[openssl] master update

beldmit at gmail.com beldmit at gmail.com
Wed Jan 5 10:26:06 UTC 2022


The branch master has been updated
       via  e66c41725f03dae2b295df048312fe6d28729e98 (commit)
       via  db87f89b7393eea395b82050c7fc4e1869ef112e (commit)
       via  cccbb4fa60ca890a0ce6757fcba5669208fffa46 (commit)
      from  0da3b39af3d961486758262ca71d2135d7013048 (commit)


- Log -----------------------------------------------------------------
commit e66c41725f03dae2b295df048312fe6d28729e98
Author: Dmitry Belyavskiy <beldmit at gmail.com>
Date:   Thu Dec 23 11:19:07 2021 +0100

    Run TLSfuzzer tests for CI
    
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/17340)

commit db87f89b7393eea395b82050c7fc4e1869ef112e
Author: Dmitry Belyavskiy <beldmit at gmail.com>
Date:   Wed Dec 22 18:13:40 2021 +0100

    TLS Fuzzer: initial test infrastructure
    
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/17340)

commit cccbb4fa60ca890a0ce6757fcba5669208fffa46
Author: Dmitry Belyavskiy <beldmit at gmail.com>
Date:   Wed Dec 22 18:11:21 2021 +0100

    TLSfuzzer: submodules
    
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/17340)

-----------------------------------------------------------------------

Summary of changes:
 .github/workflows/ci.yml                           |  2 +
 .gitmodules                                        |  9 +++
 python-ecdsa                                       |  1 +
 test/recipes/95-test_external_tlsfuzzer.t          | 28 +++++++++
 .../95-test_external_tlsfuzzer_data/cert.json.in   | 38 +++++++++++
 .../tls-fuzzer-cert.sh                             |  9 +++
 .../95-test_external_tlsfuzzer_data/tlsfuzzer.sh   | 73 ++++++++++++++++++++++
 tlsfuzzer                                          |  1 +
 tlslite-ng                                         |  1 +
 9 files changed, 162 insertions(+)
 create mode 160000 python-ecdsa
 create mode 100644 test/recipes/95-test_external_tlsfuzzer.t
 create mode 100644 test/recipes/95-test_external_tlsfuzzer_data/cert.json.in
 create mode 100644 test/recipes/95-test_external_tlsfuzzer_data/tls-fuzzer-cert.sh
 create mode 100644 test/recipes/95-test_external_tlsfuzzer_data/tlsfuzzer.sh
 create mode 160000 tlsfuzzer
 create mode 160000 tlslite-ng

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b52b8c15f4..103f4c774f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -273,6 +273,8 @@ jobs:
       run: make test TESTS="test_external_gost_engine"
     - name: test external krb5
       run: make test TESTS="test_external_krb5"
+    - name: test external_tlsfuzzer
+      run: make test TESTS="test_external_tlsfuzzer"
 
   external-test-pyca:
     runs-on: ubuntu-latest
diff --git a/.gitmodules b/.gitmodules
index 35f803a99c..1d4c6c9da7 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -13,3 +13,12 @@
 [submodule "wycheproof"]
 	path = wycheproof
 	url = https://github.com/google/wycheproof
+[submodule "tlsfuzzer"]
+	path = tlsfuzzer
+	url = https://github.com/tlsfuzzer/tlsfuzzer
+[submodule "python-ecdsa"]
+	path = python-ecdsa
+	url = https://github.com/tlsfuzzer/python-ecdsa
+[submodule "tlslite-ng"]
+	path = tlslite-ng
+	url = https://github.com/tlsfuzzer/tlslite-ng
diff --git a/python-ecdsa b/python-ecdsa
new file mode 160000
index 0000000000..4de8d5bf89
--- /dev/null
+++ b/python-ecdsa
@@ -0,0 +1 @@
+Subproject commit 4de8d5bf89089d1140eb99aa5d7eb2dc8e6337b6
diff --git a/test/recipes/95-test_external_tlsfuzzer.t b/test/recipes/95-test_external_tlsfuzzer.t
new file mode 100644
index 0000000000..e506f8007a
--- /dev/null
+++ b/test/recipes/95-test_external_tlsfuzzer.t
@@ -0,0 +1,28 @@
+#! /usr/bin/env perl
+# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test;
+use OpenSSL::Test::Utils;
+use OpenSSL::Test qw/:DEFAULT data_file data_dir bldtop_dir srctop_dir cmdstr/;
+use Cwd qw(abs_path);
+
+setup("test_external_tlsfuzzer");
+
+plan skip_all => "No external tests in this configuration"
+    if disabled("external-tests");
+plan skip_all => "TLSFuzzer tests not available on Windows or VMS"
+    if $^O =~ /^(VMS|MSWin32)$/;
+plan skip_all => "TLSFuzzer tests not supported in out of tree builds"
+    if bldtop_dir() ne srctop_dir();
+
+$ENV{TESTDATADIR} = abs_path(data_dir());
+plan tests => 1;
+
+ok(run(cmd(["sh", data_file("tls-fuzzer-cert.sh")])),
+   "running TLSFuzzer tests");
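Review bot: The new recipe has no `use strict;` / `use warnings;`, and it loads `OpenSSL::Test` twice: a bare `use OpenSSL::Test;` followed by the `qw/:DEFAULT data_file data_dir bldtop_dir srctop_dir cmdstr/` import. I would add the two pragmas above the imports and drop the bare `use` line, since the second import already covers `:DEFAULT`. The test also runs the script through `sh` while both shell files declare `#!/bin/bash`, so the shebang is ignored. The visible script bodies look POSIX-compatible, but it would be clearer to either run `bash` here or change the shebangs to `#!/bin/sh`. Finally, only `TESTDATADIR` is exported here; `SRCTOP` and `BLDTOP`, which `tlsfuzzer.sh` reads, presumably come from the test harness environment, and a one-line comment saying so would help.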
diff --git a/test/recipes/95-test_external_tlsfuzzer_data/cert.json.in b/test/recipes/95-test_external_tlsfuzzer_data/cert.json.in
new file mode 100644
index 0000000000..1bc20799d9
--- /dev/null
+++ b/test/recipes/95-test_external_tlsfuzzer_data/cert.json.in
@@ -0,0 +1,38 @@
+[
+    {"server_command": ["@SERVER@", "s_server", "-www",
+                 "-key", "tests/serverX509Key.pem",
+                 "-cert", "tests/serverX509Cert.pem",
+                 "-verify", "1", "-CAfile", "tests/clientX509Cert.pem"],
+     "comment": "Use ANY certificate just to ensure that server tries to authorise a client",
+     "environment": {"PYTHONPATH" : "."},
+     "server_hostname": "localhost",
+     "server_port": @PORT@,
+     "tests" : [
+	 {"name" : "test-tls13-certificate-verify.py",
+          "arguments" : ["-k", "tests/clientX509Key.pem",
+                         "-c", "tests/clientX509Cert.pem",
+			 "-s", "ecdsa_secp256r1_sha256 ecdsa_secp384r1_sha384 ecdsa_secp521r1_sha512 ed25519 ed448 8+26 8+27 8+28 rsa_pss_pss_sha256 rsa_pss_pss_sha384 rsa_pss_pss_sha512 rsa_pss_rsae_sha256 rsa_pss_rsae_sha384 rsa_pss_rsae_sha512 rsa_pkcs1_sha256 rsa_pkcs1_sha384 rsa_pkcs1_sha512 ecdsa_sha224 rsa_pkcs1_sha224",
+	                 "-p", "@PORT@"]},
+	 {"name" : "test-tls13-ecdsa-in-certificate-verify.py",
+          "arguments" : ["-k", "tests/serverECKey.pem",
+                         "-c", "tests/serverECCert.pem",
+			 "-s", "ecdsa_secp256r1_sha256 ecdsa_secp384r1_sha384 ecdsa_secp521r1_sha512 ed25519 ed448 8+26 8+27 8+28 rsa_pss_pss_sha256 rsa_pss_pss_sha384 rsa_pss_pss_sha512 rsa_pss_rsae_sha256 rsa_pss_rsae_sha384 rsa_pss_rsae_sha512 rsa_pkcs1_sha256 rsa_pkcs1_sha384 rsa_pkcs1_sha512 ecdsa_sha224 rsa_pkcs1_sha224",
+	                 "-p", "@PORT@"]}
+     ]
+    },
+    {"server_command": ["@SERVER@", "s_server", "-www",
+                 "-key", "tests/serverX509Key.pem",
+                 "-cert", "tests/serverX509Cert.pem"],
+     "environment": {"PYTHONPATH" : "."},
+     "server_hostname": "localhost",
+     "server_port": @PORT@,
+     "tests" : [
+	 {"name" : "test-tls13-conversation.py",
+          "arguments" : ["-p", "@PORT@"]},
+	 {"name" : "test-conversation.py",
+          "arguments" : ["-p", "@PORT@",
+		  "-d"]}
+     ]
+    }
+
+]
diff --git a/test/recipes/95-test_external_tlsfuzzer_data/tls-fuzzer-cert.sh b/test/recipes/95-test_external_tlsfuzzer_data/tls-fuzzer-cert.sh
new file mode 100644
index 0000000000..60bb8cffa1
--- /dev/null
+++ b/test/recipes/95-test_external_tlsfuzzer_data/tls-fuzzer-cert.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+tls_fuzzer_prepare() {
+
+sed -e "s|@SERVER@|$SERV|g" -e "s/@PORT@/$PORT/g" -e "s/@PRIORITY@/$PRIORITY/g" ${TESTDATADIR}/cert.json.in >${TMPFILE}
+}
+
+. "${TESTDATADIR}/tlsfuzzer.sh"
+
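Review bot: The `sed` line in `tls_fuzzer_prepare` leaves `${TESTDATADIR}/cert.json.in` and `${TMPFILE}` unquoted, so a checkout path containing whitespace splits into several arguments and the redirect target changes. The `-e "s/@PRIORITY@/$PRIORITY/g"` expression is dead as far as this commit shows: `cert.json.in` has no `@PRIORITY@` token and `PRIORITY` is not assigned in either script. I would write `sed -e "s|@SERVER@|$SERV|g" -e "s/@PORT@/$PORT/g" "${TESTDATADIR}/cert.json.in" >"${TMPFILE}"`. `$SERV` is also interpolated straight into the sed replacement, so a build path containing `|` or `&` would corrupt the generated JSON. A short comment noting that `SERV`, `PORT` and `TMPFILE` are defined by the `tlsfuzzer.sh` file sourced below would make the ordering less surprising.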
diff --git a/test/recipes/95-test_external_tlsfuzzer_data/tlsfuzzer.sh b/test/recipes/95-test_external_tlsfuzzer_data/tlsfuzzer.sh
new file mode 100644
index 0000000000..a9f781de33
--- /dev/null
+++ b/test/recipes/95-test_external_tlsfuzzer_data/tlsfuzzer.sh
@@ -0,0 +1,73 @@
+#!/bin/bash
+#
+# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+#
+# OpenSSL external testing using the TLSFuzzer test suite
+#
+set -e
+
+PWD="$(pwd)"
+
+SRCTOP="$(cd $SRCTOP; pwd)"
+BLDTOP="$(cd $BLDTOP; pwd)"
+
+if [ "$SRCTOP" != "$BLDTOP" ] ; then
+    echo "Out of tree builds not supported with TLSFuzzer test!"
+    exit 1
+fi
+
+O_EXE="$BLDTOP/apps"
+O_BINC="$BLDTOP/include"
+O_SINC="$SRCTOP/include"
+O_LIB="$BLDTOP"
+
+export PATH="$O_EXE:$PATH"
+export LD_LIBRARY_PATH="$O_LIB:$LD_LIBRARY_PATH"
+export OPENSSL_ROOT_DIR="$O_LIB"
+
+# Check/Set openssl version
+OPENSSL_VERSION=`openssl version | cut -f 2 -d ' '`
+
+CLI="${O_EXE}/openssl"
+SERV="${O_EXE}/openssl"
+
+TMPFILE="${PWD}/tls-fuzzer.$$.tmp"
+PSKFILE="${PWD}/tls-fuzzer.psk.$$.tmp"
+
+PYTHON=`which python`
+PORT=4433
+
+echo "------------------------------------------------------------------"
+echo "Testing OpenSSL using TLSFuzzer:"
+echo "   CWD:                $PWD"
+echo "   SRCTOP:             $SRCTOP"
+echo "   BLDTOP:             $BLDTOP"
+echo "   OPENSSL_ROOT_DIR:   $OPENSSL_ROOT_DIR"
+echo "   Python:             $PYTHON"
+echo "   TESTDATADIR:        $TESTDATADIR"
+echo "------------------------------------------------------------------"
+
+cd "${SRCTOP}/tlsfuzzer"
+
+test -L ecdsa || ln -s ../python-ecdsa/src/ecdsa ecdsa
+test -L tlslite || ln -s ../tlslite-ng/tlslite tlslite 2>/dev/null
+
+retval=0
+
+tls_fuzzer_prepare
+
+PYTHONPATH=. "${PYTHON}" tests/scripts_retention.py ${TMPFILE} ${SERV} 821
+retval=$?
+
+rm -f ${TMPFILE}
+[ -f "${PSKFILE}" ] && rm -f ${PSKFILE}
+
+cd $PWD
+
+exit $retval
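Review bot: With `set -e` active, a failing `scripts_retention.py` run ends the script on that line, so `retval=$?` only ever records 0 and the `rm -f ${TMPFILE}` cleanup is skipped on exactly the runs that fail. Capturing the status on the same line, `PYTHONPATH=. "${PYTHON}" tests/scripts_retention.py "${TMPFILE}" "${SERV}" 821 || retval=$?`, and moving the cleanup into `trap 'rm -f "${TMPFILE}" "${PSKFILE}"' EXIT` right after the two file names are set would fix both. The same `set -e` makes ``PYTHON=`which python` `` exit silently on hosts that ship only `python3`, so an explicit check with an error message would be more helpful there. `PWD="$(pwd)"` overwrites a variable the shell itself updates on every `cd`, so the final `cd $PWD` does not return to the starting directory; a separate name such as `START_DIR` avoids that. The temp file name `tls-fuzzer.$$.tmp` is predictable and port 4433 is fixed, which is likely fine for a single CI job but could collide if tests are ever run in parallel on one host.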
diff --git a/tlsfuzzer b/tlsfuzzer
new file mode 160000
index 0000000000..dbd56c1490
--- /dev/null
+++ b/tlsfuzzer
@@ -0,0 +1 @@
+Subproject commit dbd56c149072e656ca8d6a43a59588f3e7513da2
diff --git a/tlslite-ng b/tlslite-ng
new file mode 160000
index 0000000000..771e9f59d6
--- /dev/null
+++ b/tlslite-ng
@@ -0,0 +1 @@
+Subproject commit 771e9f59d639dbb0e2fa8e646c8e588405d3903e

