From patchwork Sat Dec 30 14:28:32 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gert Doering X-Patchwork-Id: 3538 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7301:2791:b0:100:d2e5:60d with SMTP id hm17csp588767dyb; Sat, 30 Dec 2023 06:43:57 -0800 (PST) X-Google-Smtp-Source: AGHT+IEY5Wlj0pvlx6iJR8dvAimFaUlKhcmt/X3v9FSBWBUA4UIpDi1T2guOJpIT9kxNvORZZ3z8 X-Received: by 2002:a17:90a:8a89:b0:28b:cfa3:8f0e with SMTP id x9-20020a17090a8a8900b0028bcfa38f0emr20304808pjn.3.1703947437194; Sat, 30 Dec 2023 06:43:57 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1703947437; cv=none; d=google.com; s=arc-20160816; b=ElEaFclbj/noCSRrMQWG7FvgKFoaydDrs4TMqetIRbB36GHCTm/CORA8g/PpZbM+Nm ZpP5Y0UALfIhjXl04f5/9N5ONxuuQtzNwqgnfwwfiVtr6o6R7CkMEnY85dLWcXoF7nfM 4avMZZ5gqfEdTBt9VxOWPjRfob0sGDaR6Frvx6/oT0k+o5UtPwZqHr0rRkOfvvmWqiNk Vwkno4lps2uyNx2RLWtDXQQe/Hz6SNelBuIoPvYpp4V7zF+A70+ytYNxOzNsuyJR/qRb qxtYCeVbcW4qv6DbkNxaPwdTncpPuR0E7BF7JYK45m61VEHBMlkIDcYBwSQ5vCVa+Dsc PF/A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature; bh=KW2qgRW/35RYVMNxECKK/rSdI7XqlIBEmK6t4dMNlHo=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=bDr20i6MA5VKKOWNRX6vUS8Y/4jb0gGIkPppafhCSXH6hfM4EYuqOeATQIDl9r4uQg d7noLOuUiYK8kJqXplkaMrPTmfLe/vsdqLeQidMH6pgYeqaR4M0CINKEu+tD7GxFnTmh uF7HWBdNX31zJCUH3ti0l5ctolgRI/sHiSoJI/JwYW63r9aoesMrZ1zzRKXAZdbsk/Cx sFkziO0uMiTyPgO0gWayO0bQU4HZitgqdXHwtZD3+oXYncuEzQk4ObT8WHet1NWHxeep EzNOQrhhkNKvwE7BbnVtoBzG9tGQnFijILxUPsTew66uVPa1e7sTJ1BL0PdfPt7UqhtN cRdw== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=PZGGc8Ip; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=e1rY3eqB; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id l13-20020a17090b078d00b0028ad32112d2si18975285pjz.78.2023.12.30.06.43.56 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sat, 30 Dec 2023 06:43:57 -0800 (PST) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=PZGGc8Ip; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=e1rY3eqB; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1rJaYo-00037B-Hv; Sat, 30 Dec 2023 14:43:34 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1rJaYk-000375-KF for openvpn-devel@lists.sourceforge.net; Sat, 30 Dec 2023 14:43:30 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=qS24pLatVKWCdzR7M4+sCG4S5V8py3p5Rd3NM3qafQQ=; b=PZGGc8Ip0mFlMrKgdAl3zRv5ks wfkbTfH84Cov5n1wWpHabIIeX2AqwMMJhH9Aq00+gFBPv+4sRYz7KtdbDkhfmHXRQUYmnQmxRz/gp SgaopY8badhj6dsh5Qy95h9ExdB417NvwXIDLfkrYpNkKt0oQNvr9LzUWSpIOmR60bEQ=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=qS24pLatVKWCdzR7M4+sCG4S5V8py3p5Rd3NM3qafQQ=; b=e1rY3eqBSTOLgev848CCgiZkFH EIte1hcBjjIM6SY9ICGw/Z2ntBt+7OevZ8RJyMC0c31udrpBulFFdSX/ef6B9sCKvb9svRistlF9g 7bAWvkhYe5xiRzJ1fBsCM4pA0O9D1amUEk0tsEv9b0kS7wTuczrPJHjRTEnp77D2Tp3k=; Received: from dhcp-174.greenie.muc.de ([193.149.48.174] helo=blue.greenie.muc.de) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1rJaYg-0007cl-Uy for openvpn-devel@lists.sourceforge.net; Sat, 30 Dec 2023 14:43:30 +0000 Received: from blue.greenie.muc.de (localhost [127.0.0.1]) by blue.greenie.muc.de (8.17.1.9/8.17.1.9) with ESMTP id 3BUESXN3031833 for ; Sat, 30 Dec 2023 15:28:33 +0100 Received: (from gert@localhost) by blue.greenie.muc.de (8.17.1.9/8.17.1.9/Submit) id 3BUESXdn031832 for openvpn-devel@lists.sourceforge.net; Sat, 30 Dec 2023 15:28:33 +0100 From: Gert Doering To: openvpn-devel@lists.sourceforge.net Date: Sat, 30 Dec 2023 15:28:32 +0100 Message-ID: <20231230142832.31823-1-gert@greenie.muc.de> X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 X-Spam-Score: -0.0 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Arne Schwabe This introduces a number of mock function to be able to compile ssl_verify_*.c and ssl_mbedtls.c/ssl_openssl.c into a unit and adds quite a number of files to that unit. But it allows similar unit tes [...] Content analysis details: (-0.0 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 SPF_PASS SPF: sender matches SPF record -0.0 SPF_HELO_PASS SPF: HELO matches SPF record -0.0 T_SCC_BODY_TEXT_LINE No description available. X-Headers-End: 1rJaYg-0007cl-Uy Subject: [Openvpn-devel] [PATCH v3] Add test_ssl unit test and test export of PEM to file X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1786718388204053047?= X-GMAIL-MSGID: =?utf-8?q?1786718388204053047?= From: Arne Schwabe This introduces a number of mock function to be able to compile ssl_verify_*.c and ssl_mbedtls.c/ssl_openssl.c into a unit and adds quite a number of files to that unit. But it allows similar unit tests (in term of dependencies) to be added in the future. Change-Id: Ie248d35d063bb6878f3dd42840c77ba0d6fa3381 Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/471 This mail reflects revision 3 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 4393f5c..bdb30c8 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -85,7 +85,7 @@ fail-fast: false matrix: arch: [x86, x64] - test: [argv, auth_token, buffer, cryptoapi, crypto, misc, ncp, packet_id, pkt, provider, tls_crypt] + test: [argv, auth_token, buffer, cryptoapi, crypto, misc, ncp, packet_id, pkt, provider, ssl, tls_crypt] runs-on: windows-latest name: "mingw unittest ${{ matrix.test }} - ${{ matrix.arch }} - OSSL" diff --git a/CMakeLists.txt b/CMakeLists.txt index 6cbee56..6ac453c 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -588,6 +588,7 @@ "test_packet_id" "test_pkt" "test_provider" + "test_ssl" ) if (WIN32) @@ -697,6 +698,34 @@ src/openvpn/mss.c ) + target_sources(test_ssl PRIVATE + tests/unit_tests/openvpn/mock_management.c + tests/unit_tests/openvpn/mock_ssl_dependencies.c + tests/unit_tests/openvpn/mock_win32_execve.c + src/openvpn/argv.c + src/openvpn/base64.c + src/openvpn/block_dns.c + src/openvpn/crypto.c + src/openvpn/crypto_mbedtls.c + src/openvpn/crypto_openssl.c + src/openvpn/cryptoapi.c + src/openvpn/env_set.c + src/openvpn/env_set.c + src/openvpn/mss.c + src/openvpn/mtu.c + src/openvpn/options_util.c + src/openvpn/otime.c + src/openvpn/packet_id.c + src/openvpn/run_command.c + src/openvpn/ssl_mbedtls.c + src/openvpn/ssl_openssl.c + src/openvpn/ssl_util.c + src/openvpn/ssl_verify_mbedtls.c + src/openvpn/ssl_verify_openssl.c + src/openvpn/xkey_helper.c + src/openvpn/xkey_provider.c + ) + target_sources(test_misc PRIVATE tests/unit_tests/openvpn/mock_get_random.c src/openvpn/options_util.c diff --git a/tests/unit_tests/openvpn/Makefile.am b/tests/unit_tests/openvpn/Makefile.am index ef45b11..eb8ccc8 100644 --- a/tests/unit_tests/openvpn/Makefile.am +++ b/tests/unit_tests/openvpn/Makefile.am @@ -7,7 +7,8 @@ endif test_binaries += crypto_testdriver packet_id_testdriver auth_token_testdriver ncp_testdriver misc_testdriver \ - pkt_testdriver + pkt_testdriver ssl_testdriver + if HAVE_LD_WRAP_SUPPORT if !WIN32 test_binaries += tls_crypt_testdriver @@ -67,6 +68,28 @@ $(top_srcdir)/src/openvpn/win32-util.c \ $(top_srcdir)/src/openvpn/mss.c +ssl_testdriver_CFLAGS = @TEST_CFLAGS@ \ + -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn +ssl_testdriver_LDFLAGS = @TEST_LDFLAGS@ +ssl_testdriver_SOURCES = test_crypto.c mock_msg.c mock_msg.h \ + mock_management.c mock_ssl_dependencies.c mock_win32_execve.c \ + $(top_srcdir)/src/openvpn/buffer.c \ + $(top_srcdir)/src/openvpn/crypto.c \ + $(top_srcdir)/src/openvpn/crypto_mbedtls.c \ + $(top_srcdir)/src/openvpn/crypto_openssl.c \ + $(top_srcdir)/src/openvpn/otime.c \ + $(top_srcdir)/src/openvpn/packet_id.c \ + $(top_srcdir)/src/openvpn/platform.c \ + $(top_srcdir)/src/openvpn/mtu.c \ + $(top_srcdir)/src/openvpn/win32-util.c \ + $(top_srcdir)/src/openvpn/mss.c \ + $(top_srcdir)/src/openvpn/xkey_provider.c \ + $(top_srcdir)/src/openvpn/xkey_helper.c \ + $(top_srcdir)/src/openvpn/ssl_util.c \ + $(top_srcdir)/src/openvpn/base64.c \ + $(top_srcdir)/src/openvpn/cryptoapi.c + + packet_id_testdriver_CFLAGS = @TEST_CFLAGS@ \ -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn packet_id_testdriver_LDFLAGS = @TEST_LDFLAGS@ diff --git a/tests/unit_tests/openvpn/mock_management.c b/tests/unit_tests/openvpn/mock_management.c new file mode 100644 index 0000000..8936c3a --- /dev/null +++ b/tests/unit_tests/openvpn/mock_management.c @@ -0,0 +1,51 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2002-2023 OpenVPN Inc + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +/* Minimal set of mocked management function/globals to get unit tests to + * compile */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "syshead.h" + +#include "manage.h" + +#ifdef ENABLE_MANAGEMENT + +struct management *management; /* GLOBAL */ + +void +management_auth_failure(struct management *man, const char *type, const char *reason) +{ + ASSERT(false); +} + +char * +management_query_pk_sig(struct management *man, const char *b64_data, + const char *algorithm) +{ + return NULL; +} +#endif diff --git a/tests/unit_tests/openvpn/mock_ssl_dependencies.c b/tests/unit_tests/openvpn/mock_ssl_dependencies.c new file mode 100644 index 0000000..9231d65 --- /dev/null +++ b/tests/unit_tests/openvpn/mock_ssl_dependencies.c @@ -0,0 +1,67 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2002-2023 OpenVPN Inc + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +/* Minimal set of mocked function/globals to get unit tests to + * compile that use the ssl_* files */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "syshead.h" + +#include +#include + + +#include "ssl.h" +#include "ssl_verify.h" + +int +parse_line(const char *line, char **p, const int n, const char *file, + const int line_num, int msglevel, struct gc_arena *gc) +{ + /* Dummy function to get the linker happy, should never be called */ + assert_true(false); + return 0; +} + + +int +pem_password_callback(char *buf, int size, int rwflag, void *u) +{ + return 0; +} + +void +cert_hash_remember(struct tls_session *session, const int cert_depth, + const struct buffer *cert_hash) +{ + assert_false(true); +} + +result_t +verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_depth) +{ + return FAILURE; +} diff --git a/tests/unit_tests/openvpn/test_ssl.c b/tests/unit_tests/openvpn/test_ssl.c new file mode 100644 index 0000000..acaaad5 --- /dev/null +++ b/tests/unit_tests/openvpn/test_ssl.c @@ -0,0 +1,139 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2023 OpenVPN Inc + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "syshead.h" + +#include +#include +#include +#include +#include +#include + +#include "crypto.h" +#include "options.h" +#include "ssl_backend.h" +#include "options_util.h" + +#include "mock_msg.h" +#include "mss.h" +#include "ssl_verify_backend.h" +#include "win32.h" + +/* Mock function to be allowed to include win32.c which is required for + * getting the temp directory */ +#ifdef _WIN32 +struct signal_info siginfo_static; /* GLOBAL */ + +const char * +strerror_win32(DWORD errnum, struct gc_arena *gc) +{ + ASSERT(false); +} + +void +throw_signal(const int signum) +{ + ASSERT(false); +} +#endif + + +const char *unittest_cert = "-----BEGIN CERTIFICATE-----\n" + "MIIBuTCCAUCgAwIBAgIUTLtjSBzx53qZRvZ6Ur7D9kgoOHkwCgYIKoZIzj0EAwIw\n" + "EzERMA8GA1UEAwwIdW5pdHRlc3QwIBcNMjMxMTIxMDk1NDQ3WhgPMjA3ODA4MjQw\n" + "OTU0NDdaMBMxETAPBgNVBAMMCHVuaXR0ZXN0MHYwEAYHKoZIzj0CAQYFK4EEACID\n" + "YgAEHYB2hn2xx3f4lClXDtdi36P19pMZA+kI1Dkv/Vn10vBZ/j9oa+P99T8duz/e\n" + "QlPeHpesNJO4fX8iEDj6+vMeWejOT7jAQ4MmG5EZjpcBKxCfwFooEvzu8bVujUcu\n" + "wTQEo1MwUTAdBgNVHQ4EFgQUPcgBEVXjF5vYfDsInoE3dF6UfQswHwYDVR0jBBgw\n" + "FoAUPcgBEVXjF5vYfDsInoE3dF6UfQswDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjO\n" + "PQQDAgNnADBkAjBLPAGrQAyinigqiu0RomoV8TVaknVLFSq6H6A8jgvzfsFCUK1O\n" + "dvNZhFPM6idKB+oCME2JLOBANCSV8o7aJzq7SYHKwPyb1J4JFlwKe/0Jpv7oh9b1\n" + "IJbuaM9Z/VSKbrIXGg==\n" + "-----END CERTIFICATE-----\n"; + +static const char * +get_tmp_dir() +{ + const char *ret; +#ifdef _WIN32 + ret = win_get_tempdir(); +#else + ret = "/tmp"; +#endif + assert_non_null(ret); + return ret; +} + +static void +crypto_pem_encode_certificate(void **state) +{ + struct gc_arena gc = gc_new(); + + struct tls_root_ctx ctx = { 0 }; + tls_ctx_client_new(&ctx); + tls_ctx_load_cert_file(&ctx, unittest_cert, true); + + openvpn_x509_cert_t *cert = NULL; + + /* we do not have methods to fetch certificates from ssl contexts, use + * internal TLS library methods for the unit test */ +#ifdef ENABLE_CRYPTO_OPENSSL + cert = SSL_CTX_get0_certificate(ctx.ctx); +#elif defined(ENABLE_CRYPTO_MBEDTLS) + cert = ctx.crt_chain; +#endif + + const char *tmpfile = platform_create_temp_file(get_tmp_dir(), "ut_pem", &gc); + backend_x509_write_pem(cert, tmpfile); + + struct buffer exported_pem = buffer_read_from_file(tmpfile, &gc); + assert_string_equal(BSTR(&exported_pem), unittest_cert); + + unlink(tmpfile); + gc_free(&gc); +} + +int +main(void) +{ + const struct CMUnitTest tests[] = { + cmocka_unit_test(crypto_pem_encode_certificate) + }; + +#if defined(ENABLE_CRYPTO_OPENSSL) + OpenSSL_add_all_algorithms(); +#endif + + int ret = cmocka_run_group_tests_name("crypto tests", tests, NULL, NULL); + +#if defined(ENABLE_CRYPTO_OPENSSL) + EVP_cleanup(); +#endif + + return ret; +}