From: Dmitry Belyavskiy Date: Wed, 22 Dec 2021 17:13:40 +0000 (+0100) Subject: TLS Fuzzer: initial test infrastructure X-Git-Tag: openssl-3.2.0-alpha1~3133 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=db87f89b7393eea395b82050c7fc4e1869ef112e;p=thirdparty%2Fopenssl.git TLS Fuzzer: initial test infrastructure Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17340)
---
diff --git a/test/recipes/95-test_external_tlsfuzzer.t b/test/recipes/95-test_external_tlsfuzzer.t
new file mode 100644
index 00000000000..e506f8007a7
--- /dev/null
+++ b/test/recipes/95-test_external_tlsfuzzer.t
@@ -0,0 +1,28 @@
+#! /usr/bin/env perl
+# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test;
+use OpenSSL::Test::Utils;
+use OpenSSL::Test qw/:DEFAULT data_file data_dir bldtop_dir srctop_dir cmdstr/;
+use Cwd qw(abs_path);
+
+setup("test_external_tlsfuzzer");
+
+plan skip_all => "No external tests in this configuration"
+ if disabled("external-tests");
+plan skip_all => "TLSFuzzer tests not available on Windows or VMS"
+ if $^O =~ /^(VMS|MSWin32)$/;
+plan skip_all => "TLSFuzzer tests not supported in out of tree builds"
+ if bldtop_dir() ne srctop_dir();
+
+$ENV{TESTDATADIR} = abs_path(data_dir());
+plan tests => 1;
+
+ok(run(cmd(["sh", data_file("tls-fuzzer-cert.sh")])),
+ "running TLSFuzzer tests");
diff --git a/test/recipes/95-test_external_tlsfuzzer_data/cert.json.in b/test/recipes/95-test_external_tlsfuzzer_data/cert.json.in
new file mode 100644
index 00000000000..1bc20799d9b
--- /dev/null
+++ b/test/recipes/95-test_external_tlsfuzzer_data/cert.json.in
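Review bot: The new recipe test/recipes/95-test_external_tlsfuzzer.t does not enable `use strict;` and `use warnings;`, so an undefined result from `abs_path(data_dir())` would be written to `$ENV{TESTDATADIR}` without any diagnostic, and the shell helper uses that variable to locate the script it sources. Add both pragmas above the first `use OpenSSL::Test;` line. `OpenSSL::Test` is imported twice and `cmdstr` is never used in this file; the single line `use OpenSSL::Test qw/:DEFAULT data_file data_dir bldtop_dir srctop_dir/;` covers what the recipe calls. The helper is launched with `sh` although both helper scripts declare `#!/bin/bash`, so either invoke the interpreter they are written for or add a comment stating that they must stay POSIX-only.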
@@ -0,0 +1,38 @@
+[
+ {"server_command": ["@SERVER@", "s_server", "-www",
+ "-key", "tests/serverX509Key.pem",
+ "-cert", "tests/serverX509Cert.pem",
+ "-verify", "1", "-CAfile", "tests/clientX509Cert.pem"],
+ "comment": "Use ANY certificate just to ensure that server tries to authorise a client",
+ "environment": {"PYTHONPATH" : "."},
+ "server_hostname": "localhost",
+ "server_port": @PORT@,
+ "tests" : [
+ {"name" : "test-tls13-certificate-verify.py",
+ "arguments" : ["-k", "tests/clientX509Key.pem",
+ "-c", "tests/clientX509Cert.pem",
+ "-s", "ecdsa_secp256r1_sha256 ecdsa_secp384r1_sha384 ecdsa_secp521r1_sha512 ed25519 ed448 8+26 8+27 8+28 rsa_pss_pss_sha256 rsa_pss_pss_sha384 rsa_pss_pss_sha512 rsa_pss_rsae_sha256 rsa_pss_rsae_sha384 rsa_pss_rsae_sha512 rsa_pkcs1_sha256 rsa_pkcs1_sha384 rsa_pkcs1_sha512 ecdsa_sha224 rsa_pkcs1_sha224",
+ "-p", "@PORT@"]},
+ {"name" : "test-tls13-ecdsa-in-certificate-verify.py",
+ "arguments" : ["-k", "tests/serverECKey.pem",
+ "-c", "tests/serverECCert.pem",
+ "-s", "ecdsa_secp256r1_sha256 ecdsa_secp384r1_sha384 ecdsa_secp521r1_sha512 ed25519 ed448 8+26 8+27 8+28 rsa_pss_pss_sha256 rsa_pss_pss_sha384 rsa_pss_pss_sha512 rsa_pss_rsae_sha256 rsa_pss_rsae_sha384 rsa_pss_rsae_sha512 rsa_pkcs1_sha256 rsa_pkcs1_sha384 rsa_pkcs1_sha512 ecdsa_sha224 rsa_pkcs1_sha224",
+ "-p", "@PORT@"]}
+ ]
+ },
+ {"server_command": ["@SERVER@", "s_server", "-www",
+ "-key", "tests/serverX509Key.pem",
+ "-cert", "tests/serverX509Cert.pem"],
+ "environment": {"PYTHONPATH" : "."},
+ "server_hostname": "localhost",
+ "server_port": @PORT@,
+ "tests" : [
+ {"name" : "test-tls13-conversation.py",
+ "arguments" : ["-p", "@PORT@"]},
+ {"name" : "test-conversation.py",
+ "arguments" : ["-p", "@PORT@",
+ "-d"]}
+ ]
+ }
+
+]
diff --git a/test/recipes/95-test_external_tlsfuzzer_data/tls-fuzzer-cert.sh b/test/recipes/95-test_external_tlsfuzzer_data/tls-fuzzer-cert.sh
new file mode 100644
index 00000000000..60bb8cffa1e
--- /dev/null
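Review bot: Neither `server_command` array in cert.json.in passes the listening port to `s_server`, so the `@PORT@` substitution reaches only `server_port` and the client scripts' `-p` argument. The two sides agree only because `PORT=4433` in tlsfuzzer.sh equals the s_server default. Adding `"-port", "@PORT@"` to both `server_command` arrays keeps the server and the clients in step if the port is ever changed, for instance to avoid a collision between parallel test runs on one host.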
+++ b/test/recipes/95-test_external_tlsfuzzer_data/tls-fuzzer-cert.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+tls_fuzzer_prepare() {
+
+sed -e "s|@SERVER@|$SERV|g" -e "s/@PORT@/$PORT/g" -e "s/@PRIORITY@/$PRIORITY/g" ${TESTDATADIR}/cert.json.in >${TMPFILE}
+}
+
+. "${TESTDATADIR}/tlsfuzzer.sh"
+
diff --git a/test/recipes/95-test_external_tlsfuzzer_data/tlsfuzzer.sh b/test/recipes/95-test_external_tlsfuzzer_data/tlsfuzzer.sh
new file mode 100644
index 00000000000..a9f781de333
--- /dev/null
+++ b/test/recipes/95-test_external_tlsfuzzer_data/tlsfuzzer.sh
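Review bot: In `tls_fuzzer_prepare` (tls-fuzzer-cert.sh) the input and output paths are expanded unquoted, so a build tree whose path contains whitespace or glob characters breaks the command or the redirection; quote both as `"${TESTDATADIR}/cert.json.in" >"${TMPFILE}"`. `$SERV` is also spliced unescaped into the sed replacement and from there into a JSON string, so a path containing `|`, `&`, a backslash or `"` yields a wrong or invalid generated file; the values come from the local build tree, so this is a robustness problem rather than an exposure. `@PRIORITY@` does not occur in cert.json.in and `$PRIORITY` is not set in the scripts shown here, so the third `-e` expression looks like a leftover. The script sources `"${TESTDATADIR}/tlsfuzzer.sh"` without checking that the variable is set; `: "${TESTDATADIR:?TESTDATADIR is not set}"` before the `.` line stops it from resolving to `/tlsfuzzer.sh`.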
@@ -0,0 +1,73 @@
+#!/bin/bash
+#
+# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+#
+# OpenSSL external testing using the TLSFuzzer test suite
+#
+set -e
+
+PWD="$(pwd)"
+
+SRCTOP="$(cd $SRCTOP; pwd)"
+BLDTOP="$(cd $BLDTOP; pwd)"
+
+if [ "$SRCTOP" != "$BLDTOP" ] ; then
+ echo "Out of tree builds not supported with TLSFuzzer test!"
+ exit 1
+fi
+
+O_EXE="$BLDTOP/apps"
+O_BINC="$BLDTOP/include"
+O_SINC="$SRCTOP/include"
+O_LIB="$BLDTOP"
+
+export PATH="$O_EXE:$PATH"
+export LD_LIBRARY_PATH="$O_LIB:$LD_LIBRARY_PATH"
+export OPENSSL_ROOT_DIR="$O_LIB"
+
+# Check/Set openssl version
+OPENSSL_VERSION=`openssl version | cut -f 2 -d ' '`
+
+CLI="${O_EXE}/openssl"
+SERV="${O_EXE}/openssl"
+
+TMPFILE="${PWD}/tls-fuzzer.$$.tmp"
+PSKFILE="${PWD}/tls-fuzzer.psk.$$.tmp"
+
+PYTHON=`which python`
+PORT=4433
+
+echo "------------------------------------------------------------------"
+echo "Testing OpenSSL using TLSFuzzer:"
+echo " CWD: $PWD"
+echo " SRCTOP: $SRCTOP"
+echo " BLDTOP: $BLDTOP"
+echo " OPENSSL_ROOT_DIR: $OPENSSL_ROOT_DIR"
+echo " Python: $PYTHON"
+echo " TESTDATADIR: $TESTDATADIR"
+echo "------------------------------------------------------------------"
+
+cd "${SRCTOP}/tlsfuzzer"
+
+test -L ecdsa || ln -s ../python-ecdsa/src/ecdsa ecdsa
+test -L tlslite || ln -s ../tlslite-ng/tlslite tlslite 2>/dev/null
+
+retval=0
+
+tls_fuzzer_prepare
+
+PYTHONPATH=. "${PYTHON}" tests/scripts_retention.py ${TMPFILE} ${SERV} 821
+retval=$?
+
+rm -f ${TMPFILE}
+[ -f "${PSKFILE}" ] && rm -f ${PSKFILE}
+
+cd $PWD
+
+exit $retval
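Review bot: With `set -e` active in tlsfuzzer.sh, a failing `tests/scripts_retention.py` run terminates the shell on that line, so `retval=$?` can only ever record 0 and the `rm -f ${TMPFILE}` cleanup is skipped exactly when the test fails. Capture the status without tripping errexit, `PYTHONPATH=. "${PYTHON}" tests/scripts_retention.py "${TMPFILE}" "${SERV}" 821 || retval=$?`, or register the cleanup with `trap` before the run. `export LD_LIBRARY_PATH="$O_LIB:$LD_LIBRARY_PATH"` leaves a trailing empty entry when the variable was unset, which the dynamic loader reads as the current directory, and after the `cd` that is the third-party tlsfuzzer checkout; `export LD_LIBRARY_PATH="$O_LIB${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"` avoids it. Assigning to `PWD` is fragile because `cd` rewrites that variable, so the final `cd $PWD` does not return to the starting directory; a separately named variable, quoted at use, would.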