Diffstat (limited to 'security/nss/tests/tlsfuzzer')
-rw-r--r-- | security/nss/tests/tlsfuzzer/config.json.in | 166 | ||||
-rw-r--r-- | security/nss/tests/tlsfuzzer/tlsfuzzer.sh | 110 |
2 files changed, 276 insertions, 0 deletions
diff --git a/security/nss/tests/tlsfuzzer/config.json.in b/security/nss/tests/tlsfuzzer/config.json.in
new file mode 100644
index 000000000..051bae2be
--- /dev/null
+++ b/security/nss/tests/tlsfuzzer/config.json.in
@@ -0,0 +1,166 @@
+[
+ {
+ "server_command": [
+ "@SELFSERV@", "-w", "nss", "-d", "@SERVERDIR@",
+ "-V", "tls1.0:", "-H", "1",
+ "-n", "rsa",
+ "-n", "rsa-pss",
+ "-J", "rsa_pss_rsae_sha256,rsa_pss_rsae_sha384,rsa_pss_rsae_sha512,rsa_pss_pss_sha256",
+ "-u", "-Z", "-p", "@PORT@"
+ ],
+ "server_hostname": "@HOSTADDR@",
+ "server_port": @PORT@,
+ "tests" : [
+ {
+ "name" : "test-tls13-conversation.py",
+ "arguments": [
+ "-p", "@PORT@"
+ ]
+ },
+ {
+ "name" : "test-tls13-count-tickets.py",
+ "arguments": [
+ "-p", "@PORT@", "-t", "1"
+ ]
+ },
+ {
+ "name" : "test-tls13-dhe-shared-secret-padding.py",
+ "comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1305243",
+ "arguments": [
+ "-p", "@PORT@",
+ "-e", "TLS 1.3 with x448"
+ ]
+ },
+ {
+ "name" : "test-tls13-empty-alert.py",
+ "arguments": [
+ "-p", "@PORT@"
+ ],
+ "comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1471656",
+ "exp_pass": false
+ },
+ {
+ "name" : "test-tls13-ffdhe-sanity.py",
+ "arguments": [
+ "-p", "@PORT@"
+ ]
+ },
+ {
+ "name" : "test-tls13-finished.py",
+ "arguments": [
+ "-p", "@PORT@"
+ ],
+ "comment" : "https://bugzilla.mozilla.org/show_bug.cgi?id=1472747",
+ "exp_pass": false
+ },
+ {
+ "name" : "test-tls13-0rtt-garbage.py",
+ "comment": "the disabled test timeouts because of https://bugzilla.mozilla.org/show_bug.cgi?id=1472747",
+ "arguments": [
+ "-p", "@PORT@", "--cookie",
+ "-e", "undecryptable record later in handshake together with early_data"
+ ]
+ },
+ {
+ "name" : "test-tls13-hrr.py",
+ "arguments": [
+ "-p", "@PORT@", "--cookie"
+ ]
+ },
+ {
+ "name" : "test-tls13-legacy-version.py",
+ "arguments": [
+ "-p", "@PORT@"
+ ],
+ "comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1490006",
+ "exp_pass": false
+ },
+ {
+ "name" : "test-tls13-nociphers.py",
+ "arguments": [
+ "-p", "@PORT@"
+ ]
+ },
+ {
+ "name" : "test-tls13-pkcs-signature.py",
+ "comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1489997",
+ "arguments": [
+ "-p", "@PORT@",
+ "-e", "rsa_pkcs1_sha256 signature",
+ "-e", "rsa_pkcs1_sha384 signature",
+ "-e", "rsa_pkcs1_sha512 signature"
+ ]
+ },
+ {
+ "name" : "test-tls13-rsa-signatures.py",
+ "comment": "selfserv can be set up to use multiple certs, but only one for each auth type",
+ "arguments": [
+ "-p", "@PORT@", "-b",
+ "-e", "tls13 signature rsa_pss_pss_sha384",
+ "-e", "tls13 signature rsa_pss_pss_sha512"
+ ]
+ },
+ {
+ "name" : "test-tls13-rsapss-signatures.py",
+ "comment": "selfserv can be set up to use multiple certs, but only one to each auth type",
+ "arguments": [
+ "-p", "@PORT@", "-b",
+ "-e", "tls13 signature rsa_pss_pss_sha384",
+ "-e", "tls13 signature rsa_pss_pss_sha512"
+ ]
+ },
+ {
+ "name" : "test-tls13-record-padding.py",
+ "arguments": [
+ "-p", "@PORT@"
+ ]
+ },
+ {
+ "name" : "test-tls13-session-resumption.py",
+ "arguments": [
+ "-p", "@PORT@"
+ ]
+ },
+ {
+ "name" : "test-tls13-signature-algorithms.py",
+ "arguments": [
+ "-p", "@PORT@"
+ ],
+ "comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1482386",
+ "exp_pass": false
+ },
+ {
+ "name" : "test-tls13-unrecognised-groups.py",
+ "arguments": [
+ "-p", "@PORT@", "--cookie"
+ ]
+ },
+ {
+ "name" : "test-tls13-version-negotiation.py",
+ "comment": "the disabled test timeouts because of https://github.com/tomato42/tlsfuzzer/issues/452",
+ "arguments": [
+ "-p", "@PORT@",
+ "-e", "SSL 2.0 ClientHello with TLS 1.3 version and TLS 1.3 only ciphersuites"
+ ]
+ },
+ {
+ "name" : "test-tls13-zero-length-data.py",
+ "arguments": [
+ "-p", "@PORT@"
+ ]
+ },
+ {
+ "name" : "test-dhe-no-shared-secret-padding.py",
+ "comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1494221 and SSLv3 cannot be enabled in server",
+ "arguments": [
+ "-p", "@PORT@",
+ "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello",
+ "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello",
+ "-e", "Protocol (3, 2) in SSLv2 compatible ClientHello",
+ "-e", "Protocol (3, 3) in SSLv2 compatible ClientHello",
+ "-e", "Protocol (3, 0)"
+ ]
+ }
+ ]
+ }
+]
diff --git a/security/nss/tests/tlsfuzzer/tlsfuzzer.sh b/security/nss/tests/tlsfuzzer/tlsfuzzer.sh
new file mode 100644
index 000000000..ecc146c24
--- /dev/null
+++ b/security/nss/tests/tlsfuzzer/tlsfuzzer.sh
@@ -0,0 +1,110 @@
+#!/bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# tests/tlsfuzzer/tlsfuzzer.sh
+#
+# Script to drive the ssl tlsfuzzer interop unit tests
+#
+########################################################################
+
+tlsfuzzer_certs()
+{
+ PROFILEDIR=`pwd`
+
+ ${BINDIR}/certutil -N -d "${PROFILEDIR}" --empty-password 2>&1
+ html_msg $? 0 "create tlsfuzzer database"
+
+ pushd "${QADIR}"
+ . common/certsetup.sh
+ popd
+
+ counter=0
+ make_cert rsa rsa2048 sign kex
+ make_cert rsa-pss rsapss sign kex
+}
+
+tlsfuzzer_init()
+{
+ SCRIPTNAME="tlsfuzzer.sh"
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ] ; then
+ cd ../common
+ . ./init.sh
+ fi
+
+ mkdir -p "${HOSTDIR}/tlsfuzzer"
+ pushd "${HOSTDIR}/tlsfuzzer"
+ tlsfuzzer_certs
+
+ TLSFUZZER=${TLSFUZZER:=tlsfuzzer}
+ if [ ! -d "$TLSFUZZER" ]; then
+ # Can't use git-copy.sh here, as tlsfuzzer doesn't have any tags
+ git clone -q https://github.com/tomato42/tlsfuzzer/ "$TLSFUZZER"
+ git -C "$TLSFUZZER" checkout a40ce4085052a4da9a05f9149b835a76c194a0c6
+
+ # We could use tlslite-ng from pip, but the pip command installed
+ # on TC is too old to support --pre
+ ${QADIR}/../fuzz/config/git-copy.sh https://github.com/tomato42/tlslite-ng/ v0.8.0-alpha18 tlslite-ng
+
+ pushd "$TLSFUZZER"
+ ln -s ../tlslite-ng/tlslite tlslite
+ popd
+
+ # Install tlslite-ng dependencies
+ ${QADIR}/../fuzz/config/git-copy.sh https://github.com/warner/python-ecdsa master python-ecdsa
+ ${QADIR}/../fuzz/config/git-copy.sh https://github.com/benjaminp/six master six
+
+ pushd "$TLSFUZZER"
+ ln -s ../python-ecdsa/src/ecdsa ecdsa
+ ln -s ../six/six.py .
+ popd
+ fi
+
+ # Find usable port
+ PORT=${PORT-8443}
+ while true; do
+ "${BINDIR}/selfserv" -w nss -d "${HOSTDIR}/tlsfuzzer" -n rsa \
+ -p "${PORT}" -i selfserv.pid &
+ [ -f selfserv.pid ] || sleep 5
+ if [ -f selfserv.pid ]; then
+ kill $(cat selfserv.pid)
+ wait $(cat selfserv.pid)
+ rm -f selfserv.pid
+ break
+ fi
+ PORT=$(($PORT + 1))
+ done
+
+ sed -e "s|@PORT@|${PORT}|g" \
+ -e "s|@SELFSERV@|${BINDIR}/selfserv|g" \
+ -e "s|@SERVERDIR@|${HOSTDIR}/tlsfuzzer|g" \
+ -e "s|@HOSTADDR@|${HOSTADDR}|g" \
+ ${QADIR}/tlsfuzzer/config.json.in > ${TLSFUZZER}/config.json
+ popd
+
+ SCRIPTNAME="tlsfuzzer.sh"
+ html_head "tlsfuzzer test"
+}
+
+tlsfuzzer_cleanup()
+{
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
+tlsfuzzer_run_tests()
+{
+ pushd "${HOSTDIR}/tlsfuzzer/${TLSFUZZER}"
+ PYTHONPATH=. python tests/scripts_retention.py config.json "${BINDIR}/selfserv"
+ html_msg $? 0 "tlsfuzzer" "Run successfully"
+ popd
+}
+
+cd "$(dirname "$0")"
+tlsfuzzer_init
+tlsfuzzer_run_tests
+tlsfuzzer_cleanup
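Review bot: The two `git-copy.sh` calls under "Install tlslite-ng dependencies" fetch `python-ecdsa` and `six` at `master`, so every run of this harness executes whatever those upstream branches hold at that moment, while tlsfuzzer (commit `a40ce408…`) and tlslite-ng (`v0.8.0-alpha18`) in the same block are pinned; pin these two to a release tag or commit the same way so a test run is reproducible and an upstream change or compromise cannot land in CI unnoticed. The `git clone` / `git checkout` pair in `tlsfuzzer_init` is also unchecked and the script does not use `set -e`, so a failed clone or checkout leaves `$TLSFUZZER` missing or at the wrong revision and execution continues into `tlsfuzzer_run_tests`, where `scripts_retention.py` then fails with an unrelated error; at minimum record the outcome the way the certutil step does, `html_msg $? 0 "checkout tlsfuzzer"`, immediately after the `git -C "$TLSFUZZER" checkout …` line. Note also that when the pinned checkout does fail, the `ln -s` lines still run and the directory now exists, so a later re-run skips the `! -d "$TLSFUZZER"` branch and never repairs it; consider removing `"$TLSFUZZER"` on failure before returning.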