The branch master has been updated via e66c41725f03dae2b295df048312fe6d28729e98 (commit) via db87f89b7393eea395b82050c7fc4e1869ef112e (commit) via cccbb4fa60ca890a0ce6757fcba5669208fffa46 (commit) from 0da3b39af3d961486758262ca71d2135d7013048 (commit)
- Log ----------------------------------------------------------------- commit e66c41725f03dae2b295df048312fe6d28729e98 Author: Dmitry Belyavskiy <beld...@gmail.com> Date: Thu Dec 23 11:19:07 2021 +0100 Run TLSfuzzer tests for CI Reviewed-by: Paul Dale <pa...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17340) commit db87f89b7393eea395b82050c7fc4e1869ef112e Author: Dmitry Belyavskiy <beld...@gmail.com> Date: Wed Dec 22 18:13:40 2021 +0100 TLS Fuzzer: initial test infrastructure Reviewed-by: Paul Dale <pa...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17340) commit cccbb4fa60ca890a0ce6757fcba5669208fffa46 Author: Dmitry Belyavskiy <beld...@gmail.com> Date: Wed Dec 22 18:11:21 2021 +0100 TLSfuzzer: submodules Reviewed-by: Paul Dale <pa...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17340) ----------------------------------------------------------------------- Summary of changes: .github/workflows/ci.yml | 2 + .gitmodules | 9 +++ python-ecdsa | 1 + test/recipes/95-test_external_tlsfuzzer.t | 28 +++++++++ .../95-test_external_tlsfuzzer_data/cert.json.in | 38 +++++++++++ .../tls-fuzzer-cert.sh | 9 +++ .../95-test_external_tlsfuzzer_data/tlsfuzzer.sh | 73 ++++++++++++++++++++++ tlsfuzzer | 1 + tlslite-ng | 1 + 9 files changed, 162 insertions(+) create mode 160000 python-ecdsa create mode 100644 test/recipes/95-test_external_tlsfuzzer.t create mode 100644 test/recipes/95-test_external_tlsfuzzer_data/cert.json.in create mode 100644 test/recipes/95-test_external_tlsfuzzer_data/tls-fuzzer-cert.sh create mode 100644 test/recipes/95-test_external_tlsfuzzer_data/tlsfuzzer.sh create mode 160000 tlsfuzzer create mode 160000 tlslite-ng diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b52b8c15f4..103f4c774f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -273,6 +273,8 @@ jobs: run: make test TESTS="test_external_gost_engine" - name: test external krb5 run: make test TESTS="test_external_krb5" + - name: test external_tlsfuzzer + run: make test TESTS="test_external_tlsfuzzer" external-test-pyca: runs-on: ubuntu-latest diff --git a/.gitmodules b/.gitmodules index 35f803a99c..1d4c6c9da7 100644 --- a/.gitmodules +++ b/.gitmodules @@ -13,3 +13,12 @@ [submodule "wycheproof"] path = wycheproof url = https://github.com/google/wycheproof +[submodule "tlsfuzzer"] + path = tlsfuzzer + url = https://github.com/tlsfuzzer/tlsfuzzer +[submodule "python-ecdsa"] + path = python-ecdsa + url = https://github.com/tlsfuzzer/python-ecdsa +[submodule "tlslite-ng"] + path = tlslite-ng + url = https://github.com/tlsfuzzer/tlslite-ng diff --git a/python-ecdsa b/python-ecdsa new file mode 160000 index 0000000000..4de8d5bf89 --- /dev/null +++ b/python-ecdsa @@ -0,0 +1 @@ +Subproject commit 4de8d5bf89089d1140eb99aa5d7eb2dc8e6337b6 diff --git a/test/recipes/95-test_external_tlsfuzzer.t b/test/recipes/95-test_external_tlsfuzzer.t new file mode 100644 index 0000000000..e506f8007a --- /dev/null +++ b/test/recipes/95-test_external_tlsfuzzer.t 
@@ -0,0 +1,28 @@
+#! /usr/bin/env perl
+# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test;
+use OpenSSL::Test::Utils;
+use OpenSSL::Test qw/:DEFAULT data_file data_dir bldtop_dir srctop_dir cmdstr/;
+use Cwd qw(abs_path);
+
+setup("test_external_tlsfuzzer");
+
+plan skip_all => "No external tests in this configuration"
+ if disabled("external-tests");
+plan skip_all => "TLSFuzzer tests not available on Windows or VMS"
+ if $^O =~ /^(VMS|MSWin32)$/;
+plan skip_all => "TLSFuzzer tests not supported in out of tree builds"
+ if bldtop_dir() ne srctop_dir();
+
+$ENV{TESTDATADIR} = abs_path(data_dir());
+plan tests => 1;
+
+ok(run(cmd(["sh", data_file("tls-fuzzer-cert.sh")])),
+ "running TLSFuzzer tests");
diff --git a/test/recipes/95-test_external_tlsfuzzer_data/cert.json.in b/test/recipes/95-test_external_tlsfuzzer_data/cert.json.in
new file mode 100644
index 0000000000..1bc20799d9
--- /dev/null
+++ b/test/recipes/95-test_external_tlsfuzzer_data/cert.json.in
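Review bot: test/recipes/95-test_external_tlsfuzzer.t has no `use strict; use warnings;`, and it loads `OpenSSL::Test` twice: the bare `use OpenSSL::Test;` is redundant next to the `qw/:DEFAULT …/` import two lines below it, which also imports `cmdstr` without using it. Adding the two pragmas after the licence header and dropping the bare import would make undeclared variables and uninitialised values show up when the recipe is edited later. The recipe exports only `TESTDATADIR`, while the shell scripts it starts also read `SRCTOP` and `BLDTOP`; those presumably come from the test harness, so a comment such as `# SRCTOP and BLDTOP are expected in the environment` above the `$ENV{TESTDATADIR}` line would help anyone running the script by hand.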
@@ -0,0 +1,38 @@
+[
+ {"server_command": ["@SERVER@", "s_server", "-www",
+ "-key", "tests/serverX509Key.pem",
+ "-cert", "tests/serverX509Cert.pem",
+ "-verify", "1", "-CAfile", "tests/clientX509Cert.pem"],
+ "comment": "Use ANY certificate just to ensure that server tries to authorise a client",
+ "environment": {"PYTHONPATH" : "."},
+ "server_hostname": "localhost",
+ "server_port": @PORT@,
+ "tests" : [
+ {"name" : "test-tls13-certificate-verify.py",
+ "arguments" : ["-k", "tests/clientX509Key.pem",
+ "-c", "tests/clientX509Cert.pem",
+ "-s", "ecdsa_secp256r1_sha256 ecdsa_secp384r1_sha384 ecdsa_secp521r1_sha512 ed25519 ed448 8+26 8+27 8+28 rsa_pss_pss_sha256 rsa_pss_pss_sha384 rsa_pss_pss_sha512 rsa_pss_rsae_sha256 rsa_pss_rsae_sha384 rsa_pss_rsae_sha512 rsa_pkcs1_sha256 rsa_pkcs1_sha384 rsa_pkcs1_sha512 ecdsa_sha224 rsa_pkcs1_sha224",
+ "-p", "@PORT@"]},
+ {"name" : "test-tls13-ecdsa-in-certificate-verify.py",
+ "arguments" : ["-k", "tests/serverECKey.pem",
+ "-c", "tests/serverECCert.pem",
+ "-s", "ecdsa_secp256r1_sha256 ecdsa_secp384r1_sha384 ecdsa_secp521r1_sha512 ed25519 ed448 8+26 8+27 8+28 rsa_pss_pss_sha256 rsa_pss_pss_sha384 rsa_pss_pss_sha512 rsa_pss_rsae_sha256 rsa_pss_rsae_sha384 rsa_pss_rsae_sha512 rsa_pkcs1_sha256 rsa_pkcs1_sha384 rsa_pkcs1_sha512 ecdsa_sha224 rsa_pkcs1_sha224",
+ "-p", "@PORT@"]}
+ ]
+ },
+ {"server_command": ["@SERVER@", "s_server", "-www",
+ "-key", "tests/serverX509Key.pem",
+ "-cert", "tests/serverX509Cert.pem"],
+ "environment": {"PYTHONPATH" : "."},
+ "server_hostname": "localhost",
+ "server_port": @PORT@,
+ "tests" : [
+ {"name" : "test-tls13-conversation.py",
+ "arguments" : ["-p", "@PORT@"]},
+ {"name" : "test-conversation.py",
+ "arguments" : ["-p", "@PORT@",
+ "-d"]}
+ ]
+ }
+
+]
diff --git a/test/recipes/95-test_external_tlsfuzzer_data/tls-fuzzer-cert.sh b/test/recipes/95-test_external_tlsfuzzer_data/tls-fuzzer-cert.sh
new file mode 100644
index 0000000000..60bb8cffa1
--- /dev/null
+++ b/test/recipes/95-test_external_tlsfuzzer_data/tls-fuzzer-cert.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+tls_fuzzer_prepare() {
+
+sed -e "s|@SERVER@|$SERV|g" -e "s/@PORT@/$PORT/g" -e "s/@PRIORITY@/$PRIORITY/g" ${TESTDATADIR}/cert.json.in >${TMPFILE}
+}
+
+. "${TESTDATADIR}/tlsfuzzer.sh"
+
diff --git a/test/recipes/95-test_external_tlsfuzzer_data/tlsfuzzer.sh b/test/recipes/95-test_external_tlsfuzzer_data/tlsfuzzer.sh
new file mode 100644
index 0000000000..a9f781de33
--- /dev/null
+++ b/test/recipes/95-test_external_tlsfuzzer_data/tlsfuzzer.sh
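Review bot: The `sed` line in `tls_fuzzer_prepare` (tls-fuzzer-cert.sh) leaves `${TESTDATADIR}/cert.json.in` and `>${TMPFILE}` unquoted, so a source or build path containing whitespace splits the input argument or breaks the redirection; `"${TESTDATADIR}/cert.json.in" >"${TMPFILE}"` avoids that. `$SERV` is pasted into the replacement side of `s|@SERVER@|…|g` unescaped, so a build path containing `|`, `&` or a backslash would yield a malformed JSON config rather than an error. The third expression substitutes `@PRIORITY@`, but cert.json.in in this commit has no such placeholder and neither script shown sets `PRIORITY`, so it looks like a leftover that can be dropped. A short comment above the function stating that tlsfuzzer.sh calls it and expects the generated config in `${TMPFILE}` would document the contract between the two files.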
@@ -0,0 +1,73 @@
+#!/bin/bash
+#
+# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+#
+# OpenSSL external testing using the TLSFuzzer test suite
+#
+set -e
+
+PWD="$(pwd)"
+
+SRCTOP="$(cd $SRCTOP; pwd)"
+BLDTOP="$(cd $BLDTOP; pwd)"
+
+if [ "$SRCTOP" != "$BLDTOP" ] ; then
+ echo "Out of tree builds not supported with TLSFuzzer test!"
+ exit 1
+fi
+
+O_EXE="$BLDTOP/apps"
+O_BINC="$BLDTOP/include"
+O_SINC="$SRCTOP/include"
+O_LIB="$BLDTOP"
+
+export PATH="$O_EXE:$PATH"
+export LD_LIBRARY_PATH="$O_LIB:$LD_LIBRARY_PATH"
+export OPENSSL_ROOT_DIR="$O_LIB"
+
+# Check/Set openssl version
+OPENSSL_VERSION=`openssl version | cut -f 2 -d ' '`
+
+CLI="${O_EXE}/openssl"
+SERV="${O_EXE}/openssl"
+
+TMPFILE="${PWD}/tls-fuzzer.$$.tmp"
+PSKFILE="${PWD}/tls-fuzzer.psk.$$.tmp"
+
+PYTHON=`which python`
+PORT=4433
+
+echo "------------------------------------------------------------------"
+echo "Testing OpenSSL using TLSFuzzer:"
+echo " CWD: $PWD"
+echo " SRCTOP: $SRCTOP"
+echo " BLDTOP: $BLDTOP"
+echo " OPENSSL_ROOT_DIR: $OPENSSL_ROOT_DIR"
+echo " Python: $PYTHON"
+echo " TESTDATADIR: $TESTDATADIR"
+echo "------------------------------------------------------------------"
+
+cd "${SRCTOP}/tlsfuzzer"
+
+test -L ecdsa || ln -s ../python-ecdsa/src/ecdsa ecdsa
+test -L tlslite || ln -s ../tlslite-ng/tlslite tlslite 2>/dev/null
+
+retval=0
+
+tls_fuzzer_prepare
+
+PYTHONPATH=. "${PYTHON}" tests/scripts_retention.py ${TMPFILE} ${SERV} 821
+retval=$?
+
+rm -f ${TMPFILE}
+[ -f "${PSKFILE}" ] && rm -f ${PSKFILE}
+
+cd $PWD
+
+exit $retval
diff --git a/tlsfuzzer b/tlsfuzzer
new file mode 160000
index 0000000000..dbd56c1490
--- /dev/null
+++ b/tlsfuzzer
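Review bot: With `set -e` in effect in tlsfuzzer.sh, a failing `tests/scripts_retention.py` run ends the script on that line, so the `retval=$?` assignment and both `rm -f` cleanups below it are never reached on the failure path and the generated `tls-fuzzer.$$.tmp` stays behind in the working directory. Capturing the status on the same line, `PYTHONPATH=. "${PYTHON}" tests/scripts_retention.py "${TMPFILE}" "${SERV}" 821 || retval=$?`, and registering the cleanup right after the two file names are set, `trap 'rm -f "${TMPFILE}" "${PSKFILE}"' EXIT`, covers both paths. The same `set -e` makes the backtick assignment of `which python` to `PYTHON` abort without a message when no `python` is on PATH (assuming `which` returns non-zero there), so an explicit check with an error message would make that failure diagnosable. The listening port is fixed at 4433 and the temp-file name is derived from the PID; that is adequate for a single CI job but will collide, or be guessable by other local users, if the recipe runs concurrently on a shared host, where `mktemp` and a configurable port would be safer. `cd $SRCTOP`, `cd $BLDTOP` and `cd $PWD` are also unquoted and break on paths with whitespace.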
@@ -0,0 +1 @@
+Subproject commit dbd56c149072e656ca8d6a43a59588f3e7513da2
diff --git a/tlslite-ng b/tlslite-ng
new file mode 160000
index 0000000000..771e9f59d6
--- /dev/null
+++ b/tlslite-ng
@@ -0,0 +1 @@
+Subproject commit 771e9f59d639dbb0e2fa8e646c8e588405d3903e