This commit adds two tests for tls-crypt-v2 to verify the client and server key generation. These are introduced primarily as a regression test for the off-by-one bug fixed by Arne in tls_crypt_v2_read_keyfile() recently (no commit hash availble, patch has not been applied yet).
Signed-off-by: Steffan Karger <steffan.kar...@fox-it.com> --- tests/unit_tests/openvpn/Makefile.am | 6 +- tests/unit_tests/openvpn/test_tls_crypt.c | 89 ++++++++++++++++++++++- 2 files changed, 93 insertions(+), 2 deletions(-) diff --git a/tests/unit_tests/openvpn/Makefile.am b/tests/unit_tests/openvpn/Makefile.am index b4304e35..4f137b2b 100644 --- a/tests/unit_tests/openvpn/Makefile.am +++ b/tests/unit_tests/openvpn/Makefile.am @@ -55,7 +55,11 @@ packet_id_testdriver_SOURCES = test_packet_id.c mock_msg.c \ tls_crypt_testdriver_CFLAGS = @TEST_CFLAGS@ \ -I$(openvpn_includedir) -I$(compat_srcdir) -I$(openvpn_srcdir) -tls_crypt_testdriver_LDFLAGS = @TEST_LDFLAGS@ -Wl,--wrap=parse_line +tls_crypt_testdriver_LDFLAGS = @TEST_LDFLAGS@ \ + -Wl,--wrap=buffer_read_from_file \ + -Wl,--wrap=buffer_write_file \ + -Wl,--wrap=parse_line \ + -Wl,--wrap=rand_bytes tls_crypt_testdriver_SOURCES = test_tls_crypt.c mock_msg.c \ $(openvpn_srcdir)/argv.c \ $(openvpn_srcdir)/base64.c \ diff --git a/tests/unit_tests/openvpn/test_tls_crypt.c b/tests/unit_tests/openvpn/test_tls_crypt.c index 62721e82..b793a7a2 100644 --- a/tests/unit_tests/openvpn/test_tls_crypt.c +++ b/tests/unit_tests/openvpn/test_tls_crypt.c @@ -49,7 +49,30 @@ #define PARAM1 "param1" #define PARAM2 "param two" -const char plaintext_short[1]; +static const char *plaintext_short = ""; + +static const char *test_server_key = \ + "-----BEGIN OpenVPN tls-crypt-v2 server key-----\n" + "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4v\n" + "MDEyMzQ1Njc4OTo7PD0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV5f\n" + "YGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6e3x9fn8=\n" + "-----END OpenVPN tls-crypt-v2 server key-----\n"; + +static const char *test_client_key = \ + "-----BEGIN OpenVPN tls-crypt-v2 client key-----\n" + "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4v\n" + "MDEyMzQ1Njc4OTo7PD0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV5f\n" + "YGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6e3x9fn+AgYKDhIWGh4iJiouMjY6P\n" + "kJGSk5SVlpeYmZqbnJ2en6ChoqOkpaanqKmqq6ytrq+wsbKztLW2t7i5uru8vb6/\n" + "wMHCw8TFxsfIycrLzM3Oz9DR0tPU1dbX2Nna29zd3t/g4eLj5OXm5+jp6uvs7e7v\n" + "8PHy8/T19vf4+fr7/P3+/xd9pcB0qUYZsWvkrLcfGmzPJPM8a7r0mEWdXwbDadSV\n" + "LHg5bv2TwlmPR3HgaMr8o9LTh9hxUTkrH3S0PfKRNwcso86ua/dBFTyXsM9tg4aw\n" + "3dS6ogH9AkaT+kRRDgNcKWkQCbwmJK2JlfkXHBwbAtmn78AkNuho6QCFqCdqGab3\n" + "zh2vheFqGMPdGpukbFrT3rcO3VLxUeG+RdzXiMTCpJSovFBP1lDkYwYJPnz6daEh\n" + "j0TzJ3BVru9W3CpotdNt7u09knxAfpCxjtrP3semsDew/gTBtcfQ/OoTFyFHnN5k\n" + "RZ+q17SC4nba3Pp8/Fs0+hSbv2tJozoD8SElFq7SIWJsciTYh8q8f5yQxjdt4Wxu\n" + "/Z5wtPCAZ0tOzj4ItTI77fBOYRTfEayzHgEr\n" + "-----END OpenVPN tls-crypt-v2 client key-----\n"; int __wrap_parse_line(const char *line, char **p, const int n, const char *file, @@ -61,6 +84,40 @@ __wrap_parse_line(const char *line, char **p, const int n, const char *file, return 3; } +bool +__wrap_buffer_write_file(const char *filename, const struct buffer *buf) +{ + const char *pem = BSTR(buf); + check_expected(filename); + check_expected(pem); + + return mock(); +} + +struct buffer +__wrap_buffer_read_from_file(const char *filename, struct gc_arena *gc) +{ + check_expected(filename); + + const char *pem_str = (const char *) mock(); + struct buffer ret = alloc_buf_gc(strlen(pem_str) + 1, gc); + buf_write(&ret, pem_str, strlen(pem_str) + 1); + + return ret; +} + + +/** Predictable random for tests */ +int +__wrap_rand_bytes(uint8_t *output, int len) +{ + for (int i = 0; i < len; i++) + { + output[i] = i; + } + return true; +} + struct test_tls_crypt_context { struct crypto_options co; struct key_type kt; @@ -450,6 +507,34 @@ tls_crypt_v2_wrap_unwrap_dst_too_small(void **state) { assert_true(0 == BLEN(&ctx->unwrapped_metadata)); } +static void +test_tls_crypt_v2_write_server_key_file(void **state) { + const char *filename = "testfilename.key"; + + expect_string(__wrap_buffer_write_file, filename, filename); + expect_string(__wrap_buffer_write_file, pem, test_server_key); + will_return(__wrap_buffer_write_file, true); + + tls_crypt_v2_write_server_key_file(filename); +} + +static void +test_tls_crypt_v2_write_client_key_file(void **state) { + const char *filename = "testfilename.key"; + + /* Test writing the client key */ + expect_string(__wrap_buffer_write_file, filename, filename); + expect_string(__wrap_buffer_write_file, pem, test_client_key); + will_return(__wrap_buffer_write_file, true); + + /* Key generation re-reads the created file as a sanity check */ + expect_string(__wrap_buffer_read_from_file, filename, filename); + will_return(__wrap_buffer_read_from_file, test_client_key); + + tls_crypt_v2_write_client_key_file(filename, NULL, INLINE_FILE_TAG, + test_server_key); +} + int main(void) { const struct CMUnitTest tests[] = { @@ -489,6 +574,8 @@ main(void) { cmocka_unit_test_setup_teardown(tls_crypt_v2_wrap_unwrap_dst_too_small, test_tls_crypt_v2_setup, test_tls_crypt_v2_teardown), + cmocka_unit_test(test_tls_crypt_v2_write_server_key_file), + cmocka_unit_test(test_tls_crypt_v2_write_client_key_file), }; #if defined(ENABLE_CRYPTO_OPENSSL) -- 2.17.1 _______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel