From patchwork Fri Dec 19 13:51:10 2025
X-Patchwork-Submitter: Frank Lichtenheld
X-Patchwork-Id: 4693
From: Frank Lichtenheld
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 19 Dec 2025 14:51:10 +0100
Message-ID: <20251219135110.166468-1-frank@lichtenheld.com>
Subject: [Openvpn-devel] [PATCH v7] Allow test-crypto to work without the --secret argument
From: Arne Schwabe The --test-crypto still requires the --secret argument. Since --secret will be removed in OpenVPN 2.8 but we want to keep test-crypto, remove the dependency of test-crypto on --static. Instead we will just generate a random key for this selftest method. This also removes the extra logic that is a leftover from the early multi-thread implementation attempt. Change-Id: I72947bd4f0213fd118327f740daeb1d86ae166de Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1435 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1435 This mail reflects revision 7 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/Changes.rst b/Changes.rst index 048434d..c8a3058 100644 --- a/Changes.rst +++ b/Changes.rst @@ -343,6 +343,10 @@ loading for key/cert files with non-ASCII characters in their file names (GH: OpenVPN/openvpn#920). +- The ``test-crypto`` option no longer requires a ``--secret`` argument and + will automatically generate a random key. + + Deprecated features ------------------- ``--opt-verify`` feature removed diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index a9232ce..ed581b1 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -427,13 +427,13 @@ The typical usage of ``--test-crypto`` would be something like this: :: - openvpn --test-crypto --secret key + openvpn --test-crypto or :: - openvpn --test-crypto --secret key --verb 9 + openvpn --test-crypto --verb 9 This option is very useful to test OpenVPN after it has been ported to a new platform, or to isolate problems in the compiler, OpenSSL crypto 
@@ -441,6 +441,10 @@ problems with encryption and authentication can be debugged independently of network and tunnel issues. + Older versions of OpenVPN used the ``--secret`` argument to specify a + static key for this test. Newer version generate a random key for the + test. + --tmp-dir dir Specify a directory ``dir`` for temporary files instead of the default :code:`TMPDIR` (or "/tmp" if unset). Note that it must be writable by the main diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index e43bc6c..ddf3c17 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -1325,6 +1325,18 @@ secure_memzero(&key2, sizeof(key2)); } +void +generate_test_crypto_random_key(const struct key_type *key_type, struct key_ctx_bi *ctx, + const char *key_name) +{ + struct key2 key2; + key2.n = 2; + generate_key_random(&key2.keys[0]); + generate_key_random(&key2.keys[1]); + init_key_ctx_bi(ctx, &key2, KEY_DIRECTION_BIDIRECTIONAL, key_type, key_name); +} + + /* header and footer for static key file */ static const char static_key_head[] = "-----BEGIN OpenVPN Static key V1-----"; static const char static_key_foot[] = "-----END OpenVPN Static key V1-----"; diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index 9424fd7..6670deb 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h @@ -632,6 +632,13 @@ const char *key_file, bool key_inline, const int key_direction, const char *key_name, const char *opt_name, struct key2 *keydata); +/** + * Generate a random key and initialise ctx to be used the in the crypto random + * test + */ +void generate_test_crypto_random_key(const struct key_type *key_type, struct key_ctx_bi *ctx, + const char *key_name); + /* * Inline functions */ diff --git a/src/openvpn/init.c b/src/openvpn/init.c index ee198ce..c0e4418 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c 
@@ -2998,6 +2998,34 @@ #endif } + +static void +do_init_crypto_test(struct context *c) +{ + const struct options *options = &c->options; + ASSERT(options->test_crypto); + + init_crypto_pre(c, 0); + + c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM; + + /* Initialize packet ID tracking */ + packet_id_init(&c->c2.crypto_options.packet_id, options->replay_window, options->replay_time, + "STATIC", 0); + + ASSERT(!key_ctx_bi_defined(&c->c1.ks.static_key)); + + /* Init cipher and hash algorithm */ + init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname, + options->test_crypto, true); + + generate_test_crypto_random_key(&c->c1.ks.key_type, &c->c1.ks.static_key, + "test crypto key"); + + /* Get key schedule */ + c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key; +} + /* * Static Key Mode (using a pre-shared key) */ @@ -5003,17 +5031,18 @@ * Do a loopback test * on the crypto subsystem. */ -static void * -test_crypto_thread(void *arg) +void +do_test_crypto(struct context *c) { - struct context *c = (struct context *)arg; + /* print version number */ + msg(M_INFO, "%s", title_string); const struct options *options = &c->options; ASSERT(options->test_crypto); init_verb_mute(c, IVM_LEVEL_1); context_init_1(c); next_connection_entry(c); - do_init_crypto_static(c, 0); + do_init_crypto_test(c); frame_finalize_options(c, options); @@ -5023,25 +5052,4 @@ packet_id_free(&c->c2.crypto_options.packet_id); context_gc_free(c); - return NULL; -} - -bool -do_test_crypto(const struct options *o) -{ - if (o->test_crypto) - { - struct context c; - - /* print version number */ - msg(M_INFO, "%s", title_string); - - context_clear(&c); - c.options = *o; - options_detach(&c.options); - c.first_time = true; - test_crypto_thread((void *)&c); - return true; - } - return false; -} +} \ No newline at end of file diff --git a/src/openvpn/init.h b/src/openvpn/init.h index 97318ec..d5c8c04 100644 --- a/src/openvpn/init.h +++ b/src/openvpn/init.h 
@@ -71,7 +71,7 @@ void close_instance(struct context *c); -bool do_test_crypto(const struct options *o); +void do_test_crypto(struct context *o); void context_gc_free(struct context *c); diff --git a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c index eaaa59b..0c22e27 100644 --- a/src/openvpn/openvpn.c +++ b/src/openvpn/openvpn.c @@ -258,8 +258,9 @@ pre_setup(&c.options); /* test crypto? */ - if (do_test_crypto(&c.options)) + if (c.options.test_crypto) { + do_test_crypto(&c); break; } diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 34af0d3..22ec7fe 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -2276,11 +2276,7 @@ init_options(&defaults, true); - if (options->test_crypto) - { - notnull(options->shared_secret_file, "key file (--secret)"); - } - else + if (!options->test_crypto) { notnull(options->dev, "TUN/TAP device (--dev)"); } @@ -2694,7 +2690,7 @@ msg(M_USAGE, "specify only one of --tls-server, --tls-client, or --secret"); } - if (!options->tls_server && !options->tls_client) + if (!options->tls_server && !options->tls_client && !options->test_crypto) { msglvl_t msglevel = M_USAGE; if (options->allow_deprecated_insecure_static_crypto) diff --git a/tests/t_lpback.sh b/tests/t_lpback.sh index 8ab3973..6802506 100755 --- a/tests/t_lpback.sh +++ b/tests/t_lpback.sh @@ -89,13 +89,12 @@ # Also test cipher 'none' CIPHERS=${CIPHERS}$(printf "\nnone") -"${openvpn}" --genkey secret key.$$ set +e for cipher in ${CIPHERS} do test_start "Testing cipher ${cipher}... " - ( "${openvpn}" --test-crypto --secret key.$$ --allow-deprecated-insecure-static-crypto --cipher ${cipher} ) >log.$$ 2>&1 + ( "${openvpn}" --test-crypto --cipher ${cipher} ) >log.$$ 2>&1 test_end $? log.$$ done @@ -126,6 +125,6 @@ echo "$0: tests passed: $tests_passed failed: $tests_failed" fi -rm key.$$ tc-server-key.$$ tc-client-key.$$ log.$$ +rm tc-server-key.$$ tc-client-key.$$ log.$$ trap 0 exit $e
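Review bot: the Changes.rst entry only says that ``--secret`` is no longer required; it should also state what happens when a user still passes it, because nothing in this patch reads ``shared_secret_file`` in test-crypto mode any more (the ``notnull`` check is removed in options.c and ``do_init_crypto_test()`` generates its own key), so ``--test-crypto --secret key`` would be accepted and the file silently unused. Suggest extending the entry to something like "will automatically generate a random key; a ``--secret`` given together with ``--test-crypto`` is ignored" (or "rejected", if the options.c check is tightened).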
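Review bot: grammar in the added man page paragraph in generic-options.rst: "Newer version generate a random key for the test" should read "Newer versions generate a random key for the test". While touching it, "static key" would be clearer than "the ``--secret`` argument to specify a static key" (the argument is the file name, the key is what it contained).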
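Review bot: ``generate_test_crypto_random_key()`` in crypto.c leaves the freshly generated key material in the stack variable ``key2`` after ``init_key_ctx_bi()`` has copied it into the key contexts. The function that ends immediately above this hunk finishes with ``secure_memzero(&key2, sizeof(key2));`` (visible as context); add the same call before returning here so the random key does not linger on the stack. Also ``key2.n = 2;`` is the only field initialised; zero-initialising the struct before filling ``keys[0]``/``keys[1]`` avoids handing partially initialised memory to ``init_key_ctx_bi()``.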
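Review bot: the doc comment added to crypto.h reads "initialise ctx to be used the in the crypto random test"; reorder to "to be used in the crypto self-test" (it is the key that is random, not the test) and name the three parameters (``key_type``, ``ctx``, ``key_name``) so the header is self-explanatory without reading crypto.c.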
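Review bot: in ``do_init_crypto_test()`` (init.c, first hunk) the fourth argument to ``init_key_type()`` is ``options->test_crypto``, which the ``ASSERT(options->test_crypto)`` at the top of the function has already established is true; passing the option here reads as if the key type depended on it, when it is just the value inherited from ``do_init_crypto_static()``. Pass the literal ``true`` with a comment saying what that parameter selects. The ``ASSERT(!key_ctx_bi_defined(&c->c1.ks.static_key))`` guard is good; keep it.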
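Review bot: ``do_test_crypto()`` (init.c, second hunk) now runs on the caller's context instead of a private copy: the removed code did ``context_clear(&c)``, copied the options with ``options_detach()`` and set ``c.first_time = true`` before running the test, while the new version relies on the ``c`` passed in from openvpn.c already being in that state. Please confirm in the commit message that openvpn.c sets ``first_time`` on that context before the ``test_crypto`` check, and that running ``context_init_1()`` and ``context_gc_free()`` on the main context leaves it in a state the rest of ``openvpn_main()`` can still tear down after the ``break``. Separately, the file now ends without a trailing newline ("\ No newline at end of file" after ``+}``); restore it.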
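Review bot: the new prototype in init.h, ``void do_test_crypto(struct context *o);``, keeps the parameter name ``o`` from the old ``const struct options *o`` signature, while the definition in init.c and the neighbouring declarations ``close_instance(struct context *c)`` and ``context_gc_free(struct context *c)`` all use ``c``; rename it to ``c``.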
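Review bot: adding ``&& !options->test_crypto`` to the static-key deprecation condition in options.c (second hunk) is needed for ``--test-crypto`` to run without ``--allow-deprecated-insecure-static-crypto``, but combined with the first options.c hunk, which drops the ``notnull(options->shared_secret_file, ...)`` check, it means ``--test-crypto --secret key`` now passes option validation and the key file is never loaded or checked. Suggest handling that explicitly in the first hunk, e.g. ``if (options->test_crypto && options->shared_secret_file) msg(M_USAGE, "--secret is not used with --test-crypto");`` (``M_USAGE`` is already used in this block; a ``M_WARN`` would be the gentler choice if old scripts must keep working until ``--secret`` is removed in 2.8). The t_lpback.sh hunk shows the project's own invocation no longer passes ``--secret``, so either choice keeps the test green.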