Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Extend tlsfuzzer coverage #488

Merged
merged 2 commits into from
Dec 19, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion .reuse/dep5
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,9 @@ Files: .github/*
tools/openssl*.cnf
tests/*.pem
tests/cert.json.in
tests/cert.json.part.in
tests/cert.json.rsa.in
tests/cert.json.ecdsa.in
tests/cert.json.eddsa.in
scripts/clean-dist.sh
Copyright: (C) 2022 - 2024 Simo Sorce <[email protected]>
License: Apache-2.0
Expand Down
67 changes: 67 additions & 0 deletions tests/cert.json.ecdsa.in
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
,
{"server_command": [@CHECKER@"openssl", "s_server", @PROPQ@"-www", "-port", "@PORT@", "-key", "@PRIURI@", "-cert", "@CRTURI@"],
"comment": "Run test with @PRIURI@ without certificate verify",
"environment": {"PYTHONPATH" : "."},
"server_hostname": "localhost",
"server_port": @PORT@,
"common_arguments": ["-p", "@PORT@"],
"tests" : [
Jakuje marked this conversation as resolved.
Show resolved Hide resolved
{"name" : "test-tls13-conversation.py"},
{"name" : "test-conversation.py",
"arguments" : ["-d"]},
{"name" : "test-ecdsa-sig-flexibility.py",
"arguments" : [
"-n", "0",
"-e", "connect with ecdsa_brainpoolP256r1tls13_sha256 only",
Jakuje marked this conversation as resolved.
Show resolved Hide resolved
"-e", "connect with ecdsa_brainpoolP384r1tls13_sha384 only",
"-e", "connect with ecdsa_brainpoolP512r1tls13_sha512 only",
"-x", "connect with sha1+ecdsa only", "-X", "handshake_failure"
],
"comment": "Crypto-Policies disable SHA-1. The brainpool is broken in OpenSSL."
},
{"name" : "test-signature-algorithms.py",
"arguments" : [
"-n", "0", "--ecdsa",
"-x", "duplicated 206 non-rsa schemes", "-X", "handshake_failure",
"-x", "duplicated 2346 non-rsa schemes", "-X", "handshake_failure",
"-x", "duplicated 8123 non-rsa schemes", "-X", "handshake_failure",
"-x", "duplicated 23745 non-rsa schemes", "-X", "handshake_failure",
"-x", "duplicated 32748 non-rsa schemes", "-X", "handshake_failure",
"-x", "explicit SHA-256+RSA or ECDSA", "-X", "handshake_failure",
Jakuje marked this conversation as resolved.
Show resolved Hide resolved
"-x", "explicit SHA-1+RSA/ECDSA", "-X", "handshake_failure",
"-x", "explicit SHA-1+RSA/ECDSA", "-X", "handshake_failure",
"-x", "implicit SHA-1 check", "-X", "handshake_failure",
"-x", "tolerance 10+RSA or ECDSA method", "-X", "handshake_failure",
"-x", "tolerance 215 RSA or ECDSA methods", "-X", "handshake_failure",
"-x", "tolerance 2355 RSA or ECDSA methods", "-X", "handshake_failure",
"-x", "tolerance 8132 RSA or ECDSA methods", "-X", "handshake_failure",
"-x", "tolerance 32758 methods with sig_alg_cert", "-X", "handshake_failure",
"-x", "tolerance max 32748 number of methods with sig_alg_cert", "-X", "handshake_failure",
"-x", "tolerance none+RSA or ECDSA", "-X", "handshake_failure",
"-x", "unique and well-known sig_algs, ecdsa algorithm last", "-X", "handshake_failure"
],
"comment": "Crypto-Policies disable SHA-1."
},
{"name" : "test-signature-algorithms.py",
Jakuje marked this conversation as resolved.
Show resolved Hide resolved
"arguments" : [
"-n", "0", "--ecdsa", "-g", "secp384r1",
"-x", "sanity", "-X", "handshake_failure",
"-x", "explicit SHA-256+RSA or ECDSA", "-X", "handshake_failure",
"sanity", "explicit SHA-256+RSA or ECDSA"
],
"comment": "Incompatible curve should fail"
},
{"name" : "test-tls13-ecdsa-support.py",
"arguments" : [
"-n", "0",
"-x", "Test with ecdsa_secp384r1_sha384", "-X", "handshake_failure",
"-x", "Test with ecdsa_secp521r1_sha512", "-X", "handshake_failure",
"-x", "Test with ecdsa_brainpoolP256r1tls13_sha256", "-X", "handshake_failure",
"-x", "Test with ecdsa_brainpoolP384r1tls13_sha384", "-X", "handshake_failure",
"-x", "Test with ecdsa_brainpoolP512r1tls13_sha512", "-X", "handshake_failure"
],
"comment": "We have only P-256 key. The brainpool is broken in OpenSSL."
}
]
}

25 changes: 25 additions & 0 deletions tests/cert.json.eddsa.in
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
,
{"server_command": [@CHECKER@"openssl", "s_server", @PROPQ@"-www", "-port", "@PORT@", "-key", "@PRIURI@", "-cert", "@CRTURI@"],
"comment": "Run test with @PRIURI@ without certificate verify",
"environment": {"PYTHONPATH" : "."},
"server_hostname": "localhost",
"server_port": @PORT@,
"common_arguments": ["-p", "@PORT@"],
"tests" : [
{"name" : "test-tls13-conversation.py"},
{"name" : "test-conversation.py",
"arguments" : ["-d"]},
{"name" : "test-signature-algorithms.py",
"arguments" : [
"--ecdsa", "-x", "implicit SHA-1 check",
"-X", "handshake_failure", "sanity", "implicit SHA-1 check"
],
"comment": "SHA-1 is disabled by crypto policies."
},
{"name" : "test-tls13-eddsa.py",
"arguments" : ["-x", "ed448 only", "-X", "handshake_failure"],
"comment": "We have only ed25519 key."
}
]
}

15 changes: 0 additions & 15 deletions tests/cert.json.part.in

This file was deleted.

41 changes: 41 additions & 0 deletions tests/cert.json.rsa.in
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
,
{"server_command": [@CHECKER@"openssl", "s_server", @PROPQ@"-www", "-port", "@PORT@", "-key", "@PRIURI@", "-cert", "@CRTURI@"],
"comment": "Run test with @PRIURI@ without certificate verify",
"environment": {"PYTHONPATH" : "."},
"server_hostname": "localhost",
"server_port": @PORT@,
"common_arguments": ["-p", "@PORT@"],
"tests" : [
{"name" : "test-tls13-conversation.py"},
{"name" : "test-conversation.py",
"arguments" : ["-d"]},
{"name" : "test-dhe-rsa-key-exchange-signatures.py",
"arguments" : [
"-n", "0",
"-x", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA sha1 signature", "-X", "handshake_failure",
"-x", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA sha224 signature", "-X", "handshake_failure",
"-x", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA sha256 signature", "-X", "handshake_failure",
"-x", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA sha384 signature", "-X", "handshake_failure",
"-x", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA sha512 signature", "-X", "handshake_failure",
"-x", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 sha1 signature", "-X", "handshake_failure",
"-x", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA sha1 signature", "-X", "handshake_failure",
"-x", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 sha1 signature", "-X", "handshake_failure",
"-x", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA sha1 signature", "-X", "handshake_failure"
],
"comment": "The 3DES ciphersuites are not enabled. Crypto-Policies disable SHA-1 signatures."
},
{"name" : "test-sig-algs.py",
"arguments" : [
"-n", "0",
"-x", "rsa_pss_pss_sha256 only", "-X", "handshake_failure",
"-x", "rsa_pss_pss_sha384 only", "-X", "handshake_failure",
"-x", "rsa_pss_pss_sha512 only", "-X", "handshake_failure"
],
"comment": "Server has only RSA key here."
},
{"name" : "test-tls13-rsa-signatures.py"},
{"name" : "test-tls13-signature-algorithms.py",
"arguments" : ["-n", "0"]}
]
}

6 changes: 3 additions & 3 deletions tests/ttlsfuzzer
Original file line number Diff line number Diff line change
Expand Up @@ -55,14 +55,14 @@ run_tests() {
prepare_test cert.json.in "$PRIURI" "$CRTURI"

title PARA "Prepare test for RSA"
prepare_test cert.json.part.in "$PRIURI" "$CRTURI"
prepare_test cert.json.rsa.in "$PRIURI" "$CRTURI"

title PARA "Prepare test for ECDSA"
prepare_test cert.json.part.in "$ECPRIURI" "$ECCRTURI"
prepare_test cert.json.ecdsa.in "$ECPRIURI" "$ECCRTURI"

if [[ -n "$EDBASEURI" ]]; then
title PARA "Prepare test for EdDSA"
prepare_test cert.json.part.in "$EDPRIURI" "$EDCRTURI"
prepare_test cert.json.eddsa.in "$EDPRIURI" "$EDCRTURI"
fi

# the missing closing brace
Expand Down
2 changes: 1 addition & 1 deletion tlsfuzzer
Submodule tlsfuzzer updated 35 files
+2 −2 .github/workflows/ci.yml
+1 −1 requirements.txt
+38 −0 sbom.cdx.json
+12 −8 scripts/test-certificate-request.py
+13 −5 scripts/test-conversation.py
+48 −2 scripts/test-dsa-in-certificate-verify.py
+344 −0 scripts/test-dsa-sig-flexibility.py
+75 −13 scripts/test-ecdsa-in-certificate-verify.py
+69 −22 scripts/test-ecdsa-sig-flexibility.py
+78 −13 scripts/test-invalid-server-name-extension-resumption.py
+171 −38 scripts/test-invalid-server-name-extension.py
+1 −1 scripts/test-rsa-sigs-on-certificate-verify.py
+15 −22 scripts/test-signature-algorithms.py
+56 −1 scripts/test-tls13-client-certificate-compression.py
+10 −2 scripts/test-tls13-conversation.py
+429 −0 scripts/test-tls13-ecdhe-brainpool-curves.py
+582 −0 scripts/test-tls13-ecdsa-brainpool-in-certificate-verify.py
+26 −11 scripts/test-tls13-ecdsa-support.py
+307 −0 scripts/test-tls13-eddsa.py
+9 −8 scripts/test-tls13-obsolete-curves.py
+11 −0 tests/serverBrainpoolP256r1ECCert.pem
+5 −0 tests/serverBrainpoolP256r1ECKey.pem
+12 −0 tests/serverBrainpoolP384r1ECCert.pem
+6 −0 tests/serverBrainpoolP384r1ECKey.pem
+13 −0 tests/serverBrainpoolP512r1ECCert.pem
+7 −0 tests/serverBrainpoolP512r1ECKey.pem
+96 −8 tests/tlslite-ng-py3.8.json
+96 −8 tests/tlslite-ng-random-subset-py3.8.json
+96 −8 tests/tlslite-ng-random-subset.json
+96 −8 tests/tlslite-ng.json
+63 −6 tlsfuzzer/analysis.py
+40 −9 tlsfuzzer/expect.py
+6 −0 tlsfuzzer/handshake_helpers.py
+8 −2 tlsfuzzer/helpers.py
+28 −7 tlsfuzzer/messages.py
Loading