| Message ID | 20221115122940.1947284-1-arne@rfc2549.org |
|---|---|
| State | Accepted |
| Headers |
Return-Path: <openvpn-devel-bounces@lists.sourceforge.net> Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director12.mail.ord1d.rsapps.net ([172.31.255.6]) by backend30.mail.ord1d.rsapps.net with LMTP id +H8kCWqGc2NzIAAAIUCqbw (envelope-from <openvpn-devel-bounces@lists.sourceforge.net>) for <patchwork@openvpn.net>; Tue, 15 Nov 2022 07:30:34 -0500 Received: from proxy6.mail.iad3b.rsapps.net ([172.31.255.6]) by director12.mail.ord1d.rsapps.net with LMTP id mCUMCWqGc2OmbAAAIasKDg (envelope-from <openvpn-devel-bounces@lists.sourceforge.net>) for <patchwork@openvpn.net>; Tue, 15 Nov 2022 07:30:34 -0500 Received: from smtp18.gate.iad3b ([172.31.255.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy6.mail.iad3b.rsapps.net with LMTPS id ODGWAGqGc2OGRgAARawThA (envelope-from <openvpn-devel-bounces@lists.sourceforge.net>) for <patchwork@openvpn.net>; Tue, 15 Nov 2022 07:30:34 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp18.gate.iad3b.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 4bd051d0-64e1-11ed-b57f-5254009ad1d4-1-1 Received: from [216.105.38.7] ([216.105.38.7:55918] helo=lists.sourceforge.net) by smtp18.gate.iad3b.rsapps.net (envelope-from <openvpn-devel-bounces@lists.sourceforge.net>) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id F4/7A-18652-96683736; Tue, 15 Nov 2022 07:30:33 -0500 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from <openvpn-devel-bounces@lists.sourceforge.net>) id 1ouv4h-0004pk-Jh; Tue, 15 Nov 2022 12:29:59 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from <arne@kamera.blinkt.de>) id 1ouv4f-0004pd-5H for openvpn-devel@lists.sourceforge.net; Tue, 15 Nov 2022 12:29:57 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=QO/mhASGWCDrcD0+oHh3vM6FTjql3Qj0jtxnb6tu6/w=; b=DSxfaQ70aIvd58g6EOoUJiQ2Dr onV2r6Zw333hto+IaZblIAaEgL2iKk8SbAT6Iop1Mi2WXgN5dxybP/OTB3Bo7wpJgU5fkO91G4FM0 V8AIXeeEnLbRV3TkC4UqKqxh53T1pVw3sqhdupMlxutfBB1BQ0VDBQMKtY2fqRupIHSk=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:Message-Id:Date:Subject:To:From: Sender:Reply-To:Cc:Content-Type:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post: List-Owner:List-Archive; bh=QO/mhASGWCDrcD0+oHh3vM6FTjql3Qj0jtxnb6tu6/w=; b=l GqzYfvxrVCeLdho4p2iN9QHfVvecPvX1X/NVRSBXrxjZFS3Mj347pfzyGoKqUdIU+La27Io87qu66 6KMOLtc+6royw02Hy+exQP3zMQ2UkQI4biPlMElzEZhA7cPgx+hUKPcIvY7EWS8OsUAoH6/KOSubV HKkSCsR77x/E4eNc=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1ouv4b-0094LJ-Df for openvpn-devel@lists.sourceforge.net; Tue, 15 Nov 2022 12:29:57 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.95 (FreeBSD)) (envelope-from <arne@kamera.blinkt.de>) id 1ouv4O-000NVp-Ms for openvpn-devel@lists.sourceforge.net; Tue, 15 Nov 2022 13:29:40 +0100 Received: (nullmailer pid 1947330 invoked by uid 10006); Tue, 15 Nov 2022 12:29:40 -0000 From: Arne Schwabe <arne@rfc2549.org> To: openvpn-devel@lists.sourceforge.net Date: Tue, 15 Nov 2022 13:29:40 +0100 Message-Id: <20221115122940.1947284-1-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: We want to check if EARLY_NEG_START is set and reserve the other bits for future expansions. Right now we also check if all reserved bits are zero. oops. Signed-off-by: Arne Schwabe <arne@rfc2549.org> --- src/openvpn/mudp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Content analysis details: (0.3 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different X-Headers-End: 1ouv4b-0094LJ-Df Subject: [Openvpn-devel] [PATCH] Fix logic error in checking early negotiation support check X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: <openvpn-devel.lists.sourceforge.net> List-Unsubscribe: <https://lists.sourceforge.net/lists/options/openvpn-devel>, <mailto:openvpn-devel-request@lists.sourceforge.net?subject=unsubscribe> List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel> List-Post: <mailto:openvpn-devel@lists.sourceforge.net> List-Help: <mailto:openvpn-devel-request@lists.sourceforge.net?subject=help> List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/openvpn-devel>, <mailto:openvpn-devel-request@lists.sourceforge.net?subject=subscribe> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox |
| Series |
[Openvpn-devel] Fix logic error in checking early negotiation support check
|
|
Commit Message
Arne Schwabe
Nov. 15, 2022, 12:29 p.m. UTC
We want to check if EARLY_NEG_START is set and reserve the other bits
for future expansions. Right now we also check if all reserved bits are
zero. oops.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
src/openvpn/mudp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Comments
Hi, On 15/11/2022 13:29, Arne Schwabe wrote: > We want to check if EARLY_NEG_START is set and reserve the other bits > for future expansions. Right now we also check if all reserved bits are > zero. oops. > > Signed-off-by: Arne Schwabe <arne@rfc2549.org> > --- > src/openvpn/mudp.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c > index 7c6fc816e..bdf35a8ba 100644 > --- a/src/openvpn/mudp.c > +++ b/src/openvpn/mudp.c > @@ -92,7 +92,7 @@ do_pre_decrypt_check(struct multi_context *m, > ASSERT(packet_id_read(&pin, &tmp, true)); > > /* The most significant byte is 0x0f if early negotiation is supported */ > - bool early_neg_support = (pin.id & EARLY_NEG_MASK) == EARLY_NEG_START; > + bool early_neg_support = ((pin.id & EARLY_NEG_MASK) & EARLY_NEG_START) == EARLY_NEG_START; The "== EARLY_NEG_START" is not needed. On top of that, my brain parses the expression easier without that part, because the question is "after filtering using the mask, is EARLY_NEG_START set?". The "==" imho adds logic which is not needed (both at the code and at the brain level). Cheers, > > /* All clients that support early negotiation and tls-crypt are assumed > * to also support resending the WKc in the 2nd packet */
Am 15.11.2022 um 13:36 schrieb Antonio Quartulli: > Hi, > > On 15/11/2022 13:29, Arne Schwabe wrote: >> We want to check if EARLY_NEG_START is set and reserve the other bits >> for future expansions. Right now we also check if all reserved bits are >> zero. oops. >> >> Signed-off-by: Arne Schwabe <arne@rfc2549.org> >> --- >> src/openvpn/mudp.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c >> index 7c6fc816e..bdf35a8ba 100644 >> --- a/src/openvpn/mudp.c >> +++ b/src/openvpn/mudp.c >> @@ -92,7 +92,7 @@ do_pre_decrypt_check(struct multi_context *m, >> ASSERT(packet_id_read(&pin, &tmp, true)); >> /* The most significant byte is 0x0f if early negotiation >> is supported */ >> - bool early_neg_support = (pin.id & EARLY_NEG_MASK) == >> EARLY_NEG_START; >> + bool early_neg_support = ((pin.id & EARLY_NEG_MASK) & >> EARLY_NEG_START) == EARLY_NEG_START; > > The "== EARLY_NEG_START" is not needed. > > On top of that, my brain parses the expression easier without that > part, because the question is "after filtering using the mask, is > EARLY_NEG_START set?". > The "==" imho adds logic which is not needed (both at the code and at > the brain level). Without the == it is enough if any of the bits EARLY_NEG_START is set (0xf00000), we want them all to be set. If EARLY_NEG_START were a flag/single bit, you would be right. Arne
Acked-by: Gert Doering <gert@greenie.muc.de> The discussion in the mail thread and on IRC explains why we need to check the full EARLY_NEG_START value (because it's "0x0f" in the topmost byte, not "just one bit set"). This is because it was done that way initially, and now it is what it is... so what this patch adds is "ignore the uppermost 4 bits in comparison, should we want to use these 4 bits for protocol extention in the future". Arguably one could just do "(pin.id & EARLY_NEG_START) == EARLY_NEG_START" here, but maybe this way it's clear what is being looked at. Only compile tested. Your patch has been applied to the master branch. commit 543f709f13bca9887cabd4545554539f18346e3c Author: Arne Schwabe Date: Tue Nov 15 13:29:40 2022 +0100 Fix logic error in checking early negotiation support check Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20221115122940.1947284-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25519.html Signed-off-by: Gert Doering <gert@greenie.muc.de> -- kind regards, Gert Doering
Hi, On 16/11/2022 01:54, Arne Schwabe wrote: > Without the == it is enough if any of the bits EARLY_NEG_START is set > (0xf00000), we want them all to be set. If EARLY_NEG_START were a > flag/single bit, you would be right. Ouch, I indeed assumed it was 1 bit only.. Cheers,
diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c index 7c6fc816e..bdf35a8ba 100644 --- a/src/openvpn/mudp.c +++ b/src/openvpn/mudp.c @@ -92,7 +92,7 @@ do_pre_decrypt_check(struct multi_context *m, ASSERT(packet_id_read(&pin, &tmp, true)); /* The most significant byte is 0x0f if early negotiation is supported */ - bool early_neg_support = (pin.id & EARLY_NEG_MASK) == EARLY_NEG_START; + bool early_neg_support = ((pin.id & EARLY_NEG_MASK) & EARLY_NEG_START) == EARLY_NEG_START; /* All clients that support early negotiation and tls-crypt are assumed * to also support resending the WKc in the 2nd packet */