rw-r--r-- | tests/suite/tls-fuzzer/gnutls-cert.json | 43 | ||||
-rwxr-xr-x | tests/suite/tls-fuzzer/tls-fuzzer-cert.sh | 68 |
3 files changed, 113 insertions, 1 deletions
diff --git a/tests/suite/Makefile.am b/tests/suite/Makefile.am index 27c8689b1e..233e6545ff 100644 --- a/tests/suite/Makefile.am +++ b/tests/suite/Makefile.am @@ -91,7 +91,8 @@ EXTRA_DIST += testcompat-main-polarssl testcompat-main-openssl testcompat-common testpkcs11.pkcs15 testpkcs11.softhsm testpkcs11.sc-hsm nodist_check_SCRIPTS = testsrn.sh chain.sh invalid-cert.sh \ testrng.sh testcompat-polarssl.sh testcompat-openssl.sh \ - testrandom.sh pkcs7-cat certtool-pkcs11.sh tls-fuzzer/tls-fuzzer-nocert.sh + testrandom.sh pkcs7-cat certtool-pkcs11.sh tls-fuzzer/tls-fuzzer-nocert.sh \ + tls-fuzzer/tls-fuzzer-cert.sh if ENABLE_PKCS11 nodist_check_SCRIPTS += testpkcs11.sh crl-test diff --git a/tests/suite/tls-fuzzer/gnutls-cert.json b/tests/suite/tls-fuzzer/gnutls-cert.json new file mode 100644 index 0000000000..68720b48fd --- /dev/null +++ b/tests/suite/tls-fuzzer/gnutls-cert.json 
@@ -0,0 +1,43 @@
+[
+ {"server_command": ["@SERVER@", "--http",
+ "--x509keyfile", "tests/serverX509Key.pem",
+ "--x509certfile", "tests/serverX509Cert.pem",
+ "--debug=4",
+ "--priority=@PRIORITY@",
+ "--port=@PORT@"],
+ "environment": {"PYTHONPATH" : "."},
+ "tests" : [
+ {"name": "test-rsa-sigs-on-certificate-verify.py",
+ "arguments" : ["-k", "tests/clientX509Key.pem",
+ "-c", "tests/clientX509Cert.pem"]
+ },
+ {"name" : "test-certificate-verify.py",
+ "arguments" : ["-k", "tests/clientX509Key.pem",
+ "-c", "tests/clientX509Cert.pem"]
+ },
+ {"name" : "test-certificate-verify-malformed.py",
+ "arguments" : ["-k", "tests/clientX509Key.pem",
+ "-c", "tests/clientX509Cert.pem"],
+ "comment" : "for some reason tlsfuzzer does require decryption error alert",
+ "exp_pass" : false
+ },
+ {"name" : "test-certificate-verify-malformed-sig.py",
+ "arguments" : ["-k", "tests/clientX509Key.pem",
+ "-c", "tests/clientX509Cert.pem"]
+ },
+ {"name" : "test-certificate-request.py",
+ "comment" : "tlsfuzzer doesn't like our set of algorithms",
+ "arguments" : ["-k", "tests/clientX509Key.pem",
+ "-c", "tests/clientX509Cert.pem",
+ "-e", "check sigalgs in cert request"]
+ },
+ {"name": "test-certificate-malformed.py",
+ "comment" : "tlsfuzzer doesn't like the alerts we send",
+ "arguments" : ["-k", "tests/clientX509Key.pem",
+ "-c", "tests/clientX509Cert.pem",
+ "-e", "fuzz empty certificate - overall 7, certs 4, cert 1",
+ "-e", "fuzz empty certificate - overall 8, certs 5, cert 2"]
+ }
+ ]
+ }
+]
diff --git a/tests/suite/tls-fuzzer/tls-fuzzer-cert.sh b/tests/suite/tls-fuzzer/tls-fuzzer-cert.sh
new file mode 100755
index 0000000000..ac942f3e6c
--- /dev/null
+++ b/tests/suite/tls-fuzzer/tls-fuzzer-cert.sh
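Review bot: In gnutls-cert.json the `test-certificate-verify-malformed.py` entry is marked `"exp_pass" : false` with only the comment `"for some reason tlsfuzzer does require decryption error alert"`, so the expected failure is left unexplained. If the runner accepts any failure of that script as the expected outcome, a regression in how malformed CertificateVerify messages are rejected would go unnoticed. It would be safer to record which alert the server actually sends and, as the other entries do with `-e`, exclude only the individual cases that disagree. The comments on the `-e` exclusions for `test-certificate-request.py` and `test-certificate-malformed.py` would benefit from the same detail (which algorithm set or alert differs).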
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+# Copyright (C) 2017 Red Hat, Inc.
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+srcdir="${srcdir:-.}"
+SERV="../../../../src/gnutls-serv${EXEEXT}"
+CLI="../../../../src/gnutls-cli${EXEEXT}"
+
+OUTFILE=tls-fuzzer-cert.debug.log
+TMPFILE=tls-fuzzer-cert.$$.tmp
+
+. "${srcdir}/../scripts/common.sh"
+
+# We hard-code the port because of limitations in tlsfuzzer
+#eval "${GETPORT}"
+PORT=4433
+
+pushd tls-fuzzer
+
+if ! test -d tlsfuzzer;then
+ exit 77
+fi
+
+rm -f "$OUTFILE"
+
+pushd tlsfuzzer
+test -L ecdsa || ln -s ../python-ecdsa/src/ecdsa ecdsa
+test -L tlslite || ln -s ../tlslite-ng/tlslite tlslite 2>/dev/null
+
+wait_for_free_port $PORT
+
+retval=0
+
+PRIORITY="NORMAL:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:-CURVE-SECP192R1:+VERS-SSL3.0"
+${CLI} --list --priority "${PRIORITY}" >/dev/null 2>&1
+if test $? != 0;then
+ PRIORITY="NORMAL:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:+VERS-SSL3.0"
+fi
+
+TLS_PY=./tlslite-ng/scripts/tls.py
+#TLS_PY=$(which tls.py)
+
+sed -e "s|@SERVER@|$SERV|g" -e "s/@PORT@/$PORT/g" -e "s/@PRIORITY@/$PRIORITY/g" ../gnutls-cert.json >${TMPFILE}
+
+PYTHONPATH=. python tests/scripts_retention.py ${TMPFILE} ${SERV}
+retval=$?
+
+rm -f ${TMPFILE}
+
+popd
+
+exit $retval |
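Review bot: Neither `pushd` in tls-fuzzer-cert.sh is checked, so when `pushd tls-fuzzer` fails the `test -d tlsfuzzer` that follows runs in the wrong directory and the script exits 77, which the automake harness reports as a skip instead of an error; `pushd tls-fuzzer || exit 1` and `pushd tlsfuzzer || exit 1` would make a broken layout visible. The exit status of `sed` is not checked either, so a missing `../gnutls-cert.json` only surfaces indirectly through `scripts_retention.py`, and `${TMPFILE}` and `${SERV}` are expanded unquoted on that call. `PORT=4433` is fixed, so if another check script binds the same port (the existing tls-fuzzer-nocert.sh is not visible here) the two can collide when the suite runs in parallel. `OUTFILE` is removed but never written and `TLS_PY` is assigned but not used in this hunk; either use them or drop them.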