From: Nikos Mavrogiannopoulos Date: Thu, 12 Sep 2019 13:21:55 +0000 (+0200) Subject: tlsfuzzer: enable atypical padding check X-Git-Tag: gnutls_3_6_10~13^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5fac5af99b418171c285ae49d3cd8381a852dfd7;p=thirdparty%2Fgnutls.git tlsfuzzer: enable atypical padding check The atypical padding check is complementary to the existing GnuTLS 2.12.x interop test. This commit also upgrades to the latest version, and adds new TLS1.3 tests as well. Signed-off-by: Nikos Mavrogiannopoulos --- diff --git a/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json b/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json index 073c143833..31f63e5398 100644 --- a/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json +++ b/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json @@ -81,6 +81,11 @@ "arguments": ["-p", "@PORT@"]}, {"name" : "test-tls13-nociphers.py", "arguments": ["-p", "@PORT@"]}, + {"name" : "test-tls13-non-support.py", + "arguments": ["-p", "@PORT@"], + "exp_pass" : false}, + {"name" : "test-tls13-obsolete-curves.py", + "arguments": ["-p", "@PORT@"]}, {"name" : "test-tls13-pkcs-signature.py", "arguments": ["-p", "@PORT@"]}, {"name" : "test-tls13-record-padding.py", @@ -102,6 +107,8 @@ "-e", "8130 invalid schemes", "-e", "23752 invalid schemes", "-e", "32715 invalid schemes"]}, + {"name" : "test-tls13-symetric-ciphers.py", + "arguments": ["-p", "@PORT@"]}, {"name" : "test-tls13-unrecognised-groups.py", "arguments": ["-p", "@PORT@"]}, {"name" : "test-tls13-version-negotiation.py", diff --git a/tests/suite/tls-fuzzer/gnutls-nocert.json b/tests/suite/tls-fuzzer/gnutls-nocert.json index b56ea40163..bc3c7a88b2 100644 --- a/tests/suite/tls-fuzzer/gnutls-nocert.json +++ b/tests/suite/tls-fuzzer/gnutls-nocert.json @@ -32,6 +32,8 @@ "fragmented, padding ext 16213 bytes"]}, {"name" : "test-ecdsa-sig-flexibility.py", "arguments" : ["-p", "@PORT@"] }, + {"name" : "test-encrypt-then-mac.py", + "arguments" : ["-p", "@PORT@"] }, {"name" : "test-ocsp-stapling.py", "arguments" : ["-p", "@PORT@", "--no-status"] }, @@ -99,20 +101,16 @@ {"name" : "test-cve-2016-2107.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-dhe-key-share-random.py", - "comment": "This test assumes that record splitting is performed under SSLv3 and TLS1.0", "arguments" : ["-p", "@PORT@", - "-e", "Protocol (3, 1)", - "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello", "-e", "Protocol (3, 0)", - "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello"]}, + "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello", + "-z"]}, {"name" : "test-dhe-no-shared-secret-padding.py", - "comment": "This test assumes that record splitting is performed under SSLv3 and TLS1.0", "arguments" : ["-p", "@PORT@", - "-e", "Protocol (3, 1)", - "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello", "-e", "Protocol (3, 0)", "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello", - "-n", "4"]}, + "-n", "6", + "-z"]}, {"name" : "test-dhe-rsa-key-exchange.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-dhe-rsa-key-exchange-signatures.py", @@ -129,23 +127,29 @@ {"name" : "test-early-application-data.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-ecdhe-padded-shared-secret.py", - "comment": "This test assumes that record splitting is performed under SSLv3 and TLS1.0; we don't support x448", "arguments" : ["-p", "@PORT@", "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello", "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello", + "-e", "Protocol (3, 1) with x448 group", "-e", "Protocol (3, 2) with x448 group", - "-n", "4"]}, + "-e", "Protocol (3, 3) with x448 group", + "-e", "Protocol (3, 0)", + "-z", + "-n", "6"]}, {"name" : "test-ecdhe-rsa-key-exchange.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-ecdhe-rsa-key-exchange-with-bad-messages.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-ecdhe-rsa-key-share-random.py", - "comment": "This test assumes that record splitting is performed under SSLv3 and TLS1.0; we don't support x448", "arguments" : ["-p", "@PORT@", "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello", "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello", + "-e", "Protocol (3, 1) with x448 group", "-e", "Protocol (3, 2) with x448 group", - "-n", "4"]}, + "-e", "Protocol (3, 3) with x448 group", + "-e", "Protocol (3, 0)", + "-z", + "-n", "6"]}, {"name" : "test-empty-extensions.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-export-ciphers-rejected.py", @@ -201,7 +205,8 @@ {"name" : "test-invalid-client-hello.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-invalid-client-hello-w-record-overflow.py", - "arguments" : ["-p", "@PORT@"] }, + "arguments" : ["-p", "@PORT@", + "-n", "10"] }, {"name" : "test-invalid-compression-methods.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-invalid-content-type.py", @@ -256,12 +261,14 @@ {"name" : "test-sessionID-resumption.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-serverhello-random.py", - "comment": "This test assumes that record splitting is performed under SSLv3 and TLS1.0; we don't support x448", "arguments" : ["-p", "@PORT@", "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello", - "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello", + "-e", "Protocol (3, 1) with x448 group", "-e", "Protocol (3, 2) with x448 group", - "-n", "4"]}, + "-e", "Protocol (3, 3) with x448 group", + "-e", "Protocol (3, 0)", + "-z", + "-n", "6"]}, {"name" : "test-sig-algs.py", "arguments" : ["-p", "@PORT@", "-e", "rsa_pss_pss_sha256 only", diff --git a/tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh b/tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh index 77a1d050cd..6e6b809c57 100755 --- a/tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh +++ b/tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh @@ -22,10 +22,10 @@ srcdir="${srcdir:-.}" tls_fuzzer_prepare() { VERSIONS="-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0" -PRIORITY="NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:-CURVE-SECP192R1:${VERSIONS}:+SHA256" +PRIORITY="NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:-CURVE-SECP192R1:${VERSIONS}:+SHA256:+SHA384" ${CLI} --list --priority "${PRIORITY}" >/dev/null 2>&1 if test $? != 0;then - PRIORITY="NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:${VERSIONS}:+SHA256" + PRIORITY="NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:${VERSIONS}:+SHA256:+SHA384" fi sed -e "s|@SERVER@|$SERV|g" -e "s/@PORT@/$PORT/g" -e "s/@PRIORITY@/$PRIORITY/g" ../gnutls-nocert.json >${TMPFILE} diff --git a/tests/suite/tls-fuzzer/tlsfuzzer b/tests/suite/tls-fuzzer/tlsfuzzer index 79936b8618..3d57169c83 160000 --- a/tests/suite/tls-fuzzer/tlsfuzzer +++ b/tests/suite/tls-fuzzer/tlsfuzzer @@ -1 +1 @@ -Subproject commit 79936b86187ca48ced7c40b9b1a3872386c3f563 +Subproject commit 3d57169c83e960597d7f90f4b837858d9530d7fb