From 31d5aca7c9a562810c309d4bf82313db0eaa7c9f Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Wed, 13 Nov 2024 15:24:34 +0100 Subject: [PATCH] Extend the tlsfuzzer tests with the eddsa host key Signed-off-by: Jakub Jelen --- .reuse/dep5 | 1 + tests/cert.json.in | 17 +-------------- tests/cert.json.part.in | 15 +++++++++++++ tests/ttlsfuzzer | 48 +++++++++++++++++++++++++++++++++-------- 4 files changed, 56 insertions(+), 25 deletions(-) create mode 100644 tests/cert.json.part.in diff --git a/.reuse/dep5 b/.reuse/dep5 index ebbd0c1f..a6696ce4 100644 --- a/.reuse/dep5 +++ b/.reuse/dep5 @@ -28,6 +28,7 @@ Files: .github/* tools/openssl*.cnf tests/*.pem tests/cert.json.in + tests/cert.json.part.in scripts/clean-dist.sh Copyright: (C) 2022 - 2024 Simo Sorce License: Apache-2.0 diff --git a/tests/cert.json.in b/tests/cert.json.in index e3181062..eaeb86ae 100644 --- a/tests/cert.json.in +++ b/tests/cert.json.in @@ -1,5 +1,5 @@ [ - {"server_command": [@CHECKER@"openssl", "s_server", "-www", "-port", "@PORT@", + {"server_command": [@CHECKER@"openssl", "s_server", @PROPQ@"-www", "-port", "@PORT@", "-key", "@PRIURI@", "-cert", "@CRTURI@", "-verify", "1", "-CAfile", "tests/clientX509Cert.pem"], "comment": "Use ANY certificate just to ensure that server tries to authorise a client", @@ -18,19 +18,4 @@ "-s", "@SIGALGS@", "-p", "@PORT@"]} ] - }, - {"server_command": [@CHECKER@"openssl", "s_server", "-www", "-port", "@PORT@", "-key", "@ECPRIURI@", "-cert", "@ECCRTURI@"], - "comment": "Run test with ECDSA hostkey in pkcs11 provider", - "environment": {"PYTHONPATH" : "."}, - "server_hostname": "localhost", - "server_port": @PORT@, - "tests" : [ - {"name" : "test-tls13-conversation.py", - "arguments" : ["-p", "@PORT@"]}, - {"name" : "test-conversation.py", - "arguments" : ["-p", "@PORT@", - "-d"]} - ] } -] - diff --git a/tests/cert.json.part.in b/tests/cert.json.part.in new file mode 100644 index 00000000..5e644752 --- /dev/null +++ b/tests/cert.json.part.in @@ -0,0 +1,15 @@ +, + {"server_command": [@CHECKER@"openssl", "s_server", @PROPQ@"-www", "-port", "@PORT@", "-key", "@PRIURI@", "-cert", "@CRTURI@"], + "comment": "Run test without certificate verify", + "environment": {"PYTHONPATH" : "."}, + "server_hostname": "localhost", + "server_port": @PORT@, + "tests" : [ + {"name" : "test-tls13-conversation.py", + "arguments" : ["-p", "@PORT@"]}, + {"name" : "test-conversation.py", + "arguments" : ["-p", "@PORT@", + "-d"]} + ] + } + diff --git a/tests/ttlsfuzzer b/tests/ttlsfuzzer index 682be7e7..de4a5120 100755 --- a/tests/ttlsfuzzer +++ b/tests/ttlsfuzzer @@ -9,7 +9,7 @@ if [[ ! -d "${TESTSSRCDIR}/../tlsfuzzer/tlsfuzzer" ]]; then exit 77; fi -TMPFILE="${PWD}/tls-fuzzer.$$.tmp" +TMPFILE="${TMPPDIR}/tls-fuzzer.$$.tmp" PORT="$TESTPORT" PYTHON=$(which python3) @@ -20,13 +20,18 @@ else SIGALGS="ecdsa_secp256r1_sha256 ecdsa_secp384r1_sha384 ecdsa_secp521r1_sha512 ed25519 ed448 8+26 8+27 8+28 rsa_pss_pss_sha256 rsa_pss_pss_sha384 rsa_pss_pss_sha512 rsa_pss_rsae_sha256 rsa_pss_rsae_sha384 rsa_pss_rsae_sha512 rsa_pkcs1_sha256 rsa_pkcs1_sha384 rsa_pkcs1_sha512 ecdsa_sha224 rsa_pkcs1_sha224" fi -run_tests() { +prepare_test() { + TEMPLATE="$1" + KEY="$2" + CERT="$3" # Prepare the tlsfuzzer configuration - sed -e "s|@PRIURI@|$PRIURI|g" -e "s/@CRTURI@/$CRTURI/g" \ - -e "s|@ECPRIURI@|$ECPRIURI|g" -e "s/@ECCRTURI@/$ECCRTURI/g" \ + sed -e "s|@PRIURI@|$KEY|g" -e "s/@CRTURI@/$CERT/g" \ -e "s/@PORT@/$PORT/g" \ - -e "s/@SIGALGS@/$SIGALGS/g" "${TESTSSRCDIR}/cert.json.in" >"${TMPFILE}" + -e "s/@PROPQ@/$PROPQ/g" \ + -e "s/@SIGALGS@/$SIGALGS/g" "${TESTSSRCDIR}/${TEMPLATE}" >>"${TMPFILE}" +} +run_test() { # Run openssl under checker program if needed if [[ -n "$CHECKER" ]]; then IFS=" " read -r -a ARR <<< "$CHECKER" @@ -39,19 +44,44 @@ run_tests() { test -L ecdsa || ln -s ../python-ecdsa/src/ecdsa ecdsa test -L tlslite || ln -s ../tlslite-ng/tlslite tlslite 2>/dev/null PYTHONPATH=. "${PYTHON}" tests/scripts_retention.py "${TMPFILE}" openssl 821 - rm -f "${TMPFILE}" popd } +run_tests() { + # truncate + true > "${TMPFILE}" + + title PARA "Prepare CertificateVerify test with RSA" + prepare_test cert.json.in "$PRIURI" "$CRTURI" + + title PARA "Prepare test for RSA" + prepare_test cert.json.part.in "$PRIURI" "$CRTURI" + + title PARA "Prepare test for ECDSA" + prepare_test cert.json.part.in "$ECPRIURI" "$ECCRTURI" + + if [[ -n "$EDBASEURI" ]]; then + title PARA "Prepare test for EdDSA" + prepare_test cert.json.part.in "$EDPRIURI" "$EDCRTURI" + fi + + # the missing closing brace + echo "]" >> "${TMPFILE}" + + run_test +} + title SECTION "Run TLS fuzzer with server key on provider" run_tests title ENDSECTION title SECTION "Run TLS fuzzer forcing the provider for all server operations" -#We need to disable digest operations as OpenSSL depends on context duplication working +# We can not put this into the openssl.cnf directly, as it would be picked up by softhsm +# causing infinite recursion when doing EdDSA key operations. +PROPQ="\"-propquery\", \"?provider=pkcs11\", " +# We need to disable digest operations as OpenSSL depends on context duplication working ORIG_OPENSSL_CONF=${OPENSSL_CONF} -sed -e "s/^#MORECONF/alg_section = algorithm_sec\n\n[algorithm_sec]\ndefault_properties = ?provider=pkcs11/" \ - -e "s/^#pkcs11-module-block-operations/pkcs11-module-block-operations = digest/" \ +sed -e "s/^#pkcs11-module-block-operations/pkcs11-module-block-operations = digest/" \ "${OPENSSL_CONF}" > "${OPENSSL_CONF}.forcetoken" export OPENSSL_CONF=${OPENSSL_CONF}.forcetoken