Merge pull request #75 from ColtonWilley/wp_openvpn_fixes

Changes for openvpn tests to run successfully

Author: dgarske

.github/workflows/openvpn.yml

@@ -0,0 +1,124 @@
+name: OpenVPN Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  build_wolfprovider:
+    name: Build wolfProvider
+    runs-on: ubuntu-22.04
+    timeout-minutes: 20
+    strategy:
+      matrix:
+        wolfssl_ref: [ 'master', 'v5.7.4-stable' ]
+    steps:
+      - name: Checkout wolfProvider
+        uses: actions/checkout@v4
+
+      # Check if this version of wolfssl/wolfprovider has already been built,
+      # mark to cache these items on post if we do end up building
+      - name: Checking wolfSSL/wolfProvider in cache
+        uses: actions/cache@v4
+        id: wolfprov-cache
+        with:
+          path: |
+            wolfssl-source
+            wolfssl-install
+            wolfprov-install
+            provider.conf
+
+          key: wolfprov-${{ matrix.wolfssl_ref }}-${{ github.sha }}
+          lookup-only: true
+
+      # If wolfssl/wolfprovider have not yet been built, pull ossl from cache
+      - name: Checking OpenSSL in cache
+        if: steps.wolfprov-${{ matrix.wolfssl_ref }}-cache.hit != 'true'
+        uses: actions/cache@v4
+        id: openssl-cache
+        with:
+          path: |
+            openssl-source
+            openssl-install
+
+          key: ossl-depends
+
+      # If not yet built this version, build it now
+      - name: Build wolfProvider
+        if: steps.wolfprov-${{ matrix.wolfssl_ref }}-cache.hit != 'true'
+        run: |
+          WOLFSSL_TAG=${{ matrix.wolfssl_ref }} ./scripts/build-wolfprovider.sh
+          make check
+
+      - name: Print errors
+        if: ${{ failure() }}
+        run: |
+          if [ -f test-suite.log ] ; then
+            cat test-suite.log
+          fi
+
+  test_openvpn:
+    runs-on: ubuntu-22.04
+    needs: build_wolfprovider
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 20
+    strategy:
+      matrix:
+        openvpn_ref: [ 'master' ]
+        wolfssl_ref: [ 'master', 'v5.7.4-stable' ]
+    steps:
+      - name: Retrieving OpenSSL from cache
+        uses: actions/cache/restore@v4
+        id: openssl-cache
+        with:
+          path: |
+            openssl-source
+            openssl-install
+
+          key: ossl-depends
+          fail-on-cache-miss: true
+
+      - name: Retrieving wolfSSL/wolfProvider from cache
+        uses: actions/cache/restore@v4
+        id: wolfprov-cache
+        with:
+          path: |
+            wolfssl-source
+            wolfssl-install
+            wolfprov-install
+            provider.conf
+
+          key: wolfprov-${{ matrix.wolfssl_ref }}-${{ github.sha }}
+          fail-on-cache-miss: true
+
+      - name: Install test dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install liblzo2-dev libpam0g-dev liblz4-dev libcap-ng-dev \
+                     linux-libc-dev man2html libcmocka-dev python3-docutils \
+                     libtool automake autoconf libnl-genl-3-dev libnl-genl-3-200
+
+      - name: Build and test OpenVPN
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          repository: OpenVPN/openvpn
+          path: openvpn
+          ref: ${{ matrix.openvpn_ref }}
+          configure:
+          check: false
+
+      - name: Test OpenVPN with wolfProvider
+        working-directory: openvpn
+        run: |
+          export LD_LIBRARY_PATH=$GITHUB_WORKSPACE/wolfssl-install/lib:$GITHUB_WORKSPACE/openssl-install/lib64
+          export OPENSSL_CONF=$GITHUB_WORKSPACE/provider.conf
+          export OPENSSL_MODULES=$GITHUB_WORKSPACE/wolfprov-install/lib
+          make check

scripts/utils-openssl.sh

@@ -70,7 +70,7 @@ install_openssl() {
     if [ ! -d ${OPENSSL_INSTALL_DIR} ]; then
         printf "\tConfigure OpenSSL ${OPENSSL_TAG} ... "
         if [ "$WOLFPROV_DEBUG" = "1" ]; then
-            ./config shared --prefix=${OPENSSL_INSTALL_DIR} --debug >>$LOG_FILE 2>&1
+            ./config shared enable-trace --prefix=${OPENSSL_INSTALL_DIR} --debug >>$LOG_FILE 2>&1
             RET=$?
         else
             ./config shared --prefix=${OPENSSL_INSTALL_DIR} >>$LOG_FILE 2>&1

src/wp_dh_kmgmt.c

@@ -2119,7 +2119,7 @@ static int wp_dh_decode(wp_DhEncDecCtx* ctx, OSSL_CORE_BIO *cBio,
         ok = 0;
     }
     if (ok && (ctx->format == WP_ENC_FORMAT_TYPE_SPECIFIC)) {
-        if (selection == OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) {
+        if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) {
             if (!wp_dh_decode_params(dh, data, len)) {
                 ok = 0;
                 decoded = 0;

src/wp_ecc_kmgmt.c

@@ -1644,6 +1644,12 @@ static wp_Ecc* wp_ecc_gen(wp_EccGenCtx *ctx, OSSL_CALLBACK *cb, void *cbArg)
                 }
             }
         }
+        if (ok && ((ctx->selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0)) {
+            rc = wc_ecc_set_curve(&ecc->key, 0, ecc->curveId);
+            if (rc != 0) {
+                ok = 0;
+            }
+        }
         if (!ok) {
             wp_ecc_free(ecc);
             ecc = NULL;
@@ -2131,11 +2137,19 @@ static int wp_ecc_decode(wp_EccEncDecCtx* ctx, OSSL_CORE_BIO *cBio,
  */
 static int wp_ecc_encode_params_size(const wp_Ecc *ecc, size_t* keyLen)
 {
-    /* ASN.1 type, len and data. */
-    *keyLen = ecc->key.dp->oidSz + 2;
+    int ok = 1;
+    word32 len = 0;
 
-    WOLFPROV_LEAVE(WP_LOG_PK, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), 1);
-    return 1;
+    if (wc_ecc_get_oid(ecc->key.dp->oidSum, NULL, &len) <= 0) {
+        ok = 0;
+    }
+    if (ok) {
+        /* ASN.1 type, len and data. */
+        *keyLen = len + 2;
+    }
+
+    WOLFPROV_LEAVE(WP_LOG_PK, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), ok);
+    return ok;
 }
 
 /**
@@ -2151,14 +2165,22 @@ static int wp_ecc_encode_params_size(const wp_Ecc *ecc, size_t* keyLen)
 static int wp_ecc_encode_params(const wp_Ecc *ecc, unsigned char* keyData,
     size_t* keyLen)
 {
-    keyData[0] = 0x06;
-    keyData[1] = ecc->key.dp->oidSz;
-    XMEMCPY(keyData + 2, ecc->key.dp->oid, ecc->key.dp->oidSz);
+    int ok = 1;
+    word32 len;
+    const byte *oid;
 
-    *keyLen = ecc->key.dp->oidSz + 2;
+    if (wc_ecc_get_oid(ecc->key.dp->oidSum, &oid, &len) <= 0) {
+        ok = 0;
+    }
+    if (ok) {
+        keyData[0] = 0x06;
+        keyData[1] = len;
+        XMEMCPY(keyData + 2, oid, len);
+        *keyLen = len + 2;
+    }
 
-    WOLFPROV_LEAVE(WP_LOG_PK, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), 1);
-    return 1;
+    WOLFPROV_LEAVE(WP_LOG_PK, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), ok);
+    return ok;
 }
 
 /**
@@ -2442,14 +2464,14 @@ static int wp_ecc_encode(wp_EccEncDecCtx* ctx, OSSL_CORE_BIO *cBio,
 
     if (ok && ((ctx->format == WP_ENC_FORMAT_TYPE_SPECIFIC) ||
                (ctx->format == WP_ENC_FORMAT_X9_62))) {
-        if (selection == OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) {
-            if (!wp_ecc_encode_params_size(key, &derLen)) {
+        if (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) {
+            private = 1;
+            if (!wp_ecc_encode_priv_size(key, &derLen)) {
                 ok = 0;
             }
         }
-        else {
-            private = 1;
-            if (!wp_ecc_encode_priv_size(key, &derLen)) {
+        else if (selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) {
+            if (!wp_ecc_encode_params_size(key, &derLen)) {
                 ok = 0;
             }
         }
@@ -2484,13 +2506,7 @@ static int wp_ecc_encode(wp_EccEncDecCtx* ctx, OSSL_CORE_BIO *cBio,
 
     if (ok && ((ctx->format == WP_ENC_FORMAT_TYPE_SPECIFIC) ||
                (ctx->format == WP_ENC_FORMAT_X9_62))) {
-        if (selection == OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) {
-            pemType = DH_PARAM_TYPE;
-            if (!wp_ecc_encode_params(key, derData, &derLen)) {
-                ok = 0;
-            }
-        }
-        else {
+        if (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) {
             if (ctx->format == WP_ENC_FORMAT_X9_62) {
                 pemType = ECC_PRIVATEKEY_TYPE;
             }
@@ -2499,6 +2515,12 @@ static int wp_ecc_encode(wp_EccEncDecCtx* ctx, OSSL_CORE_BIO *cBio,
                 ok = 0;
             }
         }
+        else if (selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) {
+            pemType = DH_PARAM_TYPE;
+            if (!wp_ecc_encode_params(key, derData, &derLen)) {
+                ok = 0;
+            }
+        }
     }
     else if (ok && (ctx->format == WP_ENC_FORMAT_SPKI)) {
         pemType = PUBLICKEY_TYPE;
@@ -2551,7 +2573,8 @@ static int wp_ecc_encode(wp_EccEncDecCtx* ctx, OSSL_CORE_BIO *cBio,
         }
         if (ok && ((ctx->format == WP_ENC_FORMAT_TYPE_SPECIFIC) ||
                (ctx->format == WP_ENC_FORMAT_X9_62)) &&
-               (selection == OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS)) {
+               ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0) &&
+               (selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS)) {
             pemData[11] = 'E';
             pemData[12] = 'C';
             pemData[pemLen - 19] = 'E';

src/wp_file_store.c

@@ -109,7 +109,13 @@ static wp_FileCtx* wp_file_open(WOLFPROV_CTX* provCtx, const char* uri)
     if (ctx != NULL) {
         int ok = 1;
 
-        /* TODO: support URI form 'file:'. */
+        if (OPENSSL_strncasecmp(uri, "file:", 5) == 0) {
+            uri += 5;
+            if (OPENSSL_strncasecmp(uri, "//", 2) == 0) {
+                /* TODO: may need more uri processing for windows cases */
+                uri += 2;
+            }
+        }
         ctx->uri = OPENSSL_strdup(uri);
         if (ctx->uri == NULL) {
             ok = 0;

src/wp_wolfprov.c

@@ -723,7 +723,6 @@ static const OSSL_ALGORITHM wolfprov_encoder[] = {
       wp_rsa_kp_pem_encoder_functions,
       "" },
 #ifdef WOLFSSL_RSA_PSS_ENCODING
-    /* TODO: RSA-PSS encoding isn't supported in wolfSSL */
     { WP_NAMES_RSA_PSS, WP_ENCODER_PROPERTIES(SubjectPublicKeyInfo, der),
       wp_rsapss_spki_der_encoder_functions,
       "" },