Extend tlsfuzzer coverage

Signed-off-by: Jakub Jelen <[email protected]>
latchset · Dec 18, 2024 · 2449efb · 2449efb
1 parent f2fc43c
commit 2449efb
Show file tree

Hide file tree

Showing 6 changed files with 134 additions and 19 deletions.
diff --git a/.reuse/dep5 b/.reuse/dep5
@@ -29,7 +29,9 @@ Files: .github/*
        tools/openssl*.cnf
        tests/*.pem
        tests/cert.json.in
-       tests/cert.json.part.in
+       tests/cert.json.rsa.in
+       tests/cert.json.ecdsa.in
+       tests/cert.json.eddsa.in
        scripts/clean-dist.sh
 Copyright: (C) 2022 - 2024 Simo Sorce <[email protected]>
 License: Apache-2.0

diff --git a/tests/cert.json.ecdsa.in b/tests/cert.json.ecdsa.in
@@ -0,0 +1,65 @@
+,
+    {"server_command": [@CHECKER@"openssl", "s_server", @PROPQ@"-www", "-port", "@PORT@", "-key", "@PRIURI@", "-cert", "@CRTURI@"],
+     "comment": "Run test with @PRIURI@ without certificate verify",
+     "environment": {"PYTHONPATH" : "."},
+     "server_hostname": "localhost",
+     "server_port": @PORT@,
+     "common_arguments": ["-p", "@PORT@"],
+     "tests" : [
+       {"name" : "test-tls13-conversation.py"},
+       {"name" : "test-conversation.py",
+        "arguments" : ["-d"]},
+       {"name" : "test-ecdsa-sig-flexibility.py",
+        "arguments" : [
+          "-n", "0",
+          "-e", "connect with ecdsa_brainpoolP256r1tls13_sha256 only",
+          "-e", "connect with ecdsa_brainpoolP384r1tls13_sha384 only",
+          "-e", "connect with ecdsa_brainpoolP512r1tls13_sha512 only",
+          "-x", "connect with sha1+ecdsa only", "-X", "handshake_failure"
+        ],
+	"comment": "Crypto-Policies disable SHA-1 and Brainpool"
+       },
+       {"name" : "test-signature-algorithms.py",
+        "arguments" : [
+          "-n", "0", "--ecdsa",
+          "-x", "duplicated 206 non-rsa schemes", "-X", "handshake_failure",
+          "-x", "duplicated 2346 non-rsa schemes", "-X", "handshake_failure",
+          "-x", "duplicated 8123 non-rsa schemes", "-X", "handshake_failure",
+          "-x", "duplicated 23745 non-rsa schemes", "-X", "handshake_failure",
+          "-x", "duplicated 32748 non-rsa schemes", "-X", "handshake_failure",
+          "-x", "explicit SHA-256+RSA or ECDSA", "-X", "handshake_failure",
+          "-x", "explicit SHA-1+RSA/ECDSA", "-X", "handshake_failure",
+          "-x", "explicit SHA-1+RSA/ECDSA", "-X", "handshake_failure",
+          "-x", "implicit SHA-1 check", "-X", "handshake_failure",
+          "-x", "tolerance 10+RSA or ECDSA method", "-X", "handshake_failure",
+          "-x", "tolerance 215 RSA or ECDSA methods", "-X", "handshake_failure",
+          "-x", "tolerance 2355 RSA or ECDSA methods", "-X", "handshake_failure",
+          "-x", "tolerance 8132 RSA or ECDSA methods", "-X", "handshake_failure",
+          "-x", "tolerance 32758 methods with sig_alg_cert", "-X", "handshake_failure",
+          "-x", "tolerance max 32748 number of methods with sig_alg_cert", "-X", "handshake_failure",
+          "-x", "tolerance none+RSA or ECDSA", "-X", "handshake_failure",
+          "-x", "unique and well-known sig_algs, ecdsa algorithm last", "-X", "handshake_failure"
+        ]
+       },
+       {"name" : "test-signature-algorithms.py",
+        "arguments" : [
+          "-n", "0", "--ecdsa", "-g", "secp384r1",
+          "-x", "sanity", "-X", "handshake_failure",
+          "-x", "explicit SHA-256+RSA or ECDSA", "-X", "handshake_failure",
+          "sanity", "explicit SHA-256+RSA or ECDSA"
+        ],
+	"comment": "Crypto-Policies disable SHA-1"
+       },
+       {"name" : "test-tls13-ecdsa-support.py",
+        "arguments" : [
+          "-n", "0",
+          "-x", "Test with ecdsa_secp384r1_sha384", "-X", "handshake_failure",
+          "-x", "Test with ecdsa_secp521r1_sha512", "-X", "handshake_failure",
+          "-x", "Test with ecdsa_brainpoolP256r1tls13_sha256", "-X", "handshake_failure",
+          "-x", "Test with ecdsa_brainpoolP384r1tls13_sha384", "-X", "handshake_failure",
+          "-x", "Test with ecdsa_brainpoolP512r1tls13_sha512", "-X", "handshake_failure"
+        ]
+       }
+     ]
+    }
+
diff --git a/tests/cert.json.eddsa.in b/tests/cert.json.eddsa.in
@@ -0,0 +1,23 @@
+,
+    {"server_command": [@CHECKER@"openssl", "s_server", @PROPQ@"-www", "-port", "@PORT@", "-key", "@PRIURI@", "-cert", "@CRTURI@"],
+     "comment": "Run test with @PRIURI@ without certificate verify",
+     "environment": {"PYTHONPATH" : "."},
+     "server_hostname": "localhost",
+     "server_port": @PORT@,
+     "common_arguments": ["-p", "@PORT@"],
+     "tests" : [
+       {"name" : "test-tls13-conversation.py"},
+       {"name" : "test-conversation.py",
+        "arguments" : ["-d"]},
+       {"name" : "test-signature-algorithms.py",
+        "arguments" : [
+          "--ecdsa", "-x", "implicit SHA-1 check",
+          "-X", "handshake_failure", "sanity", "implicit SHA-1 check"
+        ]
+       },
+       {"name" : "test-tls13-eddsa.py",
+        "arguments" : ["-x", "ed448 only", "-X", "handshake_failure"]
+       }
+     ]
+    }
+
diff --git a/tests/cert.json.part.in b/tests/cert.json.part.in
diff --git a/tests/cert.json.rsa.in b/tests/cert.json.rsa.in
@@ -0,0 +1,40 @@
+,
+    {"server_command": [@CHECKER@"openssl", "s_server", @PROPQ@"-www", "-port", "@PORT@", "-key", "@PRIURI@", "-cert", "@CRTURI@"],
+     "comment": "Run test with @PRIURI@ without certificate verify",
+     "environment": {"PYTHONPATH" : "."},
+     "server_hostname": "localhost",
+     "server_port": @PORT@,
+     "common_arguments": ["-p", "@PORT@"],
+     "tests" : [
+       {"name" : "test-tls13-conversation.py"},
+       {"name" : "test-conversation.py",
+        "arguments" : ["-d"]},
+       {"name" : "test-dhe-rsa-key-exchange-signatures.py",
+        "arguments" : [
+          "-n", "0",
+          "-x", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA sha1 signature", "-X", "handshake_failure",
+          "-x", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA sha224 signature", "-X", "handshake_failure",
+          "-x", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA sha256 signature", "-X", "handshake_failure",
+          "-x", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA sha384 signature", "-X", "handshake_failure",
+          "-x", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA sha512 signature", "-X", "handshake_failure",
+          "-x", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 sha1 signature", "-X", "handshake_failure",
+          "-x", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA sha1 signature", "-X", "handshake_failure",
+          "-x", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 sha1 signature", "-X", "handshake_failure",
+          "-x", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA sha1 signature", "-X", "handshake_failure"
+        ],
+	"comment": "Crypto-Policies disable SHA-1 signatures"
+       },
+       {"name" : "test-sig-algs.py",
+        "arguments" : [
+          "-n", "0",
+          "-x", "rsa_pss_pss_sha256 only", "-X", "handshake_failure",
+          "-x", "rsa_pss_pss_sha384 only", "-X", "handshake_failure",
+          "-x", "rsa_pss_pss_sha512 only", "-X", "handshake_failure"
+        ]
+       },
+       {"name" : "test-tls13-rsa-signatures.py"},
+       {"name" : "test-tls13-signature-algorithms.py",
+        "arguments" : ["-n", "0"]}
+     ]
+    }
+
diff --git a/tests/ttlsfuzzer b/tests/ttlsfuzzer
@@ -55,14 +55,14 @@ run_tests() {
     prepare_test cert.json.in "$PRIURI" "$CRTURI"
 
     title PARA "Prepare test for RSA"
-    prepare_test cert.json.part.in "$PRIURI" "$CRTURI"
+    prepare_test cert.json.rsa.in "$PRIURI" "$CRTURI"
 
     title PARA "Prepare test for ECDSA"
-    prepare_test cert.json.part.in "$ECPRIURI" "$ECCRTURI"
+    prepare_test cert.json.ecdsa.in "$ECPRIURI" "$ECCRTURI"
 
     if [[ -n "$EDBASEURI" ]]; then
         title PARA "Prepare test for EdDSA"
-        prepare_test cert.json.part.in "$EDPRIURI" "$EDCRTURI"
+        prepare_test cert.json.eddsa.in "$EDPRIURI" "$EDCRTURI"
     fi
 
     # the missing closing brace