Integrate tlsfuzzer integration test
Signed-off-by: Jakub Jelen <[email protected]>
Showing
10 changed files
with
112 additions
and
2 deletions.
@@ -0,0 +1,9 @@ | ||
[submodule "tlsfuzzer"] | ||
path = tlsfuzzer | ||
url = https://github.com/tlsfuzzer/tlsfuzzer.git | ||
[submodule "python-ecdsa"] | ||
path = python-ecdsa | ||
url = https://github.com/tlsfuzzer/python-ecdsa.git | ||
[submodule "tlslite-ng"] | ||
path = tlslite-ng | ||
url = https://github.com/tlsfuzzer/tlslite-ng.git |
|
@@ -8,6 +8,7 @@ Source: https://github.com/latchset/pkcs11-provider/ | |
# | ||
Files: .github/* | ||
.gitignore | ||
.gitmodules | ||
Makefile | ||
meson.build | ||
meson_options.txt | ||
|
@@ -26,6 +27,7 @@ Files: .github/* | |
tests/lsan.supp | ||
tools/openssl*.cnf | ||
tests/*.pem | ||
tests/cert.json.in | ||
Copyright: (C) 2022 Simo Sorce <[email protected]> | ||
License: Apache-2.0 | ||
|
||
|
Submodule python-ecdsa
added at
ea9666
@@ -0,0 +1,36 @@ | ||
[ | ||
{"server_command": [@CHECKER@"openssl", "s_server", "-www", | ||
"-key", "@PRIURI@", "-cert", "@CRTURI@", | ||
"-verify", "1", "-CAfile", "tests/clientX509Cert.pem"], | ||
"comment": "Use ANY certificate just to ensure that server tries to authorise a client", | ||
"environment": {"PYTHONPATH" : "."}, | ||
"server_hostname": "localhost", | ||
"server_port": @PORT@, | ||
"tests" : [ | ||
{"name" : "test-tls13-certificate-verify.py", | ||
"arguments" : ["-k", "tests/clientX509Key.pem", | ||
"-c", "tests/clientX509Cert.pem", | ||
"-s", "ecdsa_secp256r1_sha256 ecdsa_secp384r1_sha384 ecdsa_secp521r1_sha512 ed25519 ed448 8+26 8+27 8+28 rsa_pss_pss_sha256 rsa_pss_pss_sha384 rsa_pss_pss_sha512 rsa_pss_rsae_sha256 rsa_pss_rsae_sha384 rsa_pss_rsae_sha512 rsa_pkcs1_sha256 rsa_pkcs1_sha384 rsa_pkcs1_sha512 ecdsa_sha224 rsa_pkcs1_sha224", | ||
"-p", "@PORT@"]}, | ||
{"name" : "test-tls13-ecdsa-in-certificate-verify.py", | ||
"arguments" : ["-k", "tests/serverECKey.pem", | ||
"-c", "tests/serverECCert.pem", | ||
"-s", "ecdsa_secp256r1_sha256 ecdsa_secp384r1_sha384 ecdsa_secp521r1_sha512 ed25519 ed448 8+26 8+27 8+28 rsa_pss_pss_sha256 rsa_pss_pss_sha384 rsa_pss_pss_sha512 rsa_pss_rsae_sha256 rsa_pss_rsae_sha384 rsa_pss_rsae_sha512 rsa_pkcs1_sha256 rsa_pkcs1_sha384 rsa_pkcs1_sha512 ecdsa_sha224 rsa_pkcs1_sha224", | ||
"-p", "@PORT@"]} | ||
] | ||
}, | ||
{"server_command": [@CHECKER@"openssl", "s_server", "-www", "-key", "@ECPRIURI@", "-cert", "@ECCRTURI@"], | ||
"comment": "Run test with ECDSA hostkey in pkcs11 provider", | ||
"environment": {"PYTHONPATH" : "."}, | ||
"server_hostname": "localhost", | ||
"server_port": @PORT@, | ||
"tests" : [ | ||
{"name" : "test-tls13-conversation.py", | ||
"arguments" : ["-p", "@PORT@"]}, | ||
{"name" : "test-conversation.py", | ||
"arguments" : ["-p", "@PORT@", | ||
"-d"]} | ||
] | ||
} | ||
] | ||
|
@@ -0,0 +1,53 @@ | ||
#!/bin/bash -e | ||
# Copyright (C) 2024 Jakub Jelen <[email protected]> | ||
# SPDX-License-Identifier: Apache-2.0 | ||
|
||
source "${TESTSSRCDIR}/helpers.sh" | ||
|
||
if [[ ! -d "${TESTSSRCDIR}/../tlsfuzzer" ]]; then | ||
title "TLS fuzzer is not available -- skipping" | ||
exit 77; | ||
fi | ||
|
||
TMPFILE="${PWD}/tls-fuzzer.$$.tmp" | ||
PORT=4433 | ||
|
||
run_tests() { | ||
# Prepare the tlsfuzzer configuration | ||
sed -e "s|@PRIURI@|$PRIURI|g" -e "s/@CRTURI@/$CRTURI/g" \ | ||
-e "s|@ECPRIURI@|$ECPRIURI|g" -e "s/@ECCRTURI@/$ECCRTURI/g" \ | ||
-e "s/@PORT@/$PORT/g" "${TESTSSRCDIR}/cert.json.in" >"${TMPFILE}" | ||
|
||
# Run openssl under checker program if needed | ||
if [[ -n "$CHECKER" ]]; then | ||
sed -e "s|@CHECKER@|\"$CHECKER\", |g" "${sed_inplace[@]}" "${TMPFILE}" | ||
else | ||
sed -e "s|@CHECKER@||g" "${sed_inplace[@]}" "${TMPFILE}" | ||
fi | ||
|
||
pushd "${TESTSSRCDIR}/../tlsfuzzer" | ||
test -d ecdsa || ln -s ../python-ecdsa/src/ecdsa ecdsa | ||
test -d tlslite || ln -s ../tlslite-ng/tlslite tlslite 2>/dev/null | ||
PYTHONPATH=. python tests/scripts_retention.py "${TMPFILE}" openssl 821 | ||
rm -f "${TMPFILE}" | ||
popd | ||
} | ||
|
||
title SECTION "Run TLS fuzzer with server key on provider" | ||
run_tests | ||
title ENDSECTION | ||
|
||
title SECTION "Run TLS fuzzer forcing the provider for all server operations" | ||
#We need to disable digest operations as OpenSSL depends on context duplication working | ||
ORIG_OPENSSL_CONF=${OPENSSL_CONF} | ||
sed -e "s/^#MORECONF/alg_section = algorithm_sec\n\n[algorithm_sec]\ndefault_properties = ?provider=pkcs11/" \ | ||
-e "s/^#pkcs11-module-block-operations/pkcs11-module-block-operations = digest/" \ | ||
"${OPENSSL_CONF}" > "${OPENSSL_CONF}.forcetoken" | ||
export OPENSSL_CONF=${OPENSSL_CONF}.forcetoken | ||
|
||
run_tests | ||
|
||
OPENSSL_CONF=${ORIG_OPENSSL_CONF} | ||
title ENDSECTION | ||
|
||
exit 0 |
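Review bot: The generated config at `"${TMPFILE}"` is only removed on the success path inside run_tests (`rm -f "${TMPFILE}"` after the python call); because the script runs with `-e`, a failing `scripts_retention.py` aborts run_tests before that line and leaves `tls-fuzzer.$$.tmp` in the working directory, and the `pushd` is never undone either. Add `trap 'rm -f -- "${TMPFILE}"' EXIT` right after the `TMPFILE=` assignment so cleanup fires on every exit path, and put `set -e` in the body rather than the shebang, since an option in `#!/bin/bash -e` is dropped when the script is invoked as `bash script`. The `@CRTURI@` and `@ECCRTURI@` substitutions use `/` as the sed delimiter while the two key URIs use `|`; using `|` for all four keeps the expressions consistent and avoids a breakage if a certificate URI ever contains a slash. `sed_inplace`, `title` and the `*URI` variables come from the sourced helpers.sh, which is outside this page, so their exact contents are assumed here.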
Submodule tlslite-ng
added at
768c26