diff --git a/.github/workflows/openvpn.yml b/.github/workflows/openvpn.yml
new file mode 100644
index 00000000..315b1363
--- /dev/null
+++ b/.github/workflows/openvpn.yml
@@ -0,0 +1,124 @@ +name: OpenVPN Tests + +# START OF COMMON SECTION +on: + push: + branches: [ 'master', 'main', 'release/**' ] + pull_request: + branches: [ '*' ] + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true +# END OF COMMON SECTION + +jobs: + build_wolfprovider: + name: Build wolfProvider + runs-on: ubuntu-22.04 + timeout-minutes: 20 + strategy: + matrix: + wolfssl_ref: [ 'master', 'v5.7.4-stable' ] + steps: + - name: Checkout wolfProvider + uses: actions/checkout@v4 + + # Check if this version of wolfssl/wolfprovider has already been built, + # mark to cache these items on post if we do end up building + - name: Checking wolfSSL/wolfProvider in cache + uses: actions/cache@v4 + id: wolfprov-cache + with: + path: | + wolfssl-source + wolfssl-install + wolfprov-install + provider.conf + + key: wolfprov-${{ matrix.wolfssl_ref }}-${{ github.sha }} + lookup-only: true + + # If wolfssl/wolfprovider have not yet been built, pull ossl from cache + - name: Checking OpenSSL in cache + if: steps.wolfprov-${{ matrix.wolfssl_ref }}-cache.hit != 'true' + uses: actions/cache@v4 + id: openssl-cache + with: + path: | + openssl-source + openssl-install + + key: ossl-depends + + # If not yet built this version, build it now + - name: Build wolfProvider + if: steps.wolfprov-${{ matrix.wolfssl_ref }}-cache.hit != 'true' + run: | + WOLFSSL_TAG=${{ matrix.wolfssl_ref }} ./scripts/build-wolfprovider.sh + make check + + - name: Print errors + if: ${{ failure() }} + run: | + if [ -f test-suite.log ] ; then + cat test-suite.log + fi + + test_openvpn: + runs-on: ubuntu-22.04 + needs: build_wolfprovider + # This should be a safe limit for the tests to run. 
+ timeout-minutes: 20 + strategy: + matrix: + openvpn_ref: [ 'master' ] + wolfssl_ref: [ 'master', 'v5.7.4-stable' ] + steps: + - name: Retrieving OpenSSL from cache + uses: actions/cache/restore@v4 + id: openssl-cache + with: + path: | + openssl-source + openssl-install + + key: ossl-depends + fail-on-cache-miss: true + + - name: Retrieving wolfSSL/wolfProvider from cache + uses: actions/cache/restore@v4 + id: wolfprov-cache + with: + path: | + wolfssl-source + wolfssl-install + wolfprov-install + provider.conf + + key: wolfprov-${{ matrix.wolfssl_ref }}-${{ github.sha }} + fail-on-cache-miss: true + + - name: Install test dependencies + run: | + sudo apt-get update + sudo apt-get install liblzo2-dev libpam0g-dev liblz4-dev libcap-ng-dev \ + linux-libc-dev man2html libcmocka-dev python3-docutils \ + libtool automake autoconf libnl-genl-3-dev libnl-genl-3-200 + + - name: Build and test OpenVPN + uses: wolfSSL/actions-build-autotools-project@v1 + with: + repository: OpenVPN/openvpn + path: openvpn + ref: ${{ matrix.openvpn_ref }} + configure: + check: false + + - name: Test OpenVPN with wolfProvider + working-directory: openvpn + run: | + export LD_LIBRARY_PATH=$GITHUB_WORKSPACE/wolfssl-install/lib:$GITHUB_WORKSPACE/openssl-install/lib64 + export OPENSSL_CONF=$GITHUB_WORKSPACE/provider.conf + export OPENSSL_MODULES=$GITHUB_WORKSPACE/wolfprov-install/lib + make check diff --git a/scripts/utils-openssl.sh b/scripts/utils-openssl.sh index ee2a6d79..62284f42 100755 --- a/scripts/utils-openssl.sh +++ b/scripts/utils-openssl.sh @@ -70,7 +70,7 @@ install_openssl() { if [ ! -d ${OPENSSL_INSTALL_DIR} ]; then printf "\tConfigure OpenSSL ${OPENSSL_TAG} ... " if [ "$WOLFPROV_DEBUG" = "1" ]; then - ./config shared --prefix=${OPENSSL_INSTALL_DIR} --debug >>$LOG_FILE 2>&1 + ./config shared enable-trace --prefix=${OPENSSL_INSTALL_DIR} --debug >>$LOG_FILE 2>&1 RET=$? else ./config shared --prefix=${OPENSSL_INSTALL_DIR} >>$LOG_FILE 2>&1 
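Review bot: The two `if:` guards on the "Checking OpenSSL in cache" and "Build wolfProvider" steps reference a step id that does not exist (`steps.wolfprov-${{ matrix.wolfssl_ref }}-cache.hit`), while the cache step is declared with `id: wolfprov-cache` and actions/cache reports its result through the `cache-hit` output; the expression therefore evaluates to empty, `!= 'true'` is always true, and the build runs on every job regardless of what the lookup found. Both lines should read `if: steps.wolfprov-cache.outputs.cache-hit != 'true'`. Separately, `wolfSSL/actions-build-autotools-project@v1` is pinned to a mutable tag, so whoever can move that tag changes what this job executes; pinning to a full commit SHA with the tag in a trailing comment is the usual supply-chain control for third-party actions. The bare `configure:` value in that step parses as YAML null rather than an empty string — write `configure: ""` if an empty option list is what the action expects.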
diff --git a/src/wp_dh_kmgmt.c b/src/wp_dh_kmgmt.c index ea246c2c..f9399caf 100644 --- a/src/wp_dh_kmgmt.c +++ b/src/wp_dh_kmgmt.c @@ -2119,7 +2119,7 @@ static int wp_dh_decode(wp_DhEncDecCtx* ctx, OSSL_CORE_BIO *cBio, ok = 0; } if (ok && (ctx->format == WP_ENC_FORMAT_TYPE_SPECIFIC)) { - if (selection == OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) { + if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) { if (!wp_dh_decode_params(dh, data, len)) { ok = 0; decoded = 0; diff --git a/src/wp_ecc_kmgmt.c b/src/wp_ecc_kmgmt.c index 76c1cb4a..ca43af0b 100644 --- a/src/wp_ecc_kmgmt.c +++ b/src/wp_ecc_kmgmt.c @@ -1644,6 +1644,12 @@ static wp_Ecc* wp_ecc_gen(wp_EccGenCtx *ctx, OSSL_CALLBACK *cb, void *cbArg) } } } + if (ok && ((ctx->selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0)) { + rc = wc_ecc_set_curve(&ecc->key, 0, ecc->curveId); + if (rc != 0) { + ok = 0; + } + } if (!ok) { wp_ecc_free(ecc); ecc = NULL; @@ -2131,11 +2137,19 @@ static int wp_ecc_decode(wp_EccEncDecCtx* ctx, OSSL_CORE_BIO *cBio, */ static int wp_ecc_encode_params_size(const wp_Ecc *ecc, size_t* keyLen) { - /* ASN.1 type, len and data. */ - *keyLen = ecc->key.dp->oidSz + 2; + int ok = 1; + word32 len = 0; - WOLFPROV_LEAVE(WP_LOG_PK, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), 1); - return 1; + if (wc_ecc_get_oid(ecc->key.dp->oidSum, NULL, &len) <= 0) { + ok = 0; + } + if (ok) { + /* ASN.1 type, len and data. */ + *keyLen = len + 2; + } + + WOLFPROV_LEAVE(WP_LOG_PK, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), ok); + return ok; } /** 
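Review bot: With the bitmask test, any selection that includes OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS — including KEYPAIR|DOMAIN_PARAMETERS — now takes the parameters-only branch of wp_dh_decode, whereas wp_ecc_encode in this same commit gives the key bits priority over the parameters bit. If the else branch that follows (outside this hunk) is the key decoder, the two code paths resolve the same combined selection differently; a condition such as `if (((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0) && ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0)) {` would keep them consistent, assuming key decoding is meant to win when both are requested. wp_dh_decode starts and ends outside the hunk, so I cannot see what the else branch does.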
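Review bot: The new block in wp_ecc_gen has no comment explaining why a domain-parameters-only selection needs wc_ecc_set_curve when no key pair is generated; the encoder changes elsewhere in this commit suggest it is so that ecc->key.dp is populated for parameter export, but that is inferred, so please confirm and record it, e.g. `/* Parameters-only generation: bind the curve so dp is set for param export. */` above the `if`. The failure path only clears `ok`; if the file logs errors from other wolfCrypt calls, the same treatment here would keep diagnostics uniform. `rc` is assumed to be declared earlier in wp_ecc_gen, which begins outside the hunk.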
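Review bot: The size computed here, `*keyLen = len + 2;`, and the writer in the next hunk, `keyData[1] = len;` in wp_ecc_encode_params, both assume a single-byte short-form DER length, and the assignment silently narrows a word32 to one byte. Curve OIDs are far below 128 bytes so this holds today, but nothing states the assumption; adding `if (ok && (len >= 128)) { ok = 0; }` after the wc_ecc_get_oid call in both functions and writing `keyData[1] = (unsigned char)len;` makes it explicit and quiets narrowing warnings. The same point applies to the wp_ecc_encode_params hunk; stating it once here.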
@@ -2151,14 +2165,22 @@ static int wp_ecc_encode_params_size(const wp_Ecc *ecc, size_t* keyLen) static int wp_ecc_encode_params(const wp_Ecc *ecc, unsigned char* keyData, size_t* keyLen) { - keyData[0] = 0x06; - keyData[1] = ecc->key.dp->oidSz; - XMEMCPY(keyData + 2, ecc->key.dp->oid, ecc->key.dp->oidSz); + int ok = 1; + word32 len; + const byte *oid; - *keyLen = ecc->key.dp->oidSz + 2; + if (wc_ecc_get_oid(ecc->key.dp->oidSum, &oid, &len) <= 0) { + ok = 0; + } + if (ok) { + keyData[0] = 0x06; + keyData[1] = len; + XMEMCPY(keyData + 2, oid, len); + *keyLen = len + 2; + } - WOLFPROV_LEAVE(WP_LOG_PK, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), 1); - return 1; + WOLFPROV_LEAVE(WP_LOG_PK, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), ok); + return ok; } /** @@ -2442,14 +2464,14 @@ static int wp_ecc_encode(wp_EccEncDecCtx* ctx, OSSL_CORE_BIO *cBio, if (ok && ((ctx->format == WP_ENC_FORMAT_TYPE_SPECIFIC) || (ctx->format == WP_ENC_FORMAT_X9_62))) { - if (selection == OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) { - if (!wp_ecc_encode_params_size(key, &derLen)) { + if (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) { + private = 1; + if (!wp_ecc_encode_priv_size(key, &derLen)) { ok = 0; } } - else { - private = 1; - if (!wp_ecc_encode_priv_size(key, &derLen)) { + else if (selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) { + if (!wp_ecc_encode_params_size(key, &derLen)) { ok = 0; } } @@ -2484,13 +2506,7 @@ static int wp_ecc_encode(wp_EccEncDecCtx* ctx, OSSL_CORE_BIO *cBio, if (ok && ((ctx->format == WP_ENC_FORMAT_TYPE_SPECIFIC) || (ctx->format == WP_ENC_FORMAT_X9_62))) { - if (selection == OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) { - pemType = DH_PARAM_TYPE; - if (!wp_ecc_encode_params(key, derData, &derLen)) { - ok = 0; - } - } - else { + if (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) { if (ctx->format == WP_ENC_FORMAT_X9_62) { pemType = ECC_PRIVATEKEY_TYPE; } 
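Review bot: The new `if (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) … else if (selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS)` chain in wp_ecc_encode has no final else, so a selection carrying neither bit (for example PUBLIC_KEY only) under TYPE_SPECIFIC or X9_62 leaves derLen untouched with `ok` still 1, where the old code's catch-all else at least chose the private-key path and set a length. The same shape is repeated for pemType in the -2484/-2499 hunks of the same function. Unless callers are known never to pass such a selection, an `else { ok = 0; }` arm in both places turns this into a clean failure instead of continuing with a stale length or type. wp_ecc_encode continues outside the hunk, so derLen's initial value is not visible here.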
@@ -2499,6 +2515,12 @@ static int wp_ecc_encode(wp_EccEncDecCtx* ctx, OSSL_CORE_BIO *cBio, ok = 0; } } + else if (selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) { + pemType = DH_PARAM_TYPE; + if (!wp_ecc_encode_params(key, derData, &derLen)) { + ok = 0; + } + } } else if (ok && (ctx->format == WP_ENC_FORMAT_SPKI)) { pemType = PUBLICKEY_TYPE; @@ -2551,7 +2573,8 @@ static int wp_ecc_encode(wp_EccEncDecCtx* ctx, OSSL_CORE_BIO *cBio, } if (ok && ((ctx->format == WP_ENC_FORMAT_TYPE_SPECIFIC) || (ctx->format == WP_ENC_FORMAT_X9_62)) && - (selection == OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS)) { + ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0) && + (selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS)) { pemData[11] = 'E'; pemData[12] = 'C'; pemData[pemLen - 19] = 'E'; diff --git a/src/wp_file_store.c b/src/wp_file_store.c index 5581e29e..ed13cbad 100644 --- a/src/wp_file_store.c +++ b/src/wp_file_store.c @@ -109,7 +109,13 @@ static wp_FileCtx* wp_file_open(WOLFPROV_CTX* provCtx, const char* uri) if (ctx != NULL) { int ok = 1; - /* TODO: support URI form 'file:'. */ + if (OPENSSL_strncasecmp(uri, "file:", 5) == 0) { + uri += 5; + if (OPENSSL_strncasecmp(uri, "//", 2) == 0) { + /* TODO: may need more uri processing for windows cases */ + uri += 2; + } + } ctx->uri = OPENSSL_strdup(uri); if (ctx->uri == NULL) { ok = 0; diff --git a/src/wp_wolfprov.c b/src/wp_wolfprov.c index e21763a0..4e458ba6 100644 --- a/src/wp_wolfprov.c +++ b/src/wp_wolfprov.c @@ -723,7 +723,6 @@ static const OSSL_ALGORITHM wolfprov_encoder[] = { wp_rsa_kp_pem_encoder_functions, "" }, #ifdef WOLFSSL_RSA_PSS_ENCODING - /* TODO: RSA-PSS encoding isn't supported in wolfSSL */ { WP_NAMES_RSA_PSS, WP_ENCODER_PROPERTIES(SubjectPublicKeyInfo, der), wp_rsapss_spki_der_encoder_functions, "" },
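Review bot: The PEM-label fix-up is now gated on `(selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0`, but the encoding branches earlier in wp_ecc_encode (the -2442 and -2499 hunks) dispatch on OSSL_KEYMGMT_SELECT_PRIVATE_KEY, and KEYPAIR also covers the public-key bit. A selection of PUBLIC_KEY|DOMAIN_PARAMETERS therefore encodes the parameters with pemType DH_PARAM_TYPE but skips the rewrite, so the output keeps the DH label around EC parameters. Testing the same bit as the dispatch, `((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) == 0) &&`, keeps the two in step. The fixed offsets pemData[11] and pemData[pemLen - 19] are pre-existing but depend on the exact DH label text; a comment saying that this patches "DH" to "EC" in the BEGIN/END lines would make the dependency visible.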
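Review bot: After `file:` and `//` are stripped, anything up to the next `/` is the URI authority (RFC 8089 allows it to be empty or `localhost`), but the code keeps it as the first path component, so `file://localhost/path/to/key.pem` is opened as the relative path `localhost/path/to/key.pem` under the working directory and a mistyped prefix silently changes which file the store reads. Rejecting a non-empty authority, e.g. `if (*uri != '/') { ok = 0; }` right after `uri += 2;` (or explicitly accepting `localhost`), keeps wp_file_open from opening an unintended file; `file:///C:/...` still passes since the remainder starts with `/`. Percent-encoded characters in the path are also passed through undecoded, which may be acceptable for this provider — worth a comment either way. wp_file_open continues outside the hunk.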