Test: OpenSSH testing

AES-CBC/DES3-CBC:
- IV is passed down to engine by OpenSSL layer. The IV is cached in
ctx->iv (streaming). Copy IV after encryption/decryption back into cache
and always set. (OpenSSH sets IV without changing key.)
AES-CTR:
 - Don't use EVP_CIPH_FLAG_CUSTOM_CIPHER.
- IV is cached and therefore always needs to be set and put back in
cache (streaming). (OpenSSH sets IV without changing key.)
AES-GCM:
- Split IV set and IV inc into two different flags. Move increment of
IV to after encrypt/decrypt. And no longer cache current IV (One shot
enc/dec operation so final IV is not needed.)
 - Initialize and free the wolfCrypt AES object.
- Return the authentication failure error when EVP_DecryptFinal is
called rather than update function. OpenSSH expects authentication
failure error when EVP_DecryptFinal fails and not when update fails.
RSA:
 - Added flag to indicate the message digest has been set from above.
- Only check length of RSA sign input matches the digest length when
digest set from above. Otherwise the input will have been BER encoded.

Author: SparkiDev

include/wolfengine/we_openssl_bc.h

@@ -80,6 +80,8 @@ void EVP_MD_meth_free(EVP_MD *md);
 const unsigned char *EVP_CIPHER_CTX_iv(const EVP_CIPHER_CTX *ctx);
 void *EVP_CIPHER_CTX_get_cipher_data(const EVP_CIPHER_CTX *ctx);
 unsigned char *EVP_CIPHER_CTX_iv_noconst(EVP_CIPHER_CTX *ctx);
+int EVP_CIPHER_CTX_num(const EVP_CIPHER_CTX *ctx);
+void EVP_CIPHER_CTX_set_num(EVP_CIPHER_CTX *ctx, int num);
 
 int EVP_CIPHER_meth_set_iv_length(EVP_CIPHER *cipher, int iv_len);
 int EVP_CIPHER_meth_set_flags(EVP_CIPHER *cipher, unsigned long flags);

scripts/openssh-tests.sh

@@ -0,0 +1,269 @@
+#!/bin/bash
+
+#
+# Tests that using OpenSSH with wolfEngine works.
+#
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+WOLFENGINE_ROOT="${SCRIPT_DIR}/.."
+
+OPENSSL_INSTALL_DIR=${SCRIPT_DIR}/openssl
+OPENSSH_DIR=${SCRIPT_DIR}/openssh-portable
+
+source ${SCRIPT_DIR}/build-openssl-wolfengine.sh
+
+do_cleanup() {
+    printf "Cleaning up.\n"
+
+    # Use the environment variable KEEP_OPENSSH to prevent OpenSSH directories
+    # from being deleted at the end of the run.
+    if [ -z "${KEEP_OPENSSH}" ]; then
+        printf "\tDeleting OpenSSH directory.\n"
+        rm -rf ${OPENSSH_DIR}
+
+        printf "\tDeleting OpenSSL install directory.\n"
+        rm -rf ${OPENSSL_INSTALL_DIR}
+    fi
+}
+
+do_failure() {
+    # Keep the logs around to help debug the failure.
+    KEEP_LOGS=1
+    do_cleanup
+    exit 1
+}
+
+# Register trap on interrupt (2) and terminate (15)
+trap do_failure INT TERM
+
+download_openssh() {
+    printf "Setting up OpenSSH.\n"
+    if [ -n "${OPENSSH_NO_DOWNLOAD}" -o -n "${OPENSSH_NO_BUILD}" ]; then
+        return
+    fi
+
+    rm -rf ${OPENSSH_DIR}
+
+    cd ${SCRIPT_DIR}
+
+    printf "\tDownloading..."
+    git clone https://github.com/openssh/openssh-portable.git >> $LOGFILE 2>&1
+    if [ $? != 0 ]; then
+        printf "failed\n"
+        do_failure
+    fi
+    printf "ok.\n"
+
+    cd ${WOLFENGINE_ROOT}
+}
+
+build_openssh() {
+    if [ -n "${OPENSSH_NO_BUILD}" ]; then
+        return
+    fi
+
+    cd ${OPENSSH_DIR}
+
+    printf "Building OpenSSH.\n"
+    printf "\tAutoreconf..."
+    autoreconf >> $LOGFILE 2>&1
+    if [ $? != 0 ]; then
+        printf "failed.\n"
+        do_failure
+    fi
+    printf "ok.\n"
+
+    printf "\tConfiguring..."
+    ./configure --with-ssl-dir=${OPENSSL_INSTALL} --without-openssl-header-check --with-ssl-engine >> $LOGFILE 2>&1
+    if [ $? != 0 ]; then
+        printf "failed.\n"
+        do_failure
+    fi
+    printf "ok.\n"
+    make clean >> $LOGFILE 2>&1
+
+    printf "\tBuilding..."
+    make -j$MAKE_JOBS >> $LOGFILE 2>&1
+    if [ $? != 0 ]; then
+        printf "failed.\n"
+        do_failure
+    fi
+    printf "ok.\n"
+
+    cd ${WOLFENGINE_ROOT}
+}
+
+test_openssh_separate() {
+    cd ${OPENSSH_DIR}
+
+    printf "Running OpenSSH tests with wolfEngine\n"
+    for T in connect \
+                proxy-connect \
+                connect-privsep \
+                connect-uri \
+                proto-version \
+                proto-mismatch \
+                exit-status \
+                envpass \
+                transfer \
+                banner \
+                rekey \
+                dhgex \
+                stderr-data \
+                stderr-after-eof \
+                broken-pipe \
+                try-ciphers \
+                yes-head \
+                login-timeout \
+                agent \
+                agent-getpeereid \
+                agent-timeout \
+                agent-ptrace \
+                agent-subprocess \
+                keyscan \
+                keygen-change \
+                keygen-convert \
+                keygen-moduli \
+                key-options \
+                scp \
+                scp-uri \
+                sftp \
+                sftp-chroot \
+                sftp-cmds \
+                sftp-badcmds \
+                sftp-batch \
+                sftp-glob \
+                sftp-perm \
+                sftp-uri \
+                reconfigure \
+                dynamic-forward \
+                forwarding \
+                multiplex \
+                reexec \
+                brokenkeys \
+                sshcfgparse \
+                cfgparse \
+                cfgmatch \
+                cfgmatchlisten \
+                percent \
+                addrmatch \
+                localcommand \
+                forcecommand \
+                portnum \
+                keytype \
+                kextype \
+                cert-hostkey \
+                cert-userkey \
+                host-expand \
+                keys-command \
+                forward-control \
+                integrity \
+                krl \
+                multipubkey \
+                limit-keytype \
+                hostkey-agent \
+                keygen-knownhosts \
+                hostkey-rotate \
+                principals-command \
+                cert-file \
+                cfginclude \
+                servcfginclude \
+                allow-deny-users \
+                authinfo \
+                sshsig \
+                keygen-comment \
+                knownhosts-command
+    do
+        printf "\t$T..."
+        make t-exec LTESTS=$T >> $LOGFILE 2>&1
+        if [ $? != 0 ]; then
+            printf "failed\n"
+            do_failure
+        fi
+        printf "ok.\n"
+    done
+
+    cd ${WOLFENGINE_ROOT}
+}
+
+test_openssh_one() {
+    cd ${OPENSSH_DIR}
+
+    printf "Running OpenSSH tests with wolfEngine\n"
+    for T in integrity
+    do
+        printf "\t$T..."
+        make t-exec LTESTS=$T >> $LOGFILE 2>&1
+        if [ $? != 0 ]; then
+            printf "failed\n"
+            do_failure
+        fi
+        printf "ok.\n"
+    done
+
+    cd ${WOLFENGINE_ROOT}
+}
+
+test_openssh() {
+    cd ${OPENSSH_DIR}
+
+    printf "Running OpenSSH tests with wolfEngine..."
+    make tests >> $LOGFILE 2>&1
+    if [ $? != 0 ]; then
+        printf "failed\n"
+        do_failure
+    fi
+    printf "ok.\n"
+
+    cd ${WOLFENGINE_ROOT}
+}
+
+if [ -z "${LOGFILE}" ]; then
+    LOGFILE=${SCRIPT_DIR}/openssh-tests.log
+fi
+rm -f $LOGFILE
+
+export OPENSSL_EXTRA_CFLAGS="-g3 -O0 -fno-omit-frame-pointer -fno-inline-functions"
+
+# Versions of OpenSSL to test
+if [ -n "${OPENSSL_VERSIONS}" ]; then
+    VERSIONS=${OPENSSL_VERSIONS}
+else
+    VERSIONS="1.0.2 1.1.1"
+fi
+
+export OPENSSL_CONF=$WOLFENGINE_ROOT/engine.conf
+export OPENSSL_ENGINES=$WOLFENGINE_ROOT/.libs
+export LD_LIBRARY_PATH="$WOLFENGINE_ROOT/.libs:$WOLFENGINE_ROOT:$LD_LIBRARY_PATH"
+
+download_openssh
+
+for VERSION in $VERSIONS
+do
+    if [ "${VERSION}" = "1.0.2" ]; then
+        OPENSSL_VERS_STR="OpenSSL 1.0.2h"
+        get_openssl_102h
+        configure_openssl_102h
+        build_openssl_102h
+        install_openssl_102h
+    elif [ "${VERSION}" = "1.1.1" ]; then
+        OPENSSL_VERS_STR="OpenSSL 1.1.1b"
+        get_openssl_111b
+        configure_openssl_111b
+        build_openssl_111b
+        install_openssl_111b
+    fi
+    OPENSSL_INSTALL=${OPENSSL_INSTALL_DIR}
+    setup_openssl_install
+
+    WE_OPENSSL_CONF=${SCRIPT_DIR}/wolfengine.conf
+    WE_DEBUG=0
+
+    build_wolfengine
+    write_conf_file
+
+    build_openssh
+    test_openssh
+done
+
+

src/we_aes_block.c

@@ -38,8 +38,6 @@ typedef struct we_AesBlock
     unsigned int   init:1;
     /** Flag to indicate whether we are doing encrypt (1) or decrpyt (0). */
     unsigned int   enc:1;
-    /** Flag to indicate whether iv has been set. */
-    unsigned int   ivSet:1;
 } we_AesBlock;
 
 #endif
@@ -88,32 +86,22 @@ static int we_aes_cbc_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
             WOLFENGINE_ERROR_FUNC(WE_LOG_CIPHER, "wc_AesInit", rc);
             ret = 0;
         }
-        aes->init = 1;
+        aes->init = (ret == 1);
     }
 
-    if (ret == 1 && (aes->init == 1)) {
-        aes->over = 0;
+    if (ret == 1) {
         /* Store whether encrypting. */
         aes->enc = enc;
+    }
 
-        if (key != NULL) {
-            WOLFENGINE_MSG(WE_LOG_CIPHER, "Setting AES key (%d bytes)",
-                           EVP_CIPHER_CTX_key_length(ctx));
-            rc = wc_AesSetKey(&aes->aes, key, EVP_CIPHER_CTX_key_length(ctx),
-                              iv, enc ? AES_ENCRYPTION : AES_DECRYPTION);
-            if (rc != 0) {
-                WOLFENGINE_ERROR_FUNC(WE_LOG_CIPHER, "wc_AesSetKey", rc);
-                ret = 0;
-            }
-        }
-        if (ret == 1 && iv != NULL) {
-            WOLFENGINE_MSG(WE_LOG_CIPHER, "Setting AES IV");
-            rc = wc_AesSetIV(&aes->aes, iv);
-            if (rc != 0) {
-                WOLFENGINE_ERROR_FUNC(WE_LOG_CIPHER, "wc_AesSetIV", rc);
-                ret = 0;
-            }
-            aes->ivSet = (ret == 1);
+    if ((ret == 1) && (key != NULL)) {
+        WOLFENGINE_MSG(WE_LOG_CIPHER, "Setting AES key (%d bytes)",
+                       EVP_CIPHER_CTX_key_length(ctx));
+        rc = wc_AesSetKey(&aes->aes, key, EVP_CIPHER_CTX_key_length(ctx), iv,
+                          enc ? AES_ENCRYPTION : AES_DECRYPTION);
+        if (rc != 0) {
+            WOLFENGINE_ERROR_FUNC(WE_LOG_CIPHER, "wc_AesSetKey", rc);
+            ret = 0;
         }
     }
 
@@ -216,14 +204,13 @@ static int we_aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                    "EVP_CIPHER_CTX_get_cipher_data", aes);
         ret = -1;
     }
-    if ((ret == 1) && (!aes->ivSet)) {
+    if (ret == 1) {
         WOLFENGINE_MSG(WE_LOG_CIPHER, "Setting AES IV");
         rc = wc_AesSetIV(&aes->aes, EVP_CIPHER_CTX_iv_noconst(ctx));
         if (rc != 0) {
             WOLFENGINE_ERROR_FUNC(WE_LOG_CIPHER, "wc_AesSetIV", rc);
             ret = 0;
         }
-        aes->ivSet = (ret == 1);
     }
     if (ret == 1) {
         if (aes->enc) {
@@ -232,6 +219,8 @@ static int we_aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
         else {
             ret = we_aes_cbc_decrypt(aes, out, in, len);
         }
+
+        XMEMCPY(EVP_CIPHER_CTX_iv_noconst(ctx), aes->aes.reg, AES_BLOCK_SIZE);
     }
 
     WOLFENGINE_LEAVE(WE_LOG_CIPHER, "we_aes_cbc_cipher", ret);