From patchwork Fri Sep 6 10:39:00 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Frank Lichtenheld X-Patchwork-Id: 3799 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:6bd4:b0:5b9:581e:f939 with SMTP id c20csp63808max; Fri, 6 Sep 2024 03:57:55 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCVdMn8s4j9/ptk6sD9cZcDVlXqUiALRCwuOwOgEqY5vlWOd0wlQuxIAXch71JM2MT19NauL1Zf8MNM=@openvpn.net X-Google-Smtp-Source: AGHT+IEuOEmVJENJPob1n3CQDcJqRKY3qtC+Y72Ljf8zwNFS1rzTdd/HZFt0rYYhz8ldNa/Nkq/d X-Received: by 2002:a05:6870:3290:b0:277:c084:5f75 with SMTP id 586e51a60fabf-27b82e1710fmr2364869fac.18.1725620274976; Fri, 06 Sep 2024 03:57:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1725620274; cv=none; d=google.com; s=arc-20240605; b=lWi3hlaoAryseRkigojWHzO/ieRVRw3xFPj2SA6e/JABu/i1SfYmEYGmL9Kj7OT6l3 k/12D+cMCTFwXA/qitHi0jmro/hR04dpH3LW11szmmz0QU6ck10w98rAFN6KAE4jlpVO bSZNJTvuG5tFdT7+ifLBIsqO4ltteFiXS5jb3mrX5rk8r83NIdVHB1zhocPD1ERYea7T 13LIZ3ALWLiR7SL0E3S9OMv3daGLK0EGSXgpQlsAHMQRpjoQpr9jiHWmjYw3kPcGCziw j+hr5hM2xxn2fcjZ0hKDeBjp7yrXz7evb6Eg1LWpPgOPfl6oZ8F703Sgo341lVGiCVgN rZLA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature:dkim-signature; bh=pH0imCKHdjOMxHE7UXHq3pSyeiS7rUeAA3eRt0kb/pw=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=bLegjmbbcmM786REARso+aVqt3r8vo+DtenZkjrMTbQTR3arh5L44URo2SPhmCxz+O tKosdd/RntNZFA3kbofYyBWNAdQUsUxZP7mcIZqxS8pT3eu6jshG2Bc8Ewx4X7c2kXgA lpv2Vt00+9VQ24y/oZU/HC/PDV9fDjYZA2ALuZA4tYs0SiqV3mVppOZfn6D2aFfO56t4 VAlel8e2RpuV5pDmcycM4rYu67HJr9px6xLDbopB0/MulvfWE7//WbdwvN2H8fZ2/tf5 6827iR/OIyBaUB9kPOpkW9/FmKNIzZqx3PvEBvyAZv+mzJXv6+C6LckKKqR/3MOy8gev mv4Q==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=J08BP1vr; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=TKBXCtKX; dkim=neutral (body hash did not verify) header.i=@lichtenheld.com header.s=MBO0001 header.b=k2dJqyVT; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 41be03b00d2f7-7d50b82cf6fsi3700644a12.244.2024.09.06.03.57.54 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 06 Sep 2024 03:57:54 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=J08BP1vr; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=TKBXCtKX; dkim=neutral (body hash did not verify) header.i=@lichtenheld.com header.s=MBO0001 header.b=k2dJqyVT; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1smWej-00009r-Sv; Fri, 06 Sep 2024 10:57:33 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1smWei-00009a-4v for openvpn-devel@lists.sourceforge.net; Fri, 06 Sep 2024 10:57:32 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=KZfxyrhrtFST7oCmL5dYhan4xIBc5nRweHzwjOUg4Zw=; b=J08BP1vrmR+iHFxBKfJTvA8UlG lJuaIS/VnYB9GA+9Fc1YMQNK8tUTY9Ty3K2141h15+4jwUp8eBl4d+qIzWgBxi94YV/5afRAV/I2E CkzVJdtU98EEkPSNCggER5zxnyw6uR1SgxeQlVpqGGDfP0H3w4JhGQMDiPvGCgNVjEkY=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=KZfxyrhrtFST7oCmL5dYhan4xIBc5nRweHzwjOUg4Zw=; b=TKBXCtKX1Z9LQAoikCCIwVxGHd D6YHtE+lBOpj42ljFVSeCKaXWzQhDk1kzKwAWjP7sG8OfZDCUv46pttyogcL509DxYR43g/bZqnIa uttVd7WTjC2GErN00GS/9HxbqN7ZYAaj+58K/PaTPtEkfUJtjzQCV95DHV/g8/Ky7Fc8=; Received: from mout-p-103.mailbox.org ([80.241.56.161]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1smWeh-0004eN-Ao for openvpn-devel@lists.sourceforge.net; Fri, 06 Sep 2024 10:57:32 +0000 Received: from smtp202.mailbox.org (smtp202.mailbox.org [IPv6:2001:67c:2050:b231:465::202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-103.mailbox.org (Postfix) with ESMTPS id 4X0XlT2gJWz9sk9; Fri, 6 Sep 2024 12:39:01 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lichtenheld.com; s=MBO0001; t=1725619141; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=KZfxyrhrtFST7oCmL5dYhan4xIBc5nRweHzwjOUg4Zw=; b=k2dJqyVTxEd+CyKPzp0MkKjRDmKtNCOtbk+dEAE+IHjA3nxzgzYY+tpB7F7fEW3hpC3U+w 4nXc6uIOA5LnpLG7lStP2ihWgLuLcBm71aA0FB/RzQbGyEI2MPwm5jsJNb71JZdwg/GhiJ 0P6R+M1rtNVDa80RTj8SA5/W30YT05dzIehTiMovz130+CP8MSK0FfzncIvPZu6NrAJRZy KNnIfhJY0qbDFqYPOIPkprOTVZw0e+VMzY7UTE5igQvBrNsQpOWWqD7+HnM3ILO3GNVS0l iQ/GxhR4q/yct2SEyMvO6cUgPiWZigQoIvXFGYiiveHD6EIn8KhwixuEKVxI+w== From: Frank Lichtenheld To: openvpn-devel@lists.sourceforge.net Date: Fri, 6 Sep 2024 12:39:00 +0200 Message-Id: <20240906103900.37037-1-frank@lichtenheld.com> In-Reply-To: References: MIME-Version: 1.0 X-Rspamd-Queue-Id: 4X0XlT2gJWz9sk9 X-Spam-Score: -0.9 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Selva Nair We do not load any providers, so only file: URI internally supported by OpenSSL 3+ is tested. On non-OpenSSL 3 builds the test prints "SKIPPED". v2: avoid dead code; rebase to current master Content analysis details: (-0.9 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at https://www.dnswl.org/, low trust [80.241.56.161 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1smWeh-0004eN-Ao Subject: [Openvpn-devel] [PATCH v2] Add a test for loading certificate and key using file: URI X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1809444005267931593?= X-GMAIL-MSGID: =?utf-8?q?1809444005267931593?= From: Selva Nair We do not load any providers, so only file: URI internally supported by OpenSSL 3+ is tested. On non-OpenSSL 3 builds the test prints "SKIPPED". v2: avoid dead code; rebase to current master Change-Id: I7615116b5251319aa1f13d671bab7013f3a043ea Signed-off-by: Selva Nair Acked-by: Frank Lichtenheld --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/730 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/tests/unit_tests/openvpn/test_ssl.c b/tests/unit_tests/openvpn/test_ssl.c index a5c58a0..a1ca344 100644 --- a/tests/unit_tests/openvpn/test_ssl.c +++ b/tests/unit_tests/openvpn/test_ssl.c @@ -66,6 +66,10 @@ } #endif +#if defined(ENABLE_CRYPTO_OPENSSL) && (OPENSSL_VERSION_NUMBER > 0x30000000L) +#define HAVE_OPENSSL_STORE +#endif + /* stubs for some unused functions instead of pulling in too many dependencies */ bool get_user_pass_cr(struct user_pass *up, const char *auth_file, const char *prefix, @@ -234,6 +238,45 @@ tls_ctx_free(&ctx); } +/* test loading cert and key using file:/path URI */ +static void +test_load_certificate_and_key_uri(void **state) +{ + (void) state; + +#if !defined(HAVE_OPENSSL_STORE) + skip(); +#else /* HAVE_OPENSSL_STORE */ + + struct tls_root_ctx ctx = { 0 }; + const char *certfile = global_state.certfile; + const char *keyfile = global_state.keyfile; + struct gc_arena *gc = &global_state.gc; + + struct buffer certuri = alloc_buf_gc(6 + strlen(certfile) + 1, gc); /* 6 bytes for "file:/" */ + struct buffer keyuri = alloc_buf_gc(6 + strlen(keyfile) + 1, gc); /* 6 bytes for "file:/" */ + + /* Windows temp file path starts with drive letter -- add a leading slash for URI */ + const char *lead = ""; +#ifdef _WIN32 + lead = "/"; +#endif /* _WIN32 */ + assert_true(buf_printf(&certuri, "file:%s%s", lead, certfile)); + assert_true(buf_printf(&keyuri, "file:%s%s", lead, keyfile)); + + /* On Windows replace any '\' in path by '/' required for URI */ +#ifdef _WIN32 + string_mod(BSTR(&certuri), CC_ANY, CC_BACKSLASH, '/'); + string_mod(BSTR(&keyuri), CC_ANY, CC_BACKSLASH, '/'); +#endif /* _WIN32 */ + + tls_ctx_client_new(&ctx); + tls_ctx_load_cert_file(&ctx, BSTR(&certuri), false); + assert_int_equal(tls_ctx_load_priv_file(&ctx, BSTR(&keyuri), false), 0); + tls_ctx_free(&ctx); +#endif /* HAVE_OPENSSL_STORE */ +} + static void init_implicit_iv(struct crypto_options *co) { @@ -469,6 +512,7 @@ const struct CMUnitTest tests[] = { cmocka_unit_test(crypto_pem_encode_certificate), cmocka_unit_test(test_load_certificate_and_key), + cmocka_unit_test(test_load_certificate_and_key_uri), cmocka_unit_test(test_data_channel_roundtrip_aes_128_gcm), cmocka_unit_test(test_data_channel_roundtrip_aes_192_gcm), cmocka_unit_test(test_data_channel_roundtrip_aes_256_gcm),