Age | Commit message (Collapse) | Author |
|
For some of the test we don't like the default log behavior
and there seems no easy way to change that except to fork
the driver. The license seems unproblematic since we're
GPL anyway.
v2:
- Do not use forked-test-driver for UTs. Default behavior
is fine for those.
Change-Id: I67d461afbcc9c06b1fc5ab4477141d7b8bd9ba8e
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240125110036.16070-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28132.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Change-Id: Ic377958d303b1dcfa9d877d3a63ecf39bdff7aef
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240315170054.2368254-1-frank@lichtenheld.com>
URL: https://sourceforge.net/p/openvpn/mailman/message/58749316/
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Individual tests can define a script to run to test
whether they should be skipped.
Included in this commit is an example check which
checks whether we can do NTLM checks. This fails
e.g. on recent versions of Fedora with mbedTLS
(tested with Fedora 39) or when NTLM support is not
compiled in.
v2:
- ntlm_support:
- support OpenSSL 3
- allow to build without cmocka
v3:
- add example to t_client.rc-sample
- t_client.sh code style
- use syshead.h in error.h
v5:
- rename SKIP_x to CHECK_SKIP_x
Change-Id: I13ea6752c8d102eabcc579e391828c05d5322899
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240308102818.9249-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20240308102818.9249-1-gert@greenie.muc.de
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Including "ssl.h" conflicts with the wolfSSL ssl.h header file. The openvpn/src directory needs to be included before include/wolfssl. include/wolfssl needs to be included so that openvpn can pick up wolfSSL compatibility headers instead of OpenSSL headers without changing the paths.
src/openvpn/Makefile.am does not need to be modified because AM_CPPFLAGS is placed before AM_CFLAGS in the output Makefile.
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20240212132522.125903-1-juliusz@wolfssl.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28229.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Change-Id: I7511bc43cd6a0bcb89476f27d5822ab4a78d0d21
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240209105902.14506-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28201.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
This test is reusing code from --test-crypto but is modified to not rely
on the static key functionality and also only tests the most common
algorithm. So it does not yet completely replace --test-crypto
Change-Id: Ifa5ae96165d17b3cae4afc53e844bb34d1610e58
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240208085749.869-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28195.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Change-Id: I8b5570f6314e917f92dce072279efe415d79b22a
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240207171239.86730-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28191.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Settings the environment variable required for running unit tests is
tiresome in my IDE (Clion). So allow unit tests to fall back to a hard
coded location in case the environment variable is not set.
Change-Id: Ide72b81f497088dd0fd2cdcfff83cbce5b48f145
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240201144817.188884-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28161.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
For simplicity I implemented them only with the
inline method, but they actually apply to all methods.
Change-Id: Ie8d2d5f6f58679baaf5eb817a7e2ca1afcb8c4db
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240129105358.11161-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20240129105358.11161-1-gert@greenie.muc.de
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
UTs for basic functionality, without management functions.
v2:
- add CMake support
- add GHA support for both MSVC and mingw
v3:
- fix distcheck by adding input/ directory to dist
Change-Id: I193aef06912f01426dd4ac298aadfab97dd75a35
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240127200716.10255-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28138.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
stderr is normally always unbuffered but stdout can be buffered. Especially,
when stdout is redirected it will become buffered while it is normally
unbuffered when connected to a terminal. This mean that if the unit exits
prematurely, the output in the buffered output will be lost.
As the unit test x_msg mock implementation prints even fatal on stdout
we ensure with this setup method that stdout is also unbuffered.
Change-Id: I5c06dc13e9d8ab73997f79b13c30ee8949e5e993
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240123104358.495517-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28122.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
OpenSSL 1.1.1 will initialise itself using clever linker magic. For
OpenSSL 1.0.2 we need to manually initialise the library. For other
unit tests just doing the OpenSSL_add_all_algorithms is enough but
this unit test needs a more complete initialisation.
Change-Id: I378081f391ad755d0a6fd5613de5c2a8bacc389a
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240122130909.10706-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28112.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
This introduces a number of mock function to be able to compile
ssl_verify_*.c and ssl_mbedtls.c/ssl_openssl.c into a unit and adds
quite a number of files to that unit. But it allows similar unit tests
(in term of dependencies) to be added in the future.
Change-Id: Ie248d35d063bb6878f3dd42840c77ba0d6fa3381
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240116214152.27316-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28028.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Due to the limitation of the protocol it is not
considered secure. Better to use basic auth instead
of a false sense of security. NTLM v2 remains
supported for now.
Change-Id: I0dcb2dac4136f194da7050a8ea8495e9faba9dd9
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231230143733.4426-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27862.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Serial mode is the old one and offers much less options for
running the tests. Generally our tests seem to work fine
with the newer parallel mode. The only reason we stuck with
serial_tests seems to be that we didn't like that it doesn't
output the test output by default. We could fix that with a
custom test driver. But will put that into a separate commit.
Change-Id: Ic7265d89142637b0963a6847c6beb06d9163bbb1
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231214111635.237429-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27812.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Since I was confused what exactly string_mod does, I
added documentation and additional UTs to make it
clearer.
Change-Id: I911fb5c5fa4b41f1fc1a30c6bf8b314245f64a6e
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231211170214.85417-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27761.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Not actually used.
Change-Id: I5e394bb73702d87562ed354100eaff9b41f5389e
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231208173529.95023-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27727.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Change-Id: Ib2aa85b9c34d0a0b8b1dfb9f477f56c9a6b705d0
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231201112243.15541-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27628.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
This is a contribution for loading engine key. OpenSSL engine is
deprecated since OpenSSL 3.0 and James Bottomley has not agreed to
the proposed license chagne. He is also okay with removing the
feature from the current code base as it is obsolete with OpenSSL 3.0.
The original commit ID was a0a8d801dd0d84e0ec844b9ca4c225df7 (plus
subsequent fixes).
Change-Id: I2d353a0cea0a62f289b8c1060244df66dd7a14cb
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20231006111910.3541180-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27133.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
OpenVPN 2.6 already warned about this feature being removed. OpenVPN
2.7 will with this change no longer accept these configurations without
having a --allow-deprecated-insecure-static-crypto added to the command
line or the configuration itself. This will serve as a last and final
warning for people who missed the warning message in OpenVPN 2.6.
This commit also removes the documentation for --secret and the static key
mode.
Change-Id: I4f29953b91cf8e8daf2c9503da44073ad96d0ff5
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231009105832.34762-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27194.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Currently we log a bogus error message saying private key password
verification failed when SSL_CTX_use_cert_and_key() fails in
pkcs11_openssl.c. Instead print OpenSSL error queue and exit promptly.
Also log OpenSSL errors when SSL_CTX_use_certiifcate() fails in
cryptoapi.c and elsewhere. Such logging could be useful especially when
the ceritficate is rejected by OpenSSL due to stricter security
restrictions in recent versions of the library.
Change-Id: Ic7ec25ac0503a91d5869b8da966d0065f264af22
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20231001174920.54154-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27122.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Officially deprecated since v2.4.
We have warned about using this forever.
It is time to pull the plug.
Change-Id: I58706019add6d348483ba222dd74e1466ff6c709
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Heiko Hund <heiko@openvpn.net>
Message-Id: <20230922103830.37151-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27059.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
These are based on review comments for the 2.6 backport.
But since they apply to the original master implementation
as well, I address them in this separate patch.
- Add documentation to contrib/cmake/*.py
- Fix grammar in README.cmake.md
- Update a TODO in CMakeLists.txt to better reflect
the status quo
- Fix indentation in unit_tests' Makefile.am
Change-Id: I4e16767ee221e1aefdd18d13b3411c27d8dd844a
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/342
Message-Id: <20230919155635.708557-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27043.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
This function is needed to commpile on win32 as run_command.c defines it
on Unix Linux but on windows it is defined in win32.c which pulls in too
many other unresolvable symbols.
Patch v2: Also add mock_win32_execve.c to automake files
Change-Id: I8c8fe298eb30e211279f3fc010584b9d3bc14b4a
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230712095412.570106-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26849.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Use the casting variants of mock(). Using the mock_ptr_type
fixes an existing bug where test_tls_crypt.c couldn't
build in MinGW 32bit:
test_tls_crypt.c:127:27: error:
cast to pointer from integer of different size
[-Werror=int-to-pointer-cast]
127 | const char *pem_str = (const char *) mock();
Change-Id: I6c03313b8677fa07c07e718b1f85f7efd3c4dea8
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230630123908.82588-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26796.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Completely replaced by the CMake build system now.
v3:
- rebase on top of my dist fixes
Change-Id: I807cffa40f18faa1adec4e15e84c032877a2b92e
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20230620135310.94455-4-frank@lichtenheld.com>
URL: https://www.mail-archive.com/search?l=mid&q=20230620135310.94455-4-frank@lichtenheld.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Document the dependency. Also fixes cert_data.h missing from
distribution.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230619132934.76085-4-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26750.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Just some very basic tests.
v2:
- fix off-by-one
Change-Id: I73fc893136387d1da05f4aea98cb37b02d6c3230
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230517084422.70547-2-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26680.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
This makes it easy to test an installed binary for
example.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230511101253.369196-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26648.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
It is generated from t_client.sh.in by configure,
so no need to ship it. Due to the dependency on
the configuration it also might break reproducibility
of the dist tarball.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230418134941.86637-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26596.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
- Do not use non-literal initializers for static objects
- Replace empty initializer {} by {0}
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Co-authored-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230327114937.28246-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26525.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
- Load some test certificate/key pairs into a temporary softhsm2 token
and enumerate available objects through pkcs11-helper interface
- For each object, load it into SSL_CTX and test sign (if using OpenSSL 3)
or check the certificate and public-key match (if using OpenSSl 1.1.1.).
The pkcs11-id for each object is specified directly or
through a mocked management callback to test pkcs11-id-management
Limitations:
Depends on libsofthsm2.so and p11tool (install softhsm2 and gnutls-bin
packages). Mbed-TLS/pkcs11-helper combination is not tested.
If locations of these binaries are not auto-detected or need to be
overridden, use -DSOFTHSM2_UTIL=<path> -DP11TOOL=<path> to configure.
Location of SOFTHSM2_MODULE is not auto-detected and defaults to
/usr/lib/softhsm/libsofthsm2.so. It may be changed by passing
-DSOFTHSM2_MODULE=/some-path/libsofthsm2.so to configure.
Also see "configure --help".
The test is enabled only if --enable-pkcs11 is in use, and SOFTHSM2_UTIL
& P11TOOL are found in path or manually defined during configuring.
Changes relative to github PR
- Explicitly disable building the test on Windows: need to port mkstemp,
mkdtemp, setenv etc., before enabling this on Windows.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230322221456.1660425-2-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26483.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
- This function will be reused for testing pkcs11
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230322221456.1660425-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26484.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
- This is the only remaining function in cryptoapi.c that has no
direct or indirect test.
This test confirms that an SSL_CTX context gets a certificate and
private key loaded into it and the public key in the certificate
matches the private key. As signing with certificate/key pairs
fetched from the store is independently tested by the 'cryptoapi_sign'
test, signing is not re-tested here.
The functions "setup_/teardown_cryptoapi_sign()" are renamed to
"setup_/teardown_xkey_provider()" to better reflect their purpose.
These are also reused for the new test.
While touching this context, also fix a memory leak in
test_cryptoapi_sign: X509_get_pubkey() -> X509_get0_pubkey()
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230318144325.1316320-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26438.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
- For each sample certificate/key pair imported into the store,
load the key into xkey-provider and sign a test message.
As the key is "provided", signing will use appropriate
backend (Windows CNG in this case).
The signature is then verified using OpenSSL.
Change-Id: I520b34ba51e8c6d0247a82edc52bde181ab5a717
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230315013516.1256700-5-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26416.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
- find_certificate_in_store tested using 'SUBJ:', 'THUMB:'
and 'ISSUER:' select strings. Uses test certificates
imported into the store during the import test.
Change-Id: Ib5138465e6228538af592ca98b3d877277355f59
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230315013516.1256700-3-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26415.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
- A few sample certificates are defined and imported into
Windows certificate store (user store).
This only tests the import process. Use of these certs to test the
core functionality of 'cryptoapicert' are in following commits.
Change-Id: Ida5fc12c5bad5fde202da0bf0e8cdc71efe548c2
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230315013516.1256700-2-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26417.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
The HMAC leaks are just forgotten frees/deinitialisations.
tls_wrap_control() will sometimes return the original buffer (non
tls-crypt) and sometimes tls_wrap.work, so handling this buffer lifetime
is a bit more complicated. Instead of further complicating that code
just give our work buffer the same lifetime as the other one inside
tls_wrap.work (put it into per-session gc_arena) as that is also more
consistent.
Second, packet_id_init() allocates a buffer with malloc and not using a
gc_arena, so we need to also manually free it.
Patch v2: add missing deallocations in unit tests of the new workbuf
Patch v3: remove useless allocation of 0 size buffer in
tls_auth_standalone_init
Found-By: clang with asan
Change-Id: I0cff44f79ee7e3bcf7b5981fc94f469c15f21af3
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230315195512.323070-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Commit 7f72abcf8a56bb35a510a3409e03a4e2aaba50da enabled subdir-objects
when using automake 1.16+.
There is an issue with the handling of .deps directories with this option.
While automake 1.16 fixed subdir-objects to work at all when _SOURCES
contains "unexpanded references" and it did fix subdir-objects to work
with out-of-tree build for "source files specified with an explicit
'$(srcdir)'" those fixes are not transitive. "unexpanded references"
still break out-of-tree builds when enforcing a read-only source dir
like 'make distcheck' does. When using *explicit* references to
srcdir and top_srcdir it works correctly.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20230308150704.128797-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26352.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Currently we have only one slot for renegotiation of the session/keys.
If a replayed/faked packet is inserted by a malicous attacker, the
legimate peer cannot renegotiate anymore.
This commit introduces dynamic tls-crypt. When both peer support this
feature, both peer create a dynamic tls-crypt key using TLS EKM (export
key material) and will enforce using that key and tls-crypt for all
renegotiations. This also add an additional protection layer for
renegotiations to be taken over by an illegimate client, binding the
renegotiations tightly to the original session. Especially when 2FA,
webauth or similar authentication is used, many third party setup ignore
the need to secure renegotiation with an auth-token.
Since one of tls-crypt/tls-crypt-v2 purposes is to provide poor man's post
quantum crypto guarantees, we have to ensure that the dynamic key tls-crypt
key that replace the original tls-crypt key is as strong as the orginal key
to avoid problems if there is a weak RNG or TLS EKM produces weak keys. We
ensure this but XORing the original key with the key from TLS EKM. If
tls-crypt/tls-cryptv2 is not active, we use just the key generated by
TLS EKM. We also do not use hashing or anything else on the original key
before XOR to avoid any potential of a structure in the key or something
else that might weaken post-quantum use cases.
OpenVPN 2.x reserves the TM_ACTIVE session for renegotiations. When a
SOFT_RESET_V1 packet is received, the active TLS session is moved from
KS_PRIMARY to KS_SECONDARY. Here an attacker could theorectically send a
faked/replayed SOFT_RESET_V1 and first packet containing the TLS client
hello. If this happens, the session is blocked until the TLS
renegotiation attempt times out, blocking the legimitate client.
Using a dynamic tls-crypt key here blocks any SOFT_RESET_V1 (and following
packets) as replay and fake packets will not have a matching
authentication/encryption and will be discarded.
HARD_RESET packets that are from a reconnecting peer are instead put in the
TM_UNTRUSTED/KS_PRIMARY slot until they are sufficiently verified, so the
dynamic tls-crypt key is not used here. Replay/fake packets also do not
block the legimitate client.
This commit delays the purging of the original tls-crypt key data from
directly after passing it to crypto library to tls_wrap_free. We do this
to allow us mixing the new exported key with the original key.
To be able to generate the dynamic tls-cryptn key, we need the original
key, so deleting the key is not an option if we need it later again to
generate another key. Even when the client does not support secure
renegotiation, deleting the key is not an option since when the
reconnecting client or (especially in p2p mode with float) another client
does the reconnect, we might need to generate a dynamic tls-crypt key
again. Delaying the deletion of the key has also little effect as the
key is still present in the OpenSSL/mbed TLS structures in the tls_wrap
structure, so only the number of times the keys is in memory would be
reduced.
Patch v2: fix spellings of reneg and renegotiations.
Patch v3: expand comment to original_tlscrypt_keydata and commit message,
add Changes.rst
Patch v4: improve commit message, Changes.rst
Patch v5: fix spelling/grammar mistakes. Add more comments.
Patch v6: consistently calld this feature dynamic tls-crypt crypt. Note
this changes the export label and makes it incompatible with
previous patches.
Patch v7: also xor tls-auth key data into the dynamic tls-crypt key like
tls-crypt key data
Patch v8: Avoid triggering ASSERT added in v7 by properly setting keys.n = 2
when loading tls crypt v2 client keys. Add dyn-tls-crypt to
protocol options printout.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20230307150233.3551436-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26341.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
- Though named cryptoapi_testdriver, right now this only tests
parsing of thumbprint specified as a selector for --cryptioapicert
option. More tests coming..
v2: a line that belongs here was mistakenly included in the previous
commit. Corrected.
v3: add to list of tests run in github actions
v4: - correct comment above invalid strings (copy paste error)
- make invalid strings differ from correct value only in the
explicitly introduced invalid characters/separators (one had
two distinct errors which is not a robust test).
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230214200804.600405-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26268.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
- Minor changes to the build system to include some
dependencies for Windows build
- test_tls_crypt not built as it will pull in win32.c and
its dependencies
- If cross-compiling, "make check" will only build the tests but not
run any. Copy to Windows and run manually. Executables are in
<buid-dir>/tests/unit_tests/openvpn/.libs/ and these depend on
cmocka.dll in addition to openssl libs that some tests link to.
Building with mingw on Windows should run the tests (untested).
v2: networking_testdriver was mistakenly enabled to run, while
originally it was only set to build. Corrected.
v3: exclude check_engine_keys.sh when cross-compiling
As suggested by Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230208005925.393200-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26188.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
My mingw compiler/headers (mingw-w64 10.0.0 on macOS) seem to be more
pendantic than the one that comes with Ubuntu 22.04 (github actions) or
any of the other platforms including msvc/normal windows header.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20230208001819.244694-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26182.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Not enabled by default with OpenSSL 3, so we don't
see this in our builds.
While here add missing entries to .gitignore (which
is what made me look at engine-key test in the first
place).
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230110170257.113527-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25949.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Manually excluded ovpn_dco_win.h because it is an
imported file. ovpn_dco_linux.h is already excluded
because it still says 2021.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230110160531.81010-1-frank@lichtenheld.com>
URL: https://patchwork.openvpn.net/project/openvpn2/patch/20230110160531.81010-1-frank@lichtenheld.com/
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
The realloc logic has the problem that it relies on the memory being
deallocated by uninit_options rather than by freeing the gc. This
does not always happen in all code path. Especially the crypto selftest
run by make check will not call uninit_options.
This introduces a gc_realloc function that ensures that the pointer is
instead freed when gc_free is called.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221227140249.3524943-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25829.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
This surprising breakage results from the fact that Linux basically uses
a different structure from the *BSD:
For exmaple, macOS has:
struct sockaddr_in {
__uint8_t sin_len;
sa_family_t sin_family;
in_port_t sin_port;
struct in_addr sin_addr;
char sin_zero[8];
};
with sa_family_t also uint8_t
and Linux has stupidly complex definition that boils down to:
struct sockaddr_in
{
uint16_t sin_family;
in_port_t sin_port;
struct in_addr sin_addr
char sin_zero[8];
};
So Linux basically has a 16 bit uint16 instead of two uint8_t. Because
s390x is big endian, this happens to be same in memory layout as on all
BSDs with first byte being 0 and second byte being the family.
Introduce a second array to check against, if we are on little endian
Linux.
This is a bit fragile but this is also just a unit test.
This also fixes compiling test_pkt with windows.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221207140259.1083577-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25633.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
We accidentially checked the adress family size instead of the address
family.
For unit test checks we need to consider endianess to ensure the hmac
for the adress is always the same. The real code does not care about
endian since it only needs it to be same on the same architecture.
Converting the session to endianess is strictly speaking unecessary
for the actual function of the function but is almost no overhead
and makes the unit testing more robust.
Reported by David trying to the package on Red Hat/s390x and painfully
debugged by setting up a s390x qemu machine that takes 40s just to
run ./configure.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221206133647.954724-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25619.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
This adds an MRU cache for the last seen packets from the peer to send acks
to all recently recently packets. This allows packets to be acknowledged
even if a single P_ACK_V1 gets lost, avoiding retransmissions. The downside
is that we add up to 28 byte to an P_ACK_V1 (7* packet_id) and up to 24
bytes to other control channel packets (4* packet_id + peer session id).
However these small increases in packet size are a small price to pay for
increased reliability.
Currently OpenVPN will only send the absolute minimum of ACK messages. A
single lost ACK message will trigger a resend from the peer and another
ACK message.
Patch v2: fix multiple typos/grammar. Change lru to mru (this is really an
MRU cache), add more unit test cases
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220831134140.913337-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25143.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Patch v4: rebase
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220921104930.3452270-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25292.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|