Instead of testing (and priming) sudo with "true", prime with
"kill -0 $$" (just test signalling ourselves). If this fails,
we won't be able to kill the openvpn process we're going to
start later on -> thus, SKIP on failure.
This helps with misconfigured setups (especially on the buildbots)
that can correctly start openvpn but then not stop it later on -
leaving openvpn processes dangling around, requiring manual
intervention.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20161002131923.36681-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12585.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Previously one had to manually define correct values for the
EXPECT_IFCONFIG* variables based on what IPv4 and IPv6 addresses
the test VPN server handed out.
This was a tedious process especially with large number of tests,
as the IPs changed for every test client and for every test. With this
patch t_client.sh figures out the correct IP addresses using an
--up script and caches them to a separate file for later use.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1475491887-740-1-git-send-email-samuli@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12587.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This will check the OpenVPN log file if the process initialized
successfully.
It will check the log file for 30 seconds before aborting the test run.
This also has the advantage of starting the testing quicker if the
initialization goes faster than 10 seconds (which was the old sleep time).
The umask is also set to a more permissive mode to ensure the test
script is capable of reading the OpenVPN PID file, as that will be
created by root.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1474111085-10678-1-git-send-email-davids@openvpn.net>
URL: http://www.mail-archive.com/search?l=mid&q=1474111085-10678-1-git-send-email-davids@openvpn.net
Signed-off-by: Gert Doering <gert@greenie.muc.de>
If the t_client.rc have PREFER_KSU=1 configured, t_client.sh
will check if you have a valid Kerberos ticket and if so it will
do all execution via ksu instead of sudo.
If PREFER_KSU is not set or a Kerberos ticket is not found, it
will fallback to the configured RUN_SUDO approach.
When using ksu it needs the full path to the program being executed,
so there is also additional code to find the full path of true and kill.
[ v2 - Remove $* from RUN_SUDO for ksu config. Old cruft which survived
last review before patch submission.
- Improve known state declaration of PREFER_KSU ]
[ v3 - Kick out bashism - '&>' redirect ]
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1474109433-4710-1-git-send-email-davids@openvpn.net>
URL: http://www.mail-archive.com/search?l=mid&q=1474109433-4710-1-git-send-email-davids@openvpn.net
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This resolves an issue where $! returns the PID of the sudo process instead
of the PID of OpenVPN and when sudo does not properly propagate signales
down to OpenVPN.
Trac: #738
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1474104026-20615-1-git-send-email-davids@openvpn.net>
URL: http://www.mail-archive.com/search?l=mid&q=1474104026-20615-1-git-send-email-davids@openvpn.net
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Basically, an oversight - if one test instance does not start at all
(due to "tap driver not loaded") the whole script would exit, instead
of logging the failing instance and proceeding to the next test run.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: 20160913200458.9906-1-gert@greenie.muc.de
URL: http://www.mail-archive.com/search?l=mid&q=20160913200458.9906-1-gert@greenie.muc.de
Signed-off-by: David Sommerseth <davids@openvpn.net>
As discussed with the development team, we should start moving away from
ciphers with a small block size. For OpenVPN in particular this means
moving away from 64-bit block ciphers, towards 128-bit block ciphers.
This patch makes a start with that by moving ciphers with a block
size < 128 bits to the bottom of the --show-ciphers output, and printing
a warning in the connection phase if such a cipher is used.
While touching this function, improve the output of --show-ciphers by
ordering the output alphabetically, and changing the output format
slightly.
[DS: Fixed C89 issues in patch, moving 'int nid' and 'size_t i' declaration
to begining of function instead of in the for-loops. This is also
required to not break building on stricter compiler setups where C99
must be enabled explicitly ]
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1471358742-8773-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg00029.html
CVE: 2016-6329
Signed-off-by: David Sommerseth <davids@openvpn.net>
Commit 40cb4cfc5d added infrastructure to write unit tests using
cmocka. This was implemented using a git submodule to fetch an
up-to-date cmocka test framework.
The issue which appeared was that 'make check' stopped working if
the cmocka submodule was not initialized and updated. As we do not
want this to be a hard depenency, this patch makes running these
unit tests conditional. If cmocka has not been initialized, skip
them or if it has been initialized all unit tests will be run.
[v2 - Also check if cmake is available, as cmocka depends on that
to be built ]
Signed-off-by: David Sommerseth <dazo@privateinternetaccess.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1464703645-26640-1-git-send-email-openvpn@sf.lists.topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11758
No functional changes.
Utility functions of auth-pam are split into a dedicated file. This allows
the test programs to easily test these functions without adding
dependencies.
Add a minimal test for searchandreplace as a proof of concept.
[ Modified during commit: Enhanced documentation of functions in utils.h
to comply with doxygen standards ]
Signed-off-by: Jens Neuhalfen <jens@neuhalfen.name>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20160525175756.56186-3-openvpn-devel@neuhalfen.name>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11724
Signed-off-by: David Sommerseth <dazo@privateinternetaccess.com>
cmocka [1,2] is a testing framework for C. Adding unit test
capabilities to the openvpn repository will greatly ease the
task of writing correct code.
cmocka source code is added as git submodule in ./vendor. A
submodule approach has been chosen over a classical library
dependency because libcmocka is not available, or only
available in very old versions (e.g. on Ubuntu).
cmocka is build during 'make check' and installed in vendor/dist/.
[1] https://cmocka.org/
[2] https://lwn.net/Articles/558106/
Signed-off-by: Jens Neuhalfen <jens@neuhalfen.name>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20160525175756.56186-2-openvpn-devel@neuhalfen.name>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11725
Signed-off-by: David Sommerseth <dazo@privateinternetaccess.com>
Integration tests run by t_client.sh use sudo to run openvpn as root.
If the t_client.sh script is configured to use sudo then the user
must enter the password quickly because t_client assumes a startup
failure if openvpn does not start quick enough.
If the user is not quick enough, then the tests fails.
This change will refresh the sudo timestamp at the start of the script.
Tested on MacOS X & Ubuntu Precise
Signed-off-by: Jens Neuhalfen <jens@neuhalfen.name>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <280154CA-9468-429B-BCAC-DB632C0AFB32@neuhalfen.name>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11622
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Our "make check" testsuite creates quite a bit of output which is
intended to help pinpointing the exact reason for failure - hidden by
default by automake 1.12 and up, which default to "parallel-tests" which
has no benefit for us. So, just set the automake option to revert to
the old behaviour.
See also: https://www.gnu.org/software/automake/manual/html_node/Serial-Test-Harness.html
Trac #427
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Message-ID: <20150524193011.GK382@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9738
Acked-by: David Sommerseth <openvpn.list@topphemmelig.net>
... by not incorrectly hinting to the compiler the function argument of
cipher_kt_mode_{cbc,ofb_cfb}() is nonnull, since that no longer is the
case.
Verified the fix on Debian Wheezy, one of the platforms the reporter in
trac #473 mentions with a compiler that would optimize out the required
checks.
Also add a testcase for --cipher none to t_lpback, to prevent further
regressions.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1417552920-31770-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9300
Signed-off-by: Gert Doering <gert@greenie.muc.de>
commit e97aa06dc0 introduced "full openvpn cipher testing", but fails
on OpenSSL 0.9.8 with DES-CFB1 (skip), on NetBSD for RC5-* (needs extra
library, libcrypto_rc5.a) and on Solaris for POSIXly "tail" (rewrite).
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1404830758-7927-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8861
... instead of just BF-CBC. Should catch more mistakes.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1402244175-31462-5-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8777
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Teach it how to run ifconfig/route on AIX to have meaningful results.
Signed-off-by: Gert Doering <gd@medat.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1402409073-54067216-5-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8786
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- remove built tests/t_client.sh script on "make clean"
- ignore Linux iproute2 "ssthresh <n>" output that sometimes shows up
in "ip -6 route show" and breaks before/after comparison
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1398019261-30180-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8557
"ip -6 route show" prints stuff like "rtt 38ms rttvar 38ms cwnd 10", which
sometimes changes while an OpenVPN test is running, resulting in spurious
failures in the "ifconfig/route must be restored identically after
OpenVPN ends" test in t_client.sh. Not all fields are there all the time,
so use "sed" to get rid of whatever is printed this time.
Only relevant for "make check" on linux builds with "--enable-iproute2".
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1385309584-23209-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8047
IPv6 documentation prefix is 2001:db*8*:: (not :dba:), and the second
test stanza variables need to end in _2, of course...
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Josh Cepek <josh.cepek@usa.net>
Message-Id: <1384624401-27943-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7992
By adding PREPARE_$NUM and CLEANUP_$NUM variables containing command lines
to execute before and after the test case is run.
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1384615074-22345-1-git-send-email-dazo@users.sourceforge.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7990
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Check if fping and fping6 is available before running the real tests,
to avoid misleading test failures.
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1384535524-6366-1-git-send-email-dazo@users.sourceforge.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7981
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This is useful if a test fails, and the tester wants to run the very
same OpenVPN call with the very same arguments interactively to
pinpoint and fix the problem.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1345141883-9889-2-git-send-email-gert@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/6984
Signed-off-by: David Sommerseth <davids@redhat.com>
Yet another postprocess-output fix for iproute2 (sometimes there was
no whitespace in the output, so substituting away expiry time failed).
Print summary line of succeeded and failed test sets at the very end.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 20120607174255.GV1059@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/6704
Signed-off-by: David Sommerseth <davids@redhat.com>
Test for existance of "iproute2" with "-n" (Alon)
Work around "ip -6 route show" behaviour on FC14 where some parts of
the IPv6 route cache would be displayed, which has no relevance to
OpenVPN but breaks before/after comparison.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 20120601151507.GE400@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/6637
Signed-off-by: David Sommerseth <davids@redhat.com>
- run t_client.sh at "make check" time
- in t_client.sh, read t_client.rc from source *or* build dir (as before)
- @IP@ evaluates to "" now (not "ip") if iproute2 not found - adapt script
- introduce $SETUP_TIME_WAIT to delay "waiting for openvpn startup" longer
than the default delay of 10 seconds - this is needed for test servers
with a high network RTT
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 20120527202737.GV1161@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/6616
Signed-off-by: David Sommerseth <davids@redhat.com>