From 4e71014200f5b53619ae028b927ebc793af0468e Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Mon, 16 Dec 2024 18:47:20 +0100 Subject: [PATCH 1/2] Update tlsfuzzer submodules Signed-off-by: Jakub Jelen --- tlsfuzzer | 2 +- tlslite-ng | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tlsfuzzer b/tlsfuzzer index a0c066cd..32fcb0d8 160000 --- a/tlsfuzzer +++ b/tlsfuzzer @@ -1 +1 @@ -Subproject commit a0c066cdfd927bd10e3a154d7efd209797ed2cc0 +Subproject commit 32fcb0d8e78fd9ffc4568d11ba5916936a46af8c diff --git a/tlslite-ng b/tlslite-ng index 768c262e..4e16574d 160000 --- a/tlslite-ng +++ b/tlslite-ng @@ -1 +1 @@ -Subproject commit 768c262e59ec0b4084bbb436a88c64fcb757e496 +Subproject commit 4e16574d7c52f17c81c3f5e0aa547776a67fdf8e From 1121ba023681a54d72aa288407c0ca242a69a26b Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Mon, 16 Dec 2024 18:48:13 +0100 Subject: [PATCH 2/2] Extend tlsfuzzer coverage Based on the OpenSSL coverage done in the following issue: https://github.com/openssl/openssl/pull/25724 Signed-off-by: Jakub Jelen --- .reuse/dep5 | 4 ++- tests/cert.json.ecdsa.in | 67 ++++++++++++++++++++++++++++++++++++++++ tests/cert.json.eddsa.in | 25 +++++++++++++++ tests/cert.json.part.in | 15 --------- tests/cert.json.rsa.in | 41 ++++++++++++++++++++++++ tests/ttlsfuzzer | 6 ++-- 6 files changed, 139 insertions(+), 19 deletions(-) create mode 100644 tests/cert.json.ecdsa.in create mode 100644 tests/cert.json.eddsa.in delete mode 100644 tests/cert.json.part.in create mode 100644 tests/cert.json.rsa.in diff --git a/.reuse/dep5 b/.reuse/dep5 index cb066372..6a5c8f43 100644 --- a/.reuse/dep5 +++ b/.reuse/dep5 @@ -29,7 +29,9 @@ Files: .github/* tools/openssl*.cnf tests/*.pem tests/cert.json.in - tests/cert.json.part.in + tests/cert.json.rsa.in + tests/cert.json.ecdsa.in + tests/cert.json.eddsa.in scripts/clean-dist.sh Copyright: (C) 2022 - 2024 Simo Sorce License: Apache-2.0 diff --git a/tests/cert.json.ecdsa.in b/tests/cert.json.ecdsa.in new file mode 100644 index 00000000..5633a85a --- /dev/null +++ b/tests/cert.json.ecdsa.in @@ -0,0 +1,67 @@ +, + {"server_command": [@CHECKER@"openssl", "s_server", @PROPQ@"-www", "-port", "@PORT@", "-key", "@PRIURI@", "-cert", "@CRTURI@"], + "comment": "Run test with @PRIURI@ without certificate verify", + "environment": {"PYTHONPATH" : "."}, + "server_hostname": "localhost", + "server_port": @PORT@, + "common_arguments": ["-p", "@PORT@"], + "tests" : [ + {"name" : "test-tls13-conversation.py"}, + {"name" : "test-conversation.py", + "arguments" : ["-d"]}, + {"name" : "test-ecdsa-sig-flexibility.py", + "arguments" : [ + "-n", "0", + "-e", "connect with ecdsa_brainpoolP256r1tls13_sha256 only", + "-e", "connect with ecdsa_brainpoolP384r1tls13_sha384 only", + "-e", "connect with ecdsa_brainpoolP512r1tls13_sha512 only", + "-x", "connect with sha1+ecdsa only", "-X", "handshake_failure" + ], + "comment": "Crypto-Policies disable SHA-1. The brainpool is broken in OpenSSL." + }, + {"name" : "test-signature-algorithms.py", + "arguments" : [ + "-n", "0", "--ecdsa", + "-x", "duplicated 206 non-rsa schemes", "-X", "handshake_failure", + "-x", "duplicated 2346 non-rsa schemes", "-X", "handshake_failure", + "-x", "duplicated 8123 non-rsa schemes", "-X", "handshake_failure", + "-x", "duplicated 23745 non-rsa schemes", "-X", "handshake_failure", + "-x", "duplicated 32748 non-rsa schemes", "-X", "handshake_failure", + "-x", "explicit SHA-256+RSA or ECDSA", "-X", "handshake_failure", + "-x", "explicit SHA-1+RSA/ECDSA", "-X", "handshake_failure", + "-x", "explicit SHA-1+RSA/ECDSA", "-X", "handshake_failure", + "-x", "implicit SHA-1 check", "-X", "handshake_failure", + "-x", "tolerance 10+RSA or ECDSA method", "-X", "handshake_failure", + "-x", "tolerance 215 RSA or ECDSA methods", "-X", "handshake_failure", + "-x", "tolerance 2355 RSA or ECDSA methods", "-X", "handshake_failure", + "-x", "tolerance 8132 RSA or ECDSA methods", "-X", "handshake_failure", + "-x", "tolerance 32758 methods with sig_alg_cert", "-X", "handshake_failure", + "-x", "tolerance max 32748 number of methods with sig_alg_cert", "-X", "handshake_failure", + "-x", "tolerance none+RSA or ECDSA", "-X", "handshake_failure", + "-x", "unique and well-known sig_algs, ecdsa algorithm last", "-X", "handshake_failure" + ], + "comment": "Crypto-Policies disable SHA-1." + }, + {"name" : "test-signature-algorithms.py", + "arguments" : [ + "-n", "0", "--ecdsa", "-g", "secp384r1", + "-x", "sanity", "-X", "handshake_failure", + "-x", "explicit SHA-256+RSA or ECDSA", "-X", "handshake_failure", + "sanity", "explicit SHA-256+RSA or ECDSA" + ], + "comment": "Incompatible curve should fail" + }, + {"name" : "test-tls13-ecdsa-support.py", + "arguments" : [ + "-n", "0", + "-x", "Test with ecdsa_secp384r1_sha384", "-X", "handshake_failure", + "-x", "Test with ecdsa_secp521r1_sha512", "-X", "handshake_failure", + "-x", "Test with ecdsa_brainpoolP256r1tls13_sha256", "-X", "handshake_failure", + "-x", "Test with ecdsa_brainpoolP384r1tls13_sha384", "-X", "handshake_failure", + "-x", "Test with ecdsa_brainpoolP512r1tls13_sha512", "-X", "handshake_failure" + ], + "comment": "We have only P-256 key. The brainpool is broken in OpenSSL." + } + ] + } + diff --git a/tests/cert.json.eddsa.in b/tests/cert.json.eddsa.in new file mode 100644 index 00000000..88cdbfe0 --- /dev/null +++ b/tests/cert.json.eddsa.in @@ -0,0 +1,25 @@ +, + {"server_command": [@CHECKER@"openssl", "s_server", @PROPQ@"-www", "-port", "@PORT@", "-key", "@PRIURI@", "-cert", "@CRTURI@"], + "comment": "Run test with @PRIURI@ without certificate verify", + "environment": {"PYTHONPATH" : "."}, + "server_hostname": "localhost", + "server_port": @PORT@, + "common_arguments": ["-p", "@PORT@"], + "tests" : [ + {"name" : "test-tls13-conversation.py"}, + {"name" : "test-conversation.py", + "arguments" : ["-d"]}, + {"name" : "test-signature-algorithms.py", + "arguments" : [ + "--ecdsa", "-x", "implicit SHA-1 check", + "-X", "handshake_failure", "sanity", "implicit SHA-1 check" + ], + "comment": "SHA-1 is disabled by crypto policies." + }, + {"name" : "test-tls13-eddsa.py", + "arguments" : ["-x", "ed448 only", "-X", "handshake_failure"], + "comment": "We have only ed25519 key." + } + ] + } + diff --git a/tests/cert.json.part.in b/tests/cert.json.part.in deleted file mode 100644 index 5e644752..00000000 --- a/tests/cert.json.part.in +++ /dev/null @@ -1,15 +0,0 @@ -, - {"server_command": [@CHECKER@"openssl", "s_server", @PROPQ@"-www", "-port", "@PORT@", "-key", "@PRIURI@", "-cert", "@CRTURI@"], - "comment": "Run test without certificate verify", - "environment": {"PYTHONPATH" : "."}, - "server_hostname": "localhost", - "server_port": @PORT@, - "tests" : [ - {"name" : "test-tls13-conversation.py", - "arguments" : ["-p", "@PORT@"]}, - {"name" : "test-conversation.py", - "arguments" : ["-p", "@PORT@", - "-d"]} - ] - } - diff --git a/tests/cert.json.rsa.in b/tests/cert.json.rsa.in new file mode 100644 index 00000000..34949adf --- /dev/null +++ b/tests/cert.json.rsa.in @@ -0,0 +1,41 @@ +, + {"server_command": [@CHECKER@"openssl", "s_server", @PROPQ@"-www", "-port", "@PORT@", "-key", "@PRIURI@", "-cert", "@CRTURI@"], + "comment": "Run test with @PRIURI@ without certificate verify", + "environment": {"PYTHONPATH" : "."}, + "server_hostname": "localhost", + "server_port": @PORT@, + "common_arguments": ["-p", "@PORT@"], + "tests" : [ + {"name" : "test-tls13-conversation.py"}, + {"name" : "test-conversation.py", + "arguments" : ["-d"]}, + {"name" : "test-dhe-rsa-key-exchange-signatures.py", + "arguments" : [ + "-n", "0", + "-x", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA sha1 signature", "-X", "handshake_failure", + "-x", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA sha224 signature", "-X", "handshake_failure", + "-x", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA sha256 signature", "-X", "handshake_failure", + "-x", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA sha384 signature", "-X", "handshake_failure", + "-x", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA sha512 signature", "-X", "handshake_failure", + "-x", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 sha1 signature", "-X", "handshake_failure", + "-x", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA sha1 signature", "-X", "handshake_failure", + "-x", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 sha1 signature", "-X", "handshake_failure", + "-x", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA sha1 signature", "-X", "handshake_failure" + ], + "comment": "The 3DES ciphersuites are not enabled. Crypto-Policies disable SHA-1 signatures." + }, + {"name" : "test-sig-algs.py", + "arguments" : [ + "-n", "0", + "-x", "rsa_pss_pss_sha256 only", "-X", "handshake_failure", + "-x", "rsa_pss_pss_sha384 only", "-X", "handshake_failure", + "-x", "rsa_pss_pss_sha512 only", "-X", "handshake_failure" + ], + "comment": "Server has only RSA key here." + }, + {"name" : "test-tls13-rsa-signatures.py"}, + {"name" : "test-tls13-signature-algorithms.py", + "arguments" : ["-n", "0"]} + ] + } + diff --git a/tests/ttlsfuzzer b/tests/ttlsfuzzer index de4a5120..11c36e5c 100755 --- a/tests/ttlsfuzzer +++ b/tests/ttlsfuzzer @@ -55,14 +55,14 @@ run_tests() { prepare_test cert.json.in "$PRIURI" "$CRTURI" title PARA "Prepare test for RSA" - prepare_test cert.json.part.in "$PRIURI" "$CRTURI" + prepare_test cert.json.rsa.in "$PRIURI" "$CRTURI" title PARA "Prepare test for ECDSA" - prepare_test cert.json.part.in "$ECPRIURI" "$ECCRTURI" + prepare_test cert.json.ecdsa.in "$ECPRIURI" "$ECCRTURI" if [[ -n "$EDBASEURI" ]]; then title PARA "Prepare test for EdDSA" - prepare_test cert.json.part.in "$EDPRIURI" "$EDCRTURI" + prepare_test cert.json.eddsa.in "$EDPRIURI" "$EDCRTURI" fi # the missing closing brace