From patchwork Sat Mar 18 14:43:25 2023
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 3139
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 18 Mar 2023 10:43:25 -0400
Message-Id: <20230318144325.1316320-1-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH] Unit tests: add test for SSL_CTX_use_Cryptoapi_certificate()
From: Selva Nair

This is the only remaining function in cryptoapi.c that has no direct or indirect test.

This test confirms that an SSL_CTX context gets a certificate and private key loaded into it and the public key in the certificate matches the private key. As signing with certificate/key pairs fetched from the store is independently tested by the 'cryptoapi_sign' test, signing is not re-tested here.

The functions "setup_/teardown_cryptoapi_sign()" are renamed to "setup_/teardown_xkey_provider()" to better reflect their purpose. These are also reused for the new test.

While touching this context, also fix a memory leak in test_cryptoapi_sign: X509_get_pubkey() -> X509_get0_pubkey()

Signed-off-by: Selva Nair
Acked-by: Gert Doering
---
 tests/unit_tests/openvpn/test_cryptoapi.c | 51 ++++++++++++++++++++---
 1 file changed, 46 insertions(+), 5 deletions(-)

diff --git a/tests/unit_tests/openvpn/test_cryptoapi.c b/tests/unit_tests/openvpn/test_cryptoapi.c
index b07e8935..e64a1de3 100644
--- a/tests/unit_tests/openvpn/test_cryptoapi.c
+++ b/tests/unit_tests/openvpn/test_cryptoapi.c
@@ -343,7 +343,7 @@ test_find_cert_byissuer(void **state) } static int -setup_cryptoapi_sign(void **state) +setup_xkey_provider(void **state) { (void) state; /* Initialize providers in a way matching what OpenVPN core does */ @@ -358,7 +358,7 @@ setup_cryptoapi_sign(void **state) } static int -teardown_cryptoapi_sign(void **state) +teardown_xkey_provider(void **state) { (void) state; for (size_t i = 0; i < _countof(prov); i++)
@@ -493,13 +493,52 @@ test_cryptoapi_sign(void **state) fail_msg("Load_CryptoAPI_certificate failed: <%s>", c->friendly_name); return; } - EVP_PKEY *pubkey = X509_get_pubkey(x509); + EVP_PKEY *pubkey = X509_get0_pubkey(x509); + assert_non_null(pubkey); assert_int_equal(digest_sign_verify(privkey, pubkey), 1); X509_free(x509); EVP_PKEY_free(privkey); } } +/* Test that SSL_CTX_use_Cryptoapi_certificate() sets a matching certificate + * and key in ssl_ctx. + */ +void +test_ssl_ctx_use_cryptoapicert(void **state) +{ + (void) state; + char select_string[64]; + + import_certs(state); /* a no-op if already imported */ + assert_true(certs_loaded); + + for (struct test_cert *c = certs; c->cert; c++) + { + if (c->valid == 0) + { + continue; + } + SSL_CTX *ssl_ctx = SSL_CTX_new_ex(tls_libctx, NULL, SSLv23_client_method()); + assert_non_null(ssl_ctx); + + openvpn_snprintf(select_string, sizeof(select_string), "THUMB:%s", c->hash); + if (!SSL_CTX_use_CryptoAPI_certificate(ssl_ctx, select_string)) + { + fail_msg("SSL_CTX_use_CryptoAPI_certificate failed: <%s>", c->friendly_name); + return; + } + /* Use OpenSSL to check that the cert and private key in ssl_ctx "match" */ + if (!SSL_CTX_check_private_key(ssl_ctx)) + { + fail_msg("Certificate and private key in ssl_ctx do not match for <%s>", c->friendly_name); + return; + } + + SSL_CTX_free(ssl_ctx); + } +} + static void test_parse_hexstring(void **state) { @@ -530,8 +569,10 @@ main(void) cmocka_unit_test(test_find_cert_bythumb), cmocka_unit_test(test_find_cert_byname), cmocka_unit_test(test_find_cert_byissuer), - cmocka_unit_test_setup_teardown(test_cryptoapi_sign, setup_cryptoapi_sign, - teardown_cryptoapi_sign), + cmocka_unit_test_setup_teardown(test_cryptoapi_sign, setup_xkey_provider, + teardown_xkey_provider), + cmocka_unit_test_setup_teardown(test_ssl_ctx_use_cryptoapicert, setup_xkey_provider, + teardown_xkey_provider), }; int ret = cmocka_run_group_tests_name("cryptoapi tests", tests, NULL, cleanup);
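Review bot: in the @@ -493 hunk, the new test_ssl_ctx_use_cryptoapicert() is defined as a non-static `void` while the neighbouring test_parse_hexstring() is `static void`; make it static for consistency (and to avoid a missing-prototype warning). In the same function, both failure paths (`fail_msg(...); return;`) skip the SSL_CTX_free(ssl_ctx) at the end of the loop body; with cmocka, fail_msg() does not return, so the `return;` statements are dead and the context only leaks in a test that has already failed, but freeing before fail_msg() or dropping the unreachable `return;` would keep this tidy. The leak fix in test_cryptoapi_sign() is correct: X509_get0_pubkey() returns a pointer owned by x509, so no EVP_PKEY_free(pubkey) is needed, and the added assert_non_null(pubkey) guards the NULL case. Two smaller points: SSL_CTX_new_ex() is OpenSSL 3.0 API, while SSLv23_client_method() is the deprecated spelling of TLS_client_method(); and the openvpn_snprintf() into select_string[64] is not checked for truncation, which is fine for "THUMB:" plus a 40-character SHA-1 thumbprint but would silently yield a wrong selector string for a longer hash.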
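Review bot: in the @@ -530 hunk, registering the new test via cmocka_unit_test_setup_teardown() with the shared setup_xkey_provider()/teardown_xkey_provider() pair means the providers are loaded and unloaded once per test rather than once per group; that is the right isolation for two independent tests, but if more provider-backed tests follow, moving the provider setup into the group_setup slot of cmocka_run_group_tests_name() (currently NULL) would avoid the repeated initialization. The rename is applied consistently in both entries.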