From patchwork Wed Mar 22 22:14:54 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Selva Nair <selva.nair@gmail.com>
X-Patchwork-Id: 3155
Return-Path: <openvpn-devel-bounces@lists.sourceforge.net>
Delivered-To: patchwork@openvpn.net
Received: by 2002:a05:7300:2310:b0:9f:bfa4:120f with SMTP id r16csp3544288dye;
        Wed, 22 Mar 2023 15:15:50 -0700 (PDT)
X-Google-Smtp-Source: 
 AK7set9G5RVS2sNTuxZn7QSR6IPIBj71VojziB0bDpm7LSGvP4Y6mNyM6/hGpjNmE4tUy5UYSL33
X-Received: by 2002:a17:90b:3b4b:b0:23a:ad68:25a7 with SMTP id
 ot11-20020a17090b3b4b00b0023aad6825a7mr4954373pjb.2.1679523350237;
        Wed, 22 Mar 2023 15:15:50 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1679523350; cv=none;
        d=google.com; s=arc-20160816;
        b=g3WRx4z1Rn21MXfpAhFFatpHSb4XFx+Rw+SVMf+cMPTeRm1pJnY+2EU9lc7JZxS9TO
         iRXlvEvdhEkF3auMDFaxrplVJ2lHWQ0GMH8w2dHM5Uuc2L8ZKG42guOgcPbfm6xprgK7
         AcfCjtpKHH8xOJDMZNkPQUCmR3agZZ5o2pqiH/Ji9KWcktIEmP8uqPv76oc7pvoVyqXy
         b2hZSg5JsN7daHAuclzOK8fYJROwRpBoUdhK/R8BtTaE4XAED88P7axrRPzStLuVSCZo
         Te+3vaih6SXRjgirfOke+VWzrm1Ed+d+5Mmq4tA5KMICjNr4EIBkhP+Hu5eYoIg0VPzo
         EOuA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=errors-to:content-transfer-encoding:list-subscribe:list-help
         :list-post:list-archive:list-unsubscribe:list-id:precedence:subject
         :mime-version:message-id:date:to:from:dkim-signature:dkim-signature
         :dkim-signature;
        bh=9oU6U0eTynbemEn8yFYTSKF5rfyLVXTERfdsdRwVHBs=;
        b=BUF5d7cZYjDw2j3dQrsRzSFkcAYZmIgvTgkroshaZLbThseixckR13wqv4sVsfDThD
         REhZCVEPFcVK4u23FqktDC63Sk/DVWL83hl6/00Kt7pBX96+NJzxBQLtqVdTtAfbQgVB
         v7824+J9b9BRtGi/I4wDYuPN2gZuyEJjiub+6wmntrIFfBa4jrTusc/wUuOpxZqIOwma
         3yS7iPu04nUxzzvY2Bna39v5KTq8QJFhEi9ShaNOWjTgv6PUxDPF9JEdWgTnQRaPF0he
         rMLqJw6XLxsj5EU4niBo85efJ7WfDSR342qM5nMKxSBRrL8gITPNHn0/Ys2XC1EGhVw1
         GxAg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@sourceforge.net
 header.s=x header.b=Im7UBqJe;
       dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
 header.b=f5d4+Zje;
       dkim=neutral (body hash did not verify) header.i=@gmail.com
 header.s=20210112 header.b=o0g2WZSK;
       spf=pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net;
       dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from lists.sourceforge.net ([216.105.38.7])
        by mx.google.com with ESMTPS id
 gl18-20020a17090b121200b002340b11f1e8si53924pjb.44.2023.03.22.15.15.50
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 22 Mar 2023 15:15:50 -0700 (PDT)
Received-SPF: pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) client-ip=216.105.38.7;
Authentication-Results: mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@sourceforge.net
 header.s=x header.b=Im7UBqJe;
       dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
 header.b=f5d4+Zje;
       dkim=neutral (body hash did not verify) header.i=@gmail.com
 header.s=20210112 header.b=o0g2WZSK;
       spf=pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net;
       dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com)
	by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.95)
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	id 1pf6jk-0002pV-L4;
	Wed, 22 Mar 2023 22:15:17 +0000
Received: from [172.30.20.202] (helo=mx.sourceforge.net)
 by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95)
 (envelope-from <selva.nair@gmail.com>) id 1pf6jj-0002pP-0H
 for openvpn-devel@lists.sourceforge.net;
 Wed, 22 Mar 2023 22:15:15 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:Message-Id:
 Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID:
 Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
 :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
 List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=WSlfwYzufgXkPHil9AlShSz/Ure5KqmmGJowyxlQ+A8=; b=Im7UBqJexLWqQfUDq/DWWosRyR
 waziTvkMMQhIF4DbRVLkEJMw43qk5oWUEosG7OvWdzi1eMeFuGKMeMEukSTnUv9E7K/eS1/JxdPcJ
 O0pVyEKTSnW8JWfcRMiHHhPKKo69A4x6m5LZiWfXBCb/lZyFFfCKOGBKptolwrboUaSI=;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x
 ;
 h=Content-Transfer-Encoding:MIME-Version:Message-Id:Date:Subject:Cc:To:From
 :Sender:Reply-To:Content-Type:Content-ID:Content-Description:Resent-Date:
 Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:
 References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:
 List-Owner:List-Archive; bh=WSlfwYzufgXkPHil9AlShSz/Ure5KqmmGJowyxlQ+A8=; b=f
 5d4+Zjei01WL86Yr3EPJItrCdNrwvjVUEdrxbd5WZC0uiaDPPUIev+4VAh9JP0pKcIaRN8fhcg25N
 RnYF/pUQ925nUlCs8RBqfLB7DTArzMagsOqHXdhdRZ9s4pZhQF/zyxhXgXMZ7EAMF+Dq7b4ngWEKE
 uyDZmbWE3t/aozwU=;
Received: from mail-io1-f48.google.com ([209.85.166.48])
 by sfi-mx-1.v28.lw.sourceforge.com with esmtps
 (TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.95)
 id 1pf6ji-00H3S2-PH for openvpn-devel@lists.sourceforge.net;
 Wed, 22 Mar 2023 22:15:15 +0000
Received: by mail-io1-f48.google.com with SMTP id bf15so9171062iob.7
 for <openvpn-devel@lists.sourceforge.net>;
 Wed, 22 Mar 2023 15:15:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20210112; t=1679523309; x=1682115309;
 h=content-transfer-encoding:mime-version:message-id:date:subject:cc
 :to:from:from:to:cc:subject:date:message-id:reply-to;
 bh=WSlfwYzufgXkPHil9AlShSz/Ure5KqmmGJowyxlQ+A8=;
 b=o0g2WZSKKnp7sKl1AXJqHp/96YHcOyTc89/otgjxC73GNscs/PI1hepBsBqtXV0MAa
 arMfMN6KfAUAZAVMz2GOsEy7KJGEkzORNnkaR82yJH76kykaQpESDL+/u8aqZG62NKUs
 5DNavEpqy37conzm53XbeYkmcpNu5rvcBIMNTcAMGpke4McYVeenJb4vlnFTHItGhgTX
 9B3yaJ/2Oici4L7NF4twHkQWa68rTJjfXbz6B5uM5Vnt91TOX+GSb0fk0O/BXn1lYwhV
 fxFf0xla/5mWrJ0c9XYfrARQ+D+HfRQengfxP4RsUzHV7M2obHdN87ADw++0ekC9ArDE
 UfoQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112; t=1679523309; x=1682115309;
 h=content-transfer-encoding:mime-version:message-id:date:subject:cc
 :to:from:x-gm-message-state:from:to:cc:subject:date:message-id
 :reply-to;
 bh=WSlfwYzufgXkPHil9AlShSz/Ure5KqmmGJowyxlQ+A8=;
 b=Z391OnZgDpuoWkOS5MmV/Q1XlMCo6lzZ2ew3ZZp+YgHicKh8mEGgBc74ednQzXhv1u
 0yiYTYW0Ni8ZVm4Uo+tXipzKRMPy80xz9HVqsWEzHZpOsPMAJ6uk5i71BpSR29yLu/BY
 nH6FFK242TQdzea4dDdNoEGWv7JCaiM8rsz6uD5VkylQbZuzX3OTclHEK1crwb7uXxXb
 gsmg3J1OibA3aWYh3s5V5syEb/phAr6Kpn/l2ZVHejsXn3FbJUi5Vx2a6qW5w/QDwsdg
 UaY4e0xsFzi4YhZwyB5Vo6CWTNYglTuBp4j9csz4ymWv7yymvDJ7cIKR/Yr68CcwGhiV
 OkMw==
X-Gm-Message-State: AO0yUKWuj8IMk7r03DCQwnMOuPDTFcf6VMoYFAF3VW37odv1a4yxahMj
 p/dy58GcDg+gpHW1Da2xInYeML/SuLVsWQ==
X-Received: by 2002:a05:6602:168a:b0:758:6517:c621 with SMTP id
 s10-20020a056602168a00b007586517c621mr4233818iow.2.1679523308834;
 Wed, 22 Mar 2023 15:15:08 -0700 (PDT)
Received: from uranus.sansel.ca
 (bras-vprn-tnhlon4053w-lp130-01-70-51-222-66.dsl.bell.ca. [70.51.222.66])
 by smtp.gmail.com with ESMTPSA id
 d2-20020a0566380d4200b00406d71405bcsm1573044jak.44.2023.03.22.15.15.08
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Wed, 22 Mar 2023 15:15:08 -0700 (PDT)
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 22 Mar 2023 18:14:54 -0400
Message-Id: <20230322221456.1660425-1-selva.nair@gmail.com>
X-Mailer: git-send-email 2.34.1
MIME-Version: 1.0
X-Spam-Score: -0.2 (/)
X-Spam-Report: Spam detection software,
 running on the system "util-spamd-2.v13.lw.sourceforge.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview: From: Selva Nair - This function will be reused for testing
 pkcs11 Signed-off-by: Selva Nair --- tests/unit_tests/openvpn/Makefile.am
 | 1 + tests/unit_tests/openvpn/pkey_test_utils.c | 141 +++++++++++++++++++++
 tests/unit_tests/openvpn/test_cryptoapi.c | 98 +------ [...]
 Content analysis details:   (-0.2 points, 6.0 required)
 pts rule name              description
 ---- ----------------------
 --------------------------------------------------
 -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/,
 no trust [209.85.166.48 listed in list.dnswl.org]
 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail
 provider [selva.nair[at]gmail.com]
 -0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
 -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
 author's domain
 -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
 envelope-from domain
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature,
 not necessarily
 valid
X-Headers-End: 1pf6ji-00H3S2-PH
Subject: [Openvpn-devel] [PATCH 1/3] Move digest_sign_verify out of
 test_cryptoapi.c
X-BeenThere: openvpn-devel@lists.sourceforge.net
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <openvpn-devel.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/options/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: 
 <http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel>
List-Post: <mailto:openvpn-devel@lists.sourceforge.net>
List-Help: <mailto:openvpn-devel-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=subscribe>
Errors-To: openvpn-devel-bounces@lists.sourceforge.net
X-getmail-retrieved-from-mailbox: Inbox
X-GMAIL-THRID: =?utf-8?q?1761107876339556643?=
X-GMAIL-MSGID: =?utf-8?q?1761107876339556643?=

From: Selva Nair <selva.nair@gmail.com>

- This function will be reused for testing pkcs11

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-By: Frank Lichtenheld <frank@lichtenheld.com>
---
 tests/unit_tests/openvpn/Makefile.am       |   1 +
 tests/unit_tests/openvpn/pkey_test_utils.c | 141 +++++++++++++++++++++
 tests/unit_tests/openvpn/test_cryptoapi.c  |  98 +-------------
 3 files changed, 143 insertions(+), 97 deletions(-)
 create mode 100644 tests/unit_tests/openvpn/pkey_test_utils.c

diff --git a/tests/unit_tests/openvpn/Makefile.am b/tests/unit_tests/openvpn/Makefile.am
index 4391a54e..30659561 100644
--- a/tests/unit_tests/openvpn/Makefile.am
+++ b/tests/unit_tests/openvpn/Makefile.am
@@ -156,6 +156,7 @@ cryptoapi_testdriver_CFLAGS  = @TEST_CFLAGS@ \
 cryptoapi_testdriver_LDFLAGS = @TEST_LDFLAGS@ \
 	$(OPTIONAL_CRYPTO_LIBS) -lcrypt32 -lncrypt
 cryptoapi_testdriver_SOURCES = test_cryptoapi.c mock_msg.c \
+	pkey_test_utils.c \
 	$(top_srcdir)/src/openvpn/xkey_helper.c \
 	$(top_srcdir)/src/openvpn/xkey_provider.c \
 	$(top_srcdir)/src/openvpn/buffer.c \
diff --git a/tests/unit_tests/openvpn/pkey_test_utils.c b/tests/unit_tests/openvpn/pkey_test_utils.c
new file mode 100644
index 00000000..7adaf33f
--- /dev/null
+++ b/tests/unit_tests/openvpn/pkey_test_utils.c
@@ -0,0 +1,141 @@
+/*
+ *  OpenVPN -- An application to securely tunnel IP networks
+ *             over a single UDP port, with support for SSL/TLS-based
+ *             session authentication and key exchange,
+ *             packet encryption, packet authentication, and
+ *             packet compression.
+ *
+ *  Copyright (C) 2023 Selva Nair <selva.nair@gmail.com>
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by the
+ *  Free Software Foundation, either version 2 of the License,
+ *  or (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#elif defined(_MSC_VER)
+#include "config-msvc.h"
+#endif
+
+
+#include "syshead.h"
+#include "xkey_common.h"
+#include <setjmp.h>
+#include <cmocka.h>
+
+#ifdef HAVE_XKEY_PROVIDER
+
+#include <openssl/core_names.h>
+#include <openssl/evp.h>
+
+extern OSSL_LIB_CTX *tls_libctx;
+
+/* A message for signing */
+static const char *test_msg = "Lorem ipsum dolor sit amet, consectetur "
+                              "adipisici elit, sed eiusmod tempor incidunt "
+                              "ut labore et dolore magna aliqua.";
+
+/**
+ * Sign "test_msg" using a private key. The key may be a "provided" key
+ * in which case its signed by the provider's backend -- cryptoapi in our
+ * case. Then verify the signature using OpenSSL.
+ * Returns 1 on success, 0 on error.
+ */
+int
+digest_sign_verify(EVP_PKEY *privkey, EVP_PKEY *pubkey)
+{
+    uint8_t *sig = NULL;
+    size_t siglen = 0;
+    int ret = 0;
+
+    OSSL_PARAM params[2] = {OSSL_PARAM_END};
+    const char *mdname = "SHA256";
+
+    if (EVP_PKEY_get_id(privkey) == EVP_PKEY_RSA)
+    {
+        const char *padmode = "pss"; /* RSA_PSS: for all other params, use defaults */
+        params[0] = OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE,
+                                                     (char *)padmode, 0);
+        params[1] = OSSL_PARAM_construct_end();
+    }
+    else if (EVP_PKEY_get_id(privkey) == EVP_PKEY_EC)
+    {
+        params[0] = OSSL_PARAM_construct_end();
+    }
+    else
+    {
+        print_error("Unknown key type in digest_sign_verify()");
+        return ret;
+    }
+
+    EVP_PKEY_CTX *pctx = NULL;
+    EVP_MD_CTX *mctx = EVP_MD_CTX_new();
+
+    if (!mctx
+        || EVP_DigestSignInit_ex(mctx, &pctx, mdname, tls_libctx, NULL, privkey,  params) <= 0)
+    {
+        /* cmocka assert output for these kinds of failures is hardly explanatory,
+         * print a message and assert in caller. */
+        print_error("Failed to initialize EVP_DigestSignInit_ex()\n");
+        goto done;
+    }
+
+    /* sign with sig = NULL to get required siglen */
+    if (EVP_DigestSign(mctx, sig, &siglen, (uint8_t *)test_msg, strlen(test_msg)) != 1)
+    {
+        print_error("EVP_DigestSign: failed to get required signature size");
+        goto done;
+    }
+    assert_true(siglen > 0);
+
+    if ((sig = test_calloc(1, siglen)) == NULL)
+    {
+        print_error("Out of memory");
+        goto done;
+    }
+    if (EVP_DigestSign(mctx, sig, &siglen, (uint8_t *)test_msg, strlen(test_msg)) != 1)
+    {
+        print_error("EVP_DigestSign: signing failed");
+        goto done;
+    }
+
+    /*
+     * Now validate the signature using OpenSSL. Just use the public key
+     * which is a native OpenSSL key.
+     */
+    EVP_MD_CTX_free(mctx); /* this also frees pctx */
+    mctx = EVP_MD_CTX_new();
+    pctx = NULL;
+    if (!mctx
+        || EVP_DigestVerifyInit_ex(mctx, &pctx, mdname, tls_libctx, NULL, pubkey,  params) <= 0)
+    {
+        print_error("Failed to initialize EVP_DigestVerifyInit_ex()");
+        goto done;
+    }
+    if (EVP_DigestVerify(mctx, sig, siglen, (uint8_t *)test_msg, strlen(test_msg)) != 1)
+    {
+        print_error("EVP_DigestVerify failed");
+        goto done;
+    }
+    ret = 1;
+
+done:
+    if (mctx)
+    {
+        EVP_MD_CTX_free(mctx); /* this also frees pctx */
+    }
+    test_free(sig);
+    return ret;
+}
+#endif /* HAVE_XKEY_PROVIDER */
diff --git a/tests/unit_tests/openvpn/test_cryptoapi.c b/tests/unit_tests/openvpn/test_cryptoapi.c
index e64a1de3..c8468103 100644
--- a/tests/unit_tests/openvpn/test_cryptoapi.c
+++ b/tests/unit_tests/openvpn/test_cryptoapi.c
@@ -67,11 +67,6 @@ OSSL_LIB_CTX *tls_libctx;
 #define _countof(x) sizeof((x))/sizeof(*(x))
 #endif
 
-/* A message for signing */
-static const char *test_msg = "Lorem ipsum dolor sit amet, consectetur "
-                              "adipisici elit, sed eiusmod tempor incidunt "
-                              "ut labore et dolore magna aliqua.";
-
 /* test data */
 static const uint8_t test_hash[] = {
     0x77, 0x38, 0x65, 0x00, 0x1e, 0x96, 0x48, 0xc6, 0x57, 0x0b, 0xae,
@@ -374,98 +369,7 @@ teardown_xkey_provider(void **state)
     return 0;
 }
 
-/**
- * Sign "test_msg" using a private key. The key may be a "provided" key
- * in which case its signed by the provider's backend -- cryptoapi in our
- * case. Then verify the signature using OpenSSL.
- * Returns 1 on success, 0 on error.
- */
-static int
-digest_sign_verify(EVP_PKEY *privkey, EVP_PKEY *pubkey)
-{
-    uint8_t *sig = NULL;
-    size_t siglen = 0;
-    int ret = 0;
-
-    OSSL_PARAM params[2] = {OSSL_PARAM_END};
-    const char *mdname = "SHA256";
-
-    if (EVP_PKEY_get_id(privkey) == EVP_PKEY_RSA)
-    {
-        const char *padmode = "pss"; /* RSA_PSS: for all other params, use defaults */
-        params[0] = OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_PAD_MODE,
-                                                     (char *)padmode, 0);
-        params[1] = OSSL_PARAM_construct_end();
-    }
-    else if (EVP_PKEY_get_id(privkey) == EVP_PKEY_EC)
-    {
-        params[0] = OSSL_PARAM_construct_end();
-    }
-    else
-    {
-        print_error("Unknown key type in digest_sign_verify()");
-        return ret;
-    }
-
-    EVP_PKEY_CTX *pctx = NULL;
-    EVP_MD_CTX *mctx = EVP_MD_CTX_new();
-
-    if (!mctx
-        || EVP_DigestSignInit_ex(mctx, &pctx, mdname, tls_libctx, NULL, privkey,  params) <= 0)
-    {
-        /* cmocka assert output for these kinds of failures is hardly explanatory,
-         * print a message and assert in caller. */
-        print_error("Failed to initialize EVP_DigestSignInit_ex()\n");
-        goto done;
-    }
-
-    /* sign with sig = NULL to get required siglen */
-    if (EVP_DigestSign(mctx, sig, &siglen, (uint8_t *)test_msg, strlen(test_msg)) != 1)
-    {
-        print_error("EVP_DigestSign: failed to get required signature size");
-        goto done;
-    }
-    assert_true(siglen > 0);
-
-    if ((sig = test_calloc(1, siglen)) == NULL)
-    {
-        print_error("Out of memory");
-        goto done;
-    }
-    if (EVP_DigestSign(mctx, sig, &siglen, (uint8_t *)test_msg, strlen(test_msg)) != 1)
-    {
-        print_error("EVP_DigestSign: signing failed");
-        goto done;
-    }
-
-    /*
-     * Now validate the signature using OpenSSL. Just use the public key
-     * which is a native OpenSSL key.
-     */
-    EVP_MD_CTX_free(mctx); /* this also frees pctx */
-    mctx = EVP_MD_CTX_new();
-    pctx = NULL;
-    if (!mctx
-        || EVP_DigestVerifyInit_ex(mctx, &pctx, mdname, tls_libctx, NULL, pubkey,  params) <= 0)
-    {
-        print_error("Failed to initialize EVP_DigestVerifyInit_ex()");
-        goto done;
-    }
-    if (EVP_DigestVerify(mctx, sig, siglen, (uint8_t *)test_msg, strlen(test_msg)) != 1)
-    {
-        print_error("EVP_DigestVerify failed");
-        goto done;
-    }
-    ret = 1;
-
-done:
-    if (mctx)
-    {
-        EVP_MD_CTX_free(mctx); /* this also frees pctx */
-    }
-    test_free(sig);
-    return ret;
-}
+int digest_sign_verify(EVP_PKEY *privkey, EVP_PKEY *pubkey);
 
 /* Load sample certificates & keys, sign a test message using
  * them and verify the signature.

From patchwork Wed Mar 22 22:14:55 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Selva Nair <selva.nair@gmail.com>
X-Patchwork-Id: 3156
Return-Path: <openvpn-devel-bounces@lists.sourceforge.net>
Delivered-To: patchwork@openvpn.net
Received: by 2002:a05:7300:2310:b0:9f:bfa4:120f with SMTP id r16csp3544284dye;
        Wed, 22 Mar 2023 15:15:50 -0700 (PDT)
Authentication-Results: mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@sourceforge.net
 header.s=x header.b=TF4o+PMq;
       dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
 header.b=YA9FzNRX;
       dkim=neutral (body hash did not verify) header.i=@gmail.com
 header.s=20210112 header.b=GGhTKOvU
X-Google-Smtp-Source: 
 AK7set9TF5Cduhih/LR7YwMXj5/BXAXaUr2yrd47ws86T9NqPVa3FNbilZN/ucLktnqD+VNiI98i
X-Received: by 2002:a17:90b:38c8:b0:23b:4005:26e6 with SMTP id
 nn8-20020a17090b38c800b0023b400526e6mr5167659pjb.34.1679523349854;
        Wed, 22 Mar 2023 15:15:49 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1679523349; cv=none;
        d=google.com; s=arc-20160816;
        b=hnxfy4zhQkw0ykZjsM5VJOEmBxB3QhMUISh/ybvJv/AUGaNbS/ON5JbspreBlw1RiK
         PxTwwz6n2uwkxazyKEmQLp5m3Q7z0Ug/JDzLz9aWkpMiMZS1vssRZQZGMD11O4ax63x6
         +Ytgcy+TvQVn4chDPlFfiSonUvD+SQDjhjvJb3lqsdwKN8k9+rF+13wuEW2m+VOGWkXn
         9YEwRZX2dPJnGgG46TXgTBwe42HhNGDQTqeNlKfFC7i1nAQBmuXjnnPdwYpfC8d+7hjA
         BNmvTAgDWAFyZBypk1T/1zSai4FpDjiilM9HtHXf8Wjr7vIcjFjE6nJ6vcyOX6qyfErg
         PcaA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=errors-to:content-transfer-encoding:list-subscribe:list-help
         :list-post:list-archive:list-unsubscribe:list-id:precedence:subject
         :mime-version:references:in-reply-to:message-id:date:to:from
         :dkim-signature:dkim-signature:dkim-signature;
        bh=C2T1rYn7+vzKAV7NsH3qk1xRZl7I/yQD5Ixuc0yMiNY=;
        b=mDVXGpvDzupibomnAQ4Pws2EXgVYjL4c4I7tTDZM2s0FHMsonKrufF4jNK3hvZtpDm
         zT303o31/11HXjzvGFQhickmJ/IEA0UyRZE67bpRmo1Wb5KwJOCc6tmETq2Vz1KGsqAP
         4cxEN6+3wssuhLBTXhMc+YGhFu7rUrJbVpUw0g0x4LwYgurwI6CV6qkRiK5g7icSnXal
         cKsINMlcOKqz60NS+OsUEaPzj+LMIN+2gD+zPJbgylrpJkEM/kKMRMVa5q/R5nkz42eL
         MzsiRox9LbfFeB5sHxNIs5vS51NQS+/kt9Oesf51PYOJCSFfRbohjE8YNJsyCJzo07AS
         zvag==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@sourceforge.net
 header.s=x header.b=TF4o+PMq;
       dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
 header.b=YA9FzNRX;
       dkim=neutral (body hash did not verify) header.i=@gmail.com
 header.s=20210112 header.b=GGhTKOvU;
       spf=pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net;
       dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from lists.sourceforge.net ([216.105.38.7])
        by mx.google.com with ESMTPS id
 c7-20020a17090abf0700b0023d1bcea88bsi38813pjs.66.2023.03.22.15.15.49
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 22 Mar 2023 15:15:49 -0700 (PDT)
Received-SPF: pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) client-ip=216.105.38.7;
Authentication-Results: mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@sourceforge.net
 header.s=x header.b=TF4o+PMq;
       dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
 header.b=YA9FzNRX;
       dkim=neutral (body hash did not verify) header.i=@gmail.com
 header.s=20210112 header.b=GGhTKOvU;
       spf=pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net;
       dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com)
	by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.95)
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	id 1pf6jo-0000qO-CM;
	Wed, 22 Mar 2023 22:15:22 +0000
Received: from [172.30.20.202] (helo=mx.sourceforge.net)
 by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLS1.2) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95)
 (envelope-from <selva.nair@gmail.com>) id 1pf6jm-0000qI-EH
 for openvpn-devel@lists.sourceforge.net;
 Wed, 22 Mar 2023 22:15:20 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References:
 In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:
 Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
 Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:
 List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=3lmufcX6oPn79HuqtPcNQRKIkcscWlzgTNkT3cOzSrI=; b=TF4o+PMqeasmJniDbOLU4Y800x
 IGePr65C5y38zqjMrMujUH+MFwPqJse10Kd2vsj5Spe+abeT5h8YI4sWawnuCPIfsE0aciZN8oy8S
 rfEVgvex1oIdu+pQ/ORnLW7sjqaFSAHPwxe70P8Cb7lnhYQVTRlfk6oaJU/EAOrKcyfE=;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x
 ;
 h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id:
 Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID:
 Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
 :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
 List-Post:List-Owner:List-Archive;
 bh=3lmufcX6oPn79HuqtPcNQRKIkcscWlzgTNkT3cOzSrI=; b=YA9FzNRXoDq5p2/w9qH5RQya0T
 4M9Lh2GV+S1fwDBRlxT8je18uTGi3/YaIBSBO25hV+0YMkHdMXr2VjB1Pu0fplWpiK3ZovUk/7Ebh
 ASITvcArda5VHaNBFXZYND94TxIK6YKv/huBYleUO0A+hYUIsIuNh8IOmmxf0/geToMY=;
Received: from mail-il1-f176.google.com ([209.85.166.176])
 by sfi-mx-2.v28.lw.sourceforge.com with esmtps
 (TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.95)
 id 1pf6jn-0002bi-3w for openvpn-devel@lists.sourceforge.net;
 Wed, 22 Mar 2023 22:15:20 +0000
Received: by mail-il1-f176.google.com with SMTP id j6so10668166ilr.7
 for <openvpn-devel@lists.sourceforge.net>;
 Wed, 22 Mar 2023 15:15:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20210112; t=1679523313;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:from:to:cc:subject:date
 :message-id:reply-to;
 bh=3lmufcX6oPn79HuqtPcNQRKIkcscWlzgTNkT3cOzSrI=;
 b=GGhTKOvU4rN2Qxk7jkXZs3BSNSCcA9KBQY4IGeul7U+We6GrTM+mYy7DrQjN3xBlZb
 KYX+TRx5549PCmyaklf1kRt+1ztYlvpIokWCXHUX3yZLU1u1ReGVSvbyJCBGPmc7lxUj
 NFSKc3dbA/X7MhrlQsYhSjJYZfgUXe3pyBMTqqWZu9NJYFAw1zn+voPjXlSpZljzGQUY
 rk4n5k5c4Icd8RiKSGNdjYf+8y3NZhq5qKVXm/AepO3VZsM3C868t8ryH+6x8pb7FAZE
 QxsnmrH0W2yV7gXCfw9HV4cL/YD26K8k9moVfYUeTQb7IutuoB0HMlR89JTsMYlzo7YJ
 EHmQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112; t=1679523313;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=3lmufcX6oPn79HuqtPcNQRKIkcscWlzgTNkT3cOzSrI=;
 b=TmgJesTmyZuFHVeSKKO26xl6UmV+RHvSal81GQS4139qBJw6beSLeC5MrxHijORQ6b
 ry7vfE43N0evf3zhLpg5BCIO7exaLuchSIGdWKiD+KiahV53eM3Sfc2VzslmwgnWiSbq
 UL0OEqJNNSe9HvrwkwBLrRo0vkOPQng3DDOAJOlL/xjMUUiSeV43fYe7smC+DsiY9wbq
 lw13mmNAwzgqQSBtBbUKvzNp88zzp/UBh9e+dV57/H/zZKwrHbqZlIM76mrrWRufI0LV
 2cwFA7wZ69CIf9eaw+lTPbFHIR9v4lOGEdll0KUHkSeyhbAZ53dLYlCEILLTcqc/KItz
 2zWg==
X-Gm-Message-State: AO0yUKXIkmojIjiBK6dzG7YwM/Cvf82Gs5ZFw3dj6EJj1m4JGoLxZD1u
 BEjQL4fyKRnB4UkJ5+MO0q+D+nsSzFdJRQ==
X-Received: by 2002:a05:6e02:188f:b0:324:4102:8a9 with SMTP id
 o15-20020a056e02188f00b00324410208a9mr5315122ilu.1.1679523313063;
 Wed, 22 Mar 2023 15:15:13 -0700 (PDT)
Received: from uranus.sansel.ca
 (bras-vprn-tnhlon4053w-lp130-01-70-51-222-66.dsl.bell.ca. [70.51.222.66])
 by smtp.gmail.com with ESMTPSA id
 d2-20020a0566380d4200b00406d71405bcsm1573044jak.44.2023.03.22.15.15.12
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Wed, 22 Mar 2023 15:15:12 -0700 (PDT)
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 22 Mar 2023 18:14:55 -0400
Message-Id: <20230322221456.1660425-2-selva.nair@gmail.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20230322221456.1660425-1-selva.nair@gmail.com>
References: <20230322221456.1660425-1-selva.nair@gmail.com>
MIME-Version: 1.0
X-Spam-Score: -0.2 (/)
X-Spam-Report: Spam detection software,
 running on the system "util-spamd-2.v13.lw.sourceforge.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview: From: Selva Nair - Load some test certificate/key pairs into
 a temporary softhsm2 token and enumerate available objects through
 pkcs11-helper
 interface - For each object, load it into SSL_CTX and test sign (if using
 OpenSSL 3) or check the certificate and public-key match (if using OpenSSl
 1.1.1.). The pkcs11-id for each object is specified directly [...]
 Content analysis details:   (-0.2 points, 6.0 required)
 pts rule name              description
 ---- ----------------------
 --------------------------------------------------
 -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/,
 no trust [209.85.166.176 listed in list.dnswl.org]
 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail
 provider [selva.nair[at]gmail.com]
 -0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 -0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
 [209.85.166.176 listed in wl.mailspike.net]
 -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
 -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
 author's domain
 -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
 envelope-from domain
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature,
 not necessarily
 valid
X-Headers-End: 1pf6jn-0002bi-3w
Subject: [Openvpn-devel] [PATCH 2/3] Unit tests: Test for PKCS#11 using a
 softhsm2 token
X-BeenThere: openvpn-devel@lists.sourceforge.net
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <openvpn-devel.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/options/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: 
 <http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel>
List-Post: <mailto:openvpn-devel@lists.sourceforge.net>
List-Help: <mailto:openvpn-devel-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=subscribe>
Errors-To: openvpn-devel-bounces@lists.sourceforge.net
X-getmail-retrieved-from-mailbox: Inbox
X-GMAIL-THRID: =?utf-8?q?1761107875751542164?=
X-GMAIL-MSGID: =?utf-8?q?1761107875751542164?=

From: Selva Nair <selva.nair@gmail.com>

- Load some test certificate/key pairs into a temporary softhsm2 token
  and enumerate available objects through pkcs11-helper interface

- For each object, load it into SSL_CTX and test sign (if using OpenSSL 3)
  or check the certificate and public-key match (if using OpenSSl 1.1.1.).
  The pkcs11-id for each object is specified directly or
  through a mocked management callback to test pkcs11-id-management

Limitations:
  Depends on libsofthsm2.so and p11tool (install softhsm2 and gnutls-bin
  packages). Mbed-TLS/pkcs11-helper combination is not tested.

  If locations of these binaries are not auto-detected or need to be
  overridden, use -DSOFTHSM2_UTIL=<path> -DP11TOOL=<path> to configure.
  Location of SOFTHSM2_MODULE is not auto-detected and defaults to
  /usr/lib/softhsm/libsofthsm2.so. It may be changed by passing
  -DSOFTHSM2_MODULE=/some-path/libsofthsm2.so to configure.
  Also see "configure --help".

  The test is enabled only if --enable-pkcs11 is in use, and SOFTHSM2_UTIL
  & P11TOOL are found in path or manually defined during configuring.

Changes relative to github PR
  - Explicitly disable building the test on Windows: need to port mkstemp,
    mkdtemp, setenv etc., before enabling this on Windows.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-By: Frank Lichtenheld <frank@lichtenheld.com>
---
 configure.ac                           |  16 +
 tests/unit_tests/openvpn/Makefile.am   |  29 ++
 tests/unit_tests/openvpn/mock_msg.c    |   6 +
 tests/unit_tests/openvpn/test_pkcs11.c | 453 +++++++++++++++++++++++++
 4 files changed, 504 insertions(+)
 create mode 100644 tests/unit_tests/openvpn/test_pkcs11.c

diff --git a/configure.ac b/configure.ac
index 67f680b2..ca85e5ed 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1345,6 +1345,7 @@ if test "${enable_comp_stub}" = "yes"; then
 	AC_DEFINE([ENABLE_COMP_STUB], [1], [Enable compression stub capability])
 fi
 
+AM_CONDITIONAL([HAVE_SOFTHSM2], [false])
 if test "${enable_pkcs11}" = "yes"; then
 	test "${have_pkcs11_helper}" != "yes" && AC_MSG_ERROR([PKCS11 enabled but libpkcs11-helper is missing])
 	OPTIONAL_PKCS11_HELPER_CFLAGS="${PKCS11_HELPER_CFLAGS}"
@@ -1357,6 +1358,21 @@ if test "${enable_pkcs11}" = "yes"; then
 		 AC_DEFINE_UNQUOTED([DEFAULT_PKCS11_MODULE], "${proxy_module}", [p11-kit proxy])],
 		[]
 	)
+	#
+	# softhsm2 for pkcs11 tests
+	#
+	AC_ARG_VAR([P11TOOL], [full path to p11tool])
+	AC_PATH_PROGS([P11TOOL], [p11tool],, [$PATH:/usr/local/bin:/usr/bin:/bin])
+	AC_DEFINE_UNQUOTED([P11TOOL_PATH], ["$P11TOOL"], [Path to p11tool])
+	AC_ARG_VAR([SOFTHSM2_UTIL], [full path to softhsm2-util])
+	AC_ARG_VAR([SOFTHSM2_MODULE], [full path to softhsm2 module @<:@default=/usr/lib/softhsm/libsofthsm2.so@:>@])
+	AC_PATH_PROGS([SOFTHSM2_UTIL], [softhsm2-util],, [$PATH:/usr/local/bin:/usr/bin:/bin])
+	test -z "$SOFTHSM2_MODULE" && SOFTHSM2_MODULE=/usr/lib/softhsm/libsofthsm2.so
+	AC_DEFINE_UNQUOTED([SOFTHSM2_UTIL_PATH], ["$SOFTHSM2_UTIL"], [Path to softhsm2-util])
+	AC_DEFINE_UNQUOTED([SOFTHSM2_MODULE_PATH], ["$SOFTHSM2_MODULE"], [Path to softhsm2 module])
+	if test "${with_crypto_library}" = "openssl"; then
+		AM_CONDITIONAL([HAVE_SOFTHSM2], [test "${P11TOOL}" -a "${SOFTHSM2_UTIL}" -a "${SOFTHSM2_MODULE}"])
+	fi
 fi
 
 # When testing a compiler option, we add -Werror to force
diff --git a/tests/unit_tests/openvpn/Makefile.am b/tests/unit_tests/openvpn/Makefile.am
index 30659561..ccd0e37b 100644
--- a/tests/unit_tests/openvpn/Makefile.am
+++ b/tests/unit_tests/openvpn/Makefile.am
@@ -21,6 +21,12 @@ test_binaries += cryptoapi_testdriver
 LDADD = -lws2_32
 endif
 
+if HAVE_SOFTHSM2
+if !WIN32
+test_binaries += pkcs11_testdriver
+endif
+endif
+
 if !CROSS_COMPILING
 TESTS = $(test_binaries)
 endif
@@ -166,6 +172,29 @@ cryptoapi_testdriver_SOURCES = test_cryptoapi.c mock_msg.c \
 	$(top_srcdir)/src/openvpn/win32-util.c
 endif
 
+if HAVE_SOFTHSM2
+if !WIN32
+pkcs11_testdriver_CFLAGS  = @TEST_CFLAGS@ \
+	-I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn \
+	$(OPTIONAL_CRYPTO_CFLAGS)
+pkcs11_testdriver_LDFLAGS = @TEST_LDFLAGS@ \
+	$(OPTIONAL_CRYPTO_LIBS)
+pkcs11_testdriver_SOURCES = test_pkcs11.c mock_msg.c \
+	pkey_test_utils.c mock_get_random.c \
+	$(top_srcdir)/src/openvpn/xkey_helper.c \
+	$(top_srcdir)/src/openvpn/xkey_provider.c \
+	$(top_srcdir)/src/openvpn/argv.c \
+	$(top_srcdir)/src/openvpn/env_set.c \
+	$(top_srcdir)/src/openvpn/buffer.c \
+	$(top_srcdir)/src/openvpn/otime.c \
+	$(top_srcdir)/src/openvpn/run_command.c \
+	$(top_srcdir)/src/openvpn/base64.c \
+	$(top_srcdir)/src/openvpn/platform.c \
+	$(top_srcdir)/src/openvpn/pkcs11.c \
+	$(top_srcdir)/src/openvpn/pkcs11_openssl.c
+endif
+endif
+
 auth_token_testdriver_CFLAGS  = @TEST_CFLAGS@ \
 	-I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn \
 	$(OPTIONAL_CRYPTO_CFLAGS)
diff --git a/tests/unit_tests/openvpn/mock_msg.c b/tests/unit_tests/openvpn/mock_msg.c
index 3fa9a166..a6fcf432 100644
--- a/tests/unit_tests/openvpn/mock_msg.c
+++ b/tests/unit_tests/openvpn/mock_msg.c
@@ -48,6 +48,12 @@ mock_set_debug_level(int level)
     x_debug_level = level;
 }
 
+int
+get_debug_level(void)
+{
+    return x_debug_level;
+}
+
 void
 x_msg_va(const unsigned int flags, const char *format,
          va_list arglist)
diff --git a/tests/unit_tests/openvpn/test_pkcs11.c b/tests/unit_tests/openvpn/test_pkcs11.c
new file mode 100644
index 00000000..ea394bea
--- /dev/null
+++ b/tests/unit_tests/openvpn/test_pkcs11.c
@@ -0,0 +1,453 @@
+/*
+ *  OpenVPN -- An application to securely tunnel IP networks
+ *             over a single UDP port, with support for SSL/TLS-based
+ *             session authentication and key exchange,
+ *             packet encryption, packet authentication, and
+ *             packet compression.
+ *
+ *  Copyright (C) 2023 Selva Nair <selva.nair@gmail.com>
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by the
+ *  Free Software Foundation, either version 2 of the License,
+ *  or (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#elif defined(_MSC_VER)
+#include "config-msvc.h"
+#endif
+
+#include "syshead.h"
+#include "manage.h"
+#include "base64.h"
+#include "run_command.h"
+#include "xkey_common.h"
+#include "cert_data.h"
+#include "pkcs11.h"
+#include "ssl.h"
+
+#include <setjmp.h>
+#include <cmocka.h>
+
+#define token_name "Test Token"
+#define PIN "12345"
+#define HASHSIZE 20
+
+struct management *management; /* global */
+
+/* stubs for some unused functions instead of pulling in too many dependencies */
+int
+parse_line(const char *line, char **p, const int n, const char *file,
+           const int line_num, int msglevel, struct gc_arena *gc)
+{
+    assert_true(0);
+    return 0;
+}
+char *
+x509_get_subject(openvpn_x509_cert_t *cert, struct gc_arena *gc)
+{
+    return "N/A";
+}
+void
+query_user_clear(void)
+{
+    assert_true(0);
+}
+bool
+query_user_exec_builtin(void)
+{
+    assert_true(0);
+    return false;
+}
+void
+query_user_add(char *prompt, size_t prompt_len, char *resp, size_t resp_len, bool echo)
+{
+    (void) prompt;
+    (void) prompt_len;
+    (void) resp;
+    (void) resp_len;
+    (void) echo;
+    assert_true(0);
+}
+void
+purge_user_pass(struct user_pass *up, const bool force)
+{
+    (void) force;
+    secure_memzero(up, sizeof(*up));
+}
+
+char *
+management_query_pk_sig(struct management *man, const char *b64_data,
+                        const char *algorithm)
+{
+    (void) man;
+    (void) b64_data;
+    (void) algorithm;
+    return NULL;
+}
+
+int
+digest_sign_verify(EVP_PKEY *privkey, EVP_PKEY *pubkey);
+
+/* Test certificate database: data for cert1, cert2 .. key1, key2 etc.
+ * are defined in cert_data.h
+ */
+static struct test_cert
+{
+    const char *const cert;             /* certificate as PEM */
+    const char *const key;              /* key as unencrypted PEM */
+    const char *const cname;            /* common-name */
+    const char *const issuer;           /* issuer common-name */
+    const char *const friendly_name;    /* identifies certs loaded to the store -- keep unique */
+    uint8_t hash[HASHSIZE];             /* SHA1 fingerprint: computed and filled in later */
+    char *p11_id;                       /* PKCS#11 id -- filled in later */
+} certs[] = {
+    {cert1,  key1,  cname1,  "OVPN TEST CA1",  "OVPN Test Cert 1",  {},  NULL},
+    {cert2,  key2,  cname2,  "OVPN TEST CA2",  "OVPN Test Cert 2",  {},  NULL},
+    {cert3,  key3,  cname3,  "OVPN TEST CA1",  "OVPN Test Cert 3",  {},  NULL},
+    {cert4,  key4,  cname4,  "OVPN TEST CA2",  "OVPN Test Cert 4",  {},  NULL},
+    {}
+};
+
+static bool pkcs11_id_management;
+static char softhsm2_tokens_path[] = "softhsm2_tokens_XXXXXX";
+static char softhsm2_conf_path[] = "softhsm2_conf_XXXXXX";
+int num_certs;
+static const char *pkcs11_id_current;
+struct env_set *es;
+
+/* Intercept get_user_pass for PIN and other prompts */
+bool
+get_user_pass_cr(struct user_pass *up, const char *auth_file, const char *prefix,
+                 const unsigned int flags, const char *unused)
+{
+    (void) unused;
+    bool ret = true;
+    if (!strcmp(prefix, "pkcs11-id-request") && flags&GET_USER_PASS_NEED_STR)
+    {
+        assert_true(pkcs11_id_management);
+        strncpynt(up->password, pkcs11_id_current, sizeof(up->password));
+    }
+    else if (flags & GET_USER_PASS_PASSWORD_ONLY)
+    {
+        openvpn_snprintf(up->password, sizeof(up->password), "%s", PIN);
+    }
+    else
+    {
+        msg(M_NONFATAL, "ERROR: get_user_pass called with unknown request <%s> ignored\n", prefix);
+        ret = false;
+    }
+
+    return ret;
+}
+
+/* Compute sha1 hash of a X509 certificate */
+static void
+sha1_fingerprint(X509 *x509, uint8_t *hash, int capacity)
+{
+    assert_true(capacity >= EVP_MD_size(EVP_sha1()));
+    assert_int_equal(X509_digest(x509, EVP_sha1(), hash, NULL), 1);
+}
+
+#if defined(HAVE_XKEY_PROVIDER)
+OSSL_LIB_CTX *tls_libctx;
+OSSL_PROVIDER *prov[2];
+#endif
+
+static int
+init(void **state)
+{
+    (void) state;
+
+    umask(0077);  /* ensure all files and directories we create get user only access */
+    char config[256];
+
+    if (!mkdtemp(softhsm2_tokens_path))
+    {
+        fail_msg("make tmpdir using template <%s> failed (error = %d)", softhsm2_tokens_path, errno);
+    }
+
+    int fd = mkstemp(softhsm2_conf_path);
+    if (fd < 0)
+    {
+        fail_msg("make tmpfile using template <%s> failed (error = %d)", softhsm2_conf_path, errno);
+    }
+    openvpn_snprintf(config, sizeof(config), "directories.tokendir=%s/",
+                     softhsm2_tokens_path);
+    assert_int_equal(write(fd, config, strlen(config)), strlen(config));
+    close(fd);
+
+    /* environment */
+    setenv("SOFTHSM2_CONF", softhsm2_conf_path, 1);
+    es = env_set_create(NULL);
+    setenv_str(es, "SOFTHSM2_CONF", softhsm2_conf_path);
+    setenv_str(es, "GNUTLS_PIN", PIN);
+
+    /* init the token using the temporary location as storage */
+    struct argv a = argv_new();
+    argv_printf(&a, "%s --init-token --free --label \"%s\" --so-pin %s --pin %s",
+                SOFTHSM2_UTIL_PATH, token_name, PIN, PIN);
+    assert_true(openvpn_execve_check(&a, es, 0, "Failed to initialize token"));
+
+    /* Import certificates and keys in our test database into the token */
+    char cert[] = "cert_XXXXXX";
+    char key[] = "key_XXXXXX";
+    int cert_fd = mkstemp(cert);
+    int key_fd = mkstemp(key);
+    if (cert_fd < 0 || key_fd < 0)
+    {
+        fail_msg("make tmpfile for certificate or key data failed (error = %d)", errno);
+    }
+
+    for (struct test_cert *c = certs; c->cert; c++)
+    {
+        /* fill-in the hash of the cert */
+        BIO *buf = BIO_new_mem_buf(c->cert, -1);
+        X509 *x509 = NULL;
+        if (buf)
+        {
+            x509 = PEM_read_bio_X509(buf, NULL, NULL, NULL);
+            BIO_free(buf);
+        }
+        assert_non_null(x509);
+        sha1_fingerprint(x509, c->hash, HASHSIZE);
+        X509_free(x509);
+
+        /* we load all cert/key pairs even if expired as
+         * signing should still work */
+        assert_int_equal(write(cert_fd, c->cert, strlen(c->cert)), strlen(c->cert));
+        assert_int_equal(write(key_fd, c->key, strlen(c->key)), strlen(c->key));
+
+        argv_free(&a);
+        a = argv_new();
+        /* Use numcerts+1 as a unique id of the object  -- same id for matching cert and key */
+        argv_printf(&a, "%s --provider %s --load-certificate %s --label \"%s\" --id %08x --login --write",
+                    P11TOOL_PATH, SOFTHSM2_MODULE_PATH, cert, c->friendly_name, num_certs+1);
+        assert_true(openvpn_execve_check(&a, es, 0, "Failed to upload certificate into token"));
+
+        argv_free(&a);
+        a = argv_new();
+        argv_printf(&a, "%s --provider %s --load-privkey %s --label \"%s\" --id %08x --login --write",
+                    P11TOOL_PATH, SOFTHSM2_MODULE_PATH, key, c->friendly_name, num_certs+1);
+        assert_true(openvpn_execve_check(&a, es, 0, "Failed to upload key into token"));
+
+        assert_int_equal(ftruncate(cert_fd, 0), 0);
+        assert_int_equal(ftruncate(key_fd, 0), 0);
+        num_certs++;
+    }
+
+    argv_free(&a);
+    close(cert_fd);
+    close(key_fd);
+    unlink(cert);
+    unlink(key);
+    return 0;
+}
+
+static int
+cleanup(void **state)
+{
+    (void) state;
+    struct argv a = argv_new();
+
+    argv_printf(&a, "%s --delete-token --token \"%s\"", SOFTHSM2_UTIL_PATH, token_name);
+    assert_true(openvpn_execve_check(&a, es, 0, "Failed to delete token"));
+    argv_free(&a);
+
+    rmdir(softhsm2_tokens_path); /* this must be empty after delete token */
+    unlink(softhsm2_conf_path);
+    for (struct test_cert *c = certs; c->cert; c++)
+    {
+        free(c->p11_id);
+        c->p11_id = NULL;
+    }
+    env_set_destroy(es);
+    return 0;
+}
+
+static int
+setup_pkcs11(void **state)
+{
+#if defined(HAVE_XKEY_PROVIDER)
+    /* Initialize providers in a way matching what OpenVPN core does */
+    tls_libctx = OSSL_LIB_CTX_new();
+    prov[0] = OSSL_PROVIDER_load(tls_libctx, "default");
+    OSSL_PROVIDER_add_builtin(tls_libctx, "ovpn.xkey", xkey_provider_init);
+    prov[1] = OSSL_PROVIDER_load(tls_libctx, "ovpn.xkey");
+    assert_non_null(prov[1]);
+
+    /* set default propq as we do in ssl_openssl.c */
+    EVP_set_default_properties(tls_libctx, "?provider!=ovpn.xkey");
+#endif
+    pkcs11_initialize(true, 0); /* protected auth enabled, pin-cache = 0 */
+    pkcs11_addProvider(SOFTHSM2_MODULE_PATH, false, 0, false);
+    return 0;
+}
+
+static int
+teardown_pkcs11(void **state)
+{
+    pkcs11_terminate();
+#if defined(HAVE_XKEY_PROVIDER)
+    for (size_t i = 0; i < SIZE(prov); i++)
+    {
+        if (prov[i])
+        {
+            OSSL_PROVIDER_unload(prov[i]);
+            prov[i] = NULL;
+        }
+    }
+    OSSL_LIB_CTX_free(tls_libctx);
+#endif
+    return 0;
+}
+
+static struct test_cert *
+lookup_cert_byhash(uint8_t *sha1)
+{
+    struct test_cert *c = certs;
+    while (c->cert && memcmp(c->hash, sha1, HASHSIZE))
+    {
+        c++;
+    }
+    return c->cert ? c : NULL;
+}
+
+/* Enumerate usable items in the token and collect their pkcs11-ids */
+static void
+test_pkcs11_ids(void **state)
+{
+    char *p11_id = NULL;
+    char *base64 = NULL;
+
+    int n = pkcs11_management_id_count();
+    assert_int_equal(n, num_certs);
+
+    for (int i = 0; i < n; i++)
+    {
+        X509 *x509 = NULL;
+        uint8_t sha1[HASHSIZE];
+
+        /* We use the management interface functions as a quick way
+         * to enumerate objects available for private key operations */
+        if (!pkcs11_management_id_get(i, &p11_id, &base64))
+        {
+            fail_msg("Failed to get pkcs11-id for index (%d) from pkcs11-helper", i);
+        }
+        /* decode the base64 data and convert to X509 and get its sha1 fingerprint */
+        unsigned char *der = malloc(strlen(base64));
+        assert_non_null(der);
+        int derlen = openvpn_base64_decode(base64, der, strlen(base64));
+        free(base64);
+        assert_true(derlen > 0);
+
+        const unsigned char *ppin = der; /* alias needed as d2i_X509 alters the pointer */
+        assert_non_null(d2i_X509(&x509, &ppin, derlen));
+        sha1_fingerprint(x509, sha1, HASHSIZE);
+        X509_free(x509);
+        free(der);
+
+        /* Save the pkcs11-id of this ceritificate in our database */
+        struct test_cert *c = lookup_cert_byhash(sha1);
+        assert_non_null(c);
+        c->p11_id = p11_id; /* p11_id is freed in cleanup */
+        assert_memory_equal(c->hash, sha1, HASHSIZE);
+    }
+    /* check whether all certs in our db were found by pkcs11-helper*/
+    for (struct test_cert *c = certs; c->cert; c++)
+    {
+        if (!c->p11_id)
+        {
+            fail_msg("Certificate <%s> not enumerated by pkcs11-helper", c->friendly_name);
+        }
+    }
+}
+
+/* For each available pkcs11-id, load it into an SSL_CTX
+ * and test signing with it.
+ */
+static void
+test_tls_ctx_use_pkcs11(void **state)
+{
+    (void) state;
+    struct tls_root_ctx tls_ctx = {};
+    uint8_t sha1[HASHSIZE];
+    for (struct test_cert *c = certs; c->cert; c++)
+    {
+#ifdef HAVE_XKEY_PROVIDER
+        tls_ctx.ctx = SSL_CTX_new_ex(tls_libctx, NULL, SSLv23_client_method());
+#else
+        tls_ctx.ctx = SSL_CTX_new(SSLv23_client_method());
+#endif
+        if (pkcs11_id_management)
+        {
+            /* The management callback will return pkcs11_id_current as the
+             * selection. Set it here as the current certificate's p11_id
+             */
+            pkcs11_id_current = c->p11_id;
+            tls_ctx_use_pkcs11(&tls_ctx, 1, NULL);
+        }
+        else
+        {
+            /* directly use c->p11_id */
+            tls_ctx_use_pkcs11(&tls_ctx, 0, c->p11_id);
+        }
+
+        /* check that the cert set in SSL_CTX is what we intended */
+        X509 *x509 = SSL_CTX_get0_certificate(tls_ctx.ctx);
+        assert_non_null(x509);
+        sha1_fingerprint(x509, sha1, HASHSIZE);
+        assert_memory_equal(sha1, c->hash, HASHSIZE);
+
+        /* Test signing with the private key in SSL_CTX */
+        EVP_PKEY *pubkey = X509_get0_pubkey(x509);
+        EVP_PKEY *privkey = SSL_CTX_get0_privatekey(tls_ctx.ctx);
+        assert_non_null(pubkey);
+        assert_non_null(privkey);
+#ifdef HAVE_XKEY_PROVIDER
+        digest_sign_verify(privkey, pubkey); /* this will exercise signing via pkcs11 backend */
+#else
+        if (!SSL_CTX_check_private_key(tls_ctx.ctx))
+        {
+            fail_msg("Certificate and private key in ssl_ctx do not match for <%s>", c->friendly_name);
+            return;
+        }
+#endif
+        SSL_CTX_free(tls_ctx.ctx);
+    }
+}
+
+/* same test as test_tls_ctx_use_pkcs11, with id selected via management i/f */
+static void
+test_tls_ctx_use_pkcs11__management(void **state)
+{
+    pkcs11_id_management = true;
+    test_tls_ctx_use_pkcs11(state);
+}
+
+int
+main(void)
+{
+    const struct CMUnitTest tests[] = {
+        cmocka_unit_test_setup_teardown(test_pkcs11_ids, setup_pkcs11,
+                                        teardown_pkcs11),
+        cmocka_unit_test_setup_teardown(test_tls_ctx_use_pkcs11, setup_pkcs11,
+                                        teardown_pkcs11),
+        cmocka_unit_test_setup_teardown(test_tls_ctx_use_pkcs11__management, setup_pkcs11,
+                                        teardown_pkcs11),
+    };
+    int ret = cmocka_run_group_tests_name("pkcs11_tests", tests, init, cleanup);
+
+    return ret;
+}

From patchwork Wed Mar 22 22:14:56 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Selva Nair <selva.nair@gmail.com>
X-Patchwork-Id: 3157
Return-Path: <openvpn-devel-bounces@lists.sourceforge.net>
Delivered-To: patchwork@openvpn.net
Received: by 2002:a05:7300:2310:b0:9f:bfa4:120f with SMTP id r16csp3544453dye;
        Wed, 22 Mar 2023 15:16:07 -0700 (PDT)
X-Google-Smtp-Source: 
 AK7set/++kwFJJ2og7WHTXc7BV5KznZ+HmLSJ4MYrbK9x4pr7359kVNo3hBkP1qbcjA47aD5KFE8
X-Received: by 2002:a17:902:f292:b0:19c:a866:6a76 with SMTP id
 k18-20020a170902f29200b0019ca8666a76mr3311442plc.42.1679523367799;
        Wed, 22 Mar 2023 15:16:07 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1679523367; cv=none;
        d=google.com; s=arc-20160816;
        b=WM/m8zzR6uX+UL3WW6V6GQUlsuRGhSN1j21B6rDsAlOYqKhAyIokAd1BmMoJWEkFrL
         HKOnGvy1iibtp1Rb6cdGU5u0czR5DEe1yelDG7udfZPur8THvwThDliGk61qDQDJC//3
         IwwGQCncyly6jhgQQ+4OEs2lkBuTx3XE+EdvmoAKTM+HcRA/HoCZbddsiuGMMgqMH5QB
         rGky7Hm84l+dgqp+8eBybP9OVVmFvNnYRjgQdYgfPoSNmB2dD5dwQHOM7f6/NucUTw0F
         e/MF4/0bcRbtzwMXNDmNDMzEtsz7IWCUviu+71OyX9YZpVxp6sqW2/eXhnUI93DLtimk
         ZROQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=errors-to:content-transfer-encoding:list-subscribe:list-help
         :list-post:list-archive:list-unsubscribe:list-id:precedence:subject
         :mime-version:references:in-reply-to:message-id:date:to:from
         :dkim-signature:dkim-signature:dkim-signature;
        bh=aMpywM5kGiTzH25NsJ56alTGkBJdQX0w2+qyyOCJHp8=;
        b=papDuElFWnNc0pjrgTcTrvGf/4WboeRqelSGvg+6cqWsXYcE9XOu0uOsi22/bLwdYv
         PBdNh2aNfPhWWtid2GxJuakKiWMQDsS1R5u9io6x3Ou1DomDFnC0ynPbTXVqBT5Ny99J
         KRtDygjuNYYy3ABx/sqfx7I8GAIHtcKbNw2AU7njUfaWEg8HPMQtgmhG/j3Nx7MtZLW+
         KHytV8/FCwM7wcOGHYOezF70bZUKjBDY0kdF4Q5cV9X6d8XsTNzmCZk55N+i8cYaimpW
         kaJmmZWlewr2jVFMrDxjcbIDc0sVILeXzXN4pXr+IhrBsYs/eX5AnScBgVVcVN8sBoda
         Ymlg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@sourceforge.net
 header.s=x header.b=SrPn9KLj;
       dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
 header.b=MWAqkpkp;
       dkim=neutral (body hash did not verify) header.i=@gmail.com
 header.s=20210112 header.b=aGj7vcIX;
       spf=pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net;
       dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from lists.sourceforge.net ([216.105.38.7])
        by mx.google.com with ESMTPS id
 j12-20020a170903024c00b0019cec506164si17961362plh.178.2023.03.22.15.16.07
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 22 Mar 2023 15:16:07 -0700 (PDT)
Received-SPF: pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) client-ip=216.105.38.7;
Authentication-Results: mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@sourceforge.net
 header.s=x header.b=SrPn9KLj;
       dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
 header.b=MWAqkpkp;
       dkim=neutral (body hash did not verify) header.i=@gmail.com
 header.s=20210112 header.b=aGj7vcIX;
       spf=pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net;
       dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com)
	by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.95)
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	id 1pf6jq-0007LX-BR;
	Wed, 22 Mar 2023 22:15:22 +0000
Received: from [172.30.20.202] (helo=mx.sourceforge.net)
 by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLS1.2) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95)
 (envelope-from <selva.nair@gmail.com>) id 1pf6jo-0007LR-GN
 for openvpn-devel@lists.sourceforge.net;
 Wed, 22 Mar 2023 22:15:21 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References:
 In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:
 Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
 Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:
 List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=X1zp291+sQ6ml8/DeQHbFVQqHfHwyvWYozQ8i6ZOYr0=; b=SrPn9KLj2R0+xZochCShRg+ApB
 X9nbkw0yuhc0U2zoTdeRt0E4xGtyxBfeuXsbCyRtxyxrMn58yJhIqFRkpLFiTFbU4lIwjxoZci4BL
 GKsW1ouaflVMcPaAnRF4HVfE9b1oTLlVFTDfxnjrJTjiH4xECkDm/GxZ5Gu/fv61q1t8=;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x
 ;
 h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id:
 Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID:
 Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
 :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
 List-Post:List-Owner:List-Archive;
 bh=X1zp291+sQ6ml8/DeQHbFVQqHfHwyvWYozQ8i6ZOYr0=; b=MWAqkpkpsv5cjwm26eMUiSzwok
 RNEFR3Aj/280473cBM2WMZiq4g2GWHqYlVjF1YwsGWfW6vTJFOirnbhqF6Y5EjjIMdU3ppgMpk726
 bn1yMAB/61nWIC/LAKLj+cgbNEU03knxBCSjxfihe13aFDDaOcuPND57QPpcfXESduEg=;
Received: from mail-il1-f173.google.com ([209.85.166.173])
 by sfi-mx-1.v28.lw.sourceforge.com with esmtps
 (TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.95)
 id 1pf6jo-00H3SH-Bi for openvpn-devel@lists.sourceforge.net;
 Wed, 22 Mar 2023 22:15:20 +0000
Received: by mail-il1-f173.google.com with SMTP id w4so10712584ilv.0
 for <openvpn-devel@lists.sourceforge.net>;
 Wed, 22 Mar 2023 15:15:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20210112; t=1679523314;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:from:to:cc:subject:date
 :message-id:reply-to;
 bh=X1zp291+sQ6ml8/DeQHbFVQqHfHwyvWYozQ8i6ZOYr0=;
 b=aGj7vcIXbw6LPNFOPPkj9GezZKwaEo+PuHVnl/tSpQd+Re0r4I+bKXKvloAgQ/f7y9
 X3aRZvEt3N2vQ2cLscZhhDiRlUW9xVSKY3MD30gcV9RYqb2Ts1eq5kItUstAhuNryEZj
 YA1OqnSaUa1WpYw0FZi4KzCWHNKate+Pe85ZTOqCM0bYg9L+7TG/H944n54RFtYSP0qm
 9ZLpWn4aY++iMZOXBtqmU2FuBRemQ/SEKrNXetWeGmXk4zcxAoNKgA8UvqSrG2ksKpF4
 5JKRZlpbal2x3ZBfnXvVlVY/fBt9ysbBgECPlHl3Nh4BECjtdWvrXmamcS6aBndy0Vv8
 yUOA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112; t=1679523314;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=X1zp291+sQ6ml8/DeQHbFVQqHfHwyvWYozQ8i6ZOYr0=;
 b=xDp2vzdcm/wAAVvP6CKcRQVOR0gmV50d1F4T8k51H4b39l0NB/UT1T/T+FF22GC591
 IQYmN1i9OarJ0RPJNKzqqbI0IvxFg9Ht9MUDSP62WEzBINHauX/CLbF2IkLqEZYFvp2W
 wXOvJYu3E+nnSFwke4zID86rXPg6Jl1cuWSJF5i/HaiszI0VmgrY/AfmX0j+Hz7RAihj
 8aEnatRpFRCrhlOWJrJS82TEW9z4KujeDJ4r6QvmJ1ha0ipKCp6Hw0hTDEYW8uFikIvK
 XVDFH52L7s5okZsRSUcE1vCIynnznPQrUcj2OaZL/5Ruz2FqmZemFReqiIcpIrzgYmQb
 /4eQ==
X-Gm-Message-State: AO0yUKXlgEZsAmRRjLtB/atOmPmokscaa4MwPCbTJLlHQHA003nPgbNR
 iZvhQx2n/3nocMwIm2aw/A6BPaDPbF9SWg==
X-Received: by 2002:a05:6e02:12e9:b0:318:8674:be8 with SMTP id
 l9-20020a056e0212e900b0031886740be8mr5285676iln.2.1679523314620;
 Wed, 22 Mar 2023 15:15:14 -0700 (PDT)
Received: from uranus.sansel.ca
 (bras-vprn-tnhlon4053w-lp130-01-70-51-222-66.dsl.bell.ca. [70.51.222.66])
 by smtp.gmail.com with ESMTPSA id
 d2-20020a0566380d4200b00406d71405bcsm1573044jak.44.2023.03.22.15.15.14
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Wed, 22 Mar 2023 15:15:14 -0700 (PDT)
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 22 Mar 2023 18:14:56 -0400
Message-Id: <20230322221456.1660425-3-selva.nair@gmail.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20230322221456.1660425-1-selva.nair@gmail.com>
References: <20230322221456.1660425-1-selva.nair@gmail.com>
MIME-Version: 1.0
X-Spam-Score: -0.2 (/)
X-Spam-Report: Spam detection software,
 running on the system "util-spamd-2.v13.lw.sourceforge.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview: From: Selva Nair - Enabled for the Ubuntu 22.04 build
 (OpenSSL
 3) and one of the Ubuntu 20.04 builds (OpenSSL 1.1.1). Signed-off-by: Selva
 Nair --- .github/workflows/build.yaml | 8 ++++++-- 1 file changed,
 6 insertions(+), 2 deletions(-)
 Content analysis details:   (-0.2 points, 6.0 required)
 pts rule name              description
 ---- ----------------------
 --------------------------------------------------
 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail
 provider [selva.nair[at]gmail.com]
 -0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/,
 no trust [209.85.166.173 listed in list.dnswl.org]
 -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
 -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
 author's domain
 -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
 envelope-from domain
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature,
 not necessarily
 valid -0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
 [209.85.166.173 listed in wl.mailspike.net]
X-Headers-End: 1pf6jo-00H3SH-Bi
Subject: [Openvpn-devel] [PATCH 3/3] Enable pkcs11 an dtest_pkcs11 in github
 actions
X-BeenThere: openvpn-devel@lists.sourceforge.net
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <openvpn-devel.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/options/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: 
 <http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel>
List-Post: <mailto:openvpn-devel@lists.sourceforge.net>
List-Help: <mailto:openvpn-devel-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=subscribe>
Errors-To: openvpn-devel-bounces@lists.sourceforge.net
X-getmail-retrieved-from-mailbox: Inbox
X-GMAIL-THRID: =?utf-8?q?1761107895030682156?=
X-GMAIL-MSGID: =?utf-8?q?1761107895030682156?=

From: Selva Nair <selva.nair@gmail.com>

- Enabled for the Ubuntu 22.04 build (OpenSSL 3) and one of the
  Ubuntu 20.04 builds (OpenSSL 1.1.1).

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-By: Frank Lichtenheld <frank@lichtenheld.com>
---
 .github/workflows/build.yaml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index a3ca7a2e..2538c818 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -297,11 +297,14 @@ jobs:
             sslpkg: "libssl-dev"
             libname: OpenSSL 3.0.2
             ssllib: openssl
+            pkcs11pkg: "libpkcs11-helper1-dev softhsm2 gnutls-bin"
+            extraconf: --enable-pkcs11
           - os: ubuntu-20.04
             sslpkg: "libssl-dev"
             libname: OpenSSL 1.1.1
             ssllib: openssl
-            extraconf: "--enable-iproute2"
+            pkcs11pkg: "libpkcs11-helper1-dev softhsm2 gnutls-bin"
+            extraconf: "--enable-iproute2 --enable-pkcs11"
           - os: ubuntu-20.04
             sslpkg: "libssl-dev"
             libname: OpenSSL 1.1.1
@@ -326,11 +329,12 @@ jobs:
     name: "gcc - ${{matrix.os}} - ${{matrix.libname}} ${{matrix.extraconf}}"
     env:
       SSLPKG: "${{matrix.sslpkg}}"
+      PKCS11PKG: "${{matrix.pkcs11pkg}}"
 
     runs-on: ${{matrix.os}}
     steps:
       - name: Install dependencies
-        run: sudo apt update && sudo apt install -y liblzo2-dev libpam0g-dev liblz4-dev libcap-ng-dev libnl-genl-3-dev linux-libc-dev man2html libcmocka-dev python3-docutils libtool automake autoconf ${SSLPKG}
+        run: sudo apt update && sudo apt install -y liblzo2-dev libpam0g-dev liblz4-dev libcap-ng-dev libnl-genl-3-dev linux-libc-dev man2html libcmocka-dev python3-docutils libtool automake autoconf ${SSLPKG} ${PKCS11PKG}
       - name: Checkout OpenVPN
         uses: actions/checkout@v3
       - name: autoconf