Re: [Openvpn-devel] [PATCH] OpenSolaris/OpenIllumos: use /bin/bash if available for test scripts.

2019-10-09 Thread Casper . Dik


>t_client.sh relies on "echo -e" and "echo -n" to produce nicely
>looking output, which fails on Solaris /bin/sh - force SHELL=/bin/bash
>on recent-enough Solaris variants that have it.


Where recent is "Solaris 8 or later"

I.e., just under 20 years old. :-)

Can't tell which version of bash it was shipped with, though...

Casper



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [PATCH 1/6] sitnl: harden strncpy() by forcing arguments to have the same length

2019-08-05 Thread Casper . Dik



>For this reason, force both strings to use IFNAMSIZ as size and, since
>this constant may not exist on every platform, ensure it is always
>defined.

A problem with this patch might be that strncpy() does NOT NUL terminate the
copied string.  (It writes EXACTLY IFNAMSIZ bytes but only when the string 
is shorter, it will write NUL bytes in the remainder of the char array[].)

You could use strlcpy() but I'm not sure if that is available in Windows.


> 
> /* save result in output variables */
> memcpy(best_gw, &res.gw, res.addr_size);
-strcpy(best_iface, res.iface);
>+strncpy(best_iface, res.iface, IFNAMSIZ);
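
Review bot: the added strncpy(best_iface, res.iface, IFNAMSIZ) leaves best_iface without a terminating NUL whenever res.iface has no NUL within its first IFNAMSIZ bytes, and nothing in this hunk shows that it always does. Either copy at most IFNAMSIZ - 1 bytes and set best_iface[IFNAMSIZ - 1] = '\0' after the call, or use a bounded copy that always terminates; the caller also has no way to learn that an interface name was cut short, so consider returning an error in that case.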

Casper
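
The strncpy() behaviour described in this reply, as an added example that is not part of the original message or of the OpenVPN source. The function names nuls_after_strncpy() and copy_ifname() are hypothetical, the interface names are constructed, and the IFNAMSIZ fallback of 16 (the Linux value) is an assumption.

```c
#include <stdio.h>
#include <string.h>

#ifndef IFNAMSIZ
#define IFNAMSIZ 16 /* assumed fallback: the Linux <net/if.h> value */
#endif

/* Copy with strncpy() as in the quoted hunk and count the NUL bytes that end
 * up in the IFNAMSIZ-byte destination. 0 means the result is not a C string. */
size_t nuls_after_strncpy(const char *src)
{
    char dst[IFNAMSIZ + 1]; /* only the first IFNAMSIZ bytes model the real buffer */
    size_t i, nuls = 0;

    memset(dst, 'X', sizeof(dst));
    strncpy(dst, src, IFNAMSIZ);
    for (i = 0; i < IFNAMSIZ; i++)
        nuls += (dst[i] == '\0');
    return nuls;
}

/* Hypothetical helper: bounded copy into an IFNAMSIZ-byte buffer that always
 * terminates. Returns 0 on success, -1 if src did not fit and was cut. */
int copy_ifname(char *dst, const char *src)
{
    size_t len = strlen(src);
    int truncated = (len >= IFNAMSIZ);

    if (truncated)
        len = IFNAMSIZ - 1;
    memcpy(dst, src, len);
    memset(dst + len, '\0', IFNAMSIZ - len); /* terminate and zero the rest */
    return truncated ? -1 : 0;
}

int main(void)
{
    char out[IFNAMSIZ];
    /* constructed names of 4, 16 and 20 characters */
    const char *names[] = { "tun0", "sixteen_chars_xx", "twenty_characters_xx" };
    size_t i;

    for (i = 0; i < 3; i++) {
        int rc = copy_ifname(out, names[i]);
        printf("%-22s strncpy NULs=%2zu  copy_ifname rc=%d -> \"%s\"\n",
               names[i], nuls_after_strncpy(names[i]), rc, out);
    }
    return 0;
}
```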





Re: [Openvpn-devel] Solaris 11: t_lpback.sh coredump on AES-GCM

2017-09-20 Thread Casper . Dik

>Hello.
>
>Spent a day debugging this issue on OpenIndiana.
>If anyone steps on this once again...
>It seems the issue was caused by OI/Solaris OpenSSL specific patches, in 
>particular by 
>https://github.com/OpenIndiana/oi-userland/blob/oi/hipster/components/library/openssl/openssl-1.0.2/patches/036-evp_leak.patch 
>. It was fixed in solaris-userland in this commit - 
>https://github.com/oracle/solaris-userland/commit/05790938481cdceaedb2a9aee700bcec6fca7e34
>.


Yes I had bug 26336744 filed for this and figured out what was causing it; 
as a result it has been fixed in Solaris userland (in both branches).

The fix was also delivered in Solaris 11.3 SRU 24 which was released 
somewhere in the last week.

# pkg list -H entire openssl
entire                    0.5.11-0.175.3.24.0.4.0    i--
library/security/openssl  1.0.2.11-0.175.3.24.0.4.0  i--

(the weird numbers are historic and should be changed to more easily 
understandable numbers in 11.4)

Casper




Re: [Openvpn-devel] Solaris 11: t_lpback.sh coredump on AES-GCM

2017-08-30 Thread Casper . Dik

>On 30.08.17 at 10:39, casper@oracle.com wrote:
>> 
>> 
>>>> After I figured out where we went wrong, I filed:
>>>> 26336744 Solaris specific cleanup code breaks gcm_aes for, e.g., openvpn
>>>> which has now been fixed in oracle solaris-userland on GitHub
>>>> https://github.com/oracle/solaris-userland/tree/master/components/openssl
>>>
>>> Cool, thanks a lot!
>>>
>>>> I cannot say exactly when it will be in Solaris 11.3 SRU (patch) release.
>>>> Current workaround is disabling AES-GCM for openvpn but that should not be
>>>> needed in the future.
>>>
>>> Is there a way to reliably detect this issue from a test program (or by
>>> looking at system versions, like "uname")?  It might be worth adding a
>>> configure test so users won't run into it ("AES-GCM disabled due to
>>> bug 26336744 in Solaris OpenSSL").
>> 
>> Well, t_lpback would fail but that is late as then you would have 
>> configured and compiled openvpn.
>>
>
>Does it fail reliably? If yes we could just run a quick version of
>failing and if this fails disable AES support, especially disabling
>cipher negotiation.


Yes, very reliable (NULL pointer dereference)

Casper




Re: [Openvpn-devel] Solaris 11: t_lpback.sh coredump on AES-GCM

2017-08-30 Thread Casper . Dik


>> After I figured out where we went wrong, I filed:
>> 26336744 Solaris specific cleanup code breaks gcm_aes for, e.g., openvpn
>> which has now been fixed in oracle solaris-userland on GitHub
>> https://github.com/oracle/solaris-userland/tree/master/components/openssl
>
>Cool, thanks a lot!
>
>> I cannot say exactly when it will be in Solaris 11.3 SRU (patch) release.
>> Current workaround is disabling AES-GCM for openvpn but that should not be
>> needed in the future.
>
>Is there a way to reliably detect this issue from a test program (or by
>looking at system versions, like "uname")?  It might be worth adding a
>configure test so users won't run into it ("AES-GCM disabled due to
>bug 26336744 in Solaris OpenSSL").

Well, t_lpback would fail but that is late as then you would have 
configured and compiled openvpn.

This bug exists in Solaris 11.2 FCS.  Older versions, as you have seen, do 
not have GCM support so you would not find the bug.

The best way to find the installed Solaris version in Solaris 11 and later 
is "pkg list entire"; this will print:

NAME (PUBLISHER)  VERSION                  IFO
entire            0.5.11-0.175.3.22.0.3.0  i--

The actual string is pretty much an "historical accident" but the 
important bits are: 0.5.11-0.175.*3*.*22*.0.3.0

The first three is the minor version (11.*3*) and the *22* is the 
installed SRU.

For now, I think for Solaris 11+ we should disable gcm which I currently 
do by hand by changing

#define HAVE_AEAD_CIPHER_MODES 1 
to
#undef HAVE_AEAD_CIPHER_MODES

Casper
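
A parser for the "entire" version string explained in this message, as an added example that is not part of the original message or of OpenVPN's configure logic. It assumes the 0.5.11-0.175.MINOR.SRU layout of the two strings shown in the thread, takes the fixed release (11.3 SRU 24) from the later reply in this thread, and assumes that no 11.2 SRU carries the fix; the function and enum names are hypothetical.

```c
#include <stdio.h>

enum gcm_status { GCM_ABSENT, GCM_AFFECTED, GCM_FIXED, GCM_UNKNOWN };

/* Parse the VERSION column of "pkg list entire", for example
 * "0.5.11-0.175.3.22.0.3.0" gives minor 3 and SRU 22.
 * Returns 0 on success, -1 if the string does not have that layout. */
int parse_entire_version(const char *ver, int *minor, int *sru)
{
    int consumed = 0;

    /* %n is only reached when the '.' after the SRU field matched */
    if (sscanf(ver, "0.5.11-0.175.%d.%d.%n", minor, sru, &consumed) != 2
        || consumed == 0 || *minor < 0 || *sru < 0)
        return -1;
    return 0;
}

/* Map an "entire" version to the state of bug 26336744. */
enum gcm_status classify(const char *ver)
{
    int minor, sru;

    if (parse_entire_version(ver, &minor, &sru) != 0)
        return GCM_UNKNOWN;   /* not an "entire" version string */
    if (minor < 2)
        return GCM_ABSENT;    /* thread: no GCM support before 11.2 */
    if (minor == 3 && sru >= 24)
        return GCM_FIXED;     /* thread: fix delivered in 11.3 SRU 24 */
    if (minor == 2 || minor == 3)
        return GCM_AFFECTED;  /* assumption: no 11.2 SRU has the fix */
    return GCM_UNKNOWN;       /* 11.4 and later: numbering expected to change */
}

int main(void)
{
    /* the two version strings shown in the thread */
    const char *samples[] = { "0.5.11-0.175.3.22.0.3.0",
                              "0.5.11-0.175.3.24.0.4.0" };
    const char *names[] = { "no GCM", "affected", "fixed", "unknown" };
    size_t i;

    for (i = 0; i < 2; i++)
        printf("%s: %s\n", samples[i], names[classify(samples[i])]);
    return 0;
}
```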






Re: [Openvpn-devel] Solaris 11: t_lpback.sh coredump on AES-GCM

2017-08-29 Thread Casper . Dik

I recently ran into the same problem as Jens Neuhalfen reported
more than a year ago in this mailing list.

As I was somewhat confused why the shipped Solaris openssl version failed, 
I looked into that issue as I also wanted to run a recent 
openvpn on Solaris 11.x.

After I figured out where we went wrong, I filed:

26336744 Solaris specific cleanup code breaks gcm_aes for, e.g., openvpn

which has now been fixed in oracle solaris-userland on GitHub

https://github.com/oracle/solaris-userland/tree/master/components/openssl

I cannot say exactly when it will be in Solaris 11.3 SRU (patch) release.

Current workaround is disabling AES-GCM for openvpn but that should not be 
needed in the future.

Casper

