From patchwork Tue Dec 14 05:59:27 2021
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 2179
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 14 Dec 2021 11:59:27 -0500
Message-Id: <20211214165928.30676-18-selva.nair@gmail.com>
In-Reply-To: <20211214165928.30676-1-selva.nair@gmail.com>
References: <20211214165928.30676-1-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH v3 17/18] xkey-provider: Add a test for generic key load and signature

From: Selva Nair

Signed-off-by: Selva Nair
Acked-By: Arne Schwabe
---
 configure.ac                             |   2 -
 tests/unit_tests/openvpn/Makefile.am     |   4 -
 tests/unit_tests/openvpn/test_provider.c | 112 +++++++++++++++++++++--
 3 files changed, 105 insertions(+), 13 deletions(-)

diff --git a/configure.ac b/configure.ac index c446f631..e0f9c332 100644 --- a/configure.ac +++ b/configure.ac @@ -766,8 +766,6 @@ PKG_CHECK_MODULES( [] ) -AM_CONDITIONAL([HAVE_XKEY_PROVIDER], [false]) - if test "${with_crypto_library}" = "openssl"; then AC_ARG_VAR([OPENSSL_CFLAGS], [C compiler flags for OpenSSL]) AC_ARG_VAR([OPENSSL_LIBS], [linker flags for OpenSSL]) 
diff --git a/tests/unit_tests/openvpn/Makefile.am b/tests/unit_tests/openvpn/Makefile.am index 96b670ae..6b5c94ab 100644 --- a/tests/unit_tests/openvpn/Makefile.am +++ b/tests/unit_tests/openvpn/Makefile.am @@ -11,9 +11,7 @@ if HAVE_LD_WRAP_SUPPORT test_binaries += tls_crypt_testdriver endif -if HAVE_XKEY_PROVIDER test_binaries += provider_testdriver -endif TESTS = $(test_binaries) check_PROGRAMS = $(test_binaries) @@ -99,7 +97,6 @@ networking_testdriver_SOURCES = test_networking.c mock_msg.c \ $(openvpn_srcdir)/platform.c endif -if HAVE_XKEY_PROVIDER provider_testdriver_CFLAGS = @TEST_CFLAGS@ \ -I$(openvpn_includedir) -I$(compat_srcdir) -I$(openvpn_srcdir) \ $(OPTIONAL_CRYPTO_CFLAGS) @@ -113,7 +110,6 @@ provider_testdriver_SOURCES = test_provider.c mock_msg.c \ $(openvpn_srcdir)/base64.c \ mock_get_random.c \ $(openvpn_srcdir)/platform.c -endif auth_token_testdriver_CFLAGS = @TEST_CFLAGS@ \ -I$(openvpn_includedir) -I$(compat_srcdir) -I$(openvpn_srcdir) \ diff --git a/tests/unit_tests/openvpn/test_provider.c b/tests/unit_tests/openvpn/test_provider.c index dcf39019..0182b3b4 100644 --- a/tests/unit_tests/openvpn/test_provider.c +++ b/tests/unit_tests/openvpn/test_provider.c @@ -29,6 +29,10 @@ #endif #include "syshead.h" +#include "manage.h" +#include "xkey_common.h" + +#ifdef HAVE_XKEY_PROVIDER #include #include @@ -37,9 +41,6 @@ #include #include -#include "manage.h" -#include "xkey_common.h" - struct management *management; /* global */ static int mgmt_callback_called; 
@@ -91,11 +92,11 @@ static const char *test_digest_b64 = "dzhlAB6WSMZXC67At5b5Zk1f0Lfb8zq/Asx4YYMgIO * --- the smallest size of the actual signature with the above * keys. */ -const uint8_t good_sig[] = +static const uint8_t good_sig[] = {0xd8, 0xa7, 0xd9, 0x81, 0xd8, 0xaa, 0xd8, 0xad, 0x20, 0xd9, 0x8a, 0xd8, 0xa7, 0x20, 0xd8, 0xb3, 0xd9, 0x85, 0xd8, 0xb3, 0xd9, 0x85, 0x0}; -const char *good_sig_b64 = "2KfZgdiq2K0g2YrYpyDYs9mF2LPZhQA="; +static const char *good_sig_b64 = "2KfZgdiq2K0g2YrYpyDYs9mF2LPZhQA="; static EVP_PKEY * load_pubkey(const char *pem) @@ -155,10 +156,16 @@ management_query_pk_sig(struct management *man, const char *b64_data, if (strstr(algorithm, "data=message")) { expected_tbs = test_msg_b64; + assert_non_null(strstr(algorithm, "hashalg=SHA256")); } - assert_string_equal(b64_data, expected_tbs); + /* We test using ECDSA or PSS with saltlen = digest */ + if (!strstr(algorithm, "ECDSA")) + { + assert_non_null(strstr(algorithm, "RSA_PKCS1_PSS_PADDING,hashalg=SHA256,saltlen=digest")); + } + /* Return a predefined string as sig so that the caller * can confirm that this callback was exercised. */ @@ -230,7 +237,6 @@ digest_sign(EVP_PKEY *pkey) goto done; } - /* sign with sig = NULL to get required siglen */ assert_int_equal(EVP_DigestSign(mctx, sig, &siglen, (uint8_t*)test_msg, strlen(test_msg)), 1); assert_true(siglen > 0); 
@@ -288,6 +294,90 @@ again: } } +/* helpers for testing generic key load and sign */ +static int xkey_free_called; +static int xkey_sign_called; +static void +xkey_free(void *handle) +{ + xkey_free_called = 1; + /* We use a dummy string as handle -- check its value */ + assert_string_equal(handle, "xkey_handle"); +} + +static int +xkey_sign(void *handle, unsigned char *sig, size_t *siglen, + const unsigned char *tbs, size_t tbslen, XKEY_SIGALG s) +{ + if (!sig) + { + *siglen = 256; /* some arbitrary size */ + return 1; + } + + xkey_sign_called = 1; /* called with non-null sig */ + + if (!strcmp(s.op, "DigestSign")) + { + assert_memory_equal(tbs, test_msg, strlen(test_msg)); + } + else + { + assert_memory_equal(tbs, test_digest, sizeof(test_digest)); + } + + /* For the test use sha256 and PSS padding for RSA */ + assert_int_equal(OBJ_sn2nid(s.mdname), NID_sha256); + if (!strcmp(s.keytype, "RSA")) + { + assert_string_equal(s.padmode, "pss"); /* we use PSS for the test */ + } + else if (strcmp(s.keytype, "EC")) + { + fail_msg("Unknown keytype: %s", s.keytype); + } + + /* return a predefined string as sig */ + memcpy(sig, good_sig, min_int(sizeof(good_sig), *siglen)); + + return 1; +} + +/* Load a key as a generic key and check its sign op gets + * called for signature. 
+ */ +static void +xkey_provider_test_generic_sign_cb(void **state) +{ + EVP_PKEY *pubkey; + const char *dummy = "xkey_handle"; /* a dummy handle for the external key */ + + for (size_t i = 0; i < _countof(pubkeys); i++) + { + pubkey = load_pubkey(pubkeys[i]); + assert_true(pubkey != NULL); + + EVP_PKEY *privkey = xkey_load_generic_key(NULL, (void*)dummy, pubkey, xkey_sign, xkey_free); + assert_true(privkey != NULL); + + xkey_sign_called = 0; + xkey_free_called = 0; + uint8_t *sig = digest_sign(privkey); + assert_non_null(sig); + + /* check callback for signature got exercised */ + assert_int_equal(xkey_sign_called, 1); + assert_memory_equal(sig, good_sig, sizeof(good_sig)); + test_free(sig); + + EVP_PKEY_free(pubkey); + EVP_PKEY_free(privkey); + + /* check key's free-op got called */ + assert_int_equal(xkey_free_called, 1); + } +} + int main(void) { @@ -296,6 +386,7 @@ main(void) const struct CMUnitTest tests[] = { cmocka_unit_test(xkey_provider_test_fetch), cmocka_unit_test(xkey_provider_test_mgmt_sign_cb), + cmocka_unit_test(xkey_provider_test_generic_sign_cb), }; int ret = cmocka_run_group_tests_name("xkey provider tests", tests, NULL, NULL); @@ -303,3 +394,10 @@ main(void) uninit_test(); return ret; } +#else +int +main(void) +{ + return 0; +} +#endif /* HAVE_XKEY_PROVIDER */
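Review bot: dropping `AM_CONDITIONAL([HAVE_XKEY_PROVIDER], [false])` from configure.ac together with the `if HAVE_XKEY_PROVIDER` guards in tests/unit_tests/openvpn/Makefile.am means provider_testdriver is now compiled and linked on every configuration, including builds without OpenSSL, and the only thing keeping the OpenSSL-specific code out is the `#ifdef HAVE_XKEY_PROVIDER` in test_provider.c. That works only because the hunk moves `#include "manage.h"` and `#include "xkey_common.h"` above the `#ifdef` (xkey_common.h is where the macro gets decided), so xkey_common.h must itself be safe to include when no OpenSSL headers are present; the commit message should say why the build-time conditional was traded for a source-level one, since the body currently carries no explanation at all.

Review bot: the `#else` fallback `main` at the end of test_provider.c returns 0, so on a build without the provider `make check` reports the test as PASS even though nothing ran. Automake's test harness treats exit status 77 as SKIP, so `return 77;` there would show the test as skipped instead of hiding that it never executed.

Review bot: in the management_query_pk_sig hunk the new checks are substring matches, for example `assert_non_null(strstr(algorithm, "RSA_PKCS1_PSS_PADDING,hashalg=SHA256,saltlen=digest"));`, so an algorithm string with extra or repeated fields would still pass. If the provider is meant to emit exactly one form for each key type, comparing the full string (minus the `data=` part) with `assert_string_equal` would be stricter; note also that `hashalg=SHA256` is only asserted inside the `data=message` branch, so the digest case for ECDSA asserts nothing about the hash.

Review bot: `xkey_sign` in the @@ -288 hunk never updates `*siglen` on the real call: it copies `min_int(sizeof(good_sig), *siglen)` bytes into `sig` but leaves `*siglen` at the 256 it reported on the probe call, so the provider hands back a 256-byte signature of which only the first `sizeof(good_sig)` bytes are defined. The test passes because `assert_memory_equal(sig, good_sig, sizeof(good_sig))` compares only those bytes, but a sign callback is expected to report the length it actually wrote; add `*siglen = sizeof(good_sig);` after the memcpy and, if digest_sign can return the length, assert on it in xkey_provider_test_generic_sign_cb. Minor: `min_int` takes int while both arguments here are size_t.

Review bot: xkey_provider_test_generic_sign_cb calls `EVP_PKEY_free(pubkey)` after creating `privkey` from it with `xkey_load_generic_key(NULL, (void*)dummy, pubkey, xkey_sign, xkey_free)`, which is only correct if that function takes its own reference to (or copies) the public key rather than borrowing the caller's. Since this test is the one place that ownership rule is exercised, a one-line comment stating it next to the free would save the next reader from having to check xkey_load_generic_key.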