test/sock: Fixing hexstr2buf for PSK

Adding more unit tests using standard openssl The unfortunate small sleep is needed due to issue: https://www.mail-archive.com/openssl-users@openssl.org/msg02937.html Change-Id: I6f55453f12371bec6a402ba4c1d20e21aed73cf4 Signed-off-by: Boris Glimcher <Boris.Glimcher@emc.com> Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/12625 Community-CI: Mellanox Build Bot Community-CI: Broadcom CI <spdk-ci.pdl@broadcom.com> Tested-by: SPDK CI Jenkins <sys_sgci@intel.com> Reviewed-by: Ben Walker <benjamin.walker@intel.com> Reviewed-by: Jim Harris <james.r.harris@intel.com> Reviewed-by: Shuhei Matsumoto <smatsumoto@nvidia.com>
2022-05-03 18:28:20 +03:00 · 2022-05-03 18:28:20 +03:00 · 120382b7ec
commit 120382b7ec
parent 3781c0ea85
2 changed files with 89 additions and 7 deletions
--- a/module/sock/posix/posix.c
+++ b/module/sock/posix/posix.c
@ -428,21 +428,38 @@ posix_sock_tls_psk_server_cb(SSL *ssl,
 			     unsigned char *psk,
 			     unsigned int max_psk_len)
 {
+	long key_len;
+	unsigned char *default_psk;
+
+	if (PSK_KEY == NULL) {
+		SPDK_ERRLOG("PSK is not set\n");
+		goto err;
+	}
 	SPDK_DEBUGLOG(sock_posix, "Length of Client's PSK ID %lu\n", strlen(PSK_ID));
+	if (id == NULL) {
+		SPDK_ERRLOG("Received empty PSK ID\n");
+		goto err;
+	}
+	SPDK_DEBUGLOG(sock_posix,  "Received PSK ID '%s'\n", id);
 	if (strcmp(PSK_ID, id) != 0) {
 		SPDK_ERRLOG("Unknown Client's PSK ID\n");
 		goto err;
 	}

 	SPDK_DEBUGLOG(sock_posix, "Length of Client's PSK KEY %u\n", max_psk_len);
-	if (strlen(PSK_KEY) > max_psk_len) {
-		SPDK_ERRLOG("Insufficient buffer size to copy PSK_KEY\n");
+	default_psk = OPENSSL_hexstr2buf(PSK_KEY, &key_len);
+	if (default_psk == NULL) {
+		SPDK_ERRLOG("Could not unhexlify PSK\n");
+		goto err;
+	}
+	if (key_len > max_psk_len) {
+		SPDK_ERRLOG("Insufficient buffer size to copy PSK\n");
 		goto err;
 	}

-	memcpy(psk, PSK_KEY, strlen(PSK_KEY));
+	memcpy(psk, default_psk, key_len);

-	return strlen(PSK_KEY);
+	return key_len;

 err:
 	return 0;
@ -455,16 +472,34 @@ posix_sock_tls_psk_client_cb(SSL *ssl, const char *hint,
 			     unsigned char *psk,
 			     unsigned int max_psk_len)
 {
+	long key_len;
+	unsigned char *default_psk;
+
+	if (hint) {
+		SPDK_DEBUGLOG(sock_posix,  "Received PSK identity hint '%s'\n", hint);
+	}
+
+	if (PSK_KEY == NULL) {
+		SPDK_ERRLOG("PSK is not set\n");
+		goto err;
+	}
+	default_psk = OPENSSL_hexstr2buf(PSK_KEY, &key_len);
+	if (default_psk == NULL) {
+		SPDK_ERRLOG("Could not unhexlify PSK\n");
+		goto err;
+	}
 	if ((strlen(PSK_ID) + 1 > max_identity_len)
-	    || (strlen(PSK_KEY) > max_psk_len)) {
+	    || (key_len > max_psk_len)) {
 		SPDK_ERRLOG("PSK ID or Key buffer is not sufficient\n");
 		goto err;
 	}
 	spdk_strcpy_pad(identity, PSK_ID, strlen(PSK_ID), 0);
-	memcpy(psk, PSK_KEY, strlen(PSK_KEY));
+	SPDK_DEBUGLOG(sock_posix, "Sending PSK identity '%s'\n", identity);
+
+	memcpy(psk, default_psk, key_len);
 	SPDK_DEBUGLOG(sock_posix, "Provided out-of-band (OOB) PSK for TLS1.3 client\n");

-	return strlen(PSK_KEY);
+	return key_len;

 err:
 	return 0;
--- a/test/iscsi_tgt/sock/sock.sh
+++ b/test/iscsi_tgt/sock/sock.sh
@ -66,6 +66,8 @@ iscsitestinit

 HELLO_SOCK_APP="${TARGET_NS_CMD[*]} $SPDK_EXAMPLE_DIR/hello_sock"
 SOCAT_APP="socat"
+OPENSSL_APP="openssl"
+PSK_ID="nqn.2014-08.org.nvmexpress:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6"

 # ----------------
 # Test client path
@ -110,6 +112,51 @@ killprocess $server_pid || true

 timing_exit sock_client

+# ----------------
+# Test SSL server path
+# ----------------
+timing_enter sock_ssl_server
+echo "Testing SSL server path"
+
+# start echo server using hello_sock echo server
+$HELLO_SOCK_APP -H $TARGET_IP -P $ISCSI_PORT -S -N "ssl" &
+server_pid=$!
+trap 'killprocess $server_pid; iscsitestfini; exit 1' SIGINT SIGTERM EXIT
+waitforlisten $server_pid
+
+# send message using hello_sock client
+message="**MESSAGE:This is a test message from the hello_sock client with ssl**"
+response=$(echo $message | $HELLO_SOCK_APP -H $TARGET_IP -P $ISCSI_PORT -N "ssl")
+if ! echo "$response" | grep -q "$message"; then
+	exit 1
+fi
+
+# send message using openssl client using TLS 1.3
+message="**MESSAGE:This is a test message from the openssl client using TLS 1.3**"
+response=$( (
+	echo -ne $message
+	sleep 2
+) | $OPENSSL_APP s_client -debug -state -tlsextdebug -tls1_3 -psk_identity $PSK_ID -psk "1234567890ABCDEF" -connect $TARGET_IP:$ISCSI_PORT)
+if ! echo "$response" | grep -q "$message"; then
+	exit 1
+fi
+
+# send message using openssl client using TLS 1.2
+message="**MESSAGE:This is a test message from the openssl client using TLS 1.2**"
+response=$( (
+	echo -ne $message
+	sleep 2
+) | $OPENSSL_APP s_client -debug -state -tlsextdebug -tls1_2 -psk_identity $PSK_ID -psk "1234567890ABCDEF" -connect $TARGET_IP:$ISCSI_PORT)
+if ! echo "$response" | grep -q "$message"; then
+	exit 1
+fi
+
+trap '-' SIGINT SIGTERM EXIT
+# NOTE: socat returns code 143 on SIGINT
+killprocess $server_pid || true
+
+timing_exit sock_ssl_server
+
 # ----------------
 # Test server path
 # ----------------