AM_CONDITIONAL([ENABLE_PLUGIN_AUTH_PAM], [test "${enable_plugin_auth_pam}" = "yes"])
AM_CONDITIONAL([ENABLE_PLUGIN_DOWN_ROOT], [test "${enable_plugin_down_root}" = "yes"])
AM_CONDITIONAL([HAVE_LD_WRAP_SUPPORT], [test "${have_ld_wrap_support}" = "yes"])
+AM_CONDITIONAL([OPENSSL_ENGINE], [test "${have_openssl_engine}" = "yes"])
sampledir="\$(docdir)/sample"
AC_SUBST([plugindir])
tests/unit_tests/openvpn/Makefile
tests/unit_tests/plugins/Makefile
tests/unit_tests/plugins/auth-pam/Makefile
+ tests/unit_tests/engine-key/Makefile
sample/Makefile
])
AC_CONFIG_FILES([tests/t_client.sh], [chmod +x tests/t_client.sh])
--- /dev/null
+AUTOMAKE_OPTIONS = foreign
+
+check_LTLIBRARIES = libtestengine.la
+conffiles = openssl.cnf
+
+TESTS_ENVIRONMENT = srcdir="$(abs_srcdir)"; \
+ builddir="$(abs_builddir)"; \
+ top_builddir="$(top_builddir)"; \
+ top_srcdir="$(top_srcdir)"; \
+ export srcdir builddir top_builddir top_srcdir;
+
+TESTS = check_engine_keys.sh
+check_engine_keys.sh: $(conffiles)
+
+clean-local:
+ rm -f $(conffiles)
+
+$(builddir)/openssl.cnf: $(srcdir)/openssl.cnf.in
+ sed "s|ABSBUILDDIR|$(abs_builddir)|" < $< > $@
+
+libtestengine_la_SOURCES = libtestengine.c
+libtestengine_la_LDFLAGS = @TEST_LDFLAGS@ -rpath /lib -shrext .so
+libtestengine_la_CFLAGS = @TEST_CFLAGS@ -I$(openvpn_srcdir) -I$(compat_srcdir)
--- /dev/null
+#!/bin/sh
+
+OPENSSL_CONF="${builddir}/openssl.cnf"
+export OPENSSL_CONF
+
+password='AT3S4PASSWD'
+
+key="${builddir}/client.key"
+pwdfile="${builddir}/passwd"
+
+# create an engine key for us
+sed 's/PRIVATE KEY/TEST ENGINE KEY/' < ${top_srcdir}/sample/sample-keys/client.key > ${key}
+echo "$password" > $pwdfile
+
+# note here we've induced a mismatch in the client key and the server
+# cert which openvpn should report and die. Check that it does. Note
+# also that this mismatch depends on openssl not openvpn, so it is
+# somewhat fragile
+${top_builddir}/src/openvpn/openvpn --cd ${top_srcdir}/sample --config sample-config-files/loopback-server --engine testengine --key ${key} --askpass $pwdfile > log.txt 2>&1
+
+# first off check we died because of a key mismatch. If this doesn't
+# pass, suspect openssl of returning different messages and update the
+# test accordingly
+grep -q 'X509_check_private_key:key values mismatch' log.txt || { echo "Key mismatch not detected"; exit 1; }
+
+# now look for the engine prints (these are under our control)
+grep -q 'ENGINE: engine_init called' log.txt || { echo "Engine initialization not detected"; exit 1; }
+grep -q 'ENGINE: engine_load_key called' log.txt || { echo "Key was not loaded from engine"; exit 1; }
+grep -q "ENGINE: engine_load_key got password ${password}" log.txt || { echo "Key password was not retrieved by the engine"; exit 1; }
+exit 0
--- /dev/null
+#include <string.h>
+#include <openssl/engine.h>
+#include <openssl/evp.h>
+#include <openssl/pem.h>
+
+static char *engine_id = "testengine";
+static char *engine_name = "Engine for testing openvpn engine key support";
+
+static int is_initialized = 0;
+
+static int engine_init(ENGINE *e)
+{
+ is_initialized = 1;
+ fprintf(stderr, "ENGINE: engine_init called\n");
+ return 1;
+}
+
+static int engine_finish(ENGINE *e)
+{
+ fprintf(stderr, "ENGINE: engine_finsh called\n");
+ is_initialized = 0;
+ return 1;
+}
+
+static EVP_PKEY *engine_load_key(ENGINE *e, const char *key_id,
+ UI_METHOD *ui_method, void *cb_data)
+{
+ BIO *b;
+ EVP_PKEY *pkey;
+ PKCS8_PRIV_KEY_INFO *p8inf;
+ UI *ui;
+ char auth[256];
+
+ fprintf(stderr, "ENGINE: engine_load_key called\n");
+
+ if (!is_initialized) {
+ fprintf(stderr, "Load Key called without correct initialization\n");
+ return NULL;
+ }
+ b = BIO_new_file(key_id, "r");
+ if (!b) {
+ fprintf(stderr, "File %s does not exist or cannot be read\n", key_id);
+ return 0;
+ }
+ /* Basically read an EVP_PKEY private key file with different
+ * PEM guards --- we are a test engine */
+ p8inf = PEM_ASN1_read_bio((d2i_of_void *)d2i_PKCS8_PRIV_KEY_INFO,
+ "TEST ENGINE KEY", b,
+ NULL, NULL, NULL);
+ BIO_free(b);
+ if (!p8inf) {
+ fprintf(stderr, "Failed to read engine private key\n");
+ return NULL;
+ }
+ pkey = EVP_PKCS82PKEY(p8inf);
+
+ /* now we have a private key, pretend it had a password
+ * this verifies the password makes it through openvpn OK */
+ ui = UI_new();
+
+ if (ui_method)
+ UI_set_method(ui, ui_method);
+
+ UI_add_user_data(ui, cb_data);
+
+ if (UI_add_input_string(ui, "enter test engine key",
+ UI_INPUT_FLAG_DEFAULT_PWD,
+ auth, 0, sizeof(auth)) == 0) {
+ fprintf(stderr, "UI_add_input_string failed\n");
+ goto out;
+ }
+
+ if (UI_process(ui)) {
+ fprintf(stderr, "UI_process failed\n");
+ goto out;
+ }
+
+ fprintf(stderr, "ENGINE: engine_load_key got password %s\n", auth);
+
+ out:
+ UI_free(ui);
+
+ return pkey;
+}
+
+
+static int engine_bind_fn(ENGINE *e, const char *id)
+{
+ if (id && strcmp(id, engine_id) != 0)
+ return 0;
+ if (!ENGINE_set_id(e, engine_id) ||
+ !ENGINE_set_name(e, engine_name) ||
+ !ENGINE_set_init_function(e, engine_init) ||
+ !ENGINE_set_finish_function(e, engine_finish) ||
+ !ENGINE_set_load_privkey_function(e, engine_load_key))
+ return 0;
+ return 1;
+}
+
+IMPLEMENT_DYNAMIC_CHECK_FN()
+IMPLEMENT_DYNAMIC_BIND_FN(engine_bind_fn)