krb5 commit: Use imported soft-pkcs11 for tests
Greg Hudson
ghudson at mit.edu
Wed Jun 26 01:36:32 EDT 2019
https://github.com/krb5/krb5/commit/e5ef7b69765353ea62ad8712a229ed4e90a8fe17
commit e5ef7b69765353ea62ad8712a229ed4e90a8fe17
Author: Greg Hudson <ghudson at mit.edu>
Date: Thu Jun 20 13:41:57 2019 -0400
Use imported soft-pkcs11 for tests
Update the soft-pkcs11 code for OpenSSL 1.1, fix some warnings,
integrate it into the build system, and use it for the PKINIT tests.
src/configure.ac | 1 +
src/tests/Makefile.in | 2 +-
src/tests/softpkcs11/Makefile.in | 21 +++++
src/tests/softpkcs11/deps | 6 ++
src/tests/softpkcs11/main.c | 124 ++++++++++++++++++++++---------
src/tests/softpkcs11/softpkcs11.exports | 39 ++++++++++
src/tests/t_pkinit.py | 18 +----
7 files changed, 162 insertions(+), 49 deletions(-)
diff --git a/src/configure.ac b/src/configure.ac
index 179cad0..b7198c2 100644
--- a/src/configure.ac
+++ b/src/configure.ac
@@ -1119,6 +1119,7 @@ int i = 1;
fi
if test "$k5_cv_openssl_version_okay" = yes && (test "$enable_pkinit" = yes || test "$enable_pkinit" = try); then
K5_GEN_MAKEFILE(plugins/preauth/pkinit)
+ K5_GEN_MAKEFILE(tests/softpkcs11)
PKINIT=yes
AC_CHECK_LIB(crypto, CMS_get0_content, [AC_DEFINE([HAVE_OPENSSL_CMS], 1, [Define if OpenSSL supports cms.])])
elif test "$k5_cv_openssl_version_okay" = no && test "$enable_pkinit" = yes; then
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index 8afa0cd..88545e3 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -1,7 +1,7 @@
mydir=tests
BUILDTOP=$(REL)..
SUBDIRS = resolve asn.1 create hammer verify gssapi dejagnu shlib \
- gss-threads misc threads
+ gss-threads misc threads softpkcs11
RUN_DB_TEST = $(RUN_SETUP) KRB5_KDC_PROFILE=kdc.conf KRB5_CONFIG=krb5.conf \
LC_ALL=C $(VALGRIND)
diff --git a/src/tests/softpkcs11/Makefile.in b/src/tests/softpkcs11/Makefile.in
new file mode 100644
index 0000000..e896781
--- /dev/null
+++ b/src/tests/softpkcs11/Makefile.in
@@ -0,0 +1,21 @@
+mydir=tests$(S)softpkcs11
+BUILDTOP=$(REL)..$(S)..
+
+LOCALINCLUDES = -I$(top_srcdir)/plugins/preauth/pkinit
+
+LIBBASE=softpkcs11
+LIBMAJOR=0
+LIBMINOR=0
+
+SHLIB_EXPLIBS=$(SUPPORT_LIB) -lcrypto
+SHLIB_EXPDEPS=$(SUPPORT_DEPLIB)
+
+STLIBOBJS=main.o
+
+SRCS=$(srcdir)/main.c
+
+all-unix: all-libs
+clean-unix:: clean-libs clean-libobjs
+
+ at libnover_frag@
+ at libobj_frag@
diff --git a/src/tests/softpkcs11/deps b/src/tests/softpkcs11/deps
new file mode 100644
index 0000000..1e82d95
--- /dev/null
+++ b/src/tests/softpkcs11/deps
@@ -0,0 +1,6 @@
+#
+# Generated makefile dependencies follow.
+#
+main.so main.po $(OUTPRE)main.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \
+ $(top_srcdir)/plugins/preauth/pkinit/pkcs11.h main.c
diff --git a/src/tests/softpkcs11/main.c b/src/tests/softpkcs11/main.c
index 2acec51..5255323 100644
--- a/src/tests/softpkcs11/main.c
+++ b/src/tests/softpkcs11/main.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright (c) 2004-2006, Stockholms universitet
* (Stockholm University, Stockholm Sweden)
@@ -31,7 +32,57 @@
* POSSIBILITY OF SUCH DAMAGE.
*/
-#include "locl.h"
+#include "k5-platform.h"
+
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/pem.h>
+#include <openssl/rand.h>
+#include <openssl/x509.h>
+
+#include <ctype.h>
+#include <pwd.h>
+
+#include <pkcs11.h>
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define EVP_PKEY_get0_RSA(key) ((key)->pkey.rsa)
+#define RSA_PKCS1_OpenSSL RSA_PKCS1_SSLeay
+#define RSA_get0_key compat_rsa_get0_key
+static void
+compat_rsa_get0_key(const RSA *rsa, const BIGNUM **n, const BIGNUM **e,
+ const BIGNUM **d)
+{
+ if (n != NULL)
+ *n = rsa->n;
+ if (e != NULL)
+ *e = rsa->e;
+ if (d != NULL)
+ *d = rsa->d;
+}
+#endif
+
+#define OPENSSL_ASN1_MALLOC_ENCODE(T, B, BL, S, R) \
+ { \
+ unsigned char *p; \
+ (BL) = i2d_##T((S), NULL); \
+ if ((BL) <= 0) { \
+ (R) = EINVAL; \
+ } else { \
+ (B) = malloc((BL)); \
+ if ((B) == NULL) { \
+ (R) = ENOMEM; \
+ } else { \
+ p = (B); \
+ (R) = 0; \
+ (BL) = i2d_##T((S), &p); \
+ if ((BL) <= 0) { \
+ free((B)); \
+ (R) = EINVAL; \
+ } \
+ } \
+ } \
+ }
/* RCSID("$Id: main.c,v 1.24 2006/01/11 12:42:53 lha Exp $"); */
@@ -124,7 +175,7 @@ st_logf(const char *fmt, ...)
}
static void
-snprintf_fill(char *str, size_t size, char fillchar, const char *fmt, ...)
+snprintf_fill(char *str, int size, char fillchar, const char *fmt, ...)
{
int len;
va_list ap;
@@ -141,19 +192,19 @@ snprintf_fill(char *str, size_t size, char fillchar, const char *fmt, ...)
#endif
#define VERIFY_SESSION_HANDLE(s, state) \
-{ \
- CK_RV ret; \
- ret = verify_session_handle(s, state); \
- if (ret != CKR_OK) { \
- /* return CKR_OK */; \
- } \
-}
+ { \
+ CK_RV vshret; \
+ vshret = verify_session_handle(s, state); \
+ if (vshret != CKR_OK) { \
+ /* return CKR_OK */; \
+ } \
+ }
static CK_RV
verify_session_handle(CK_SESSION_HANDLE hSession,
struct session_state **state)
{
- int i;
+ size_t i;
for (i = 0; i < MAX_NUM_SESSION; i++){
if (soft_token.state[i].session_handle == hSession)
@@ -361,16 +412,20 @@ add_pubkey_info(struct st_object *o, CK_KEY_TYPE key_type, EVP_PKEY *key)
CK_ULONG modulus_bits = 0;
CK_BYTE *exponent = NULL;
size_t exponent_len = 0;
+ RSA *rsa;
+ const BIGNUM *n, *e;
- modulus_bits = BN_num_bits(key->pkey.rsa->n);
+ rsa = EVP_PKEY_get0_RSA(key);
+ RSA_get0_key(rsa, &n, &e, NULL);
+ modulus_bits = BN_num_bits(n);
- modulus_len = BN_num_bytes(key->pkey.rsa->n);
+ modulus_len = BN_num_bytes(n);
modulus = malloc(modulus_len);
- BN_bn2bin(key->pkey.rsa->n, modulus);
+ BN_bn2bin(n, modulus);
- exponent_len = BN_num_bytes(key->pkey.rsa->e);
+ exponent_len = BN_num_bytes(e);
exponent = malloc(exponent_len);
- BN_bn2bin(key->pkey.rsa->e, exponent);
+ BN_bn2bin(e, exponent);
add_object_attribute(o, 0, CKA_MODULUS, modulus, modulus_len);
add_object_attribute(o, 0, CKA_MODULUS_BITS,
@@ -378,7 +433,7 @@ add_pubkey_info(struct st_object *o, CK_KEY_TYPE key_type, EVP_PKEY *key)
add_object_attribute(o, 0, CKA_PUBLIC_EXPONENT,
exponent, exponent_len);
- RSA_set_method(key->pkey.rsa, RSA_PKCS1_SSLeay());
+ RSA_set_method(rsa, RSA_PKCS1_OpenSSL());
free(modulus);
free(exponent);
@@ -474,7 +529,7 @@ add_certificate(char *label,
o->u.cert = cert;
public_key = X509_get_pubkey(o->u.cert);
- switch (EVP_PKEY_type(public_key->type)) {
+ switch (EVP_PKEY_base_id(public_key)) {
case EVP_PKEY_RSA:
key_type = CKK_RSA;
break;
@@ -604,8 +659,8 @@ add_certificate(char *label,
/* XXX verify keytype */
if (key_type == CKK_RSA)
- RSA_set_method(o->u.private_key.key->pkey.rsa,
- RSA_PKCS1_SSLeay());
+ RSA_set_method(EVP_PKEY_get0_RSA(o->u.private_key.key),
+ RSA_PKCS1_OpenSSL());
if (X509_check_private_key(cert, o->u.private_key.key) != 1) {
EVP_PKEY_free(o->u.private_key.key);
@@ -755,8 +810,9 @@ CK_RV
C_Initialize(CK_VOID_PTR a)
{
CK_C_INITIALIZE_ARGS_PTR args = a;
+ size_t i;
+
st_logf("Initialize\n");
- int i;
OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
@@ -825,7 +881,7 @@ C_Initialize(CK_VOID_PTR a)
CK_RV
C_Finalize(CK_VOID_PTR args)
{
- int i;
+ size_t i;
st_logf("Finalize\n");
@@ -1008,7 +1064,7 @@ C_OpenSession(CK_SLOT_ID slotID,
CK_NOTIFY Notify,
CK_SESSION_HANDLE_PTR phSession)
{
- int i;
+ size_t i;
st_logf("OpenSession: slot: %d\n", (int)slotID);
@@ -1050,7 +1106,7 @@ C_CloseSession(CK_SESSION_HANDLE hSession)
CK_RV
C_CloseAllSessions(CK_SLOT_ID slotID)
{
- int i;
+ size_t i;
st_logf("CloseAllSessions\n");
@@ -1127,7 +1183,8 @@ C_Login(CK_SESSION_HANDLE hSession,
}
/* XXX check keytype */
- RSA_set_method(o->u.private_key.key->pkey.rsa, RSA_PKCS1_SSLeay());
+ RSA_set_method(EVP_PKEY_get0_RSA(o->u.private_key.key),
+ RSA_PKCS1_OpenSSL());
if (X509_check_private_key(o->u.private_key.cert, o->u.private_key.key) != 1) {
EVP_PKEY_free(o->u.private_key.key);
@@ -1226,7 +1283,6 @@ C_FindObjectsInit(CK_SESSION_HANDLE hSession,
}
if (ulCount) {
CK_ULONG i;
- size_t len;
print_attributes(pTemplate, ulCount);
@@ -1415,7 +1471,7 @@ C_Encrypt(CK_SESSION_HANDLE hSession,
return CKR_ARGUMENTS_BAD;
}
- rsa = o->u.public_key->pkey.rsa;
+ rsa = EVP_PKEY_get0_RSA(o->u.public_key);
if (rsa == NULL)
return CKR_ARGUMENTS_BAD;
@@ -1445,7 +1501,7 @@ C_Encrypt(CK_SESSION_HANDLE hSession,
goto out;
}
- if (buffer_len + padding_len < ulDataLen) {
+ if ((CK_ULONG)buffer_len + padding_len < ulDataLen) {
ret = CKR_ARGUMENTS_BAD;
goto out;
}
@@ -1566,7 +1622,7 @@ C_Decrypt(CK_SESSION_HANDLE hSession,
return CKR_ARGUMENTS_BAD;
}
- rsa = o->u.private_key.key->pkey.rsa;
+ rsa = EVP_PKEY_get0_RSA(o->u.private_key.key);
if (rsa == NULL)
return CKR_ARGUMENTS_BAD;
@@ -1596,7 +1652,7 @@ C_Decrypt(CK_SESSION_HANDLE hSession,
goto out;
}
- if (buffer_len + padding_len < ulEncryptedDataLen) {
+ if ((CK_ULONG)buffer_len + padding_len < ulEncryptedDataLen) {
ret = CKR_ARGUMENTS_BAD;
goto out;
}
@@ -1725,7 +1781,7 @@ C_Sign(CK_SESSION_HANDLE hSession,
return CKR_ARGUMENTS_BAD;
}
- rsa = o->u.private_key.key->pkey.rsa;
+ rsa = EVP_PKEY_get0_RSA(o->u.private_key.key);
if (rsa == NULL)
return CKR_ARGUMENTS_BAD;
@@ -1754,7 +1810,7 @@ C_Sign(CK_SESSION_HANDLE hSession,
goto out;
}
- if (buffer_len < ulDataLen + padding_len) {
+ if ((CK_ULONG)buffer_len < ulDataLen + padding_len) {
ret = CKR_ARGUMENTS_BAD;
goto out;
}
@@ -1872,7 +1928,7 @@ C_Verify(CK_SESSION_HANDLE hSession,
return CKR_ARGUMENTS_BAD;
}
- rsa = o->u.public_key->pkey.rsa;
+ rsa = EVP_PKEY_get0_RSA(o->u.public_key);
if (rsa == NULL)
return CKR_ARGUMENTS_BAD;
@@ -1900,7 +1956,7 @@ C_Verify(CK_SESSION_HANDLE hSession,
goto out;
}
- if (buffer_len < ulDataLen) {
+ if ((CK_ULONG)buffer_len < ulDataLen) {
ret = CKR_ARGUMENTS_BAD;
goto out;
}
@@ -1926,7 +1982,7 @@ C_Verify(CK_SESSION_HANDLE hSession,
if (len > buffer_len)
abort();
- if (len != ulSignatureLen) {
+ if ((CK_ULONG)len != ulSignatureLen) {
ret = CKR_GENERAL_ERROR;
goto out;
}
diff --git a/src/tests/softpkcs11/softpkcs11.exports b/src/tests/softpkcs11/softpkcs11.exports
new file mode 100644
index 0000000..aa72845
--- /dev/null
+++ b/src/tests/softpkcs11/softpkcs11.exports
@@ -0,0 +1,39 @@
+C_CloseAllSessions
+C_CloseSession
+C_Decrypt
+C_DecryptFinal
+C_DecryptInit
+C_DecryptUpdate
+C_DigestInit
+C_Encrypt
+C_EncryptFinal
+C_EncryptInit
+C_EncryptUpdate
+C_Finalize
+C_FindObjects
+C_FindObjectsFinal
+C_FindObjectsInit
+C_GenerateRandom
+C_GetAttributeValue
+C_GetFunctionList
+C_GetInfo
+C_GetMechanismInfo
+C_GetMechanismList
+C_GetObjectSize
+C_GetSessionInfo
+C_GetSlotInfo
+C_GetSlotList
+C_GetTokenInfo
+C_Initialize
+C_InitToken
+C_Login
+C_Logout
+C_OpenSession
+C_Sign
+C_SignFinal
+C_SignInit
+C_SignUpdate
+C_Verify
+C_VerifyFinal
+C_VerifyInit
+C_VerifyUpdate
diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
index 1dadb1b..384bf14 100755
--- a/src/tests/t_pkinit.py
+++ b/src/tests/t_pkinit.py
@@ -4,14 +4,7 @@ from k5test import *
if not os.path.exists(os.path.join(plugins, 'preauth', 'pkinit.so')):
skip_rest('PKINIT tests', 'PKINIT module not built')
-# Check if soft-pkcs11.so is available.
-try:
- import ctypes
- lib = ctypes.LibraryLoader(ctypes.CDLL).LoadLibrary('soft-pkcs11.so')
- del lib
- have_soft_pkcs11 = True
-except:
- have_soft_pkcs11 = False
+soft_pkcs11 = os.path.join(buildtop, 'tests', 'softpkcs11', 'softpkcs11.so')
# Construct a krb5.conf fragment configuring pkinit.
certs = os.path.join(srctop, 'tests', 'dejagnu', 'pkinit-certs')
@@ -69,9 +62,9 @@ p12_upn2_identity = 'PKCS12:%s' % user_upn2_p12
p12_upn3_identity = 'PKCS12:%s' % user_upn3_p12
p12_generic_identity = 'PKCS12:%s' % generic_p12
p12_enc_identity = 'PKCS12:%s' % user_enc_p12
-p11_identity = 'PKCS11:soft-pkcs11.so'
-p11_token_identity = ('PKCS11:module_name=soft-pkcs11.so:'
- 'slotid=1:token=SoftToken (token)')
+p11_identity = 'PKCS11:' + soft_pkcs11
+p11_token_identity = ('PKCS11:module_name=' + soft_pkcs11 +
+ ':slotid=1:token=SoftToken (token)')
# Start a realm with the test kdb module for the following UPN SAN tests.
realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=alias_kdc_conf,
@@ -398,9 +391,6 @@ realm.klist(realm.user_princ)
realm.kinit(realm.user_princ, flags=['-X', 'X509_user_identity=,'],
expected_code=1, expected_msg='Preauthentication failed while')
-if not have_soft_pkcs11:
- skip_rest('PKINIT PKCS11 tests', 'soft-pkcs11.so not found')
-
softpkcs11rc = os.path.join(os.getcwd(), 'testdir', 'soft-pkcs11.rc')
realm.env['SOFTPKCS11RC'] = softpkcs11rc
More information about the cvs-krb5
mailing list