From 2449efb7e430ff75455879477effabc069078376 Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Mon, 16 Dec 2024 18:48:13 +0100 Subject: [PATCH] Extend tlsfuzzer coverage Signed-off-by: Jakub Jelen --- .reuse/dep5 | 4 ++- tests/cert.json.ecdsa.in | 65 ++++++++++++++++++++++++++++++++++++++++ tests/cert.json.eddsa.in | 23 ++++++++++++++ tests/cert.json.part.in | 15 ---------- tests/cert.json.rsa.in | 40 +++++++++++++++++++++++++ tests/ttlsfuzzer | 6 ++-- 6 files changed, 134 insertions(+), 19 deletions(-) create mode 100644 tests/cert.json.ecdsa.in create mode 100644 tests/cert.json.eddsa.in delete mode 100644 tests/cert.json.part.in create mode 100644 tests/cert.json.rsa.in diff --git a/.reuse/dep5 b/.reuse/dep5 index cb066372..6a5c8f43 100644 --- a/.reuse/dep5 +++ b/.reuse/dep5 @@ -29,7 +29,9 @@ Files: .github/* tools/openssl*.cnf tests/*.pem tests/cert.json.in - tests/cert.json.part.in + tests/cert.json.rsa.in + tests/cert.json.ecdsa.in + tests/cert.json.eddsa.in scripts/clean-dist.sh Copyright: (C) 2022 - 2024 Simo Sorce License: Apache-2.0 diff --git a/tests/cert.json.ecdsa.in b/tests/cert.json.ecdsa.in new file mode 100644 index 00000000..0f647503 --- /dev/null +++ b/tests/cert.json.ecdsa.in @@ -0,0 +1,65 @@ +, + {"server_command": [@CHECKER@"openssl", "s_server", @PROPQ@"-www", "-port", "@PORT@", "-key", "@PRIURI@", "-cert", "@CRTURI@"], + "comment": "Run test with @PRIURI@ without certificate verify", + "environment": {"PYTHONPATH" : "."}, + "server_hostname": "localhost", + "server_port": @PORT@, + "common_arguments": ["-p", "@PORT@"], + "tests" : [ + {"name" : "test-tls13-conversation.py"}, + {"name" : "test-conversation.py", + "arguments" : ["-d"]}, + {"name" : "test-ecdsa-sig-flexibility.py", + "arguments" : [ + "-n", "0", + "-e", "connect with ecdsa_brainpoolP256r1tls13_sha256 only", + "-e", "connect with ecdsa_brainpoolP384r1tls13_sha384 only", + "-e", "connect with ecdsa_brainpoolP512r1tls13_sha512 only", + "-x", "connect with sha1+ecdsa only", "-X", "handshake_failure" + ], + "comment": "Crypto-Policies disable SHA-1 and Brainpool" + }, + {"name" : "test-signature-algorithms.py", + "arguments" : [ + "-n", "0", "--ecdsa", + "-x", "duplicated 206 non-rsa schemes", "-X", "handshake_failure", + "-x", "duplicated 2346 non-rsa schemes", "-X", "handshake_failure", + "-x", "duplicated 8123 non-rsa schemes", "-X", "handshake_failure", + "-x", "duplicated 23745 non-rsa schemes", "-X", "handshake_failure", + "-x", "duplicated 32748 non-rsa schemes", "-X", "handshake_failure", + "-x", "explicit SHA-256+RSA or ECDSA", "-X", "handshake_failure", + "-x", "explicit SHA-1+RSA/ECDSA", "-X", "handshake_failure", + "-x", "explicit SHA-1+RSA/ECDSA", "-X", "handshake_failure", + "-x", "implicit SHA-1 check", "-X", "handshake_failure", + "-x", "tolerance 10+RSA or ECDSA method", "-X", "handshake_failure", + "-x", "tolerance 215 RSA or ECDSA methods", "-X", "handshake_failure", + "-x", "tolerance 2355 RSA or ECDSA methods", "-X", "handshake_failure", + "-x", "tolerance 8132 RSA or ECDSA methods", "-X", "handshake_failure", + "-x", "tolerance 32758 methods with sig_alg_cert", "-X", "handshake_failure", + "-x", "tolerance max 32748 number of methods with sig_alg_cert", "-X", "handshake_failure", + "-x", "tolerance none+RSA or ECDSA", "-X", "handshake_failure", + "-x", "unique and well-known sig_algs, ecdsa algorithm last", "-X", "handshake_failure" + ] + }, + {"name" : "test-signature-algorithms.py", + "arguments" : [ + "-n", "0", "--ecdsa", "-g", "secp384r1", + "-x", "sanity", "-X", "handshake_failure", + "-x", "explicit SHA-256+RSA or ECDSA", "-X", "handshake_failure", + "sanity", "explicit SHA-256+RSA or ECDSA" + ], + "comment": "Crypto-Policies disable SHA-1" + }, + {"name" : "test-tls13-ecdsa-support.py", + "arguments" : [ + "-n", "0", + "-x", "Test with ecdsa_secp384r1_sha384", "-X", "handshake_failure", + "-x", "Test with ecdsa_secp521r1_sha512", "-X", "handshake_failure", + "-x", "Test with ecdsa_brainpoolP256r1tls13_sha256", "-X", "handshake_failure", + "-x", "Test with ecdsa_brainpoolP384r1tls13_sha384", "-X", "handshake_failure", + "-x", "Test with ecdsa_brainpoolP512r1tls13_sha512", "-X", "handshake_failure" + ] + } + ] + } + diff --git a/tests/cert.json.eddsa.in b/tests/cert.json.eddsa.in new file mode 100644 index 00000000..f1df8ac2 --- /dev/null +++ b/tests/cert.json.eddsa.in @@ -0,0 +1,23 @@ +, + {"server_command": [@CHECKER@"openssl", "s_server", @PROPQ@"-www", "-port", "@PORT@", "-key", "@PRIURI@", "-cert", "@CRTURI@"], + "comment": "Run test with @PRIURI@ without certificate verify", + "environment": {"PYTHONPATH" : "."}, + "server_hostname": "localhost", + "server_port": @PORT@, + "common_arguments": ["-p", "@PORT@"], + "tests" : [ + {"name" : "test-tls13-conversation.py"}, + {"name" : "test-conversation.py", + "arguments" : ["-d"]}, + {"name" : "test-signature-algorithms.py", + "arguments" : [ + "--ecdsa", "-x", "implicit SHA-1 check", + "-X", "handshake_failure", "sanity", "implicit SHA-1 check" + ] + }, + {"name" : "test-tls13-eddsa.py", + "arguments" : ["-x", "ed448 only", "-X", "handshake_failure"] + } + ] + } + diff --git a/tests/cert.json.part.in b/tests/cert.json.part.in deleted file mode 100644 index 5e644752..00000000 --- a/tests/cert.json.part.in +++ /dev/null @@ -1,15 +0,0 @@ -, - {"server_command": [@CHECKER@"openssl", "s_server", @PROPQ@"-www", "-port", "@PORT@", "-key", "@PRIURI@", "-cert", "@CRTURI@"], - "comment": "Run test without certificate verify", - "environment": {"PYTHONPATH" : "."}, - "server_hostname": "localhost", - "server_port": @PORT@, - "tests" : [ - {"name" : "test-tls13-conversation.py", - "arguments" : ["-p", "@PORT@"]}, - {"name" : "test-conversation.py", - "arguments" : ["-p", "@PORT@", - "-d"]} - ] - } - diff --git a/tests/cert.json.rsa.in b/tests/cert.json.rsa.in new file mode 100644 index 00000000..59be53e5 --- /dev/null +++ b/tests/cert.json.rsa.in @@ -0,0 +1,40 @@ +, + {"server_command": [@CHECKER@"openssl", "s_server", @PROPQ@"-www", "-port", "@PORT@", "-key", "@PRIURI@", "-cert", "@CRTURI@"], + "comment": "Run test with @PRIURI@ without certificate verify", + "environment": {"PYTHONPATH" : "."}, + "server_hostname": "localhost", + "server_port": @PORT@, + "common_arguments": ["-p", "@PORT@"], + "tests" : [ + {"name" : "test-tls13-conversation.py"}, + {"name" : "test-conversation.py", + "arguments" : ["-d"]}, + {"name" : "test-dhe-rsa-key-exchange-signatures.py", + "arguments" : [ + "-n", "0", + "-x", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA sha1 signature", "-X", "handshake_failure", + "-x", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA sha224 signature", "-X", "handshake_failure", + "-x", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA sha256 signature", "-X", "handshake_failure", + "-x", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA sha384 signature", "-X", "handshake_failure", + "-x", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA sha512 signature", "-X", "handshake_failure", + "-x", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 sha1 signature", "-X", "handshake_failure", + "-x", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA sha1 signature", "-X", "handshake_failure", + "-x", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 sha1 signature", "-X", "handshake_failure", + "-x", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA sha1 signature", "-X", "handshake_failure" + ], + "comment": "Crypto-Policies disable SHA-1 signatures" + }, + {"name" : "test-sig-algs.py", + "arguments" : [ + "-n", "0", + "-x", "rsa_pss_pss_sha256 only", "-X", "handshake_failure", + "-x", "rsa_pss_pss_sha384 only", "-X", "handshake_failure", + "-x", "rsa_pss_pss_sha512 only", "-X", "handshake_failure" + ] + }, + {"name" : "test-tls13-rsa-signatures.py"}, + {"name" : "test-tls13-signature-algorithms.py", + "arguments" : ["-n", "0"]} + ] + } + diff --git a/tests/ttlsfuzzer b/tests/ttlsfuzzer index de4a5120..11c36e5c 100755 --- a/tests/ttlsfuzzer +++ b/tests/ttlsfuzzer @@ -55,14 +55,14 @@ run_tests() { prepare_test cert.json.in "$PRIURI" "$CRTURI" title PARA "Prepare test for RSA" - prepare_test cert.json.part.in "$PRIURI" "$CRTURI" + prepare_test cert.json.rsa.in "$PRIURI" "$CRTURI" title PARA "Prepare test for ECDSA" - prepare_test cert.json.part.in "$ECPRIURI" "$ECCRTURI" + prepare_test cert.json.ecdsa.in "$ECPRIURI" "$ECCRTURI" if [[ -n "$EDBASEURI" ]]; then title PARA "Prepare test for EdDSA" - prepare_test cert.json.part.in "$EDPRIURI" "$EDCRTURI" + prepare_test cert.json.eddsa.in "$EDPRIURI" "$EDCRTURI" fi # the missing closing brace