Integrate tlsfuzzer integration test
Signed-off-by: Jakub Jelen <[email protected]>
Showing
14 changed files
with
148 additions
and
10 deletions.
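--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,9 @@
+[submodule "tlsfuzzer"]
+path = tlsfuzzer
+url = https://github.com/tlsfuzzer/tlsfuzzer.git
+[submodule "python-ecdsa"]
+path = python-ecdsa
+url = https://github.com/tlsfuzzer/python-ecdsa.git
+[submodule "tlslite-ng"]
+path = tlslite-ng
+url = https://github.com/tlsfuzzer/tlslite-ng.git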
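Review bot: These three submodules bring executable Python test code from a third-party organisation into the build, so the integrity control is the pinned gitlinks (ea9666 and 768c26 are visible further down in this commit; the tlsfuzzer pin itself is not shown in this chunk), not the URLs in this file. CI should initialise them with a plain `git submodule update --init` and never `--remote`, otherwise a moved branch on github.com/tlsfuzzer silently changes what the fuzzer run executes. Adding `shallow = true` to each stanza would keep the recursive clone small without weakening the pin.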
@@ -8,6 +8,7 @@ Source: https://github.com/latchset/pkcs11-provider/ | |
# | ||
Files: .github/* | ||
.gitignore | ||
.gitmodules | ||
Makefile | ||
meson.build | ||
meson_options.txt | ||
|
@@ -26,7 +27,9 @@ Files: .github/* | |
tests/lsan.supp | ||
tools/openssl*.cnf | ||
tests/*.pem | ||
Copyright: (C) 2022 Simo Sorce <[email protected]> | ||
tests/cert.json.in | ||
scripts/clean-dist.sh | ||
Copyright: (C) 2022 - 2024 Simo Sorce <[email protected]> | ||
License: Apache-2.0 | ||
|
||
# | ||
|
Submodule python-ecdsa
added at
ea9666
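--- /dev/null
+++ b/scripts/clean-dist.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+cd "$MESON_DIST_ROOT"
+
+# Remove the submodules
+rm -rf tlsfuzzer python-ecdsa tlslite-ng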
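Review bot: The `cd "$MESON_DIST_ROOT"` on line 3 is unchecked and the shebang carries no `-e`, so when the variable is unset (bash treats `cd ""` as a no-op) or the directory is missing, the script keeps going in whatever directory meson started it from and the unconditional `rm -rf tlsfuzzer python-ecdsa tlslite-ng` deletes the real submodule checkouts from the source tree. Guard the destructive step: put `set -eu` after the shebang and change the cd to `cd "${MESON_DIST_ROOT:?MESON_DIST_ROOT must be set}"`, so a failed or empty cd aborts before the rm. A one-line header comment such as `# meson dist script: strip the test-only submodules from the release tarball` would also tell readers why this deletion is safe in its intended context.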
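--- /dev/null
+++ b/tests/cert.json.in
@@ -0,0 +1,36 @@
+[
+{"server_command": [@CHECKER@"openssl", "s_server", "-www",
+"-key", "@PRIURI@", "-cert", "@CRTURI@",
+"-verify", "1", "-CAfile", "tests/clientX509Cert.pem"],
+"comment": "Use ANY certificate just to ensure that server tries to authorise a client",
+"environment": {"PYTHONPATH" : "."},
+"server_hostname": "localhost",
+"server_port": @PORT@,
+"tests" : [
+{"name" : "test-tls13-certificate-verify.py",
+"arguments" : ["-k", "tests/clientX509Key.pem",
+"-c", "tests/clientX509Cert.pem",
+"-s", "@SIGALGS@",
+"-p", "@PORT@"]},
+{"name" : "test-tls13-ecdsa-in-certificate-verify.py",
+"arguments" : ["-k", "tests/serverECKey.pem",
+"-c", "tests/serverECCert.pem",
+"-s", "@SIGALGS@",
+"-p", "@PORT@"]}
+]
+},
+{"server_command": [@CHECKER@"openssl", "s_server", "-www", "-key", "@ECPRIURI@", "-cert", "@ECCRTURI@"],
+"comment": "Run test with ECDSA hostkey in pkcs11 provider",
+"environment": {"PYTHONPATH" : "."},
+"server_hostname": "localhost",
+"server_port": @PORT@,
+"tests" : [
+{"name" : "test-tls13-conversation.py",
+"arguments" : ["-p", "@PORT@"]},
+{"name" : "test-conversation.py",
+"arguments" : ["-p", "@PORT@",
+"-d"]}
+]
+}
+]
+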
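Review bot: The relative paths `tests/clientX509Cert.pem`, `tests/clientX509Key.pem`, `tests/serverECKey.pem` and `tests/serverECCert.pem` are ambiguous in this repository, which has its own `tests/*.pem`; judging from the runner in this same commit, which `pushd`s into the tlsfuzzer checkout before invoking `scripts_retention.py`, they presumably resolve against tlsfuzzer's bundled fixtures, not the provider's test certificates. State that in the first entry's comment so nobody later "fixes" the paths: `"comment": "Use ANY certificate (tlsfuzzer's own tests/ fixtures, relative to the tlsfuzzer checkout) just to ensure that server tries to authorise a client",`. The `-verify 1` (request, not require) is consistent with that comment, since a client that sends no certificate still completes the handshake.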
@@ -0,0 +1,63 @@ | ||
#!/bin/bash -e | ||
# Copyright (C) 2024 Jakub Jelen <[email protected]> | ||
# SPDX-License-Identifier: Apache-2.0 | ||
|
||
source "${TESTSSRCDIR}/helpers.sh" | ||
|
||
if [[ ! -d "${TESTSSRCDIR}/../tlsfuzzer/tlsfuzzer" ]]; then | ||
title "TLS fuzzer is not available -- skipping" | ||
exit 77; | ||
fi | ||
|
||
TMPFILE="${PWD}/tls-fuzzer.$$.tmp" | ||
PORT=4433 | ||
PYTHON=$(which python3) | ||
|
||
if [[ -f /etc/debian_version ]] && grep Ubuntu /etc/lsb-release; then | ||
# the ubuntu builds miss Brainpool curves, but Debian has them already | ||
SIGALGS="ecdsa_secp256r1_sha256 ecdsa_secp384r1_sha384 ecdsa_secp521r1_sha512 ed25519 ed448 rsa_pss_pss_sha256 rsa_pss_pss_sha384 rsa_pss_pss_sha512 rsa_pss_rsae_sha256 rsa_pss_rsae_sha384 rsa_pss_rsae_sha512 rsa_pkcs1_sha256 rsa_pkcs1_sha384 rsa_pkcs1_sha512 ecdsa_sha224 rsa_pkcs1_sha224" | ||
else | ||
SIGALGS="ecdsa_secp256r1_sha256 ecdsa_secp384r1_sha384 ecdsa_secp521r1_sha512 ed25519 ed448 8+26 8+27 8+28 rsa_pss_pss_sha256 rsa_pss_pss_sha384 rsa_pss_pss_sha512 rsa_pss_rsae_sha256 rsa_pss_rsae_sha384 rsa_pss_rsae_sha512 rsa_pkcs1_sha256 rsa_pkcs1_sha384 rsa_pkcs1_sha512 ecdsa_sha224 rsa_pkcs1_sha224" | ||
fi | ||
|
||
run_tests() { | ||
# Prepare the tlsfuzzer configuration | ||
sed -e "s|@PRIURI@|$PRIURI|g" -e "s/@CRTURI@/$CRTURI/g" \ | ||
-e "s|@ECPRIURI@|$ECPRIURI|g" -e "s/@ECCRTURI@/$ECCRTURI/g" \ | ||
-e "s/@PORT@/$PORT/g" \ | ||
-e "s/@SIGALGS@/$SIGALGS/g" "${TESTSSRCDIR}/cert.json.in" >"${TMPFILE}" | ||
|
||
# Run openssl under checker program if needed | ||
if [[ -n "$CHECKER" ]]; then | ||
IFS=" " read -r -a ARR <<< "$CHECKER" | ||
sed -e "s|@CHECKER@|$(printf "\"%s\", " "${ARR[@]}")|g" "${sed_inplace[@]}" "${TMPFILE}" | ||
else | ||
sed -e "s|@CHECKER@||g" "${sed_inplace[@]}" "${TMPFILE}" | ||
fi | ||
|
||
pushd "${TESTSSRCDIR}/../tlsfuzzer" | ||
test -L ecdsa || ln -s ../python-ecdsa/src/ecdsa ecdsa | ||
test -L tlslite || ln -s ../tlslite-ng/tlslite tlslite 2>/dev/null | ||
PYTHONPATH=. "${PYTHON}" tests/scripts_retention.py "${TMPFILE}" openssl 821 | ||
rm -f "${TMPFILE}" | ||
popd | ||
} | ||
|
||
title SECTION "Run TLS fuzzer with server key on provider" | ||
run_tests | ||
title ENDSECTION | ||
|
||
title SECTION "Run TLS fuzzer forcing the provider for all server operations" | ||
#We need to disable digest operations as OpenSSL depends on context duplication working | ||
ORIG_OPENSSL_CONF=${OPENSSL_CONF} | ||
sed -e "s/^#MORECONF/alg_section = algorithm_sec\n\n[algorithm_sec]\ndefault_properties = ?provider=pkcs11/" \ | ||
-e "s/^#pkcs11-module-block-operations/pkcs11-module-block-operations = digest/" \ | ||
"${OPENSSL_CONF}" > "${OPENSSL_CONF}.forcetoken" | ||
export OPENSSL_CONF=${OPENSSL_CONF}.forcetoken | ||
|
||
run_tests | ||
|
||
OPENSSL_CONF=${ORIG_OPENSSL_CONF} | ||
title ENDSECTION | ||
|
||
exit 0 |
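Review bot: The `sed` template expansion in `run_tests` (lines 30-33) puts `$PRIURI`, `$CRTURI`, `$ECPRIURI`, `$ECCRTURI` and `$SIGALGS` on the replacement side unescaped, so an `&` in any value is rewritten as the matched placeholder and a `/` in the two `@CRTURI@`/`@ECCRTURI@` expressions terminates the command; a PKCS#11 URI carrying a query such as `?pin-value=…&module-name=…` would therefore yield a corrupt `cert.json` (the mixed `|` and `/` delimiters suggest the `/` case was half-anticipated). Escape each value once through a small helper and use one delimiter everywhere, as sketched below, or build the JSON with python instead of sed. Separately, `TMPFILE` is a predictable name in `$PWD` and is only removed on the success path, and the `pushd` is never undone when `scripts_retention.py` fails under `-e`; `TMPFILE=$(mktemp "${PWD}/tls-fuzzer.XXXXXX")` plus `trap 'rm -f "$TMPFILE"' EXIT` covers both. Lastly, the `exit 77` on line 9 makes a checkout without `--recurse-submodules` drop the entire fuzzer run with a green result, so CI should have a way to demand it (for example fail instead of skip when an env var like `TLSFUZZER_REQUIRED` is set).
```shell
# Escape a value for the replacement side of an s|…|…| sed expression
# (the delimiter, '&' and backslash are all significant there).
sedq() { printf '%s' "$1" | sed -e 's#[/&|\\]#\\&#g'; }

run_tests() {
    # Prepare the tlsfuzzer configuration
    sed -e "s|@PRIURI@|$(sedq "$PRIURI")|g" -e "s|@CRTURI@|$(sedq "$CRTURI")|g" \
        -e "s|@ECPRIURI@|$(sedq "$ECPRIURI")|g" -e "s|@ECCRTURI@|$(sedq "$ECCRTURI")|g" \
        -e "s|@PORT@|$PORT|g" \
        -e "s|@SIGALGS@|$(sedq "$SIGALGS")|g" "${TESTSSRCDIR}/cert.json.in" >"${TMPFILE}"
    # … unchanged: CHECKER handling, pushd/symlinks, scripts_retention.py run, popd …
}
```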
Submodule tlslite-ng
added at
768c26