| Message ID | 20211019183127.614175-22-arne@rfc2549.org |
|---|---|
| State | Not Applicable |
| Headers |
Return-Path: <openvpn-devel-bounces@lists.sourceforge.net> Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director10.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id kI/gGDwPb2EaQwAAIUCqbw (envelope-from <openvpn-devel-bounces@lists.sourceforge.net>) for <patchwork@openvpn.net>; Tue, 19 Oct 2021 14:32:28 -0400 Received: from proxy15.mail.ord1d.rsapps.net ([172.30.191.6]) by director10.mail.ord1d.rsapps.net with LMTP id GOXVGDwPb2FMGAAApN4f7A (envelope-from <openvpn-devel-bounces@lists.sourceforge.net>) for <patchwork@openvpn.net>; Tue, 19 Oct 2021 14:32:28 -0400 Received: from smtp5.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy15.mail.ord1d.rsapps.net with LMTPS id 4DbCFzwPb2E8UwAAAY1PeQ (envelope-from <openvpn-devel-bounces@lists.sourceforge.net>) for <patchwork@openvpn.net>; Tue, 19 Oct 2021 14:32:28 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp5.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: e9469bce-310a-11ec-b3c5-525400d73c44-1-1 Received: from [216.105.38.7] ([216.105.38.7:44034] helo=lists.sourceforge.net) by smtp5.gate.ord1d.rsapps.net (envelope-from <openvpn-devel-bounces@lists.sourceforge.net>) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 28/AC-02346-B3F0F616; Tue, 19 Oct 2021 14:32:28 -0400 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.92.3) (envelope-from <openvpn-devel-bounces@lists.sourceforge.net>) id 1mcttu-0001dy-1f; Tue, 19 Oct 2021 18:31:50 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) (envelope-from <arne@kamera.blinkt.de>) id 1mcttg-0001a3-Pf for openvpn-devel@lists.sourceforge.net; Tue, 19 Oct 2021 18:31:36 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=R4bdthZFlCJBB37LWoI6+61tUEH2ZBIbLjmfaPjqTxg=; b=EjAYlzn9zAfzQb+mzrCKFaPXmH kcmpT3f8jaKcAS93TCtHfa8UWXz7Fh0SDOu4yZjcoLLTRh59uk+JdrgjHpSp4/GLrt3itpT9q1Kd8 Ggi+GDVjgCyDprQQO8kdqQHpdbHvY/uX+U0np/A/lmXkuJliK2HfKkxveWJUasKZAcDA=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=R4bdthZFlCJBB37LWoI6+61tUEH2ZBIbLjmfaPjqTxg=; b=RuW4/8o23xgZbX4Kq7HHhdC5TT hSDKEHI5mIornSNiSk9yMPXeENBuw+2fT5bPl52VVYVowvIFzeW7s4H8/yVsmot0ZSeX6VHtna2pK PUyeRAB7JQf5lSlPg4nXcnITUpmVWlREJDEKFD4ju/vVKEcVk56so2mTgZBq53GmZRMM=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) id 1mcttf-006U0I-Ou for openvpn-devel@lists.sourceforge.net; Tue, 19 Oct 2021 18:31:36 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94.2 (FreeBSD)) (envelope-from <arne@kamera.blinkt.de>) id 1mcttY-0008id-OP for openvpn-devel@lists.sourceforge.net; Tue, 19 Oct 2021 20:31:28 +0200 Received: (nullmailer pid 614286 invoked by uid 10006); Tue, 19 Oct 2021 18:31:29 -0000 From: Arne Schwabe <arne@rfc2549.org> To: openvpn-devel@lists.sourceforge.net Date: Tue, 19 Oct 2021 20:31:27 +0200 Message-Id: <20211019183127.614175-22-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20211019183127.614175-1-arne@rfc2549.org> References: <20211019183127.614175-1-arne@rfc2549.org> MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: The signature messages required by external key managed also break the 1280 limit. To also avoid this surprise of different behaviour with PKCS11 enabled/disable, always use the larger size. Signed-off-by: Arne Schwabe <arne@rfc2549.org> --- src/openvpn/error.h | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) Content analysis details: (0.3 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 SPF_NONE SPF: sender does not publish an SPF Record X-Headers-End: 1mcttf-006U0I-Ou Subject: [Openvpn-devel] [PATCH v3 21/21] Always use 8192 bytes for ERR_BUF_SIZE X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: <openvpn-devel.lists.sourceforge.net> List-Unsubscribe: <https://lists.sourceforge.net/lists/options/openvpn-devel>, <mailto:openvpn-devel-request@lists.sourceforge.net?subject=unsubscribe> List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel> List-Post: <mailto:openvpn-devel@lists.sourceforge.net> List-Help: <mailto:openvpn-devel-request@lists.sourceforge.net?subject=help> List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/openvpn-devel>, <mailto:openvpn-devel-request@lists.sourceforge.net?subject=subscribe> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox |
| Series |
OpenSSL 3.0 improvements for OpenVPN
|
|
Commit Message
Arne Schwabe
Oct. 19, 2021, 7:31 a.m. UTC
The signature messages required by external key managed also break
the 1280 limit. To also avoid this surprise of different behaviour
with PKCS11 enabled/disable, always use the larger size.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
src/openvpn/error.h | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
Comments
Hi, On Tue, Oct 19, 2021 at 2:32 PM Arne Schwabe <arne@rfc2549.org> wrote: > The signature messages required by external key managed also break > the 1280 limit. To also avoid this surprise of different behaviour > with PKCS11 enabled/disable, always use the larger size. > This may be enough in most cases, but to be safer, shall we increase it to 10240? I have seen up to 6 K handshake messages when undigested messages are to be passed to the management interface and that's already 8K with base64 overhead. That said, I think we need a better solution. As it stands it's a bit silly that we keep allocating required buffers dynamically at the origination point, a number of places in manage.c, all the way up to x_msg_va() in error.c where it gets silently truncated to a hard-coded size. Can we use the return value of vsnprintf() in x_msg_va() to determine the size of the buffer required? Not sure whether that is reliable on all platforms. Only the size of m1 has to be determined as m2 has a more-or-less predictable overhead on top of that. Selva <div dir="ltr"><div>Hi,</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Oct 19, 2021 at 2:32 PM Arne Schwabe <<a href="mailto:arne@rfc2549.org">arne@rfc2549.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">The signature messages required by external key managed also break<br> the 1280 limit. To also avoid this surprise of different behaviour<br> with PKCS11 enabled/disable, always use the larger size.<br></blockquote><div><br></div><div>This may be enough in most cases, but to be safer, shall we increase it to 10240? I have seen up to 6 K handshake messages when undigested messages are to be passed to the management interface and that's already 8K with base64 overhead.</div><div><br></div><div>That said, I think we need a better solution. As it stands it's a bit silly that we keep allocating required buffers dynamically at the origination point, a number of places in manage.c, all the way up to x_msg_va() in error.c where it gets silently truncated to a hard-coded size. </div><div><br></div><div>Can we use the return value of vsnprintf() in x_msg_va() to determine the size of the buffer required? Not sure whether that is reliable on all platforms. Only the size of m1 has to be determined as m2 has a more-or-less predictable overhead on top of that.</div><div><br></div><div>Selva</div></div></div>
Hi, On Tue, Oct 19, 2021 at 08:31:27PM +0200, Arne Schwabe wrote: > The signature messages required by external key managed also break > the 1280 limit. To also avoid this surprise of different behaviour > with PKCS11 enabled/disable, always use the larger size. JFTR, this patch has been obsoleted by Selva's eeb019acee57e commit. This is now "large" for PKCS11 *or* ENABLE_MANAGEMENT, so for the original purpose, fixed. All original comments still apply, like, "make this less silly" gert
diff --git a/src/openvpn/error.h b/src/openvpn/error.h index 533354b3c..c36a82659 100644 --- a/src/openvpn/error.h +++ b/src/openvpn/error.h @@ -36,12 +36,8 @@ #endif /* #define ABORT_ON_ERROR */ - -#ifdef ENABLE_PKCS11 #define ERR_BUF_SIZE 8192 -#else -#define ERR_BUF_SIZE 1280 -#endif + struct gc_arena;