Integrate tlsfuzzer integration test
Signed-off-by: Jakub Jelen <[email protected]>
Jakuje committed Oct 31, 2024
1 parent 3accb9c commit fdd3867
Showing 18 changed files with 156 additions and 10 deletions.
2 changes: 2 additions & 0 deletions .github/workflows/address-sanitizer.yml
Expand Up @@ -54,6 +54,8 @@ jobs:
meson setup builddir -Db_sanitize=address -Dpreload_libasan=/usr/lib/x86_64-linux-gnu/libasan.so.8.0.0
fi
- name: Build and Test
# note, that this intentionally does not initialize submodules as
# the tlsfuzzer test does not work under address sanitizer well
run: |
meson compile -C builddir
meson test --num-processes 1 -C builddir
18 changes: 12 additions & 6 deletions .github/workflows/build.yml
Expand Up @@ -35,9 +35,9 @@ jobs:
fi
if [ -f /etc/redhat-release ]; then
dnf -y install $dnf_opts \
git ${{ matrix.compiler }} meson \
git ${{ matrix.compiler }} meson which \
pkgconf-pkg-config openssl-devel openssl \
diffutils expect valgrind opensc gnutls-utils
diffutils expect valgrind opensc gnutls-utils python3-six
if [ "${{ matrix.token }}" = "softokn" ]; then
dnf -y install nss-softokn nss-tools nss-softokn-devel \
nss-devel
Expand All @@ -48,7 +48,7 @@ jobs:
apt-get -q update
apt-get -yq install git ${{ matrix.compiler }} meson \
pkg-config libssl-dev openssl expect \
valgrind procps opensc gnutls-bin
valgrind procps opensc gnutls-bin python3-six
if [ "${{ matrix.token }}" = "softokn" ]; then
apt-get -yq install libnss3 libnss3-tools libnss3-dev
elif [ "${{ matrix.token }}" = "softhsm" ]; then
Expand All @@ -73,6 +73,9 @@ jobs:
- name: Setup
if : ( steps.nss-version-check.outputs.skiptest != 'true' )
run: |
git config --global --add safe.directory \
/__w/pkcs11-provider/pkcs11-provider
git submodule update --init
CC=${{ matrix.compiler }} meson setup builddir
- name: Build and Test
if : ( steps.nss-version-check.outputs.skiptest != 'true' )
Expand Down Expand Up @@ -120,17 +123,20 @@ jobs:
openssl@3 \
pkg-config \
opensc \
p11-kit
p11-kit \
six
if [ "${{ matrix.token }}" = "softokn" ]; then
brew install nss
elif [ "${{ matrix.token }}" = "softhsm" ]; then
brew install \
softhsm
brew install softhsm
fi
- name: Checkout Repository
uses: actions/checkout@v4
- name: Setup
run: |
git config --global --add safe.directory \
/__w/pkcs11-provider/pkcs11-provider
git submodule update --init
export PKG_CONFIG_PATH=$(brew --prefix openssl@3)/lib/pkgconfig
export PATH=$(brew --prefix openssl@3)/bin:$PATH
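Review bot: The `safe.directory` entry added in the Linux Setup step hard-codes the container workspace path `/__w/pkcs11-provider/pkcs11-provider`, so the `git submodule update --init` that follows it would presumably fail on a fork whose repository name differs; `git config --global --add safe.directory "$GITHUB_WORKSPACE"` resolves to the same path in container jobs without depending on the repository name. The same two lines are repeated in distcheck.yml and kryoptic.yml. In the macOS job the same Linux container path is added before `git submodule update --init`, where the checkout does not live under `/__w`, so that copy looks like dead configuration and can likely be dropped.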
5 changes: 4 additions & 1 deletion .github/workflows/distcheck.yml
Expand Up @@ -29,7 +29,7 @@ jobs:
fi
if [ -f /etc/redhat-release ]; then
dnf -y install $dnf_opts \
git gcc meson expect \
git gcc meson expect python3 python3-six which \
pkgconf-pkg-config openssl-devel openssl xz \
nss-softokn nss-tools nss-softokn-devel \
softhsm opensc p11-kit-devel p11-kit-server \
Expand All @@ -46,6 +46,9 @@ jobs:
uses: actions/checkout@v4
- name: Setup
run: |
git config --global --add safe.directory \
/__w/pkcs11-provider/pkcs11-provider
git submodule update --init
meson setup builddir
- name: Distcheck
run: |
8 changes: 6 additions & 2 deletions .github/workflows/kryoptic.yml
Expand Up @@ -34,7 +34,8 @@ jobs:
gcc g++ perl-interpreter zlib-devel sqlite-devel \
'perl(Module::Load::Conditional)' 'perl(File::Temp)' \
'perl(IPC::Cmd)' 'perl(FindBin)' 'perl(lib)' \
'perl(File::Compare)' 'perl(File::Copy)'
'perl(File::Compare)' 'perl(File::Copy)' \
python3-six which
- name: Checkout Repository
uses: actions/checkout@v4
Expand Down Expand Up @@ -79,7 +80,10 @@ jobs:
grep -q "0 failed" testout.log
- name: Setup
run:
run: |
git config --global --add safe.directory \
/__w/pkcs11-provider/pkcs11-provider
git submodule update --init
meson setup builddir
- name: Build
run:
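--- a/.gitmodules
+++ b/.gitmodules
@@ -0,0 +1,9 @@
+[submodule "tlsfuzzer"]
+path = tlsfuzzer
+url = https://github.com/tlsfuzzer/tlsfuzzer.git
+[submodule "python-ecdsa"]
+path = python-ecdsa
+url = https://github.com/tlsfuzzer/python-ecdsa.git
+[submodule "tlslite-ng"]
+path = tlslite-ng
+url = https://github.com/tlsfuzzer/tlslite-ng.git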
5 changes: 4 additions & 1 deletion .reuse/dep5
Expand Up @@ -8,6 +8,7 @@ Source: https://github.com/latchset/pkcs11-provider/
#
Files: .github/*
.gitignore
.gitmodules
Makefile
meson.build
meson_options.txt
Expand All @@ -26,7 +27,9 @@ Files: .github/*
tests/lsan.supp
tools/openssl*.cnf
tests/*.pem
Copyright: (C) 2022 Simo Sorce <[email protected]>
tests/cert.json.in
scripts/clean-dist.sh
Copyright: (C) 2022 - 2024 Simo Sorce <[email protected]>
License: Apache-2.0

#
2 changes: 2 additions & 0 deletions meson.build
Expand Up @@ -84,6 +84,8 @@ endforeach

configure_file(output: 'config.h', configuration: conf)

meson.add_dist_script('scripts/clean-dist.sh')

subdir('src')
subdir('docs')
subdir('tests')
1 change: 1 addition & 0 deletions python-ecdsa
Submodule python-ecdsa added at ea9666
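--- a/scripts/clean-dist.sh
+++ b/scripts/clean-dist.sh
@@ -0,0 +1,6 @@
+#!/bin/bash -e
+
+cd "$MESON_DIST_ROOT"
+
+# Remove the submodules
+rm -rf tlsfuzzer python-ecdsa tlslite-ng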
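Review bot: `cd "$MESON_DIST_ROOT"` does not guard against the variable being unset or empty: on bash `cd ""` is a no-op that returns success, so the following `rm -rf tlsfuzzer python-ecdsa tlslite-ng` would then run in whatever the current directory happens to be. `cd -- "${MESON_DIST_ROOT:?MESON_DIST_ROOT not set}"` aborts instead, and `rm -rf -- tlsfuzzer python-ecdsa tlslite-ng` keeps the names from ever being parsed as options. The `-e` in `#!/bin/bash -e` is only honoured when the script is executed directly; a `set -e` line of its own also survives `bash clean-dist.sh`.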
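--- a/tests/cert.json.in
+++ b/tests/cert.json.in
@@ -0,0 +1,36 @@
+[
+{"server_command": [@CHECKER@"openssl", "s_server", "-www", "-port", "@PORT@",
+"-key", "@PRIURI@", "-cert", "@CRTURI@",
+"-verify", "1", "-CAfile", "tests/clientX509Cert.pem"],
+"comment": "Use ANY certificate just to ensure that server tries to authorise a client",
+"environment": {"PYTHONPATH" : "."},
+"server_hostname": "localhost",
+"server_port": @PORT@,
+"tests" : [
+{"name" : "test-tls13-certificate-verify.py",
+"arguments" : ["-k", "tests/clientX509Key.pem",
+"-c", "tests/clientX509Cert.pem",
+"-s", "@SIGALGS@",
+"-p", "@PORT@"]},
+{"name" : "test-tls13-ecdsa-in-certificate-verify.py",
+"arguments" : ["-k", "tests/serverECKey.pem",
+"-c", "tests/serverECCert.pem",
+"-s", "@SIGALGS@",
+"-p", "@PORT@"]}
+]
+},
+{"server_command": [@CHECKER@"openssl", "s_server", "-www", "-port", "@PORT@", "-key", "@ECPRIURI@", "-cert", "@ECCRTURI@"],
+"comment": "Run test with ECDSA hostkey in pkcs11 provider",
+"environment": {"PYTHONPATH" : "."},
+"server_hostname": "localhost",
+"server_port": @PORT@,
+"tests" : [
+{"name" : "test-tls13-conversation.py",
+"arguments" : ["-p", "@PORT@"]},
+{"name" : "test-conversation.py",
+"arguments" : ["-p", "@PORT@",
+"-d"]}
+]
+}
+]
+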
2 changes: 2 additions & 0 deletions tests/kryoptic-init.sh
Expand Up @@ -40,3 +40,5 @@ pkcs11-tool --module "${P11LIB}" --so-pin "${PINVALUE}" \
--login --login-type so --init-pin --pin "${PINVALUE}" 2>&1

export TOKENCONFIGVARS="export KRYOPTIC_CONF=$TOKDIR/kryoptic.sql"

export TESTPORT="34000"
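Review bot: `export TESTPORT="34000"` fixes the listening port with no way to override it from the environment, so a port that is already in use on a CI runner or a developer machine makes the tlsfuzzer test fail rather than move; `export TESTPORT="${TESTPORT:-34000}"` keeps the default while allowing an override. The same applies to the `32000` and `30000` lines added in softhsm-init.sh and softokn-init.sh. A short comment above the line recording why the three token scripts use different values (presumably so their suites do not collide when run side by side — worth confirming) would help the next reader.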
1 change: 1 addition & 0 deletions tests/meson.build
Expand Up @@ -137,6 +137,7 @@ tests = {
'rand': {'suites': ['softokn', 'softhsm', 'kryoptic']},
'readkeys': {'suites': ['softokn', 'softhsm', 'kryoptic']},
'tls': {'suites': ['softokn', 'softhsm', 'kryoptic'], 'is_parallel': false},
'tlsfuzzer': {'suites': ['softokn', 'softhsm', 'kryoptic']},
'uri': {'suites': ['softokn', 'softhsm', 'kryoptic']},
'ecxc': {'suites': ['softhsm', 'kryoptic']},
'cms': {'suites': ['softokn', 'kryoptic']},
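Review bot: The new `'tlsfuzzer'` entry has no `'is_parallel': false` while the neighbouring `'tls'` entry does; the tlsfuzzer script starts `openssl s_server` on `$TESTPORT`, so if the `tls` test in the same suite also binds that port (which its serialisation suggests), running the two concurrently could make one of them fail intermittently. If that is the case, `'tlsfuzzer': {'suites': ['softokn', 'softhsm', 'kryoptic'], 'is_parallel': false},` serialises it the same way.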
2 changes: 2 additions & 0 deletions tests/setup.sh
Expand Up @@ -386,6 +386,8 @@ export OPENSSL_CONF="${OPENSSL_CONF}"
export TESTSSRCDIR="${TESTSSRCDIR}"
export TESTBLDDIR="${TESTBLDDIR}"
export TESTPORT="${TESTPORT}"
export CACRT="${CACRT_PEM}"
export TOKDIR="${TOKDIR}"
2 changes: 2 additions & 0 deletions tests/softhsm-init.sh
Expand Up @@ -65,3 +65,5 @@ softhsm2-util --init-token --label "${TOKENLABEL}" --free --pin "${PINVALUE}" --
export TOKENOPTIONS="pkcs11-module-quirks = no-deinit no-operation-state"

export TOKENCONFIGVARS="export SOFTHSM2_CONF=${TMPPDIR}/softhsm.conf"

export TESTPORT="32000"
2 changes: 2 additions & 0 deletions tests/softokn-init.sh
Expand Up @@ -21,3 +21,5 @@ export TOKENLABELURI="NSS%20Certificate%20DB"

export TOKENOPTIONS="pkcs11-module-quirks = no-operation-state no-allowed-mechanisms"
export TOKENCONFIGVARS="export NSS_LIB_PARAMS=configDir=${TOKDIR}"

export TESTPORT="30000"
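--- a/tests/ttlsfuzzer
+++ b/tests/ttlsfuzzer
@@ -0,0 +1,63 @@
+#!/bin/bash -e
+# Copyright (C) 2024 Jakub Jelen <[email protected]>
+# SPDX-License-Identifier: Apache-2.0
+
+source "${TESTSSRCDIR}/helpers.sh"
+
+if [[ ! -d "${TESTSSRCDIR}/../tlsfuzzer/tlsfuzzer" ]]; then
+title "TLS fuzzer is not available -- skipping"
+exit 77;
+fi
+
+TMPFILE="${PWD}/tls-fuzzer.$$.tmp"
+PORT="$TESTPORT"
+PYTHON=$(which python3)
+
+if [[ -f /etc/debian_version ]] && grep Ubuntu /etc/lsb-release; then
+# the ubuntu builds miss Brainpool curves, but Debian has them already
+SIGALGS="ecdsa_secp256r1_sha256 ecdsa_secp384r1_sha384 ecdsa_secp521r1_sha512 ed25519 ed448 rsa_pss_pss_sha256 rsa_pss_pss_sha384 rsa_pss_pss_sha512 rsa_pss_rsae_sha256 rsa_pss_rsae_sha384 rsa_pss_rsae_sha512 rsa_pkcs1_sha256 rsa_pkcs1_sha384 rsa_pkcs1_sha512 ecdsa_sha224 rsa_pkcs1_sha224"
+else
+SIGALGS="ecdsa_secp256r1_sha256 ecdsa_secp384r1_sha384 ecdsa_secp521r1_sha512 ed25519 ed448 8+26 8+27 8+28 rsa_pss_pss_sha256 rsa_pss_pss_sha384 rsa_pss_pss_sha512 rsa_pss_rsae_sha256 rsa_pss_rsae_sha384 rsa_pss_rsae_sha512 rsa_pkcs1_sha256 rsa_pkcs1_sha384 rsa_pkcs1_sha512 ecdsa_sha224 rsa_pkcs1_sha224"
+fi
+
+run_tests() {
+# Prepare the tlsfuzzer configuration
+sed -e "s|@PRIURI@|$PRIURI|g" -e "s/@CRTURI@/$CRTURI/g" \
+-e "s|@ECPRIURI@|$ECPRIURI|g" -e "s/@ECCRTURI@/$ECCRTURI/g" \
+-e "s/@PORT@/$PORT/g" \
+-e "s/@SIGALGS@/$SIGALGS/g" "${TESTSSRCDIR}/cert.json.in" >"${TMPFILE}"
+
+# Run openssl under checker program if needed
+if [[ -n "$CHECKER" ]]; then
+IFS=" " read -r -a ARR <<< "$CHECKER"
+sed -e "s|@CHECKER@|$(printf "\"%s\", " "${ARR[@]}")|g" "${sed_inplace[@]}" "${TMPFILE}"
+else
+sed -e "s|@CHECKER@||g" "${sed_inplace[@]}" "${TMPFILE}"
+fi
+
+pushd "${TESTSSRCDIR}/../tlsfuzzer"
+test -L ecdsa || ln -s ../python-ecdsa/src/ecdsa ecdsa
+test -L tlslite || ln -s ../tlslite-ng/tlslite tlslite 2>/dev/null
+PYTHONPATH=. "${PYTHON}" tests/scripts_retention.py "${TMPFILE}" openssl 821
+rm -f "${TMPFILE}"
+popd
+}
+
+title SECTION "Run TLS fuzzer with server key on provider"
+run_tests
+title ENDSECTION
+
+title SECTION "Run TLS fuzzer forcing the provider for all server operations"
+#We need to disable digest operations as OpenSSL depends on context duplication working
+ORIG_OPENSSL_CONF=${OPENSSL_CONF}
+sed -e "s/^#MORECONF/alg_section = algorithm_sec\n\n[algorithm_sec]\ndefault_properties = ?provider=pkcs11/" \
+-e "s/^#pkcs11-module-block-operations/pkcs11-module-block-operations = digest/" \
+"${OPENSSL_CONF}" > "${OPENSSL_CONF}.forcetoken"
+export OPENSSL_CONF=${OPENSSL_CONF}.forcetoken
+
+run_tests
+
+OPENSSL_CONF=${ORIG_OPENSSL_CONF}
+title ENDSECTION
+
+exit 0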
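Review bot: In run_tests the values substituted into cert.json.in (`$PRIURI`, `$CRTURI`, `$ECPRIURI`, `$ECCRTURI`, `$SIGALGS`) are spliced into sed replacement text unescaped, so a `&`, a backslash, or the chosen delimiter (`/` for the CRT URIs and SIGALGS, `|` for the PRI URIs) would be reinterpreted by sed or yield invalid JSON; PKCS#11 URIs carrying a query part use `&` as a separator, so the values are worth escaping before substitution or the JSON is worth generating with a tool rather than sed. `PYTHON=$(which python3)` should be `PYTHON=$(command -v python3)`, which also removes the need for the `which` package the workflows in this commit now install. `grep Ubuntu /etc/lsb-release` in the distro check echoes its match into the log and prints an error on Debian systems without that file; `grep -qs Ubuntu /etc/lsb-release` is quieter. Because the script runs under `-e`, a failing scripts_retention.py skips both `rm -f "${TMPFILE}"` and `popd`; a `trap 'rm -f "${TMPFILE}"' EXIT` right after TMPFILE is set covers that path.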
1 change: 1 addition & 0 deletions tlsfuzzer
Submodule tlsfuzzer added at a0c066
1 change: 1 addition & 0 deletions tlslite-ng
Submodule tlslite-ng added at 768c26
