tlsfuzzer: enable atypical padding check

author Nikos Mavrogiannopoulos <nmav@redhat.com>

Thu, 12 Sep 2019 13:21:55 +0000 (15:21 +0200)

committer Nikos Mavrogiannopoulos <nmav@redhat.com>

Fri, 13 Sep 2019 06:30:29 +0000 (08:30 +0200)
author Nikos Mavrogiannopoulos <nmav@redhat.com>
Thu, 12 Sep 2019 13:21:55 +0000 (15:21 +0200)
committer Nikos Mavrogiannopoulos <nmav@redhat.com>
Fri, 13 Sep 2019 06:30:29 +0000 (08:30 +0200)
diff --git a/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json b/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json

index 073c14383310ebd3e502d05948a19d0e60d7ace8..31f63e53988c451b5b807419dd4f09753dd218dd 100644 (file)
--- a/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json
+++ b/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json
@@ -81,6 +81,11 @@
           "arguments": ["-p", "@PORT@"]},
          {"name" : "test-tls13-nociphers.py",
           "arguments": ["-p", "@PORT@"]},
+        {"name" : "test-tls13-non-support.py",
+         "arguments": ["-p", "@PORT@"],
+         "exp_pass" : false},
+        {"name" : "test-tls13-obsolete-curves.py",
+         "arguments": ["-p", "@PORT@"]},
          {"name" : "test-tls13-pkcs-signature.py",
           "arguments": ["-p", "@PORT@"]},
          {"name" : "test-tls13-record-padding.py",
@@ -102,6 +107,8 @@
                         "-e", "8130 invalid schemes",
                         "-e", "23752 invalid schemes",
                         "-e", "32715 invalid schemes"]},
+        {"name" : "test-tls13-symetric-ciphers.py",
+         "arguments": ["-p", "@PORT@"]},
          {"name" : "test-tls13-unrecognised-groups.py",
           "arguments": ["-p", "@PORT@"]},
          {"name" : "test-tls13-version-negotiation.py",
diff --git a/tests/suite/tls-fuzzer/gnutls-nocert.json b/tests/suite/tls-fuzzer/gnutls-nocert.json

index b56ea40163f32431e9f34d7220dced4d6f8797f3..bc3c7a88b23d3ba13a7fbec5f886f04fb8ae2876 100644 (file)
--- a/tests/suite/tls-fuzzer/gnutls-nocert.json
+++ b/tests/suite/tls-fuzzer/gnutls-nocert.json
@@ -32,6 +32,8 @@
            "fragmented, padding ext 16213 bytes"]},
           {"name" : "test-ecdsa-sig-flexibility.py",
            "arguments" : ["-p", "@PORT@"] },
+         {"name" : "test-encrypt-then-mac.py",
+          "arguments" : ["-p", "@PORT@"] },
           {"name" : "test-ocsp-stapling.py",
            "arguments" : ["-p", "@PORT@",
                           "--no-status"] },
@@ -99,20 +101,16 @@
           {"name" : "test-cve-2016-2107.py",
            "arguments" : ["-p", "@PORT@"] },
           {"name" : "test-dhe-key-share-random.py",
-          "comment": "This test assumes that record splitting is performed under SSLv3 and TLS1.0",
            "arguments" : ["-p", "@PORT@",
-                         "-e", "Protocol (3, 1)",
-                         "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello",
                           "-e", "Protocol (3, 0)",
-                         "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello"]},
+                         "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello",
+                         "-z"]},
           {"name" : "test-dhe-no-shared-secret-padding.py",
-          "comment": "This test assumes that record splitting is performed under SSLv3 and TLS1.0",
            "arguments" : ["-p", "@PORT@",
-                         "-e", "Protocol (3, 1)",
-                         "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello",
                           "-e", "Protocol (3, 0)",
                           "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello",
-                         "-n", "4"]},
+                         "-n", "6",
+                         "-z"]},
           {"name" : "test-dhe-rsa-key-exchange.py",
            "arguments" : ["-p", "@PORT@"] },
           {"name" : "test-dhe-rsa-key-exchange-signatures.py",
@@ -129,23 +127,29 @@
           {"name" : "test-early-application-data.py",
            "arguments" : ["-p", "@PORT@"] },
           {"name" : "test-ecdhe-padded-shared-secret.py",
-          "comment": "This test assumes that record splitting is performed under SSLv3 and TLS1.0; we don't support x448",
            "arguments" : ["-p", "@PORT@",
                           "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello",
                           "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello",
+                         "-e", "Protocol (3, 1) with x448 group",
                           "-e", "Protocol (3, 2) with x448 group",
-                         "-n", "4"]},
+                         "-e", "Protocol (3, 3) with x448 group",
+                         "-e", "Protocol (3, 0)",
+                         "-z",
+                         "-n", "6"]},
           {"name" : "test-ecdhe-rsa-key-exchange.py",
            "arguments" : ["-p", "@PORT@"] },
           {"name" : "test-ecdhe-rsa-key-exchange-with-bad-messages.py",
            "arguments" : ["-p", "@PORT@"] },
           {"name" : "test-ecdhe-rsa-key-share-random.py",
-          "comment": "This test assumes that record splitting is performed under SSLv3 and TLS1.0; we don't support x448",
            "arguments" : ["-p", "@PORT@",
                           "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello",
                           "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello",
+                         "-e", "Protocol (3, 1) with x448 group",
                           "-e", "Protocol (3, 2) with x448 group",
-                         "-n", "4"]},
+                         "-e", "Protocol (3, 3) with x448 group",
+                         "-e", "Protocol (3, 0)",
+                         "-z",
+                         "-n", "6"]},
           {"name" : "test-empty-extensions.py",
            "arguments" : ["-p", "@PORT@"] },
           {"name" : "test-export-ciphers-rejected.py",
@@ -201,7 +205,8 @@
           {"name" : "test-invalid-client-hello.py",
            "arguments" : ["-p", "@PORT@"] },
           {"name" : "test-invalid-client-hello-w-record-overflow.py",
-          "arguments" : ["-p", "@PORT@"] },
+          "arguments" : ["-p", "@PORT@",
+                         "-n", "10"] },
           {"name" : "test-invalid-compression-methods.py",
            "arguments" : ["-p", "@PORT@"] },
           {"name" : "test-invalid-content-type.py",
@@ -256,12 +261,14 @@
           {"name" : "test-sessionID-resumption.py",
            "arguments" : ["-p", "@PORT@"] },
           {"name" : "test-serverhello-random.py",
-          "comment": "This test assumes that record splitting is performed under SSLv3 and TLS1.0; we don't support x448",
            "arguments" : ["-p", "@PORT@",
                           "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello",
-                         "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello",
+                         "-e", "Protocol (3, 1) with x448 group",
                           "-e", "Protocol (3, 2) with x448 group",
-                         "-n", "4"]},
+                         "-e", "Protocol (3, 3) with x448 group",
+                         "-e", "Protocol (3, 0)",
+                         "-z",
+                         "-n", "6"]},
           {"name" : "test-sig-algs.py",
            "arguments" : ["-p", "@PORT@",
                           "-e", "rsa_pss_pss_sha256 only",
diff --git a/tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh b/tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh

index 77a1d050cd2131c05214134d94f9363aab38986f..6e6b809c5707478d3bea5ccd133755d4f73d5fee 100755 (executable)
--- a/tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh
+++ b/tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh
@@ -22,10 +22,10 @@ srcdir="${srcdir:-.}"
  
  tls_fuzzer_prepare() {
  VERSIONS="-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0"
-PRIORITY="NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:-CURVE-SECP192R1:${VERSIONS}:+SHA256"
+PRIORITY="NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:-CURVE-SECP192R1:${VERSIONS}:+SHA256:+SHA384"
  ${CLI} --list --priority "${PRIORITY}" >/dev/null 2>&1
  if test $? != 0;then
-       PRIORITY="NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:${VERSIONS}:+SHA256"
+       PRIORITY="NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:${VERSIONS}:+SHA256:+SHA384"
  fi
  
  sed -e "s|@SERVER@|$SERV|g" -e "s/@PORT@/$PORT/g" -e "s/@PRIORITY@/$PRIORITY/g" ../gnutls-nocert.json >${TMPFILE}
diff --git a/tests/suite/tls-fuzzer/tlsfuzzer b/tests/suite/tls-fuzzer/tlsfuzzer

index 79936b86187ca48ced7c40b9b1a3872386c3f563..3d57169c83e960597d7f90f4b837858d9530d7fb 160000 (submodule)
--- a/tests/suite/tls-fuzzer/tlsfuzzer
+++ b/tests/suite/tls-fuzzer/tlsfuzzer
@@ -1 +1 @@
-Subproject commit 79936b86187ca48ced7c40b9b1a3872386c3f563
+Subproject commit 3d57169c83e960597d7f90f4b837858d9530d7fb
author	Nikos Mavrogiannopoulos <nmav@redhat.com>
	Thu, 12 Sep 2019 13:21:55 +0000 (15:21 +0200)
committer	Nikos Mavrogiannopoulos <nmav@redhat.com>
	Fri, 13 Sep 2019 06:30:29 +0000 (08:30 +0200)
tests/suite/tls-fuzzer/gnutls-nocert-tls13.json		patch \| blob \| blame \| history
tests/suite/tls-fuzzer/gnutls-nocert.json		patch \| blob \| blame \| history
tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh		patch \| blob \| blame \| history
tests/suite/tls-fuzzer/tlsfuzzer		patch \| blob \| blame \| history