Re: [Openvpn-devel] [PATCH v4 2/2] Add unit tests for engine keys

2020-02-15 Thread Илья Шипицин
Sat, 15 Feb 2020 at 19:59, James Bottomley <
james.bottom...@hansenpartnership.com>:

> On Fri, 2020-02-14 at 18:33 +0500, Илья Шипицин wrote:
> > Fri, 14 Feb 2020 at 18:05, James Bottomley <
> > james.bottom...@hansenpartnership.com>:
> >
> > > On Thu, 2020-02-13 at 19:18 +0100, Arne Schwabe wrote:
> > > > > On 10.02.18 at 23:50, James Bottomley wrote:
> > > > > Testing engines is problematic, so one of the prerequisites
> > > > > built
> > > > > for the tests is a simple openssl engine that reads a non-
> > > > > standard
> > > > > PEM guarded key.  The test is simply can we run a client/server
> > > > > configuration with the usual sample key replaced by an engine
> > > > > key.
> > > > > The trivial engine prints out some operations and we check for
> > > > > these in the log to make sure the engine was used to load the
> > > > > key
> > > > > and that it correctly got the password.
> > > >
> > > > This tests the openssl engine functionality in a sensible way.
> > > > But I
> > > > think it is not fully ready to be committed. To get it working I
> > > > needed to do the following changes on my Mac:
> > >
> > > That could be ... I only have a linux box to try this out on.
> > >
> > > > commit afa697cec15b4e54e720efe9de39c9b20b13c5c8 (HEAD ->
> > > > review/enginekeys)
> > > > Author: Arne Schwabe 
> > > > Date:   Thu Feb 13 18:13:34 2020 +0100
> > > >
> > > > foo
> > > >
> > > > diff --git a/tests/unit_tests/engine-key/Makefile.am
> > > > b/tests/unit_tests/engine-key/Makefile.am
> > > > index 73921965..6d7fc9c5 100644
> > > > --- a/tests/unit_tests/engine-key/Makefile.am
> > > > +++ b/tests/unit_tests/engine-key/Makefile.am
> > > > @@ -10,4 +10,6 @@ TESTS_ENVIRONMENT = srcdir="$(abs_srcdir)"; \
> > > >  TESTS = check_engine_keys.sh
> > > >
> > > >  libtestengine_la_SOURCES = libtestengine.c
> > > > -libtestengine_la_LDFLAGS = -rpath /lib -avoid-version
> > > > +libtestengine_la_LDFLAGS = @TEST_LDFLAGS@  -rpath /lib
> > > > +libtestengine_la_CFLAGS  = @TEST_CFLAGS@ -I$(openvpn_srcdir)
> > > > -I$(compat_srcdir)
> > > > +
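Review bot: the removal of `-avoid-version` from the libtestengine_la_LDFLAGS line is not explained. Without it libtool produces a versioned library (`libtestengine.so.0.0.0` on Linux, `libtestengine.0.dylib` on macOS), so the bare `.libs/libtestengine.so` / `.dylib` name that openssl.cnf's `dynamic_path` points at only resolves through the unversioned symlink libtool leaves beside it; either keep `-avoid-version` next to `@TEST_LDFLAGS@ -rpath /lib` or say in the commit message why it has to go.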
> > > > diff --git a/tests/unit_tests/engine-key/libtestengine.c
> > > > b/tests/unit_tests/engine-key/libtestengine.c
> > > > index fa7f5de1..46ec1e33 100644
> > > > --- a/tests/unit_tests/engine-key/libtestengine.c
> > > > +++ b/tests/unit_tests/engine-key/libtestengine.c
> > > > @@ -30,7 +30,6 @@ static EVP_PKEY *engine_load_key(ENGINE *e,
> > > > const
> > > > char
> > > > *key_id,
> > > > PKCS8_PRIV_KEY_INFO *p8inf;
> > > > UI *ui;
> > > > char auth[256];
> > > > -   int len;
> > >
> > > the variable is certainly unused and can go.
> > >
> > > > fprintf(stderr, "ENGINE: engine_load_key called\n");
> > > >
> > > > diff --git a/tests/unit_tests/engine-key/openssl.cnf
> > > > b/tests/unit_tests/engine-key/openssl.cnf
> > > > index 53200c46..e9513a92 100644
> > > > --- a/tests/unit_tests/engine-key/openssl.cnf
> > > > +++ b/tests/unit_tests/engine-key/openssl.cnf
> > > > @@ -9,4 +9,4 @@ engines = engines_section
> > > >  testengine = testengine_section
> > > >
> > > >  [testengine_section]
> > > > -dynamic_path   = $ENV::srcdir/.libs/libtestengine.so
> > > > +dynamic_path   = $ENV::srcdir/.libs/libtestengine.dylib
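Review bot: this hardcodes the macOS `.dylib` suffix and so breaks the Linux run that the `.so` path served. The `TESTS_ENVIRONMENT` line in the Makefile.am hunk already exports `srcdir` for the `$ENV::srcdir` reference, so the platform-specific shared-library suffix can be exported the same way (derived at configure time or in check_engine_keys.sh from `uname -s`) and referenced as a second `$ENV::` variable, e.g. `dynamic_path = $ENV::srcdir/.libs/libtestengine.$ENV::shlib_suffix`, rather than committing one platform's file name.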
> >
> > we use gost-engine (https://github.com/engine/gost-engine)
> >
> > on both linux and osx.
> >
> > for some time there was a bug in openssl:
> >
> > https://github.com/openssl/openssl/issues/8950
> >
> >
> > however, for now "dylib" is used for osx, but we do not use the
> > "dynamic" path. we use a config like this:
> >
> > openssl_conf = openssl_def
> >
> > [openssl_def]
> > engines = engine_section
> >
> > [engine_section]
> > gost = gost_section
> >
> > [gost_section]
> > default_algorithms = ALL
> > engine_id = gost
> > CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
>
> Right, that works if the engine is in the correct directory.  The
> problem with this engine is that it's only built as a test
> demonstration for the openvpn engine code, so it's never installed in
> the openssl engines directory, so we have to tell openssl exactly where
> to find it in the openvpn tree ... and that seems to involve naming the
> whole file and location, including extension.
>
>
yes, I understand the reasoning.
maybe we should add a dynamic path to our tests as well.


> James
>
>
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
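The thread's sticking point is that `dynamic_path` must name the whole file, including a suffix that differs per platform. The shell snippet below is an added example, not code from the patch or from the openvpn tree, showing one way a test harness can derive the suffix and render the `[testengine_section]` from it, then check the module actually exists before openssl is invoked; the function names, the build-directory argument and the `openssl_init` section name are assumptions.

```shell
#!/bin/sh
# Added example (not from the patch): derive the libtool shared-object
# suffix for the running platform and render an openssl.cnf that loads
# the test engine from the build tree via dynamic_path.

engine_lib_suffix() {
    # $1 is the output of `uname -s`
    case "$1" in
        Darwin) echo dylib ;;
        CYGWIN*|MINGW*|MSYS*) echo dll ;;
        *) echo so ;;
    esac
}

render_engine_cnf() {
    # $1 = absolute build dir that contains .libs/, $2 = suffix
    # (heredoc is unquoted on purpose so $1 and $2 expand)
    cat <<EOF
openssl_conf = openssl_init

[openssl_init]
engines = engines_section

[engines_section]
testengine = testengine_section

[testengine_section]
dynamic_path = $1/.libs/libtestengine.$2
EOF
}

check_engine_path() {
    # fail early with a clear message instead of an opaque openssl
    # "dynamic engine load" error; $1 = rendered config file
    path=$(sed -n 's/^dynamic_path *= *//p' "$1")
    [ -f "$path" ] || { echo "engine not built: $path" >&2; return 1; }
}

# typical use from a test script:
#   render_engine_cnf "$PWD" "$(engine_lib_suffix "$(uname -s)")" > openssl.cnf
#   check_engine_path openssl.cnf && OPENSSL_CONF=openssl.cnf openssl engine -t testengine
```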


Re: [Openvpn-devel] [PATCH v4 2/2] Add unit tests for engine keys

2020-02-15 Thread James Bottomley
On Fri, 2020-02-14 at 18:33 +0500, Илья Шипицин wrote:
> Fri, 14 Feb 2020 at 18:05, James Bottomley <
> james.bottom...@hansenpartnership.com>:
> 
> > On Thu, 2020-02-13 at 19:18 +0100, Arne Schwabe wrote:
> > > On 10.02.18 at 23:50, James Bottomley wrote:
> > > > Testing engines is problematic, so one of the prerequisites
> > > > built
> > > > for the tests is a simple openssl engine that reads a non-
> > > > standard
> > > > PEM guarded key.  The test is simply can we run a client/server
> > > > configuration with the usual sample key replaced by an engine
> > > > key.
> > > > The trivial engine prints out some operations and we check for
> > > > these in the log to make sure the engine was used to load the
> > > > key
> > > > and that it correctly got the password.
> > > 
> > > This tests the openssl engine functionality in a sensible way.
> > > But I
> > > think it is not fully ready to be committed. To get it working I
> > > needed to do the following changes on my Mac:
> > 
> > That could be ... I only have a linux box to try this out on.
> > 
> > > commit afa697cec15b4e54e720efe9de39c9b20b13c5c8 (HEAD ->
> > > review/enginekeys)
> > > Author: Arne Schwabe 
> > > Date:   Thu Feb 13 18:13:34 2020 +0100
> > > 
> > > foo
> > > 
> > > diff --git a/tests/unit_tests/engine-key/Makefile.am
> > > b/tests/unit_tests/engine-key/Makefile.am
> > > index 73921965..6d7fc9c5 100644
> > > --- a/tests/unit_tests/engine-key/Makefile.am
> > > +++ b/tests/unit_tests/engine-key/Makefile.am
> > > @@ -10,4 +10,6 @@ TESTS_ENVIRONMENT = srcdir="$(abs_srcdir)"; \
> > >  TESTS = check_engine_keys.sh
> > > 
> > >  libtestengine_la_SOURCES = libtestengine.c
> > > -libtestengine_la_LDFLAGS = -rpath /lib -avoid-version
> > > +libtestengine_la_LDFLAGS = @TEST_LDFLAGS@  -rpath /lib
> > > +libtestengine_la_CFLAGS  = @TEST_CFLAGS@ -I$(openvpn_srcdir)
> > > -I$(compat_srcdir)
> > > +
> > > diff --git a/tests/unit_tests/engine-key/libtestengine.c
> > > b/tests/unit_tests/engine-key/libtestengine.c
> > > index fa7f5de1..46ec1e33 100644
> > > --- a/tests/unit_tests/engine-key/libtestengine.c
> > > +++ b/tests/unit_tests/engine-key/libtestengine.c
> > > @@ -30,7 +30,6 @@ static EVP_PKEY *engine_load_key(ENGINE *e,
> > > const
> > > char
> > > *key_id,
> > > PKCS8_PRIV_KEY_INFO *p8inf;
> > > UI *ui;
> > > char auth[256];
> > > -   int len;
> > 
> > the variable is certainly unused and can go.
> > 
> > > fprintf(stderr, "ENGINE: engine_load_key called\n");
> > > 
> > > diff --git a/tests/unit_tests/engine-key/openssl.cnf
> > > b/tests/unit_tests/engine-key/openssl.cnf
> > > index 53200c46..e9513a92 100644
> > > --- a/tests/unit_tests/engine-key/openssl.cnf
> > > +++ b/tests/unit_tests/engine-key/openssl.cnf
> > > @@ -9,4 +9,4 @@ engines = engines_section
> > >  testengine = testengine_section
> > > 
> > >  [testengine_section]
> > > -dynamic_path   = $ENV::srcdir/.libs/libtestengine.so
> > > +dynamic_path   = $ENV::srcdir/.libs/libtestengine.dylib
> 
> we use gost-engine (https://github.com/engine/gost-engine)
> 
> on both linux and osx.
> 
> for some time there was a bug in openssl:
> 
> https://github.com/openssl/openssl/issues/8950
> 
> 
> however, for now "dylib" is used for osx, but we do not use the
> "dynamic" path. we use a config like this:
> 
> openssl_conf = openssl_def
> 
> [openssl_def]
> engines = engine_section
> 
> [engine_section]
> gost = gost_section
> 
> [gost_section]
> default_algorithms = ALL
> engine_id = gost
> CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet

Right, that works if the engine is in the correct directory.  The
problem with this engine is that it's only built as a test
demonstration for the openvpn engine code, so it's never installed in
the openssl engines directory, so we have to tell openssl exactly where
to find it in the openvpn tree ... and that seems to involve naming the
whole file and location, including extension.

James


