mirror of
https://github.com/OpenVPN/openvpn.git
synced 2024-09-20 03:52:28 +02:00
e498cb0ea8
Previously, if a mode was selected where packet ids are not allowed to roll over, but renegotiation does not succeed for some reason (e.g. no password entered in time, certificate expired or a malicious peer that refuses the renegotiation on purpose) we would continue to use the old keys. Until the packet ID would roll over and we would ASSERT() out.

Given that this can be triggered on purpose by an authenticated peer, this is a fix for an authenticated remote DoS vulnerability. An attack is rather inefficient though; a peer would need to get us to send 2^32 packets (min-size packet is IP+UDP+OPCODE+PID+TAG (no payload), results in (20+8+1+4+16)*2^32 bytes, or approx. 196 GB).

This is a fix for finding 5.2 from the OSTIF / Quarkslab audit.

CVE: 2017-7479
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1494358209-4568-3-git-send-email-steffan.karger@fox-it.com>
URL: http://www.mail-archive.com/search?l=mid&q=1494358209-4568-3-git-send-email-steffan.karger@fox-it.com
Signed-off-by: David Sommerseth <davids@openvpn.net>
- example_test
- openvpn
- plugins
- Makefile.am
- README.md
Unit Tests
This directory contains unit tests for openvpn. New features/bugfixes should be written in a test friendly way and come with corresponding tests.
Run tests
Tests are run by make check. A failed test stops test execution. To run all tests regardless of errors, call make -k check.
Add new tests to existing test suite
Test suites are organized in directories. example_test/ is an example for a test suite with two test executables. Feel free to use it as a template for new tests.
Test suites
Test suites live inside a subdirectory of $ROOT/tests/unit_tests, e.g. $ROOT/tests/unit_tests/my_feature.
Test suites are configured by a Makefile.am. Tests are executed by testdrivers. One testsuite can contain more than one testdriver.
Hints
- Name suites & testdrivers in a way that the name of the driver says something about which component/feature is tested
- Name the testdriver executable *_testdriver. This way it gets picked up by the default .gitignore
  - If this is not feasible: Add all output to a .gitignore
- Use descriptive test names: coffee_brewing__with_no_beans__fails vs. test34
- Testing a configurable feature? Wrap test execution with a conditional (see auth_pam for an example)
- Add multiple test-drivers when one testdriver looks crowded with tests
New Test Suites
- Organize tests in folders for features.
- Add the new test directory to SUBDIRS in Makefile.am
- Edit configure.ac and add the new Makefile to AC_CONFIG_FILES
- Run ./configure, and enable the feature you'd like to test
- Make sure that make check runs your tests
- Check: Would a stranger be able to easily find your tests by looking at the test output?
- Run ./configure, and disable the feature you'd like to test
- Make sure that make check does not run your tests
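
A Makefile.am for a new suite that follows the hints and steps above, added here as an illustration and not taken from the OpenVPN tree. The suite name my_feature, the source file test_my_feature.c, the conditional ENABLE_MY_FEATURE and the shell variable enable_my_feature are hypothetical; compiler and linker flags for the test framework are left out.

```makefile
# tests/unit_tests/my_feature/Makefile.am
# Hypothetical suite: every name containing "my_feature" is a placeholder.

# Start empty so that a disabled feature leaves nothing to build or run.
check_PROGRAMS =

# Configurable feature: register the driver only when the feature was
# enabled at ./configure time. The *_testdriver suffix lets the default
# .gitignore pick up the built executable.
if ENABLE_MY_FEATURE
check_PROGRAMS += my_feature_testdriver
my_feature_testdriver_SOURCES = test_my_feature.c
endif

# "make check" builds check_PROGRAMS and runs every program in TESTS.
# With the feature disabled the list is empty and no test runs here.
TESTS = $(check_PROGRAMS)

# Wiring outside this file (shown as comments, assumptions as above):
#
# tests/unit_tests/Makefile.am, add the directory to the existing list:
#     SUBDIRS = ... my_feature
#
# configure.ac, define the conditional and generate the new Makefile:
#     AM_CONDITIONAL([ENABLE_MY_FEATURE], [test "${enable_my_feature}" = "yes"])
#     AC_CONFIG_FILES([tests/unit_tests/my_feature/Makefile])
```

After regenerating the build system, running make check once with the feature enabled and once with it disabled covers the last four steps of the list.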