Skip to content

Commit

Permalink
Extend tlsfuzzer coverage
Browse files Browse the repository at this point in the history
Based on the OpenSSL coverage done in the following issue:

openssl/openssl#25724

Signed-off-by: Jakub Jelen <[email protected]>
  • Loading branch information
Jakuje authored and simo5 committed Dec 19, 2024
1 parent 24609e8 commit d7b1339
Show file tree
Hide file tree
Showing 6 changed files with 139 additions and 19 deletions.
4 changes: 3 additions & 1 deletion .reuse/dep5
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,9 @@ Files: .github/*
tools/openssl*.cnf
tests/*.pem
tests/cert.json.in
tests/cert.json.part.in
tests/cert.json.rsa.in
tests/cert.json.ecdsa.in
tests/cert.json.eddsa.in
scripts/clean-dist.sh
Copyright: (C) 2022 - 2024 Simo Sorce <[email protected]>
License: Apache-2.0
Expand Down
67 changes: 67 additions & 0 deletions tests/cert.json.ecdsa.in
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
,
{"server_command": [@CHECKER@"openssl", "s_server", @PROPQ@"-www", "-port", "@PORT@", "-key", "@PRIURI@", "-cert", "@CRTURI@"],
"comment": "Run test with @PRIURI@ without certificate verify",
"environment": {"PYTHONPATH" : "."},
"server_hostname": "localhost",
"server_port": @PORT@,
"common_arguments": ["-p", "@PORT@"],
"tests" : [
{"name" : "test-tls13-conversation.py"},
{"name" : "test-conversation.py",
"arguments" : ["-d"]},
{"name" : "test-ecdsa-sig-flexibility.py",
"arguments" : [
"-n", "0",
"-e", "connect with ecdsa_brainpoolP256r1tls13_sha256 only",
"-e", "connect with ecdsa_brainpoolP384r1tls13_sha384 only",
"-e", "connect with ecdsa_brainpoolP512r1tls13_sha512 only",
"-x", "connect with sha1+ecdsa only", "-X", "handshake_failure"
],
"comment": "Crypto-Policies disable SHA-1. The brainpool is broken in OpenSSL."
},
{"name" : "test-signature-algorithms.py",
"arguments" : [
"-n", "0", "--ecdsa",
"-x", "duplicated 206 non-rsa schemes", "-X", "handshake_failure",
"-x", "duplicated 2346 non-rsa schemes", "-X", "handshake_failure",
"-x", "duplicated 8123 non-rsa schemes", "-X", "handshake_failure",
"-x", "duplicated 23745 non-rsa schemes", "-X", "handshake_failure",
"-x", "duplicated 32748 non-rsa schemes", "-X", "handshake_failure",
"-x", "explicit SHA-256+RSA or ECDSA", "-X", "handshake_failure",
"-x", "explicit SHA-1+RSA/ECDSA", "-X", "handshake_failure",
"-x", "explicit SHA-1+RSA/ECDSA", "-X", "handshake_failure",
"-x", "implicit SHA-1 check", "-X", "handshake_failure",
"-x", "tolerance 10+RSA or ECDSA method", "-X", "handshake_failure",
"-x", "tolerance 215 RSA or ECDSA methods", "-X", "handshake_failure",
"-x", "tolerance 2355 RSA or ECDSA methods", "-X", "handshake_failure",
"-x", "tolerance 8132 RSA or ECDSA methods", "-X", "handshake_failure",
"-x", "tolerance 32758 methods with sig_alg_cert", "-X", "handshake_failure",
"-x", "tolerance max 32748 number of methods with sig_alg_cert", "-X", "handshake_failure",
"-x", "tolerance none+RSA or ECDSA", "-X", "handshake_failure",
"-x", "unique and well-known sig_algs, ecdsa algorithm last", "-X", "handshake_failure"
],
"comment": "Crypto-Policies disable SHA-1."
},
{"name" : "test-signature-algorithms.py",
"arguments" : [
"-n", "0", "--ecdsa", "-g", "secp384r1",
"-x", "sanity", "-X", "handshake_failure",
"-x", "explicit SHA-256+RSA or ECDSA", "-X", "handshake_failure",
"sanity", "explicit SHA-256+RSA or ECDSA"
],
"comment": "Incompatible curve should fail"
},
{"name" : "test-tls13-ecdsa-support.py",
"arguments" : [
"-n", "0",
"-x", "Test with ecdsa_secp384r1_sha384", "-X", "handshake_failure",
"-x", "Test with ecdsa_secp521r1_sha512", "-X", "handshake_failure",
"-x", "Test with ecdsa_brainpoolP256r1tls13_sha256", "-X", "handshake_failure",
"-x", "Test with ecdsa_brainpoolP384r1tls13_sha384", "-X", "handshake_failure",
"-x", "Test with ecdsa_brainpoolP512r1tls13_sha512", "-X", "handshake_failure"
],
"comment": "We have only P-256 key. The brainpool is broken in OpenSSL."
}
]
}

25 changes: 25 additions & 0 deletions tests/cert.json.eddsa.in
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
,
{"server_command": [@CHECKER@"openssl", "s_server", @PROPQ@"-www", "-port", "@PORT@", "-key", "@PRIURI@", "-cert", "@CRTURI@"],
"comment": "Run test with @PRIURI@ without certificate verify",
"environment": {"PYTHONPATH" : "."},
"server_hostname": "localhost",
"server_port": @PORT@,
"common_arguments": ["-p", "@PORT@"],
"tests" : [
{"name" : "test-tls13-conversation.py"},
{"name" : "test-conversation.py",
"arguments" : ["-d"]},
{"name" : "test-signature-algorithms.py",
"arguments" : [
"--ecdsa", "-x", "implicit SHA-1 check",
"-X", "handshake_failure", "sanity", "implicit SHA-1 check"
],
"comment": "SHA-1 is disabled by crypto policies."
},
{"name" : "test-tls13-eddsa.py",
"arguments" : ["-x", "ed448 only", "-X", "handshake_failure"],
"comment": "We have only ed25519 key."
}
]
}

15 changes: 0 additions & 15 deletions tests/cert.json.part.in

This file was deleted.

41 changes: 41 additions & 0 deletions tests/cert.json.rsa.in
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
,
{"server_command": [@CHECKER@"openssl", "s_server", @PROPQ@"-www", "-port", "@PORT@", "-key", "@PRIURI@", "-cert", "@CRTURI@"],
"comment": "Run test with @PRIURI@ without certificate verify",
"environment": {"PYTHONPATH" : "."},
"server_hostname": "localhost",
"server_port": @PORT@,
"common_arguments": ["-p", "@PORT@"],
"tests" : [
{"name" : "test-tls13-conversation.py"},
{"name" : "test-conversation.py",
"arguments" : ["-d"]},
{"name" : "test-dhe-rsa-key-exchange-signatures.py",
"arguments" : [
"-n", "0",
"-x", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA sha1 signature", "-X", "handshake_failure",
"-x", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA sha224 signature", "-X", "handshake_failure",
"-x", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA sha256 signature", "-X", "handshake_failure",
"-x", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA sha384 signature", "-X", "handshake_failure",
"-x", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA sha512 signature", "-X", "handshake_failure",
"-x", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 sha1 signature", "-X", "handshake_failure",
"-x", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA sha1 signature", "-X", "handshake_failure",
"-x", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 sha1 signature", "-X", "handshake_failure",
"-x", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA sha1 signature", "-X", "handshake_failure"
],
"comment": "The 3DES ciphersuites are not enabled. Crypto-Policies disable SHA-1 signatures."
},
{"name" : "test-sig-algs.py",
"arguments" : [
"-n", "0",
"-x", "rsa_pss_pss_sha256 only", "-X", "handshake_failure",
"-x", "rsa_pss_pss_sha384 only", "-X", "handshake_failure",
"-x", "rsa_pss_pss_sha512 only", "-X", "handshake_failure"
],
"comment": "Server has only RSA key here."
},
{"name" : "test-tls13-rsa-signatures.py"},
{"name" : "test-tls13-signature-algorithms.py",
"arguments" : ["-n", "0"]}
]
}

6 changes: 3 additions & 3 deletions tests/ttlsfuzzer
Original file line number Diff line number Diff line change
Expand Up @@ -55,14 +55,14 @@ run_tests() {
prepare_test cert.json.in "$PRIURI" "$CRTURI"

title PARA "Prepare test for RSA"
prepare_test cert.json.part.in "$PRIURI" "$CRTURI"
prepare_test cert.json.rsa.in "$PRIURI" "$CRTURI"

title PARA "Prepare test for ECDSA"
prepare_test cert.json.part.in "$ECPRIURI" "$ECCRTURI"
prepare_test cert.json.ecdsa.in "$ECPRIURI" "$ECCRTURI"

if [[ -n "$EDBASEURI" ]]; then
title PARA "Prepare test for EdDSA"
prepare_test cert.json.part.in "$EDPRIURI" "$EDCRTURI"
prepare_test cert.json.eddsa.in "$EDPRIURI" "$EDCRTURI"
fi

# the missing closing brace
Expand Down

0 comments on commit d7b1339

Please sign in to comment.