From patchwork Wed Mar 22 22:14:54 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Selva Nair X-Patchwork-Id: 3155 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7300:2310:b0:9f:bfa4:120f with SMTP id r16csp3544288dye; Wed, 22 Mar 2023 15:15:50 -0700 (PDT) X-Google-Smtp-Source: AK7set9G5RVS2sNTuxZn7QSR6IPIBj71VojziB0bDpm7LSGvP4Y6mNyM6/hGpjNmE4tUy5UYSL33 X-Received: by 2002:a17:90b:3b4b:b0:23a:ad68:25a7 with SMTP id ot11-20020a17090b3b4b00b0023aad6825a7mr4954373pjb.2.1679523350237; Wed, 22 Mar 2023 15:15:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1679523350; cv=none; d=google.com; s=arc-20160816; b=g3WRx4z1Rn21MXfpAhFFatpHSb4XFx+Rw+SVMf+cMPTeRm1pJnY+2EU9lc7JZxS9TO iRXlvEvdhEkF3auMDFaxrplVJ2lHWQ0GMH8w2dHM5Uuc2L8ZKG42guOgcPbfm6xprgK7 AcfCjtpKHH8xOJDMZNkPQUCmR3agZZ5o2pqiH/Ji9KWcktIEmP8uqPv76oc7pvoVyqXy b2hZSg5JsN7daHAuclzOK8fYJROwRpBoUdhK/R8BtTaE4XAED88P7axrRPzStLuVSCZo Te+3vaih6SXRjgirfOke+VWzrm1Ed+d+5Mmq4tA5KMICjNr4EIBkhP+Hu5eYoIg0VPzo EOuA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:message-id:date:to:from:dkim-signature:dkim-signature :dkim-signature; bh=9oU6U0eTynbemEn8yFYTSKF5rfyLVXTERfdsdRwVHBs=; b=BUF5d7cZYjDw2j3dQrsRzSFkcAYZmIgvTgkroshaZLbThseixckR13wqv4sVsfDThD REhZCVEPFcVK4u23FqktDC63Sk/DVWL83hl6/00Kt7pBX96+NJzxBQLtqVdTtAfbQgVB v7824+J9b9BRtGi/I4wDYuPN2gZuyEJjiub+6wmntrIFfBa4jrTusc/wUuOpxZqIOwma 3yS7iPu04nUxzzvY2Bna39v5KTq8QJFhEi9ShaNOWjTgv6PUxDPF9JEdWgTnQRaPF0he rMLqJw6XLxsj5EU4niBo85efJ7WfDSR342qM5nMKxSBRrL8gITPNHn0/Ys2XC1EGhVw1 GxAg== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=Im7UBqJe; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=f5d4+Zje; dkim=neutral (body hash did not verify) header.i=@gmail.com header.s=20210112 header.b=o0g2WZSK; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from lists.sourceforge.net ([216.105.38.7]) by mx.google.com with ESMTPS id gl18-20020a17090b121200b002340b11f1e8si53924pjb.44.2023.03.22.15.15.50 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 22 Mar 2023 15:15:50 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=Im7UBqJe; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=f5d4+Zje; dkim=neutral (body hash did not verify) header.i=@gmail.com header.s=20210112 header.b=o0g2WZSK; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1pf6jk-0002pV-L4; Wed, 22 Mar 2023 22:15:17 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1pf6jj-0002pP-0H for openvpn-devel@lists.sourceforge.net; Wed, 22 Mar 2023 22:15:15 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:Message-Id: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=WSlfwYzufgXkPHil9AlShSz/Ure5KqmmGJowyxlQ+A8=; b=Im7UBqJexLWqQfUDq/DWWosRyR waziTvkMMQhIF4DbRVLkEJMw43qk5oWUEosG7OvWdzi1eMeFuGKMeMEukSTnUv9E7K/eS1/JxdPcJ O0pVyEKTSnW8JWfcRMiHHhPKKo69A4x6m5LZiWfXBCb/lZyFFfCKOGBKptolwrboUaSI=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:Message-Id:Date:Subject:Cc:To:From :Sender:Reply-To:Content-Type:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post: List-Owner:List-Archive; bh=WSlfwYzufgXkPHil9AlShSz/Ure5KqmmGJowyxlQ+A8=; b=f 5d4+Zjei01WL86Yr3EPJItrCdNrwvjVUEdrxbd5WZC0uiaDPPUIev+4VAh9JP0pKcIaRN8fhcg25N RnYF/pUQ925nUlCs8RBqfLB7DTArzMagsOqHXdhdRZ9s4pZhQF/zyxhXgXMZ7EAMF+Dq7b4ngWEKE uyDZmbWE3t/aozwU=; Received: from mail-io1-f48.google.com ([209.85.166.48]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.95) id 1pf6ji-00H3S2-PH for openvpn-devel@lists.sourceforge.net; Wed, 22 Mar 2023 22:15:15 +0000 Received: by mail-io1-f48.google.com with SMTP id bf15so9171062iob.7 for ; Wed, 22 Mar 2023 15:15:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1679523309; x=1682115309; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=WSlfwYzufgXkPHil9AlShSz/Ure5KqmmGJowyxlQ+A8=; b=o0g2WZSKKnp7sKl1AXJqHp/96YHcOyTc89/otgjxC73GNscs/PI1hepBsBqtXV0MAa arMfMN6KfAUAZAVMz2GOsEy7KJGEkzORNnkaR82yJH76kykaQpESDL+/u8aqZG62NKUs 5DNavEpqy37conzm53XbeYkmcpNu5rvcBIMNTcAMGpke4McYVeenJb4vlnFTHItGhgTX 9B3yaJ/2Oici4L7NF4twHkQWa68rTJjfXbz6B5uM5Vnt91TOX+GSb0fk0O/BXn1lYwhV fxFf0xla/5mWrJ0c9XYfrARQ+D+HfRQengfxP4RsUzHV7M2obHdN87ADw++0ekC9ArDE UfoQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1679523309; x=1682115309; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=WSlfwYzufgXkPHil9AlShSz/Ure5KqmmGJowyxlQ+A8=; b=Z391OnZgDpuoWkOS5MmV/Q1XlMCo6lzZ2ew3ZZp+YgHicKh8mEGgBc74ednQzXhv1u 0yiYTYW0Ni8ZVm4Uo+tXipzKRMPy80xz9HVqsWEzHZpOsPMAJ6uk5i71BpSR29yLu/BY nH6FFK242TQdzea4dDdNoEGWv7JCaiM8rsz6uD5VkylQbZuzX3OTclHEK1crwb7uXxXb gsmg3J1OibA3aWYh3s5V5syEb/phAr6Kpn/l2ZVHejsXn3FbJUi5Vx2a6qW5w/QDwsdg UaY4e0xsFzi4YhZwyB5Vo6CWTNYglTuBp4j9csz4ymWv7yymvDJ7cIKR/Yr68CcwGhiV OkMw== X-Gm-Message-State: AO0yUKWuj8IMk7r03DCQwnMOuPDTFcf6VMoYFAF3VW37odv1a4yxahMj p/dy58GcDg+gpHW1Da2xInYeML/SuLVsWQ== X-Received: by 2002:a05:6602:168a:b0:758:6517:c621 with SMTP id s10-20020a056602168a00b007586517c621mr4233818iow.2.1679523308834; Wed, 22 Mar 2023 15:15:08 -0700 (PDT) Received: from uranus.sansel.ca (bras-vprn-tnhlon4053w-lp130-01-70-51-222-66.dsl.bell.ca. [70.51.222.66]) by smtp.gmail.com with ESMTPSA id d2-20020a0566380d4200b00406d71405bcsm1573044jak.44.2023.03.22.15.15.08 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 22 Mar 2023 15:15:08 -0700 (PDT) From: selva.nair@gmail.com To: openvpn-devel@lists.sourceforge.net Date: Wed, 22 Mar 2023 18:14:54 -0400 Message-Id: <20230322221456.1660425-1-selva.nair@gmail.com> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 X-Spam-Score: -0.2 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Selva Nair - This function will be reused for testing pkcs11 Signed-off-by: Selva Nair --- tests/unit_tests/openvpn/Makefile.am | 1 + tests/unit_tests/openvpn/pkey_test_utils.c | 141 +++++++++++++++++++++ tests/unit_tests/openvpn/test_cryptoapi.c | 98 +------ [...] Content analysis details: (-0.2 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [209.85.166.48 listed in list.dnswl.org] 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider [selva.nair[at]gmail.com] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid X-Headers-End: 1pf6ji-00H3S2-PH Subject: [Openvpn-devel] [PATCH 1/3] Move digest_sign_verify out of test_cryptoapi.c X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1761107876339556643?= X-GMAIL-MSGID: =?utf-8?q?1761107876339556643?= From: Selva Nair - This function will be reused for testing pkcs11 Signed-off-by: Selva Nair Acked-By: Frank Lichtenheld --- tests/unit_tests/openvpn/Makefile.am | 1 + tests/unit_tests/openvpn/pkey_test_utils.c | 141 +++++++++++++++++++++ tests/unit_tests/openvpn/test_cryptoapi.c | 98 +------------- 3 files changed, 143 insertions(+), 97 deletions(-) create mode 100644 tests/unit_tests/openvpn/pkey_test_utils.c diff --git a/tests/unit_tests/openvpn/Makefile.am b/tests/unit_tests/openvpn/Makefile.am index 4391a54e..30659561 100644 --- a/tests/unit_tests/openvpn/Makefile.am +++ b/tests/unit_tests/openvpn/Makefile.am @@ -156,6 +156,7 @@ cryptoapi_testdriver_CFLAGS = @TEST_CFLAGS@ \ cryptoapi_testdriver_LDFLAGS = @TEST_LDFLAGS@ \ $(OPTIONAL_CRYPTO_LIBS) -lcrypt32 -lncrypt cryptoapi_testdriver_SOURCES = test_cryptoapi.c mock_msg.c \ + pkey_test_utils.c \ $(top_srcdir)/src/openvpn/xkey_helper.c \ $(top_srcdir)/src/openvpn/xkey_provider.c \ $(top_srcdir)/src/openvpn/buffer.c \ diff --git a/tests/unit_tests/openvpn/pkey_test_utils.c b/tests/unit_tests/openvpn/pkey_test_utils.c new file mode 100644 index 00000000..7adaf33f --- /dev/null +++ b/tests/unit_tests/openvpn/pkey_test_utils.c @@ -0,0 +1,141 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2023 Selva Nair + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by the + * Free Software Foundation, either version 2 of the License, + * or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#elif defined(_MSC_VER) +#include "config-msvc.h" +#endif + + +#include "syshead.h" +#include "xkey_common.h" +#include +#include + +#ifdef HAVE_XKEY_PROVIDER + +#include +#include + +extern OSSL_LIB_CTX *tls_libctx; + +/* A message for signing */ +static const char *test_msg = "Lorem ipsum dolor sit amet, consectetur " + "adipisici elit, sed eiusmod tempor incidunt " + "ut labore et dolore magna aliqua."; + +/** + * Sign "test_msg" using a private key. The key may be a "provided" key + * in which case its signed by the provider's backend -- cryptoapi in our + * case. Then verify the signature using OpenSSL. + * Returns 1 on success, 0 on error. + */ +int +digest_sign_verify(EVP_PKEY *privkey, EVP_PKEY *pubkey) +{ + uint8_t *sig = NULL; + size_t siglen = 0; + int ret = 0; + + OSSL_PARAM params[2] = {OSSL_PARAM_END}; + const char *mdname = "SHA256"; + + if (EVP_PKEY_get_id(privkey) == EVP_PKEY_RSA) + { + const char *padmode = "pss"; /* RSA_PSS: for all other params, use defaults */ + params[0] = OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, + (char *)padmode, 0); + params[1] = OSSL_PARAM_construct_end(); + } + else if (EVP_PKEY_get_id(privkey) == EVP_PKEY_EC) + { + params[0] = OSSL_PARAM_construct_end(); + } + else + { + print_error("Unknown key type in digest_sign_verify()"); + return ret; + } + + EVP_PKEY_CTX *pctx = NULL; + EVP_MD_CTX *mctx = EVP_MD_CTX_new(); + + if (!mctx + || EVP_DigestSignInit_ex(mctx, &pctx, mdname, tls_libctx, NULL, privkey, params) <= 0) + { + /* cmocka assert output for these kinds of failures is hardly explanatory, + * print a message and assert in caller. */ + print_error("Failed to initialize EVP_DigestSignInit_ex()\n"); + goto done; + } + + /* sign with sig = NULL to get required siglen */ + if (EVP_DigestSign(mctx, sig, &siglen, (uint8_t *)test_msg, strlen(test_msg)) != 1) + { + print_error("EVP_DigestSign: failed to get required signature size"); + goto done; + } + assert_true(siglen > 0); + + if ((sig = test_calloc(1, siglen)) == NULL) + { + print_error("Out of memory"); + goto done; + } + if (EVP_DigestSign(mctx, sig, &siglen, (uint8_t *)test_msg, strlen(test_msg)) != 1) + { + print_error("EVP_DigestSign: signing failed"); + goto done; + } + + /* + * Now validate the signature using OpenSSL. Just use the public key + * which is a native OpenSSL key. + */ + EVP_MD_CTX_free(mctx); /* this also frees pctx */ + mctx = EVP_MD_CTX_new(); + pctx = NULL; + if (!mctx + || EVP_DigestVerifyInit_ex(mctx, &pctx, mdname, tls_libctx, NULL, pubkey, params) <= 0) + { + print_error("Failed to initialize EVP_DigestVerifyInit_ex()"); + goto done; + } + if (EVP_DigestVerify(mctx, sig, siglen, (uint8_t *)test_msg, strlen(test_msg)) != 1) + { + print_error("EVP_DigestVerify failed"); + goto done; + } + ret = 1; + +done: + if (mctx) + { + EVP_MD_CTX_free(mctx); /* this also frees pctx */ + } + test_free(sig); + return ret; +} +#endif /* HAVE_XKEY_PROVIDER */ diff --git a/tests/unit_tests/openvpn/test_cryptoapi.c b/tests/unit_tests/openvpn/test_cryptoapi.c index e64a1de3..c8468103 100644 --- a/tests/unit_tests/openvpn/test_cryptoapi.c +++ b/tests/unit_tests/openvpn/test_cryptoapi.c @@ -67,11 +67,6 @@ OSSL_LIB_CTX *tls_libctx; #define _countof(x) sizeof((x))/sizeof(*(x)) #endif -/* A message for signing */ -static const char *test_msg = "Lorem ipsum dolor sit amet, consectetur " - "adipisici elit, sed eiusmod tempor incidunt " - "ut labore et dolore magna aliqua."; - /* test data */ static const uint8_t test_hash[] = { 0x77, 0x38, 0x65, 0x00, 0x1e, 0x96, 0x48, 0xc6, 0x57, 0x0b, 0xae, @@ -374,98 +369,7 @@ teardown_xkey_provider(void **state) return 0; } -/** - * Sign "test_msg" using a private key. The key may be a "provided" key - * in which case its signed by the provider's backend -- cryptoapi in our - * case. Then verify the signature using OpenSSL. - * Returns 1 on success, 0 on error. - */ -static int -digest_sign_verify(EVP_PKEY *privkey, EVP_PKEY *pubkey) -{ - uint8_t *sig = NULL; - size_t siglen = 0; - int ret = 0; - - OSSL_PARAM params[2] = {OSSL_PARAM_END}; - const char *mdname = "SHA256"; - - if (EVP_PKEY_get_id(privkey) == EVP_PKEY_RSA) - { - const char *padmode = "pss"; /* RSA_PSS: for all other params, use defaults */ - params[0] = OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE, - (char *)padmode, 0); - params[1] = OSSL_PARAM_construct_end(); - } - else if (EVP_PKEY_get_id(privkey) == EVP_PKEY_EC) - { - params[0] = OSSL_PARAM_construct_end(); - } - else - { - print_error("Unknown key type in digest_sign_verify()"); - return ret; - } - - EVP_PKEY_CTX *pctx = NULL; - EVP_MD_CTX *mctx = EVP_MD_CTX_new(); - - if (!mctx - || EVP_DigestSignInit_ex(mctx, &pctx, mdname, tls_libctx, NULL, privkey, params) <= 0) - { - /* cmocka assert output for these kinds of failures is hardly explanatory, - * print a message and assert in caller. */ - print_error("Failed to initialize EVP_DigestSignInit_ex()\n"); - goto done; - } - - /* sign with sig = NULL to get required siglen */ - if (EVP_DigestSign(mctx, sig, &siglen, (uint8_t *)test_msg, strlen(test_msg)) != 1) - { - print_error("EVP_DigestSign: failed to get required signature size"); - goto done; - } - assert_true(siglen > 0); - - if ((sig = test_calloc(1, siglen)) == NULL) - { - print_error("Out of memory"); - goto done; - } - if (EVP_DigestSign(mctx, sig, &siglen, (uint8_t *)test_msg, strlen(test_msg)) != 1) - { - print_error("EVP_DigestSign: signing failed"); - goto done; - } - - /* - * Now validate the signature using OpenSSL. Just use the public key - * which is a native OpenSSL key. - */ - EVP_MD_CTX_free(mctx); /* this also frees pctx */ - mctx = EVP_MD_CTX_new(); - pctx = NULL; - if (!mctx - || EVP_DigestVerifyInit_ex(mctx, &pctx, mdname, tls_libctx, NULL, pubkey, params) <= 0) - { - print_error("Failed to initialize EVP_DigestVerifyInit_ex()"); - goto done; - } - if (EVP_DigestVerify(mctx, sig, siglen, (uint8_t *)test_msg, strlen(test_msg)) != 1) - { - print_error("EVP_DigestVerify failed"); - goto done; - } - ret = 1; - -done: - if (mctx) - { - EVP_MD_CTX_free(mctx); /* this also frees pctx */ - } - test_free(sig); - return ret; -} +int digest_sign_verify(EVP_PKEY *privkey, EVP_PKEY *pubkey); /* Load sample certificates & keys, sign a test message using * them and verify the signature.